The Don’t Tell/Don’t Ask Pact Driving Governance Failures

Key Takeaways

• CEO Reluctance: Many CEOs view transparency on mission-critical risks as a threat to authority, reputation, and compensation.
• Board Avoidance: Directors often sidestep probing questions to preserve harmony and avoid accountability.
• Reinforcing Cycle: CEOs don’t offer unless asked; boards don’t ask, knowing more knowledge brings responsibility.
• Systemic Blind Spots: CROs and CAEs rarely deliver mission-critical risk reports, with tacit approval from CEOs, the IIA, and risk institutes.
• The Cost: This pact has fueled repeated governance failures, leaving boards able to say, truthfully but shamefully, “We didn’t know.”

Deep Dive

In my previous piece, Why Boards Still Don’t Ask the Hard Questions About Mission-Critical Risk, I explored why so few boards demand reporting on the risks and uncertainties that threaten an organization’s most important objectives. Like that piece, this one began with a social media post that sparked a strong reaction, because it points to a governance reality many know but rarely admit.

The problem is not only that boards don’t ask. It’s also that CEOs don’t want to tell. When I asked ChatGPT whether today’s biggest governance problem is that CEOs avoid providing reliable information on risks to mission-critical objectives (and boards prefer not to “rock the boat” by asking), the answer came back as a blunt yes.

For CEOs, transparency can feel like self-sabotage. Revealing risks tied to mission-critical objectives may invite pressure for corrective action, raise doubts about leadership, and unsettle investors. It can put bonus structures at risk. Some CEOs go further, resisting even the internal documentation of mission-critical risks. To record them formally is to admit they exist, and once they exist on paper, accountability follows. For CEOs focused on short-term performance narratives, that accountability can feel like a liability in itself.

Boards, meanwhile, often choose silence. Directors know that probing too deeply into mission-critical risks can strain the relationship with management. Few want to be seen as “difficult” or risk renomination. And once boards receive detailed information, they are accountable for acting on it. With knowledge comes responsibility, and with responsibility comes liability. For some, staying in the dark feels like the safer option.

Together, these dynamics create a reinforcing cycle. CEOs don’t volunteer information unless asked. Boards don’t ask, knowing the responsibility that follows. Mission-critical risks remain unexamined until they surface in failure. And when that failure comes, as it inevitably does, boards can truthfully say, “We didn’t know.” But ignorance in these cases is not an accident. It is governance by design.

The cycle is made worse by systemic blind spots. CROs and CAEs, who should be providing boards with reports that link risk and uncertainty directly to mission-critical objectives, rarely deliver them. Instead, they default to generic “top risks,” colorful heat maps, or compliance-driven reporting that avoids the hard questions. This happens with tacit approval from CEOs, the IIA, and risk institutes, all of which have reinforced practices that keep boards in the dark. In many cases, CROs and CAEs are further constrained by the very CEOs they report to, leaving boards without the information they need most.

This don’t tell/don’t ask pact has been at the root of colossal governance failures for decades. Breaking it requires boards to demand reliable, decision-useful reporting on risks tied to mission-critical objectives, CROs and CAEs to step up and provide it, and CEOs to accept that leadership means confronting uncomfortable truths rather than burying them. Until that happens, boards will continue to govern with blinders on, and organizations will continue to absorb the cost.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.