2026/04/13
From Awareness to Execution: ASUS’s Practical Approach to Risk Governance
In today’s environment of geopolitical uncertainty, rapid technological change, and increasingly complex supply chains, organizations widely recognize the importance of governance, risk, and compliance (GRC).
However, recent reports from McKinsey (Governance, Risk, and Compliance: A New Lens on Best Practices) and KPMG (2025 Risk and Resilience Survey) show a consistent challenge: most companies are aware of the importance of risk governance, but still find it challenging to translate that awareness into execution.
These studies highlight gaps in several key areas—governance structures, cross-functional integration, executive mandate, cultural alignment, and technology enablement. Together, these gaps limit an organization’s ability to build true resilience. At the core of the issue is a timing mismatch between cost and benefit.
Investments in risk management, such as people, systems, and process design, are immediate and visible, and require real organizational resources. However, the benefits often take the form of “avoided losses,” which are not captured in accounting statements and are difficult to reflect in financial reports or performance metrics.
Under pressure to deliver near-term operational performance and shareholder returns, executives tend to allocate resources to initiatives with visible, short-term payoffs, while resilience-building is often deprioritized. This tension between short-termism and the long-term nature of risk governance is the core challenge behind the difficulty in execution.
Four Key Challenges
1. Fragmented Governance and Limited Institutional Depth
Many organizations have basic risk management frameworks in place, but lack repeatable and measurable governance practices. As a result, they remain in a transitional stage—structured, but not fully implemented.
The primary cause lies in traditional decentralized governance structures, where business units, risk control, and audit functions are separated across layers. In highly dynamic risk environments, this often leads each line of defense to operate independently, slowing information flow and making it difficult to form a unified decision-making framework.
When cross-domain risks interact, organizations often fail to detect and respond in time. In contrast, companies with centralized or coordinated governance structures can respond more quickly and make more effective decisions—making integrated governance a key indicator of resilience.
2. Limited Authority and Weak Strategic Influence
In many organizations, risk leaders hold relatively low positions in the hierarchy, which limits their ability to influence strategic decision-making. When risk management is not closely linked to corporate strategy, it becomes a compliance obligation rather than a basis for forward-looking decisions. KPMG’s survey also shows that while senior executives may oversee risk-related areas, responsibilities are often fragmented, leading to inconsistent decision authority. This not only slows risk governance but also makes it difficult to build a long-term risk perspective and remain competitive in the face of external disruptions.
3. Compensation Systems Misaligned with Risk Governance
Organizational culture is reflected in incentive structures. McKinsey’s analysis shows that many companies have yet to incorporate ethics, integrity, and risk governance performance into executive compensation. As a result, there is often a misalignment between organizational culture and governance objectives.
When incentives focus primarily on short-term performance, risk and compliance are often treated as secondary priorities rather than part of corporate value. To build a sustainable culture of ethical and responsible governance, organizations need to reflect the importance of risk governance in compensation systems—aligning values with actions.
4. Gaps in Technology Enablement Limiting Forward-Looking Capabilities
Technological enablement remains a shared challenge globally. Many organizations lack integrated risk data systems, AI analytics tools, and automation capabilities.
Both McKinsey and KPMG note that many organizations still rely on manual data consolidation rather than real-time data, scenario simulation, or automated reporting for early risk assessment. As risks become more complex and fast-changing, the lack of technological support limits proactive monitoring and slows response times. To strengthen risk identification and early warning capabilities, adopting advanced tools and building integrated data platforms is essential.
Key Insight: Four Foundations for Moving from Awareness to Execution
Whether risk governance can be embedded into daily operations depends on four core foundations: governance structure, level of authority, compensation mechanisms, and technology platforms.
These are not independent elements but an interconnected system: structure determines how well information is integrated, authority determines whether tools can be effectively applied, compensation shapes cultural alignment, and technology enables proactive execution.
ASUS provides a strong example of how these four foundations can be implemented together.
1. Centralized and Coordinated Governance Structure
An integrated governance model enables a unified risk perspective and faster cross-functional collaboration and response. ASUS established a Business Continuity Management (BCM) Committee as a central platform connecting the board and task forces. The committee consolidates risks across supply chain, cybersecurity, and sustainability, creating a unified view of enterprise-wide risk.
It enables two-way information flow:
- Top-down: the board provides a strategic, macro-level perspective, balancing the perspectives of internal and external stakeholders.
- Bottom-up: task forces monitor trends and manage risks, supporting integrated and better-aligned decision-making.
This dual approach effectively bridges decision-making gaps.
2. Strategic Mandate: Bringing Risk into Decision-Making
ASUS's BCM Committee is composed of independent directors, whose high level of independence allows the committee to not only provide oversight but also introduce external perspectives and challenge existing decision-making frameworks.
Beyond regular reviews, the committee engages with management early in the strategy process, incorporating stakeholder concerns at the planning stage. This ensures that risk perspectives are included from the outset, making risk not just a post-event review, but an integral part of early decision-making and alignment.
Through this approach, ASUS brings together multiple perspectives to focus on key risks and ensure alignment in resource allocation and business direction. As a result, the influence of risk governance shifts from review to decision-making.
3. Compensation: Making Risk Governance a Real Incentive
Cultural change requires the support of institutional incentives. Since 2023, ASUS has linked its co-CEOs’ variable compensation to sustainability performance, and expanded this approach in 2025 to include the COO, Chief Sustainability Officer, and senior executives, with adjustments of ±10% based on the achievement of key targets.
This design goes beyond individual financial incentives. It sends a clear and consistent message across the organization: long-term risk management outcomes are real performance metrics—not additional responsibilities.
4. Technology Platforms: From Reactive to Proactive Risk Management
AI, data integration, and automation are transforming risk management from reactive response to proactive prediction.
ASUS is extending its “All in AI” strategy into management practices, with task forces set to establish key risk indicators (KRIs) and initiate the deployment of AI-driven monitoring mechanisms based on them. By leveraging data integration and scenario-based reasoning, they accelerate the collection and analysis of risk information, enhancing both the timeliness and forward-looking capability of risk identification.
Conclusion: Internalizing Risk Governance as a Core Capability
Future competitiveness depends on whether organizations can truly embed risk governance into daily operations, transforming governance from structure into capability, from capability into culture, and ultimately into a foundation for resilience.
ASUS’s experience shows that when governance structure, authority, compensation, and technology are aligned, risk governance is no longer a passive defense mechanism but a strategic capability that creates long-term value.
By internalizing risk governance into the way the organization operates, companies can build resilience in an uncertain environment and sustain long-term growth and competitive advantage.