top of page

Why Most Businesses Fail Long Before They Realise It - And why risk governance matters earlier than most leadership teams think

  • May 8
  • 6 min read
business-risk-governance-failure | Board-level risk governance helps businesses identify threats before they become crises.


The Truth: Business Failure is often a Governance Failure


The numbers are stark and consistent, whether you look at the UK or the US. In the UK, 20% of new businesses fail in their first year and 60% within three years. The US Bureau of Labor Statistics data tells the same story: one in five gone within a year, half within five years, nearly two thirds within a decade. Geography changes nothing. The underlying dynamics are universal.


Most business owners assume they understand the reasons. Cash runs out. Markets shift. Competition arrives. The product doesn't land. These are real causes - but they are rarely the whole story. Behind most business failures, if you look hard enough, is a more fundamental problem: the people running the business didn't see it coming, or saw it coming and had no structured way to respond.


That is a governance failure. And it is far more common than most boards would like to admit.


The real cause of most business failures

Corporate governance and internal control weaknesses are often identified as the root cause of corporate failure - yet most mid-market businesses have no formal governance infrastructure at all. Risk lives in the CEO's head. Controls are informal. The board receives historical data and calls it oversight. 


Research shows businesses with poor risk management are 4.7 times more likely to face a crisis. That is not a marginal difference. It is the difference between a business that survives a difficult period and one that doesn't. 


The governance gap is not a problem unique to small or early-stage businesses. It persists into mid-market, into PE-backed companies, into organisations with professional boards and experienced management teams. The gap is structural: most businesses were never built with a risk function, and they keep growing without one until the cost of that absence becomes impossible to ignore.


Four business failures that didn't have to happen

Patisserie Valerie: In 2018, the café chain collapsed after auditors discovered a £94 million black hole in its accounts - a fraud that had been running for years inside the finance function. The board had no effective controls framework. There were no named owners for financial controls, no independent verification, and no early warning indicators that something was wrong. The warning signs existed. The system to surface them did not.


This is precisely what a controls effectiveness framework is designed to catch - not fraud detection in the forensic sense, but the named accountability and independent oversight that makes sustained fraud structurally difficult.


Carillion: The construction giant's 2018 collapse - the largest ever trading liquidation in the UK - came after years of aggressive accounting, unsustainable debt, and a board that consistently received reassuring narrative rather than genuine risk data. Carillion's board was not unintelligent. It was uninformed - receiving information designed to manage perception rather than support decision-making. A board risk profile built on escalations only, with genuine amber and red indicators visible to directors, would have told a different story far earlier.


The British Museum: In 2023, thousands of artefacts - some irreplaceable - were discovered as stolen from the collection over a period of years by a member of staff. It was not a sophisticated attack. It was the absence of basic controls accountability: no named owner per item category, no effectiveness testing, no process that would have flagged the gap between what should have been there and what was. The damage is reputational and generational.


Made.com: (2022) Made.com was valued at £775 million and celebrated as a rising star of British e-commerce. Eighteen months after listing on the London Stock Exchange, it was in administration. 

What makes Made.com instructive is that no single cause brought it down. Macroeconomic headwinds hit consumer confidence. Supply chain disruptions left customers waiting months for orders. Marketing costs ballooned unsustainably. Active users declined. Customer churn accelerated. And £75 million in supplier debt accumulated in the background. Each of these was a known risk category. Each was measurable. And each was arriving simultaneously - which is precisely when a risk governance framework earns its cost.


A business facing one of these pressures can improvise. A business facing all of them at once needs a structured picture of how they are interacting, which are escalating, and where the board needs to act first. Without a forward-looking indicator framework and a board-level escalation process, management was responding to each problem in isolation while the combined exposure was becoming fatal.


By the time the crisis was visible, shares had fallen 93% from their IPO price and a £70 million rescue plan had already collapsed. The data existed. The governance framework to surface it did not. 


What large regulated businesses figured out - and everyone else is still waiting for

FTSE 100 companies have invested heavily in risk governance infrastructure for decades. Not because regulators forced them to - though regulation played a role - but because boards operating at that scale learned, often through painful experience, that the absence of structured risk oversight is an existential vulnerability.


The Chief Risk Officer function, the risk appetite framework, the board-level risk profile, the controls effectiveness programme - these are not bureaucratic luxuries. They are the early warning systems that allow a large, complex organisation to see around corners, act before events crystallise, and demonstrate to investors, regulators, and counterparties that it is genuinely in control of its own destiny.


Until now, that infrastructure has been effectively unavailable to businesses below a certain scale - not because the principles don't apply, but because the expertise required to build it has been locked inside large institutions.


Encina Consulting Brings FTSE 100 Expertise to the Wider Markets

Encina Consulting has brought a change to how you can manage Risk no matter what your scale or industry. It's the same frameworks, the same thinking, the same board-level rigour - packaged into fixed-price products that any serious business can deploy, without hiring a risk function.


WeWork: when revealed appetite has no ceiling

By 2019, WeWork was valued at $47 billion. Twelve months later it was fighting for survival. The collapse has been picked apart extensively - the charismatic founder, the eccentric decisions, the ill-fated IPO attempt. But beneath the drama was a governance failure of textbook simplicity: a board that had no structured mechanism to measure what risks the business was actually taking against any defined limit.


WeWork's stated position was that it was a technology company. Its revealed position - long-term lease commitments against short-term flexible memberships, in dozens of markets simultaneously, funded by a single investor relationship - was one of the most concentrated and leveraged risk profiles in modern corporate history. No risk appetite framework would have permitted it. No board risk profile built on genuine escalation principles could have failed to surface it. No KRI dashboard tracking lease liability against membership revenue would have allowed it to accumulate unnoticed.


The infrastructure that FTSE 100 boards take for granted would not have saved WeWork from ambition. But it would have forced the board to confront, explicitly and early, the distance between what they said the business was and what the risk data showed it to be. That conversation - stated appetite versus revealed appetite - is precisely what sound risk governance is designed to produce.


The moment that matters

Every business reaches an inflection point. It is the moment when the organisation has grown beyond the stage where the CEO can hold all the risk in their head - but hasn't yet reached the scale where a full risk function is justified. This is the most dangerous period in a business's lifecycle, because it is the period when complexity is highest relative to governance infrastructure.

It is also the period when most businesses do nothing, because the absence of a catastrophic event feels like evidence that the system is working.


It isn't. It is evidence that a risk event hasn't yet occurred. They always do.


What's Needed? A Proportunate Risk Framework

The investment in risk governance does not need to be large. It does not require a full-time CRO, a dedicated risk team, or a multi-year implementation programme. What it requires is a structured framework - proportionate to the business, grounded in how it actually operates, and owned at board level - that surfaces risk before it crystallises rather than after.


That is what Encina builds. Fixed price. Defined outputs. Deployed quickly. Built on thirty years of experience doing this at the most demanding end of the risk governance spectrum.


The question is not whether your business faces risk. Every business does. The question is whether your governance is capable of seeing it in time. No surprises. 


Jon Macdonald FIA is CEO of Encina Consulting and a former Group Chief Risk Officer at Prudential, Royal London Group, and RSA Insurance Group. He advises boards and leadership teams on enterprise risk management, governance and crisis management strategy.







 
 
 

Comments

bottom of page