Modern organisations possess more data, control frameworks, governance procedures and compliance technologies than at any previous point in business history. Yet many executives argue that they have less visibility into the risks and opportunities that genuinely matter. The result is what might be called the “false positive economy”, where companies devote growing resources to investigating alerts, exceptions and reporting requirements that ultimately prove insignificant, while genuinely material threats remain obscured by administrative noise.
This challenge has become particularly acute across the UK and the European Union. Organisations face expanding sustainability reporting obligations under the Corporate Sustainability Reporting Directive (CSRD), increasing use of AI-enabled monitoring systems, more sophisticated anti-money laundering controls and heightened governance expectations. Ironically, the problem is no longer a shortage of information. It is the ability to separate meaningful signals from a flood of data, metrics and automated warnings. In many cases, complexity itself has become a source of risk rather than a solution to it.
When Compliance Becomes Noise
Compliance functions have expanded dramatically in response to growing regulatory scrutiny. Many organisations have responded by introducing increasingly complex control frameworks, generating larger numbers of alerts, exceptions and review processes. In some cases, internal audit, risk and compliance teams perform overlapping activities, creating duplication rather than greater protection.
This has created a compliance paradox. The more controls an organisation implements, the harder it can become to identify genuinely important risks. Employees often spend significant amounts of time demonstrating compliance instead of improving processes, serving customers or addressing operational weaknesses.
The problem is particularly evident in financial crime monitoring and anti-money laundering (AML) screening. Banks routinely investigate thousands of transactions flagged by automated systems, yet industry research suggests that the overwhelming majority of AML alerts are false positives. A legitimate cross-border payment or a customer whose name resembles that of a sanctioned individual may trigger an unnecessary investigation. Similar challenges arise in third-party supplier due diligence, where repeated low-risk alerts can overwhelm review teams.
False positives consume resources, increase costs and contribute to decision fatigue. When staff are faced with a constant stream of warnings, there is a greater risk that genuinely significant threats will be overlooked amid the noise
The ESG Data Deluge
The arrival of new European sustainability reporting requirements has triggered an unprecedented expansion in ESG data collection. Under the CSRD and the European Sustainability Reporting Standards (ESRS), organisations must gather information across environmental, social and governance topics, often extending deep into their supply chains. This has led to a surge in reporting obligations, supplier questionnaires and assurance activities.
Many companies now collect hundreds or even thousands of ESG data points. Yet despite this abundance of information, they often struggle to answer fundamental strategic questions. Which sustainability risks are most significant? Which initiatives genuinely improve business performance? Where is long-term value being created?
A growing problem is what some commentators describe as “materiality inflation”. Faced with complex regulations and concerns about missing important disclosures, organisations increasingly measure everything rather than focusing on what matters most. A manufacturer, for example, may track dozens of environmental indicators across suppliers while remaining uncertain about its most significant climate-related risks. Similarly, retailers often send extensive ESG questionnaires to suppliers yet gain limited insight into actual sustainability performance.
The danger is that excessive reporting can obscure meaningful outcomes. When attention is spread across too many metrics, genuine sustainability priorities can become lost in a sea of data.
Mistaking Process Density for Organisational Resilience
A growing number of management experts use the term “governance theatre” to describe a common organisational response to crises. When something goes wrong, boards often react by creating new committees, adding approval stages, introducing extra reporting requirements and establishing further oversight forums. While these measures can demonstrate action, they do not necessarily improve resilience.
In practice, excessive governance frequently produces slower decision making, diffused accountability and increased bureaucracy. A procurement decision that once required approval from one senior manager may end up passing through several committees before implementation. Similarly, major projects can become trapped in layers of review, with responsibility spread so widely that no single individual feels fully accountable for outcomes.
These concerns are particularly relevant as policymakers seek to improve productivity and competitiveness. Business groups have repeatedly warned that regulatory and administrative complexity can reduce organisational agility and innovation. Resilient organisations are increasingly distinguished not by the number of controls they possess but by their ability to adapt quickly to changing circumstances, make informed decisions and respond effectively to emerging risks. True resilience depends on responsiveness and clarity, not simply on procedural density.
Algorithmic Overreach
One of the most significant developments in modern governance is the rapid adoption of AI-driven compliance and monitoring systems. Automated tools are now embedded in fraud detection, transaction monitoring, sanctions screening, ESG reporting and governance analytics. Their appeal is obvious. They can process enormous volumes of data far faster than human teams and identify patterns that might otherwise go unnoticed. However, these technologies can also generate false positives on an unprecedented scale and the result is often a growing workload rather than greater efficiency.
New concerns emerging in 2025 and 2026 include algorithmic bias, explainability problems and increasing regulatory scrutiny of AI governance. Under the EU AI Act, organisations face growing pressure to demonstrate how automated decisions are reached and monitored. Yet many managers continue to place considerable trust in machine-generated risk assessments, even when the underlying logic is difficult to explain.
This creates a striking paradox. Organisations are increasingly required to manage false positives generated by systems specifically designed to eliminate false positives, adding a new layer of complexity to risk management.
The Productivity Tax of Control
Taken together, excessive controls, duplicated reviews, compliance investigations and expanding ESG reporting requirements impose a significant but often hidden productivity tax on organisations. Employees can spend countless hours producing reports, responding to audits and validating data rather than creating value. A supplier approval process, for example, may involve multiple teams reviewing the same information, while financial crime alerts often require investigation despite posing little genuine risk.
Many organisations underestimate the cumulative cost of these activities. Yet at a time when the UK and Europe are seeking stronger productivity growth, greater competitiveness and increased innovation, such inefficiencies matter. The key question is no longer whether organisations can remain compliant, but whether they can remain productive while doing so.
From More Controls to Better Signals
The future of effective governance will not be defined by ever-increasing volumes of controls, data or reporting. Leading organisations are beginning to recognise that resilience, compliance and sustainability depend on identifying the signals that matter rather than collecting every possible metric. Intelligent simplification, risk-based prioritisation and strong human oversight of automated systems are becoming critical management capabilities.
This shift reflects a broader recognition that procedural volume does not automatically create better outcomes. Organisations that focus on genuinely material risks and opportunities are often better positioned to respond to change, allocate resources effectively and create long-term value. As regulators increasingly emphasise proportionality and risk-based approaches, quality of insight may prove more important than quantity of information. Perhaps the competitive advantage is actually with those who can ignore more and focus relentlessly on what truly matters.
And what about you…?
- Have additional controls, reporting requirements and governance processes genuinely improved risk management in your organisation, or have they made decision-making slower and more complex?
- If you were starting from scratch today, which controls, reports, committees or approval processes would you keep, which would you simplify, and which would you eliminate altogether in order to improve organisational effectiveness?


