Every serious corporate failure of the past two decades has been examined, in retrospect, by people who found the frameworks in good order. The risk register existed. The policy was current. The audit had been passed, the certificate hung in reception, and the board had received its quarterly pack on schedule. Governance, risk, and compliance has been among the fastest-growing functions in Australian organisations across that same period—more budget, more headcount, more board attention than at almost any point in corporate history—and it is almost never found to have been absent at the moment things went wrong. It was present. It simply did not work.
In this episode of On the Subject of Leadership, I speak with William Domanski—a Fellow of the Institute of Strategic Risk Management, chair of its Australia and New Zealand Young Professionals Committee, and a practitioner who has spent his career at the point where the framework meets the floor. He designed the enterprise risk framework for Standards Australia, the country's peak standards body—which is to say he did risk work for the organisation that publishes risk standards, a position with an almost laboratory quality to it. Before that he built the compliance programme at Mitsubishi Electric across data privacy, export control, modern slavery, and competition law, and ran compliance across Australia and New Zealand for Smiths Detection, whose radiation and threat-detection equipment sits in the ports, borders, and aviation hubs the rest of us pass through without thinking. He now consults, teaches, and writes. His public position is unusually direct for his discipline: that GRC is not a defensive overhead but a collection of capabilities that simultaneously produces value and protects it.
I put the sceptical case to him early and often. He did not retreat into vocabulary, which is rarer than it should be.
What follows are the ideas from the conversation I have continued to turn over since.
The Standard Cannot Interpret Itself
The most intellectually interesting thing William said, he said almost as an aside, and I suspect he did not realise he was standing on a philosophical landmine. Asked whether the guidance-only character of the risk standards was a strength or a weakness, he offered that the standards—ISO 31000, the COSO framework, the OCEG capability model—are all useful in their own right, but that they share an ultimate vulnerability: they are susceptible to interpretation. Two practitioners can read the same requirement, arrive at defensible but contradictory applications, and both hold certificates attesting to their conformance.
Ludwig Wittgenstein (1889–1951) devoted the central passages of his Philosophical Investigations, published posthumously in 1953, to precisely this problem. His rule-following considerations arrive at a conclusion that ought to be read once a year by everyone who drafts a policy, standard, or governance framework: no course of action can be determined by a rule, because any course of action can be made out to accord with the rule. The rule does not contain its own application. It cannot reach out and grip the world. What settles how a rule is applied is not the rule but the practice—the shared training, the customs, the agreed forms of life of the people who use it. Meaning, on this account, is use.
Which means the interpretation problem William identifies is not a defect in ISO's drafting that a better committee could fix. It is a structural feature of rules as such. This has been demonstrated empirically as well as philosophically: Stefan Timmermans and Steven Epstein, in their 2010 review of the sociology of standardisation, concluded that standards do not eliminate variation so much as relocate it—producing, in their phrase, a world of standards but not a standard world.
William's own illustration was the conformity assessment bodies, the accredited auditors who certify conformance. Some, he observed, came up through implementation and retain a taste for documented procedures and work instructions; others accept a process diagram and a record. Yet an organisation's certification depends materially on which auditor walks through the door. The certificate does not attest to a fact about the organisation. It attests to an encounter between an organisation and an interpreter.
Michael Power named the consequence in 1997: the audit society, in which verification becomes ritual—an activity that produces comfort more reliably than it produces knowledge, and whose expansion is driven by the failure of the previous round of verification to prevent the thing it was meant to prevent. The remedy for a failed audit is always a further audit. I asked William whether the discipline would be healthier if its standards were certifiable rather than advisory. On the evidence he supplied, the honest answer is that certification would simply move the interpretive problem into a new office and give it a stamp.
What Integrity Is Being Asked to Carry
Confronted with the gap between the framework and the outcome, William reached—repeatedly, and with evident conviction—for integrity. There should be no shortcutting it. Just because a path is easy does not make it right. The GRC function, in his formulation, produces and protects value while acting with integrity, and the third clause is not decorative.
I want to take this seriously, and then press on it, because both operations are necessary.
Taking it seriously first. Alasdair MacIntyre (1929–2025) argued in After Virtue (1981) that every genuine practice generates goods internal to it—goods that can only be obtained by pursuing the practice well, on its own terms—and that practices are always housed in institutions preoccupied with external goods: money, status, survival. The institution sustains the practice and simultaneously corrupts it, and what holds the line is the virtue of the practitioners. On MacIntyre's account, virtue is not a supplement to good institutional design; it is the only thing that prevents good institutional design from being hollowed out by the institution it serves. William's insistence that integrity is load-bearing rather than ornamental is, in this light, not sentimentality. It is the correct diagnosis.
Now the pressure. A discipline that explains its failures by appealing to the virtue of its practitioners has conceded something significant about its instruments. If the standard cannot interpret itself, and the certificate attests only to an encounter with an auditor, and the difference between value and paperwork is finally the integrity of the people involved—then what, precisely, is the framework adding? The uncomfortable possibility is that GRC's machinery works well in exactly those organisations that would have behaved well without it, and fails in exactly those that need it. Every profession that reaches for character as its residual explanation should ask whether it has just described itself out of a job.
William would resist that conclusion, and he has a serious answer: the framework's value lies in making the trade-offs visible, so that integrity has something to act upon. I think that is right, and I think it is a much narrower claim than the one the industry usually makes.
Two More Lines
The three lines model—operational management owns risk, a risk and compliance function oversees it, audit assures it—is the closest thing the discipline has to settled doctrine. William's amendment was the structural idea of the conversation. Three lines of defence, he argued, are not enough. There are two further lines, and they are lines of accountability rather than defence: executive management, and the board. Risk intelligence, in his account, is passed up the chain like a parcel, and the failure mode is that the last two players receive it without ever being required to do anything with it. Boards and executives, he said, must be active contributors to the decision, not informed participants along the way.
That distinction—contributor versus participant—is doing a great deal of work, and it lands on a problem with a formal name. Dennis Thompson described it in 1980 as the problem of many hands: where many actors contribute to an outcome through a chain of individually defensible steps, moral responsibility for the outcome attaches to nobody. Every hand was clean. Every process was followed.
The three lines model, viewed unsympathetically, is a machine for manufacturing many hands. It distributes risk work across three functions, each with a bounded remit, each able to point to the discharge of its duty. William's two additional lines are an attempt to terminate the chain in a body that cannot pass the parcel any further. Whether a board can be made to hold it is, I suspect, the open question of contemporary governance—and I note that Thompson's own remedy was not better process but the designation of specific individuals who could be named afterwards.
Performance, in the Theatrical Sense
I put to William the observation that the reports reaching board risk committees are frequently reassurance dressed as intelligence—that the traffic light which is honestly amber gets recorded as green, because nobody wishes to explain amber to a director. He agreed, and then took the diagnosis somewhere I had not anticipated. The problem, he argued, begins with the recording apparatus itself. Meetings are transcribed. Transcripts are discoverable. Participants therefore choreograph—his word—their contributions, sanitising them into a form that will survive later reading. The record intended to produce accountability instead produces performance.
Chris Argyris (1923–2013) mapped the mechanism in 1976 with his distinction between espoused theory and theory-in-use. Organisations espouse candour and operate on a governing logic of unilateral control and face-saving; the resulting defensive routines are, in his devastating formulation, undiscussable, and their undiscussability is itself undiscussable. The risk report that is green because green is easier to present is not a failure of individual courage. It is a competent response to a system that punishes amber.
Donald Campbell (1916–1996) supplied the corollary in 1979: the more any quantitative indicator is used for social decision-making, the more it will be subject to corruption pressures, and the more apt it will be to distort the processes it is meant to monitor. A risk register that determines careers stops being a description of risk and becomes an artefact of career management.
William's remedy is worth recording because it is unfashionably concrete: the red flag in a risk committee is not a difficult question. It is the absence of one. If the committee receives the pack and asks nothing, the pack has told them nothing they needed to hear.
Never Use the Machine to Check the Machine
We arrived, inevitably, at artificial intelligence, and William drew a line I have not heard drawn so cleanly. The tool retrieves; the human judges. A large language model is not the chief risk officer—it is what you use before you go and see the chief risk officer, so that the five exchanges you would have needed become two. The moment it makes the judgement rather than helping people to prepare for it, the function has been hollowed out while appearing fully staffed.
The sharper worry he raised concerns bias, and it is not the one usually aired. The danger is not that the model is biased. It is that the prompt is—that a practitioner, without any conscious intent to deceive, constructs a query whose framing produces the output they were hoping for, and then tables that output in a room which receives it as objective. Peter Wason (1924–2003) demonstrated in 1960 that people test hypotheses by seeking confirming instances rather than disconfirming ones; the language model is the most accommodating confirmation engine ever built, and it will seldom volunteer the falsifying case you declined to ask for. William's operational rule follows directly, and I commend it to every risk function in the country: never use AI to verify AI. Take the output to a person, sit in a room with them, and make them ask you where you got it.
The Slow Burn
Which brings us to the paper he has co-authored with Paul Vorbach on the strategic implications of healthy ageing populations, and to his claim that this is the most immediate silent crisis of the century.
The technical argument is more interesting than the headline. The data exist—decades of it, across every jurisdiction—but the methodologies differ so profoundly between jurisdictions that the findings cannot be compared, correlated, or ranked. One country's research says dementia; another's says cardiac disease; another's says workforce collapse. Absent a common framework, there is no way to establish the risk event chain, and so there is no basis on which any government can be told what to do first. He reached, memorably, for renormalisation—the physicist's practice of adjusting parameters that are not quite real in order to make the equations behave—as a description of what happens when you force incompatible data into comparison. You get an answer. You do not get a result.
Ulrich Beck (1944–2015) argued in 1986 that modernity's characteristic risks are precisely those that escape perception: latent, deferred, statistically distributed, and knowable only through the very expert systems whose disagreements then become the political battlefield. That is the ageing transition exactly. And Elke Weber explained in 2006 why the demographic data have not moved anyone: risks apprehended through description rather than experience fail to recruit the emotional response that drives action, and there is only a finite pool of worry available to spend. Inflation is felt. Interest rates are felt. A dependency ratio in 2045 is read.
William's conclusion and mine converged. The condition under which organisations and governments act on a risk is not its magnitude but its proximity—whether it is affecting me, now, or someone close to me. Everything that fails that test gets pushed down the rungs. It is the same failure that has governed the climate response, and it will govern this one, and the discipline that calls itself risk intelligence has so far proved no better at overriding it than the rest of us.
If you sit on a risk or audit committee and cannot remember the last time a pack surprised you; if you have ever certified conformance to a standard you privately doubt changed anything; or if you would like to hear an unusually candid practitioner explain why his own instruments are weaker than his profession claims, this is a conversation worth your full attention.
Good night, and good luck.