Control Fatigue: When Too Much Governance Becomes a Risk in Itself

Executive Summary

Over the past decade, organisations have responded to rising regulatory expectations by adding controls, frameworks, policies and reporting layers across risk, compliance and assurance functions.

The intention is sound: strengthen oversight and reduce exposure.

But an unintended consequence is emerging across many institutions: control fatigue.

When governance becomes overly dense, it can reduce clarity, slow decision-making, fragment accountability and create the illusion of assurance without improving real risk visibility.

Three dynamics are increasingly visible inside large organisations:

  • Control proliferation: overlapping frameworks across resilience, cyber, third-party risk, ESG, AI governance and conduct risk.
  • Reporting saturation: escalating volumes of dashboards and assurance artefacts that obscure rather than illuminate material risks.
  • Human disengagement: employees navigating governance processes defensively rather than thoughtfully.

For boards, the challenge is not simply strengthening control environments. It is ensuring that governance structures remain intelligible, effective and proportionate.

The key question is no longer whether enough controls exist.

It is whether the organisation can still see risk clearly through them.

Control Fatigue: When Too Much Governance Becomes a Risk in Itself

For most of the past fifteen years, the direction of governance has been straightforward.

When something fails, add more oversight.

After the global financial crisis, there came stronger capital supervision, conduct regulation and model risk governance.

  • Cyber escalation triggered new security frameworks.
  • Operational disruptions brought resilience regulation.
  • Supply chain fragility drove third-party risk management.
  • Artificial intelligence is now prompting entirely new governance regimes.

Each development is understandable. Each responds to real vulnerabilities.

Yet across many organisations, particularly those operating in heavily regulated sectors, something quieter has begun to emerge beneath the surface of these reforms.

Governance itself is becoming harder to navigate.

Not because controls are weak, but because there are too many of them.

The gradual accumulation of governance

Governance rarely becomes dense overnight.

It accumulates incrementally.

A regulatory expectation introduces a new control framework. A past incident prompts additional sign-offs. A new reporting requirement leads to an additional dashboard. Internal audit findings generate remediation plans that embed new procedures.

Over time, layers of oversight are added to the organisation like sediment.

Individually, each layer is defensible. Collectively, they can produce something more problematic: an environment where the architecture of control becomes difficult to understand.

Employees may spend increasing portions of their time producing documentation, completing attestations and navigating approval processes. Risk committees receive thicker packs. Control frameworks multiply. Assurance functions expand their scope.

But the question worth asking is not whether governance activity has increased.

It is whether risk visibility has improved at the same rate.

The Financial Reporting Council emphasised that effective governance requires clarity over risk management processes and accountability structures, not simply the existence of extensive control documentation.

The distinction is subtle but important.

More governance activity does not automatically translate into better governance outcomes.

When oversight begins to obscure risk

One of the paradoxes of mature control environments is that the very mechanisms designed to illuminate risk can begin to obscure it.

When reporting expands across multiple governance domains – operational resilience, cyber, compliance monitoring, conduct risk, third-party oversight, AI governance and ESG reporting – board committees may receive an expanding volume of dashboards and assurance summaries.

Yet the underlying signal can become harder to detect.

  • Material issues may appear diluted among hundreds of control indicators.
  • Metrics designed to demonstrate compliance may dominate discussions at the expense of forward-looking risk analysis.
  • Operational teams may focus on meeting reporting requirements rather than questioning whether the controls themselves remain effective.

This is not a theoretical concern. Research from governance and risk advisory bodies increasingly notes the burden created by overlapping control frameworks and duplicative reporting obligations across regulatory domains. The Institute of Internal Auditors has warned that organisations face rising pressure to coordinate assurance activity across expanding governance responsibilities.

When oversight becomes fragmented across separate frameworks, a subtle shift occurs.

Governance begins to measure control presence rather than control effectiveness.

And that shift can weaken the very assurance boards rely on.

The human side of control fatigue

There is a clear need to recognise that control fatigue is not only structural. It is behavioural.

Employees operating within highly regulated organisations increasingly navigate environments where governance requirements intersect with nearly every decision. Documentation, attestations, policy reviews, risk assessments and approvals may accompany even routine activities.

When governance processes multiply beyond what individuals can reasonably internalise, behaviour begins to change.

Employees may follow procedures mechanically rather than thoughtfully. Risk management becomes an administrative task rather than a reflective discipline. Controls are completed because they must be completed, not because the underlying risk is being actively considered.

In extreme cases, employees begin to work around governance mechanisms simply to complete operational tasks.

This behavioural drift is rarely intentional. It emerges gradually when governance structures become too complex to operate intuitively.

Regulators have long emphasised that effective risk management depends not only on formal controls but also on organisational culture and accountability. The UK Prudential Regulation Authority has repeatedly stressed that governance frameworks must support clear decision-making and risk ownership rather than diffuse responsibility across excessive procedural layers.

When control environments grow too dense, the connection between risk ownership and operational behaviour can weaken.

And that is when governance stops shaping behaviour and starts shaping paperwork.

The illusion of assurance

Perhaps the most dangerous consequence of control proliferation is the illusion of assurance.

In organisations with mature governance structures, it is entirely possible to produce extensive evidence of oversight: policy libraries, committee minutes, assurance maps, risk registers, audit findings and remediation plans.

These artefacts can create a sense that risks are being systematically managed.

Yet governance artefacts do not necessarily demonstrate that risks are well understood or actively managed.

In complex control environments, assurance functions themselves may become fragmented. Risk teams monitor frameworks. Compliance teams oversee regulatory obligations. Internal audit provides independent assurance. Operational resilience teams conduct scenario testing. Technology functions maintain cyber governance.

Each function produces its own reports and risk assessments.

But if these perspectives remain insufficiently integrated, boards may receive multiple partial views rather than a coherent picture of risk exposure.

This challenge has been recognised in the growing emphasis on integrated assurance frameworks, which aim to coordinate oversight across risk, compliance and audit functions so that governance activity reinforces rather than duplicates itself.

The objective is not to reduce assurance. It is to ensure that assurance converges around the organisation’s most material risks.

Governance density in the regulatory era

It would be misleading to suggest that organisations have created dense governance environments purely by choice, because many of the drivers are external.

Regulators across jurisdictions have expanded expectations around operational resilience, cybersecurity, outsourcing oversight, consumer protection, climate disclosures and now artificial intelligence governance.

Each domain introduces new reporting obligations and control expectations.

For example, supervisory authorities continue to emphasise the importance of robust internal control frameworks and clear governance structures to support resilience and risk management.

In practice, organisations respond to these expectations by building additional governance layers to ensure compliance.

The difficulty arises when each regulatory domain evolves independently, creating parallel control structures that may not be fully integrated with one another.

Without deliberate simplification and alignment, governance frameworks can become sprawling architectures where responsibilities overlap and signals become diluted.

Re-balancing governance

Recognising control fatigue does not mean dismantling governance structures or reducing oversight.

The answer is not less governance.

It is clearer governance.

Boards should increasingly ask whether the organisation’s control environment still supports decision-making and risk visibility. This requires periodically stepping back from individual frameworks and examining the architecture as a whole.

  • Where do multiple frameworks address the same risk in different ways?
  • Where does reporting duplicate itself across committees?
  • Where are risk owners accountable in name but constrained by excessive procedural layers?

Simplification in this context is not a reduction in standards. It is the deliberate alignment of governance mechanisms around the organisation’s most material risks.

The aim is to ensure that control environments remain understandable, proportionate and capable of supporting real accountability.

Because when governance becomes too complex to navigate, the organisation does not become safer.

It becomes harder to see where risk actually resides.

Governance that remains intelligible

Governance frameworks are designed to create clarity.

They establish accountability, support oversight and ensure that risks are identified before they crystallise.

But like any system, they can become over-engineered.

When that happens, the organisation begins to manage governance itself rather than the risks governance was intended to address.

The institutions that navigate this challenge successfully will not necessarily be those with the largest control environments.

They will be those that ensure their governance remains intelligible.

  • Clear lines of ownership.
  • Coherent oversight structures.
  • Assurance that reinforces rather than duplicates.
  • Reporting that illuminates rather than overwhelms.

In other words, governance that helps organisations see risk more clearly, not simply prove that controls exist.

That distinction will become increasingly important as regulatory expectations continue to expand.

Because the greatest governance risk may not always be the absence of control.

Sometimes, it is the quiet accumulation of too many.
