Tim Leech

In a recent LinkedIn post, I argued that the biggest barrier to effective governance is not technology, cost, standards, or even board interest. It is management's reluctance to provide boards with reliable information on uncertainty and performance linked to Mission Critical Objectives (MCOs), combined with boards' reluctance to insist on receiving that information. The reaction to that post reinforced my belief that this issue sits at the center of one of the most important, and least discussed, governance challenges facing organizations today.

A recent post I shared on LinkedIn on the future direction of risk management and internal audit generated a lot of discussion. Not because the ideas were particularly radical, but because many risk and internal audit professionals recognize the profession is reaching an inflection point.

There is a definition of risk that most organizations readily cite but far fewer truly operationalize. It comes from ISO 31000 and is echoed in frameworks developed by COSO. Risk, in its simplest and most useful form, is the effect of uncertainty on objectives.

Corporate governance has not failed because of a lack of rules. It has failed because it has lost sight of its purpose. That is the central argument of my new book, Mission Critical Governance: Focusing Management and Boards on What Matters Most, a work shaped by decades of experience and a growing recognition that modern governance systems are not delivering what boards, investors, and society now expect.

In a recent LinkedIn post, I posed a question that has quietly lingered in governance circles for years. If courts in the United States have already made clear that boards are expected to oversee risks tied to Mission Critical Objectives, why haven’t regulators directly addressed deficient board oversight in this area?

Earlier this week, I shared a brief post on social media reflecting on a question that has stayed with me throughout my career, "How can we evaluate effectiveness without first being clear about purpose?" The post pointed to a deeper issue that deserves more careful treatment. Whenever I am asked to assess effectiveness, I start in the same place. Before looking at structure, process, or performance, I ask a simple question, "What is the purpose of what I am being asked to assess?"

In my latest post, I discuss how if you look at how enterprise risk management is practiced today, you’d be forgiven for thinking that the entity-level risk register sits at the center of ISO 31000 and COSO ERM. It doesn’t.