Your GRC Tool Won't Save You
Star Entertainment had compliance teams, risk committees, and audit functions. The court still found governance dysfunctional. Having governance infrastructure is not the same as proving governance happened.
The GRC Assumption
Most institutions have invested heavily in GRC infrastructure. Risk registers are maintained. Compliance checklists are completed quarterly. Policy libraries are versioned, attested, and reviewed on schedule. Audit committees meet regularly. Internal audit functions produce reports. External auditors sign off. The dashboards are green.
This creates a powerful institutional assumption: we are well-governed because we are well-tooled. The board sees the reports. The regulators see the attestations. The auditors see the evidence. Everyone concludes that governance is functioning.
The assumption is wrong, and ASIC v Bekier proved it. Star Entertainment Group had every GRC artefact a modern institution is expected to have — risk committees, compliance teams, audit functions, board oversight structures. The Federal Court of Australia did not find these absent. It found them insufficient. The institution was comprehensively tooled for compliance and comprehensively failing at governance.
The distinction matters because it is not a gap that can be closed by buying more software or hiring more compliance staff. The failure is architectural. GRC tools are designed to document governance intent — what the institution says it will do, what policies exist, what risks have been identified. They are not designed to prove governance execution — that decisions were actually made within authority boundaries, that constraints were actually checked at the moment of action, that human judgment was actually exercised when it needed to be.
GRC tools vs governance infrastructure
GRC tools:
- ✗ Document governance intent
- ✗ Quarterly risk register updates
- ✗ Policies in SharePoint
- ✗ Post-hoc audit reconstruction
- ✗ Compliance checklists
Governance infrastructure:
- ✓ Prove governance execution
- ✓ Real-time constraint enforcement
- ✓ Policies enforced at point of action
- ✓ Contemporaneous evidence production
- ✓ Active monitoring with governance traces
What ASIC v Bekier Actually Asked
The Federal Court's approach in ASIC v Bekier can be distilled to three questions that every director should find unsettling:
Who was responsible for the decision? Not who was on the committee. Not who had the title. Who actually exercised judgment at the moment the decision was made? The court required evidence of personal engagement — not delegation to a team, not reliance on a process, but identifiable human judgment traceable to a specific individual.
What did they know when they decided? Not what information was theoretically available. Not what reports had been circulated. What information had actually been surfaced to the decision-maker, and can you prove they had it at the time? The court drew a sharp distinction between information that existed somewhere in the organisation and information that was demonstrably in front of the person who decided.
What action did they take in response? Not what the policy said they should do. Not what the risk framework recommended. What did they actually do, and when did they do it? The court examined the temporal relationship between information and action — not whether the right action was eventually taken, but whether it was taken with appropriate urgency given what was known.
These three questions are devastating to the GRC model because GRC tools are not designed to answer them. A risk register can show that a risk was identified. It cannot show that a specific director personally assessed that risk at a specific moment. A compliance checklist can show that a policy was attested. It cannot show that the attestor understood its implications for the decision they were about to make.
Why Documentation Is Not Evidence
There is a fundamental difference between documentation and evidence that the GRC industry has systematically obscured.
Documentation says: "Here is our policy on X." Evidence says: "At 14:32 on Tuesday, this person checked this constraint before making this decision, and the system recorded the check automatically."
Documentation says: "Our risk register identifies Y as a key risk." Evidence says: "When risk Y materialised at this specific moment, this person was alerted, reviewed the available information, and took this specific action within this timeframe."
Documentation says: "Our delegation schedule assigns authority to Z." Evidence says: "When this decision was made, the system verified that the decision-maker had the required authority, checked it against active constraints, and recorded the verification — all before the decision took effect."
The distinction is not pedantic. It is the difference between governance theatre and governance infrastructure. Governance theatre produces artefacts that look like governance is happening. Governance infrastructure produces records that prove governance happened — automatically, contemporaneously, and at the granularity courts and regulators now require.
Star Entertainment had documentation. Extensive documentation. What it could not produce was evidence — contemporaneous records showing that governance was active at the moments that mattered. The documentation existed in a different temporal dimension from the decisions. Policies were written before. Reviews happened after. At the moment of the decision itself, governance was absent from the record.
The Active Monitoring Standard
ASIC v Bekier established what can only be described as an active monitoring standard for corporate governance. The court did not accept passive structures — committees that meet quarterly, reports that circulate monthly, reviews that happen annually — as sufficient evidence of governance. It required evidence that directors were actively guiding and monitoring the institution's operations.
This is a higher standard than most boards currently meet, and it is a standard that GRC tools are structurally incapable of satisfying. A quarterly risk review is not active monitoring. A monthly compliance report is not active monitoring. An annual board strategy day is not active monitoring. These are periodic sampling — governance by interval rather than governance by integration.
Active monitoring means that governance operates continuously, not periodically. It means that when a consequential decision is made, there is a real-time record of the governance that surrounded it. It means that when a risk materialises, there is evidence that the responsible director was informed and responded — not in the next quarterly review, but at the time.
The practical implication is stark. Organisations that rely on periodic governance structures are accumulating governance gaps between review cycles. In those gaps, decisions are made without governance traces, risks materialise without governance responses, and authority boundaries are crossed without governance checks. The longer the interval between reviews, the larger the gap. And it is in these gaps that the failures occur — the failures that courts and regulators will eventually examine.
Governance Telemetry — Live product preview
Every trace answers the three questions a court reconstructs: who was responsible, what they knew, what they did. Standard: ASIC v Bekier [2026] FCA 196.
What Governance Telemetry Means
The concept of governance telemetry emerges directly from the Bekier standard. Engineering organisations are familiar with operational telemetry — the continuous stream of metrics, logs, and traces that allow them to monitor system behaviour in real time. Governance telemetry applies the same principle to institutional decision-making.
Operational telemetry tells you what the system did. Governance telemetry tells you who decided, on what basis, and with what authority. Every consequential action — whether taken by a human or an AI agent — produces a governance trace at the moment it occurs. Not after the meeting. Not in the next report. At the moment.
This is not surveillance. It is the institutional equivalent of an aircraft's flight data recorder. The flight data recorder does not tell pilots how to fly. It records what happened so that when something goes wrong — or when a regulator asks — there is an authoritative, contemporaneous, tamper-evident record of the sequence of events. Governance telemetry serves the same function for institutional decisions.
The components are specific: who made or authorised the decision (traceable to an identifiable human, even when the action was taken by an automated system), what they knew at the time (what information was surfaced, what constraints were checked), what they decided (the specific action taken and its basis), and when each of these occurred (timestamps that establish the temporal sequence courts require). This is the evidence layer that ASIC v Bekier demands, and it is the evidence layer that no GRC tool produces.
From Governance Theatre to Governance Infrastructure
The transition from GRC-dependent governance to governance infrastructure requires organisations to confront an uncomfortable truth: much of what they call governance is actually governance theatre — activities that create the appearance of governance without producing the evidence that governance occurred.
Board meetings that approve pre-decided outcomes are governance theatre. Risk committees that review registers without the authority to block actions are governance theatre. Compliance attestations that no one reads are governance theatre. Policy libraries that no system enforces are governance theatre. All produce documentation. None produce evidence.
Governance infrastructure is different in kind, not degree. It operates at the system layer, not the process layer. When a decision is made, the infrastructure checks it against active constraints — automatically, before the decision takes effect. When authority is delegated, the infrastructure enforces the boundaries — not through training or awareness, but through system logic that prevents boundary violations. When information needs to reach a decision-maker, the infrastructure surfaces it — and records that it was surfaced, creating the evidence trail the Bekier standard requires.
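The trace components described earlier (who, what they knew, what they did, when) and the check-before-effect behaviour can be modelled as a hash-chained log entry written before the action proceeds. This is an added example, not code from this page or the product it describes; the `DELEGATIONS` schedule, the names in it, and the field names are constructed assumptions.

```python
import hashlib, json
from datetime import datetime, timezone

# Constructed delegation schedule: person -> approval limit (hypothetical values).
DELEGATIONS = {"j.chen": 50_000, "a.patel": 500_000}

class TraceLog:
    """Append-only, hash-chained log: each entry commits to the one before it."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, body):
        body = dict(body, prev=self.entries[-1]["hash"] if self.entries else "0" * 64)
        self.entries.append(dict(body, hash=self._digest(body)))
        return self.entries[-1]

    def verify(self):
        """Return the index of the first entry failing the chain check, or -1 if intact."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

def decide(log, actor, action, amount, surfaced, now=None):
    """Check authority, record the trace, and only then let the action proceed."""
    limit = DELEGATIONS.get(actor, 0)      # unknown actors hold no authority
    allowed = amount <= limit
    log.append({
        "who": actor,                      # identifiable human accountable for the decision
        "knew": sorted(surfaced),          # information surfaced before deciding
        "did": action, "amount": amount,   # the specific action requested
        "authority_limit": limit, "allowed": allowed,
        "when": (now or datetime.now(timezone.utc)).isoformat(),
    })
    return allowed                         # caller executes the action only if True
```

Denied attempts are recorded as well as permitted ones, so the log shows boundary checks that blocked an action. A hash chain makes edits detectable only while the latest hash is held somewhere the log's writer cannot rewrite it; that anchoring is outside this example.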
The regulatory trajectory is clear. The EU AI Act requires human oversight of high-risk AI systems. The FCA's Senior Managers Regime requires individual accountability for decision domains. The SEC's cyber rules require evidence of board engagement with cybersecurity governance. The EU DORA regulation requires evidence of ICT governance. Every major regulatory framework is converging on the same requirement: prove that governance was active at the moment of action.
GRC tools were built for the old standard: prove that governance structures exist. Governance infrastructure is built for the new standard: prove that governance happened. The institutions that recognise this distinction early will be the ones that survive the regulatory environment that ASIC v Bekier has inaugurated.