Boards Still Don’t Ask: The Governance Disease Behind “Mission Critical” Blind Spots

Takeaways

• Delaware’s Message to Boards: Under the Caremark standard, directors have a fiduciary duty to oversee “mission critical” risks and those whose failure could threaten a company’s survival or compliance.
• The Don’t Tell / Don’t Ask Syndrome: CEOs often avoid surfacing mission-critical risks, and boards rarely demand the information, a silent flaw that fuels oversight failure.
• Beyond Legal Definitions: Mission Critical Objectives (MCOs) should extend beyond regulatory compliance to include strategic and investor-sensitive goals.
• The Governance Disease: Boards, CROs, and CAEs operate without clear purpose, leading to risk and audit functions adrift from strategy and performance.
• The Cure: Purpose-Driven Governance, aligning governance, risk, and assurance directly to mission-critical objectives, demands courage and clarity of purpose.

Deep Dive

When Delaware’s Chancery Court reminds directors that they have a fiduciary duty to oversee mission critical risks, it’s diagnosing a deeper governance disease, not just offering abstract legal theory.

Under the Caremark standard, boards must ensure effective systems exist for identifying, monitoring, and escalating information about the company’s most essential operations, those whose failure could threaten compliance, viability, or reputation. In Marchand v. Barnhill (Blue Bell Creameries, 2019) and In re Boeing Co. Derivative Litigation (2021), the court made it clear that directors cannot claim ignorance when a core function fails. Oversight of “mission critical” areas is not optional. It’s a fiduciary obligation.

Yet despite these rulings, and hundreds of millions in settlements from cases like Boeing and Wells Fargo, most boards still aren’t asking for concise, risk-linked information on mission critical objectives (MCOs). Why? Because of what I call the “Don’t Tell / Don’t Ask Syndrome.” CEOs don’t volunteer the information. Boards don’t demand it.

I explored this in a recent LinkedIn post where I summarized Delaware’s stance and reflected on why so few boards act on it. Despite growing legal expectations, many still believe D&O insurance will shield them from the consequences of oversight failure. It won’t, at least not from the reputational and cultural fallout that follows.

The Governance Disease

This Don’t Tell / Don’t Ask dynamic lies at the heart of a much larger problem I explore in my forthcoming book, Purpose-Driven Governance. It’s a governance disease that has infected boardrooms worldwide, and it begins with a foundational question that remains unanswered: What is governance for?

When boards and executives fail to define the purpose of governance, everything else drifts. Risk and audit functions lose direction. Mandates blur. Oversight becomes a compliance ritual rather than a strategic necessity.

The symptoms are everywhere:

• Purpose Void: Most boards have never defined why governance exists in their organization beyond regulatory compliance.
• Purpose Drift: Risk and audit functions report without clear alignment to the organization’s true objectives.
• Guardians Without Purpose: Internal audit and risk teams drift without a mandate anchored in mission-critical objectives.
• The Quadrillion-Dollar Symptom: The global cost of purposeless governance and oversight failure is staggering.

When boards operate without purpose, they govern reactively—waiting for the next scandal, regulatory intervention, or lawsuit to define their priorities.

A Broader Definition of “Mission Critical”

Delaware’s courts have focused on core operational risks, such as food safety for Blue Bell, airplane safety for Boeing. But my own definition of Mission Critical Objectives (MCOs) is broader. It includes not only legal and operational essentials, but also the strategic objectives that institutional investors and regulators expect boards to oversee with clarity.

Unfortunately, few CROs, CAEs, or internal auditors structure their reporting around MCOs. Many know their CEOs don’t want them to. Instead, risk reports remain filled with heat maps, registers, and activity lists detached from what truly drives enterprise success or failure.

Boards that rely on Directors & Officers (D&O) insurance as their safety net are missing the point. Insurance may cover legal fees, but it cannot protect reputation, credibility, or trust when oversight failures become public.

From Diagnosis to Cure

The cure is Purpose-Driven Governance—a model where boards, CEOs, CROs, and CAEs align governance, risk, and assurance activities directly to Mission Critical Objectives. It starts with defining the board’s true purpose, breaking the Don’t Tell / Don’t Ask cycle, and demanding concise, objective-linked reporting that connects strategy, risk, and performance.

The Delaware Chancery Court has made it clear that boards can no longer plead ignorance when critical systems fail. The logic and the business case for change are overwhelming. But the cure depends on courage to ask, to listen, and to lead.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.