Why Good Controls Still Fail: Lessons from Football
- 3 days ago
- 3 min read
Authored by Vinod Karunasinghe

With the 2026 FIFA World Cup now underway, football is again reminding us that even the best-prepared teams can be exposed when systems, roles and execution break down. Football clubs invest a lot of time and resources into defensive structures designed to prevent goals from being conceded. Players are trained, responsibilities are assigned and systems are put in place to reduce risk.
Yet even the best teams still concede.
The same challenge exists within organisations. Policies, procedures and controls may be documented and implemented, but incidents, compliance breaches and operational failures can still occur.
This highlights an important distinction: the existence of a control does not necessarily mean the control is always effective!
The question is not only whether controls are in place, but whether they are fit for purpose, consistently performed and appropriately monitored. Effective control monitoring is a key component of the Three Lines of Defence risk management model, providing assurance that controls continue to operate as intended and remain aligned to evolving risks, regulatory obligations and business activities.
Why Controls Fail?
Poor control design
In football, a defensive system may leave critical areas of the field exposed. Even if players follow the system, weaknesses in the design can still create opportunities for the opposition.
Organisations face a similar challenge when controls are not clearly aligned to the risks they are intended to manage. A control may exist on paper but may not adequately address the underlying risk: the design may be there, but the operating effectiveness of the control may be in question.
In these circumstances, organisations may have a false sense of comfort that a risk is being managed when, in practice, the control is not fit for purpose.
Inconsistent execution
Even well-designed systems can fail if they are not executed consistently.
A defender who loses concentration or misunderstands their role can create an opportunity for the opposition. Similarly, organisational controls may fail where responsibilities are unclear, processes are not followed, training is inadequate or resources are stretched.
Insufficient testing and review
Successful football teams regularly review performance, analyse mistakes and adjust their approach throughout the season.
Organisations should apply the same discipline to their control environments.
Risks evolve, business processes change and regulatory expectations continue to develop.
Controls that were effective twelve months ago may no longer provide the same level of assurance today.
Without ongoing testing and review, control weaknesses may not be identified until after an incident, breach or regulatory issue has occurred. This is why for example, APRA’s CPS 230 requires APRA-regulated entities to regularly monitor, review and test controls for design and operating effectiveness.
What Organisations Can Learn
An effective control environment requires more than policies and procedures.
Organisations should regularly assess whether their:
controls are appropriately designed to address identified risks;
controls are consistently performed in practice;
control owners understand their responsibilities;
evidence is available to demonstrate control performance;
control monitoring provides sufficient assurance that controls are operating as intended; and
controls remain fit for purpose as risks, obligations and business operations evolve.
Control effectiveness is not a one-time exercise. Ongoing control monitoring is particularly important where regulatory obligations, sanctions or business processes change. By monitoring changes against obligations and controls already mapped in a register, organisations can identify potential breaches or control gaps before they turn into material risks. Technology can also support this process by automating data collection, centralising documentation and enabling more continuous monitoring of risk factors, reducing manual error and improving consistency.
The Bottom Line
Football teams do not judge their defensive capability solely by the existence of a game plan. They assess whether that plan is working in practice.
Organisations should take the same approach to their control environments.
The presence of a control does not automatically reduce risk. Understanding whether that control is fit for purpose, consistently performed and regularly tested is what gives organisations confidence that risks are being managed.
For organisations, this can be the difference between having a documented control framework and having a control environment that genuinely supports effective governance, compliance and risk management.
If you would like to discuss your organisation’s control environment, control effectiveness framework or assurance activities, please get in touch with the Owl Advisory team
This publication is a joint publication from Mallesons, and Mallesons Compliance Pty Ltd (ACN 672 547 027) trading as Owl Advisory by Mallesons. Mallesons Compliance Pty Ltd is a company wholly owned by the Mallesons Australian partnership. Mallesons Compliance Pty Ltd provides non-legal compliance and governance risk advisory services for businesses. Mallesons Compliance Pty Ltd is not an incorporated legal practice and does not provide legal services. Laws concerning the provision of legal services do not apply to Mallesons Compliance Pty Ltd.