Tim Leech

As organizations evolve and face increasingly complex risks, the shift toward objective-centric Enterprise Risk Management (ERM) and internal audit methods has been widely recognized as more effective. By focusing on the impact of uncertainty on mission-critical objectives, companies can take a proactive approach to managing risk and better align their risk management strategies with overall business goals. Unlike traditional risk list approaches, which often focus on identifying and mitigating individual risks in isolation, objective-centric ERM integrates risk management into the organization’s strategic planning process, ensuring that risks are assessed in the context of their potential impact on key objectives.

In his most recent article, Tim Leech explores whether Chief Legal Officers (CLOs), Chief Risk Officers (CROs), and Chief Audit Executives (CAEs) have a legal duty to brief the board on its fiduciary responsibilities related to escalating MCOs and associated risks. By diving into the roles of these executives, Tim Leech highlights their obligations to ensure that boards are well-informed about the risks that need to be managed and monitored to protect the organization.

In this article by Tim Leech, he delves into the evolving roles of risk and internal audit functions, exploring how they can transition from their traditional, compliance-focused image to become key decision-support partners for management and the board. Drawing on his extensive experience, Tim outlines the need for change in how internal audit and risk functions operate, emphasizing the importance of aligning with mission-critical objectives to drive better decision-making and organizational success.

In this article by Tim Leech, we dive into the evolving role of internal audit and risk management functions. The 2025 North American Pulse of Internal Audit report has just been released, and it brings forth important observations that are crucial for understanding the current landscape of internal audit and risk management. The question arises over whether organizations should stick with the traditional model of Risk & Controls Enforcement, or should they shift towards providing decision support services that align with mission-critical objectives (MCOs) and risks?

The true purpose of every Chief Risk Officer (CRO) and Chief Audit Executive (CAE) should be to support management and boards in making informed, critical decisions. Unfortunately, this is not always the case today. Risk units and internal audit functions should be instrumental in guiding management and boards in the decision-making process, particularly when it comes to managing risks and uncertainties linked to mission-critical objectives (MCOs).