Scattered assurance is not the same as a governance picture. One annual discipline pulls it together.

Thomas Collins, GAICD.

A modern board receives an enormous amount of assurance. Cyber reports from technology. Climate data from sustainability. Conduct metrics from human resources. Risk dashboards from the risk function. Each arrives on its own timeline, in its own format, against its own definition of “fine.”
What almost no board receives is a single, reconciled picture of all of it at once. And that is exactly where governance failures live: not inside any one domain, but in the gaps between them, where no single report is looking.
The problem with siloed assurance
Twelve good reports do not add up to one good view. They reconcile to nothing. A cyber weakness and a third-party dependency and a thin incident-response capability are three separate amber items on three separate slides. Seen together, they are a single serious exposure. Siloed reporting structurally hides the way risks compound, which is the way they actually cause damage.
The board ends up assured on every part and blind to the whole. Each function can honestly say it reported. No one was responsible for the join.
The twelve domains a board actually owns
A complete governance picture spans twelve domains. Technology and cyber risk. Climate and sustainability disclosure. Financial accountability. Privacy and data governance. AI and emerging technology. Enterprise risk management. Culture and conduct. Modern slavery and ESG disclosure. Financial reporting and audit. Board composition and renewal. Work health and safety. Financial crime governance.
The annual test is simple to describe. Rate the board’s genuine maturity in each domain on one honest scale, from unaware to leading. Then, and this is the part that matters, look at how they interact. The output is not twelve scores. It is one coherent read on where the board is strong, where it is exposed, and which few gaps carry the most risk.
Why 2026-27 makes this urgent
This is not a quiet year to let assurance run on autopilot. Five major regulatory regimes commence on 1 July 2026 alone, including AML/CTF Tranche 2, Group 2 mandatory climate reporting, the Scams Prevention Framework, payday super, and a new national environmental regulator. Nine of the twelve governance domains carry a new or changed obligation this financial year. They land together, in one reporting period, on management teams that are already stretched.
No compliance calendar was built to absorb that all at once. A board tracking each obligation in its own silo will miss the overlaps. A board that runs the twelve-domain test will see them.
THREE QUESTIONS FOR YOUR NEXT BOARD MEETING
Which of the twelve domains does our board spend the least time on, and is that because it is low risk or because no one is raising it?
Where are we genuinely capable of governing the risk, and where are we merely receiving reports about it?
Can we govern five new regimes commencing at once, or are we tracking them in silos that will miss the overlaps?
Make it an annual discipline
The point of the twelve-domain test is not to generate a score for the file. It is to force the one conversation the regular reporting cycle never quite produces: the whole board looking at the whole picture, once a year, and deciding what matters most. Run honestly, it turns scattered assurance into governance. Skipped, it leaves the board assured on the parts and exposed on the join.