Four risks every board fears.
Four ways to catch them before they land.

Directors are personally liable. Policies on shelves don’t protect anyone. These are the scenarios that keep risk committees up at night — and what changes when governance is enforced at the point of action, not reviewed after the fact.

01

Unauthorised public communication

Someone in your organisation publishes something — social media, press release, member newsletter — that the board didn’t approve, enters political territory, or makes claims that expose the organisation.

Today

Post goes live. Gets screenshotted.

Board finds out when a journalist calls.

Damage is done. You’re scrambling to explain why there was no approval process.

With Constellation

Before the publish action executes — HubSpot, Twitter, Mailchimp, whatever — Constellation checks it against the org’s comms constraints.

“Only approved spokespeople can publish externally.” “No political positions without board resolution.” “No member-facing comms without CEO sign-off.”

If it violates, the action is blocked before it happens. The right person is notified immediately.

Full audit trail exists showing the constraint, the violation, and who approved or denied it.

You never have to reconstruct what happened.

02

Data leaving the building

Staff member exports member data into a spreadsheet and emails it externally. Or pastes client information into ChatGPT. Or shares a report with a third party that includes personal information. You find out when the Privacy Commissioner calls.

Today

You write policies. You run training.

You hope people follow them.

You find out about breaches in the next audit — or from a journalist.

With Constellation

Constraints are encoded: “No member data shared externally without privacy officer approval.” “No personal data entered into third-party AI tools.”

For integrated systems — CRM exports, email platforms, AI assistants — the governance gate checks every action before it executes. Bulk export from your member database? Checked. Client notes pasted into ChatGPT? Blocked.

The staff member tries to share, the system checks the constraint, and the privacy officer is notified in real time. No handbook required.

The board never has to explain why they didn’t have controls in place — because they did, and they can prove it.

03

Spend above delegation

Someone commits expenditure above their authority. A department head signs a $50K contract that needed CEO or board approval. Or worse — a pattern of small transactions designed to stay under the threshold. You discover it at year-end audit.

Today

Delegation authorities exist in a policy document.

Compliance depends on people reading and following the document.

Nobody checks until after the money is spent.

With Constellation

Delegation authorities are encoded as constraints with dollar thresholds and role-based permissions.

Any financial commitment is checked against the person’s authority envelope before it executes.

Over-threshold spend is blocked and routed to the appropriate approver immediately.

Every approval and escalation is logged.

Auditors don’t have to reconstruct the decision chain — it’s already there.

04

Compliance drift

The organisation has 40 pieces of legislation, 12 funding agreements, and a stack of regulatory obligations. Nobody is actively monitoring day-to-day operations against all of them. You’re compliant on paper. In practice, you’ve drifted. You find out when the regulator audits.

Today

Compliance lives in annual attestations and committee reports.

Three months of activity gets reviewed in a two-hour meeting.

Directors sign off on things they can’t practically verify.

With Constellation

Regulatory obligations and funding conditions are encoded as constraints.

Every relevant action — grants, reporting, procurement, communications — is checked continuously against these rules.

Drift is detected in real time, not 12 months later.

The board can demonstrate, at any point, that a live governance system was monitoring compliance and flagging issues as they arose.

That’s the difference between “we had a policy” and “we had a system.”

05

See it in action

This is what a single day looks like when governance runs at the point of action. Watch events appear as they would in real time — pass, blocked, or escalated — all checked automatically.

Governance feed — simulated day

Monitoring…

Waiting for events…

06

What the board actually receives

Instead of a self-assessed attestation and 200 pages of committee minutes, the board gets a governance summary backed by real data.

Governance Summary Report

Q3 2025 — 1 July to 30 September

Auto-generated

247

Actions checked

14

Violations blocked

9

Escalations resolved

100%

Resolution rate

Activity by domain

Finance

82

5 blocked

Communications

64

6 blocked

Data & Privacy

48

3 blocked

Procurement

31

Grants

22

Notable events

12 Aug

Social media post blocked — political content without board resolution

23 Aug

Member data export blocked — missing privacy officer approval

5 Sep

$48K vendor contract escalated to CEO — approved in 12 minutes

19 Sep

Compliance constraint added: ACNC reporting obligations encoded

Board attestation basis: 247 governance checks executed, 14 violations prevented before execution, 9 escalations resolved within authority. All actions logged with full audit trail.

Generated automatically by Constellation. No manual compilation required.

The committee meeting goes from “reviewing what happened” to “deciding what to do next”. The data is already there. The board attests based on evidence, not memory.

07

This is running right now

These are real numbers from institutions using Constellation today. Every check, every violation, every escalation — live from the platform.

08

The pattern underneath

Every one of these scenarios has the same structure: rules exist on paper, compliance depends on human memory, and the board finds out after the damage is done.

Constellation changes the architecture. Rules become constraints. Constraints are checked at the moment of action. Violations are caught before they execute. Everything is logged automatically.

The board doesn’t need to govern differently. They need a system that makes their existing governance actually enforceable.

Live governance infrastructure that enforces your existing rules at the point of action, so the board never has to explain why the controls didn’t catch something.

See where your governance stands

Take the governance health check to identify which of these risks you’re exposed to today. Then see the full business case.

Take the health checkThe business case →Talk to us →