Last Updated on 27/06/2026 by 75385885
Governance Design Meets Governance Reality
1. The Governance Paradox
GRC best practices – For more than three decades, organisations have invested heavily in Governance, Risk & Compliance (GRC). Boards have approved governance frameworks, regulators have issued increasingly sophisticated standards, ERP vendors have embedded preventive controls into business systems and Internal Audit functions have become an integral part of corporate governance.
The results have been impressive.
Modern organisations typically operate within well-designed governance frameworks. Segregation of Duties (SoD) is configured within ERP systems. Purchase approvals follow clearly defined authorisation matrices. Supplier master data is protected through workflow approvals. Three-way matching validates procurement transactions before invoices are paid. Internal Audit periodically tests these controls, while Audit Committees receive regular reports confirming the effectiveness of the control environment.
From a governance perspective, many organisations appear to be well managed.
Yet governance failures continue to surprise boards, regulators and shareholders.
How can organisations with mature GRC frameworks still experience significant governance failures?
The answer is surprisingly simple.
Traditional GRC primarily measures whether governance has been designed correctly. Much less attention is given to whether people continue to behave within that design as business realities evolve.
That distinction may appear subtle.
In reality, it represents one of the most important governance challenges facing organisations today.
Business environments are dynamic. Employees retire, vacancies remain unfilled, customer expectations change, operational pressures increase and managers develop practical workarounds to keep the business running. Most of these decisions are entirely reasonable. Individually they rarely violate policies or procedures.
Collectively, however, they can gradually change organisational behaviour until governance reality no longer resembles governance design.
This phenomenon is rarely caused by poor intentions.
More often, it is simply the natural consequence of people solving practical business problems.
Traditional GRC generally identifies these changes only after they become visible through periodic reviews, audit findings or deteriorating business performance.
Governance Control Navigator (GCN) starts from a different premise.
Instead of asking only whether controls were designed correctly and operated correctly, GCN continuously evaluates whether organisational behaviour still reflects the governance design originally approved by management.
That difference transforms governance from a periodic verification exercise into a process of continuous organisational navigation.
2. Traditional GRC – An Essential Foundation
Before discussing Governance Control Navigator, one point deserves emphasis.
GCN is not a replacement for Governance, Risk & Compliance.
On the contrary, it depends upon a mature GRC environment.
Frameworks such as the COSO Internal Control Framework, the Institute of Internal Auditors’ Three Lines Model, ISO management standards and enterprise GRC platforms have dramatically improved organisational governance over the past decades. They establish responsibilities, define control objectives, assign ownership and provide boards with structured assurance regarding organisational risks.
ERP systems have strengthened these governance frameworks even further.
Modern procurement processes contain numerous embedded controls.
Purchase orders cannot be approved without appropriate authority.
Supplier master files require formal authorisation.
Invoices are automatically matched against purchase orders and goods receipts.
Approval limits prevent employees from committing organisations beyond their delegated authority.
Segregation of Duties ensures that no individual controls an entire transaction from initiation to payment.
These are excellent controls.
Without them, organisations would expose themselves to unacceptable operational and financial risks.
Internal Audit periodically validates that these controls continue to function effectively.
External auditors rely upon many of these controls when determining audit approaches.
Regulators increasingly expect organisations to demonstrate that these governance mechanisms are operating effectively.
In other words, traditional GRC provides the architecture within which responsible organisations operate.
The limitation is therefore not the quality of GRC.
The limitation is the assumption that effective controls automatically guarantee effective governance.
Controls verify transactions.
Organisations, however, are driven by people.
People adapt.
People improvise.
People solve operational problems.
People gradually develop new ways of working.
Those behavioural changes are often invisible to traditional control testing because every individual transaction continues to comply with the designed control environment.
The governance framework appears stable.
The organisational behaviour is quietly evolving.
3. The Invisible Gap Between Governance Design and Governance Reality
Imagine two organisations.
On paper they appear identical.
Both operate the same ERP system.
Both have identical procurement policies.
Both perform quarterly Segregation of Duties reviews.
Both receive clean Internal Audit reports.
Both satisfy external auditors.
From a traditional governance perspective, they appear equally well controlled.
Now imagine observing these organisations for five years.
One organisation continues to operate exactly as management intended.
The other gradually develops practical workarounds.
Experienced employees receive temporary additional responsibilities.
Managers approve operational exceptions to maintain customer service.
Staff shortages require creative solutions.
None of these decisions appears significant.
Each decision is logical.
Each decision solves a genuine operational problem.
Yet together they gradually reshape organisational behaviour.
Nothing within the ERP system necessarily indicates that governance has deteriorated.
Every purchase order remains properly approved.
Every invoice continues to match.
Every payment follows the approved workflow.
Every control still functions exactly as designed.
Governance Design remains unchanged.
Governance Reality slowly moves elsewhere.
This difference between governance design and governance reality is where many significant governance failures begin.
Not through dramatic breaches of policy.
Not through deliberate fraud.
But through small behavioural adjustments that accumulate over time.
Traditional GRC generally evaluates the first reality.
Governance Control Navigator seeks to understand both.
It continuously asks a different governance question:
Does organisational behaviour still resemble the governance model originally approved by management?
Also read more about the COSO-model that GCN fully supports: COSO Internal Control Framework: Lessons from Global Corporate Failures or from COSO the subject of monitoring: Step 5 – Monitoring Activities: The Continuous Pulse of Internal Control, both from our blog.
4. Case Study – The Boutique Within the Boutique
To illustrate this distinction, consider the following fictional—but entirely realistic—case.
A large premium department store operates more than one hundred locations across the United Kingdom.
Each location follows identical procurement procedures.
Luxury fragrance purchasing is centralised through approved suppliers. Purchase orders are processed through the company’s ERP system, invoices are automatically matched against purchase orders and deliveries are recorded electronically.
The governance framework has been refined over many years.

Internal Audit regularly reviews Procure-to-Pay controls.
No significant deficiencies have been reported.
One of the stores is located in an affluent city centre shopping district.
The cosmetics and fragrance department enjoys an excellent reputation.
Among its employees is Sarah.
Sarah has worked for the company for eighteen years.
She is highly respected by colleagues and management alike.
She specialises in premium fragrances including Tom Ford, Creed, Maison Francis Kurkdjian and Chanel’s exclusive collections.
She understands her customers exceptionally well and has consistently received excellent performance evaluations.
As part of her role, Sarah has delegated purchasing authority up to CU 10,000 per month for premium fragrances.
All purchases require approved suppliers, approved purchase orders and remain fully subject to the company’s Segregation of Duties controls.
Sarah is exactly the kind of employee organisations trust.
Which is precisely why her story is so interesting.
5. A Practical Decision
The story does not begin with fraud.
It begins with convenience.
Luxury fragrances are physically small but financially valuable.
A monthly order worth several thousand currency units occupies only a few cartons.
One afternoon Sarah raises what appears to be an entirely practical question.
Instead of having premium fragrance deliveries sent directly to the busy store, would it not be easier if they were delivered to her home?
She lives only ten minutes away.
She starts work earlier than the store opens.
Deliveries at the shop sometimes interfere with customer service and require temporary storage space in the stockroom.
From an operational perspective, home delivery appears efficient.
Management agrees.
The arrangement is documented internally and regarded as a pragmatic logistical solution rather than a governance issue.
Nothing else changes.
Purchase orders continue to follow the approved workflow.
Approval limits remain unchanged.
Supplier relationships remain fully authorised.
Segregation of Duties remains intact.
Three-way matching continues to operate exactly as designed.
Every traditional GRC control continues to function perfectly.
And yet, without anyone recognising it, the first small step has been taken away from governance design and towards a very different governance reality.
6. Behavioural Drift – When Good Intentions Become Bad Governance
The following months passed without incident.
Sarah continued to perform exactly as management expected.
She remained one of the department’s most experienced fragrance specialists. Her product knowledge was exceptional, customer feedback was consistently positive and she was frequently asked to train new colleagues.
Nothing suggested that governance was beginning to drift.
One Saturday afternoon, however, a regular customer asked a seemingly innocent question.
“Sarah, I forgot to buy the new Tom Ford Private Blend before my daughter’s birthday. Is there any chance you could get one for me before next weekend?”
Sarah knew she had a delivery arriving at her home the following Tuesday.
She also knew that, as an employee, she could purchase products with a generous staff discount.
Without giving it much thought, she replied:
“I think I can help you.”
She purchased an additional bottle using her staff discount and passed it to the customer a few days later.
She made no profit.
She was simply helping a loyal customer.
Nothing about the transaction felt unethical.
No governance control was bypassed.
No purchasing policy was violated.
No ERP rule was broken.
No approval limit was exceeded.
No audit trail disappeared.
The transaction looked exactly like every other legitimate employee purchase.
Several weeks later another customer asked a similar favour.
Then a neighbour.
Then Sarah’s sister.
Then a colleague’s friend.
One isolated favour slowly evolved into a regular habit.
Not because Sarah intended to establish an unofficial business.
Simply because each individual request appeared entirely reasonable.
Behavioural drift rarely announces itself dramatically.
It develops through a series of individually rational decisions that gradually create an outcome nobody originally intended.
7. Every Traditional Control Continued to Operate Perfectly
This is where the case becomes particularly interesting from a governance perspective.
Most governance failures are associated with broken controls.
In this case, however, none of the traditional controls failed.
The purchasing process continued to function exactly as management had designed it.
Purchase orders remained within Sarah’s delegated purchasing authority.
Every purchase order was approved through the ERP workflow.
Approved suppliers delivered genuine products.

Goods receipts were recorded correctly.
Invoices matched purchase orders.
Payments were authorised.
Segregation of Duties remained fully operational.
The supplier master file was unchanged.
Internal Audit documentation showed no deficiencies.
Even the ERP exception reports remained remarkably quiet.
If an Internal Auditor selected twenty-five purchase orders for testing, every document would reconcile perfectly.
The working papers would conclude:
- Purchase order approved.
- Supplier authorised.
- Three-way match completed.
- Payment authorised.
- Segregation of Duties maintained.
- No exceptions noted.
From a traditional GRC perspective, the procurement process demonstrated a mature and well-controlled environment.
Yet outside the ERP system, something entirely different was happening.
Sarah’s informal customer network continued to grow.
Customers appreciated the convenience.
Sarah enjoyed helping people.
The company unknowingly financed the inventory.
The products left her house rather than the store.
The organisation had not lost control of its procurement process.
It had begun losing visibility over how organisational behaviour was changing.
That distinction is fundamental.
Governance Design remained stable.
Governance Reality was evolving.
Also read McKinsey & Company: Governance, risk, and compliance: A new lens on best practices.
GRC best practices Continuous Monitoring, Behavioural Analytics, Internal Control, Procurement Fraud, SoD Conflicts, Control Monitoring, Control Effectiveness, GRC-Cases
GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices
8. The Business Starts Asking Different Questions
Nearly five years passed.
Nobody suspected fraud.
Nobody raised concerns about procurement controls.
Internal Audit completed several routine Procure-to-Pay reviews during those years.
The conclusions remained reassuring.
The control environment appeared effective.
Meanwhile, Head Office Retail Operations completed its annual Store Performance Benchmarking and Location Valuation Exercise.
Every store was compared against a range of commercial performance indicators, including:
- customer footfall,
- demographic profile,
- average transaction value,
- gross margin,
- inventory turnover,
- product mix,
- profitability by department.
One particular location immediately attracted attention.
The store occupied a prime position in an affluent shopping district.
Comparable locations generated excellent fragrance sales and attractive gross margins.
This store did not.
Fragrance purchases from approved suppliers had steadily increased over several years.
Official fragrance sales had not.
Gross margins within the fragrance department had gradually declined.
Inventory adjustments remained only slightly above average—certainly not enough to trigger concern individually—but collectively the commercial picture no longer made sense.
Finance challenged Retail Operations.
Retail Operations challenged the Store Manager.
The Store Manager insisted that operational procedures were being followed.
Internal Audit confirmed that previous procurement reviews had identified no material control deficiencies.
Every department possessed a perfectly reasonable explanation.
Collectively, however, none of the explanations explained the commercial reality.
For senior management the question changed completely.
It was no longer:
“Are purchasing controls operating?”
Instead, it became:
“Why is one of our best locations consistently underperforming despite increasing purchases and excellent market conditions?”
That question could not be answered by another checklist.
It required understanding organisational behaviour.
9. The Special Investigation
A cross-functional investigation team was established.
Unlike a traditional audit, its objective was not to test compliance with procurement procedures.
Its objective was to understand why business performance no longer reflected the store’s apparent commercial potential.
The investigation combined expertise from Retail Operations, Finance, Loss Prevention and Internal Audit.
Initially, nothing unusual emerged.
Supplier contracts were correct.
Purchase orders were authorised.
Invoices matched.
Payments reconciled.
Segregation of Duties remained effective.
ERP access rights appeared appropriate.
The governance framework seemed almost exemplary.
Only when investigators began combining operational information with transactional data did unusual patterns start to emerge.
Almost every premium fragrance order associated with Sarah had been delivered to the same residential address.
Purchasing volumes regularly approached—but rarely exceeded—her monthly purchasing authority.
Employee discount purchases for premium fragrances were significantly higher than those of comparable employees.
Several premium product lines showed purchasing patterns that were inconsistent with official retail sales.
None of these observations constituted evidence of fraud.
Individually they could all be explained.
Collectively they described a behavioural pattern that nobody had previously considered.
The investigation gradually uncovered what management had never intended to create.
A boutique operating quietly alongside the official boutique.
Not hidden within the ERP system.
Hidden within perfectly legitimate organisational behaviour.
10. Why Traditional GRC Never Saw It
Many readers may ask an obvious question.
Why did Internal Audit not discover this years earlier?
The answer is surprisingly straightforward.
Because Internal Audit was performing precisely the work it had been asked to perform.
Traditional GRC is designed to determine whether governance controls are operating effectively.
It evaluates whether purchase orders were properly approved.
Whether Segregation of Duties has been respected.
Whether invoices were matched correctly.
Whether payments were authorised appropriately.
Whether policies were followed.
Those questions remain essential.
But they are not the only governance questions that matter.
Traditional GRC rarely asks whether thousands of individually compliant transactions together describe behaviour that no longer reflects management’s original intentions.
It validates governance design.
It does not continuously evaluate governance reality.
That distinction is exactly where Governance Control Navigator (GCN) introduces additional value.
Rather than examining transactions in isolation, GCN continuously analyses behavioural patterns across operational, financial and governance data.
It asks questions that traditional control testing seldom considers.
Why are premium fragrances consistently delivered to a residential address?
Why do purchasing patterns remain close to delegated authority limits month after month?
Why does purchasing growth diverge from official retail sales?
Why does one location consistently underperform comparable stores despite favourable commercial conditions?
None of these questions challenges the effectiveness of traditional GRC.
Instead, they complement it.
They recognise that organisations rarely lose control because one purchase order was approved incorrectly.
They lose control because thousands of individually correct decisions gradually create an organisational reality that nobody intended.
Also read this message on LinkedIn: GRC’s Hidden Pitfalls: The Top IT Governance Issues Everyone Ignores.
At this point it is important to clarify what Governance Control Navigator (GCN) is—and what it is not.
GCN is not another GRC platform.
It is not another compliance framework.
It is not a replacement for COSO, the Three Lines Model, ISO standards or existing ERP controls.
Nor is it intended to replace Internal Audit.
Instead, GCN complements traditional GRC by asking a different governance question.
Traditional GRC asks:
“Are our controls operating as designed?”
Governance Control Navigator asks:
“Does actual organisational behaviour still reflect the governance design approved by management?”
That difference may appear semantic.
In reality, it fundamentally changes how governance information is interpreted.
Traditional GRC examines individual controls.
GCN examines behavioural patterns.
Traditional GRC validates compliance.
GCN evaluates organisational alignment.
Traditional GRC periodically tests transactions.
GCN continuously analyses governance reality.
Returning to Sarah’s case, GCN would never have concluded that fraud had occurred simply because products were delivered to a residential address.
That would have been both irresponsible and technically incorrect.
Instead, GCN would have recognised that several independent indicators were gradually moving away from expected organisational behaviour.
Examples include:
- Premium fragrances consistently delivered to a residential address.
- Purchasing volumes repeatedly approaching delegated authority limits.
- Employee discount purchases significantly exceeding peer averages.
- Store purchasing increasing while official fragrance turnover remained flat.
- Gross margins gradually declining compared with comparable locations.
- Inventory adjustments consistently above the chain average.
- Purchasing behaviour becoming increasingly concentrated within one individual.
Each observation viewed separately is perfectly explainable.
Taken together they describe a behavioural pattern that deserves management attention.
Importantly, GCN does not generate accusations.
It generates governance questions.
Those questions enable management to investigate, understand and, where necessary, intervene before relatively small behavioural changes develop into significant organisational problems.
Read more on GCN – Governance Control Navigator in its pilot phase.
GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices
12. Continuous Monitoring Means Continuous Improvement
One of the most common misconceptions surrounding continuous monitoring is that it creates a culture of surveillance.
Employees often imagine software continuously searching for mistakes or attempting to identify individuals who have done something wrong.
That perception misunderstands the purpose of governance.
Good governance is not about catching people.
Good governance is about helping organisations make better decisions.
The same principle has transformed manufacturing.
Modern production facilities do not wait until the end of the production line to inspect quality.
Quality is monitored throughout the manufacturing process.
Small deviations are identified immediately.
Processes are adjusted before defective products reach customers.
Nobody interprets this as surveillance.
It is recognised as continuous quality improvement.
Governance should operate in exactly the same way.
Suppose GCN had generated an alert during Sarah’s first year.
The alert might simply have stated:
“Residential delivery patterns for premium fragrance purchases differ from normal organisational behaviour. Management review recommended.”
The conversation that follows would probably have been entirely constructive.
Sarah explains why deliveries are made to her home.
Management evaluates whether this remains an appropriate logistical arrangement.
Alternative delivery arrangements are considered.
If the arrangement is justified, management formally documents the decision, defines responsibilities, specifies review dates and authorises the exception.
If the arrangement creates unnecessary governance risk, it can be changed immediately.
No disciplinary investigation.
No financial losses.
No reputational damage.
No five-year special investigation.
The value of continuous monitoring therefore lies far less in identifying non-compliance than in supporting continuous organisational improvement.
It transforms governance into an ongoing management process rather than a retrospective compliance exercise.
This is why Governance Control Navigator should never be viewed as a surveillance mechanism.
It is fundamentally a continuous improvement mechanism.
13. From Governance Design to Governance Reality
The Sarah case illustrates a broader governance principle.
Every organisation operates within at least two realities.
The first is Governance Design.
This consists of policies, procedures, approval matrices, ERP workflows, Segregation of Duties, internal controls and governance frameworks approved by the Board.
It represents how management intends the organisation to operate.
The second is Governance Reality.
This reflects how people actually work.
Business priorities change.
Operational pressures emerge.
Vacancies remain open.
Employees develop practical workarounds.
Managers balance customer expectations with internal procedures.
Organisational behaviour continuously adapts.
Neither reality is inherently right or wrong.
Indeed, organisations require both.
Governance Design provides structure.
Governance Reality provides flexibility.
The governance challenge arises when these realities gradually drift apart without anyone recognising the divergence.
Traditional GRC excels at evaluating Governance Design.
GCN focuses on measuring the alignment between Governance Design and Governance Reality.
The objective is not to eliminate flexibility.
Quite the opposite.
Successful organisations need flexibility to respond to changing business conditions.
However, flexibility should remain visible, transparent, appropriately documented and formally authorised.
When practical workarounds become invisible, governance gradually becomes dependent upon individual judgement rather than organisational oversight.
That is precisely what happened in Sarah’s case.
No individual transaction created the problem.
The accumulation of thousands of individually correct decisions slowly created an organisational reality that no longer reflected management’s original intentions.
GCN seeks to identify precisely those moments where organisational behaviour begins to drift away from governance design.
For many years organisations have invested heavily in improving Governance, Risk & Compliance.
Those investments have been worthwhile.
Modern governance frameworks are stronger than ever.
ERP systems contain sophisticated preventive controls.
Internal Audit provides valuable independent assurance.
Compliance functions continue to strengthen organisational accountability.
None of that changes.
What does change is the business environment in which these governance frameworks operate.
Organisations are becoming more dynamic.
Artificial Intelligence is accelerating decision-making.
Hybrid working has altered operational behaviour.
Supply chains are increasingly complex.
Labour shortages require temporary organisational solutions.
Business realities evolve continuously.
Governance must evolve accordingly.
The future of governance is therefore unlikely to be characterised by more policies, more controls or more audit testing alone.
It will increasingly depend upon understanding how organisations actually behave.
That requires moving beyond individual transactions towards continuous analysis of organisational patterns.
It requires connecting financial performance, operational behaviour and governance information into a coherent picture.
It requires recognising behavioural drift while it remains small enough to correct.
Most importantly, it requires governance to become an active management capability rather than a retrospective reporting process.
This is the role of Governance Control Navigator.
Not to replace Governance, Risk & Compliance.
But to complement it.
Traditional GRC remains indispensable because it tells management whether governance controls have been designed appropriately and whether they continue to operate effectively.
Governance Control Navigator adds a new capability.
It continuously evaluates whether organisational behaviour still reflects those controls and provides management with timely insight to navigate back towards the intended governance design whenever reality begins to drift.
Because organisations rarely fail overnight.
They fail gradually.
One practical decision.
One temporary exception.
One trusted employee.
One operational shortcut.
Individually, none appears significant.
Collectively, they can fundamentally reshape organisational behaviour.
The role of governance is therefore not merely to discover where the organisation has been.
It is to understand where the organisation is today—and to help management navigate confidently towards where it intends to go tomorrow.

GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices GRC best practices