In a recent post, I posed a question that I believe cuts to the heart of modern risk governance: why haven’t most boards asked for reports on risk and uncertainty linked to the mission critical objectives that ultimately define whether organizations succeed or fail?
Flaws in traditional enterprise risk management (ERM) and legacy internal audit (IA) practices aren’t exactly a secret. Risk registers, heat maps, and audits focused solely on internal control deficiencies may look tidy in a board report, but they rarely reflect how risk really works or how organizations actually fail.
In this article, Tim Leech expands on a recent post he shared in the LinkedIn discussion group Objective Centric Risk & Uncertainty Management to explore a fundamental, and often overlooked, question in modern governance: Do boards actually agree on their purpose? Drawing on decades of research and a collaborative analysis with ChatGPT, Leech argues that the staggering cost of governance failures may stem from one core issue, there is no consensus on the very purpose of corporate governance itself.
As organizations evolve and face increasingly complex risks, the shift toward objective-centric Enterprise Risk Management (ERM) and internal audit methods has been widely recognized as more effective. By focusing on the impact of uncertainty on mission-critical objectives, companies can take a proactive approach to managing risk and better align their risk management strategies with overall business goals. Unlike traditional risk list approaches, which often focus on identifying and mitigating individual risks in isolation, objective-centric ERM integrates risk management into the organization’s strategic planning process, ensuring that risks are assessed in the context of their potential impact on key objectives.
In his most recent article, Tim Leech explores whether Chief Legal Officers (CLOs), Chief Risk Officers (CROs), and Chief Audit Executives (CAEs) have a legal duty to brief the board on its fiduciary responsibilities related to escalating MCOs and associated risks. By diving into the roles of these executives, Tim Leech highlights their obligations to ensure that boards are well-informed about the risks that need to be managed and monitored to protect the organization.
In this article by Tim Leech, he delves into the evolving roles of risk and internal audit functions, exploring how they can transition from their traditional, compliance-focused image to become key decision-support partners for management and the board. Drawing on his extensive experience, Tim outlines the need for change in how internal audit and risk functions operate, emphasizing the importance of aligning with mission-critical objectives to drive better decision-making and organizational success.
In this article by Tim Leech, we dive into the evolving role of internal audit and risk management functions. The 2025 North American Pulse of Internal Audit report has just been released, and it brings forth important observations that are crucial for understanding the current landscape of internal audit and risk management. The question arises over whether organizations should stick with the traditional model of Risk & Controls Enforcement, or should they shift towards providing decision support services that align with mission-critical objectives (MCOs) and risks?