Why Boards Still Don’t Ask the Hard Questions About Mission-Critical Risk

Key Takeaways
  • CEO Reluctance: Most CEOs don’t want to provide reports on risk and uncertainty linked to mission-critical objectives.
  • Board Inaction: Fewer than 5% of boards ask for such reports, leaving critical oversight gaps.
  • Cultural Barriers: Boards prefer high-level summaries, rely on management’s framing, and avoid potential conflict.
  • Information Control: With no regulatory standard, management filters and times what risk information boards receive.
  • Systemic Costs: The “don’t tell/don’t ask” syndrome has contributed to quadrillions of dollars in stakeholder losses.
Deep Dive

In a recent post, I posed a question that I believe cuts to the heart of modern risk governance: why haven’t most boards asked for reports on risk and uncertainty linked to the mission-critical objectives that ultimately define whether organizations succeed or fail?

The reality is stark. Research shows that most CEOs don’t want to provide these reports. My own estimate is that fewer than five percent of boards ever ask for them. This is despite the fact that linking risk to mission-critical objectives is arguably the most important responsibility a board has.

To test the question further, I asked ChatGPT, "why don’t more boards want to ask their CEOs, CROs, and CAEs for reports on risk and uncertainty tied to mission-critical objectives?"

The answer that came back was striking in its clarity. ChatGPT pointed to five main factors that, together, explain the reluctance:

  • Board culture and comfort zones. Too many boards prefer high-level summaries, rely on management’s framing, and shy away from what might be seen as mistrust or conflict.
  • Information asymmetry. Unlike financial reporting, there is no standard or regulatory requirement for disclosing mission-critical risk. CEOs control what boards see and when, which often means risks surface only when it’s too late.
  • Incentive misalignment. Directors are often rewarded for short-term performance or transactions, not long-term resilience. Many don’t want to “rock the boat” with CEOs who influence renomination.
  • Capability and confidence gaps. Complex risk data can be intimidating. Boards defer to committees, and directors fear that formally receiving detailed information heightens their accountability if they don’t act.
  • Legacy governance practices. Traditional risk oversight revolves around reviewing static risk registers. Regulatory regimes rarely push further, and widely used frameworks have been vague about connecting oversight to mission-critical objectives.

Taken together, these factors have created what I call a don’t tell/don’t ask syndrome. Boards don’t ask for mission-critical risk reporting. CEOs don’t offer it. And stakeholders absorb the consequences. I believe this syndrome is at the root of quadrillions of dollars in losses over the past decades.

If boards are serious about fulfilling their fiduciary duty, they need to break this cycle. Oversight that ignores the risks threatening mission-critical objectives isn’t real oversight at all. It’s governance with blinders on.
