Tim Leech

Why Regulators Avoid Directing Boards Toward Mission Critical Oversight

In my recent post, the central question was posed with disarming clarity. If mission critical objectives (MCOs) define the very survival and long-term performance of an organization, why don’t regulators require boards to focus their oversight on them? It seems like the most direct way to strengthen governance. If boards were explicitly tasked with monitoring risks to MCOs, they would naturally direct management, risk teams, and internal auditors to align their assessments and reporting accordingly. Instead, regulators continue to emphasize processes and disclosures that often miss the mark, leaving businesses exposed and stakeholders carrying the weight of failures that cumulatively amount to staggering losses.

The Don’t Tell/Don’t Ask Pact Driving Governance Failures

In my previous piece, Why Boards Still Don’t Ask the Hard Questions About Mission-Critical Risk, I explored why so few boards demand reporting on the risks and uncertainties that threaten an organization’s most important objectives. Like that piece, this one began with a social media post that sparked a strong reaction, because it points to a governance reality many know but rarely admit.

Why Boards Still Don’t Ask the Hard Questions About Mission-Critical Risk

In a recent post, I posed a question that I believe cuts to the heart of modern risk governance: why haven’t most boards asked for reports on risk and uncertainty linked to the mission critical objectives that ultimately define whether organizations succeed or fail?

Still Clinging to the Checklist? Why Most Risk & Audit Programs Won’t Change, Unless They’re Forced To

Flaws in traditional enterprise risk management (ERM) and legacy internal audit (IA) practices aren’t exactly a secret. Risk registers, heat maps, and audits focused solely on internal control deficiencies may look tidy in a board report, but they rarely reflect how risk really works or how organizations actually fail.

What’s the Point of Corporate Governance If Boards Don’t Know Their Purpose?

In this article, Tim Leech expands on a recent post he shared in the LinkedIn discussion group Objective Centric Risk & Uncertainty Management to explore a fundamental, and often overlooked, question in modern governance: Do boards actually agree on their purpose? Drawing on decades of research and a collaborative analysis with ChatGPT, Leech argues that the staggering cost of governance failures may stem from one core issue: there is no consensus on the very purpose of corporate governance itself.

The Resistance to Objective-Centric ERM & Internal Audit Methods

As organizations evolve and face increasingly complex risks, the shift toward objective-centric Enterprise Risk Management (ERM) and internal audit methods has been widely recognized as more effective. By focusing on the impact of uncertainty on mission-critical objectives, companies can take a proactive approach to managing risk and better align their risk management strategies with overall business goals. Unlike traditional risk list approaches, which often focus on identifying and mitigating individual risks in isolation, objective-centric ERM integrates risk management into the organization’s strategic planning process, ensuring that risks are assessed in the context of their potential impact on key objectives.

Do CLOs, CROs, & CAEs Have a Duty to Brief Boards on MCOs & Risks?

In his most recent article, Tim Leech explores whether Chief Legal Officers (CLOs), Chief Risk Officers (CROs), and Chief Audit Executives (CAEs) have a legal duty to brief the board on its fiduciary responsibilities related to escalating MCOs and associated risks. By diving into the roles of these executives, Tim Leech highlights their obligations to ensure that boards are well-informed about the risks that need to be managed and monitored to protect the organization.