Rethinking Risk: How Boards Can Lead with Resilience in an Age of Uncertainty
In today's volatile and interconnected world, risk is no longer a slow-moving threat on quarterly reports. It emerges suddenly, spreads rapidly, and crosses geographic and organisational boundaries. Cyberattacks, ESG backlash, continued geopolitical tensions, and misinformation campaigns are just a few examples of risks that challenge traditional governance models. In this environment, boards must evolve from overseeing a static risk register to engaging in dynamic, forward-looking risk oversight that supports and shapes strategy, builds strong resilience, and most importantly builds trust among key stakeholders.
Boards face a new kind of risk landscape
Boards can no longer keep looking at the same list of risks at every meeting, and this practice is becoming less common over time. Risk is now fast-moving, often intangible, and reputational in nature. What once might have been a localized disruption - like a supply chain delay or regulatory shift - can now reverberate globally in real time. Geopolitical instability in one region can ripple across financial markets, operations, and stakeholder expectations worldwide.
A prime example well known among board members is cybersecurity threats; a breach not only threatens operational continuity but also erodes public trust and investor confidence within hours. Similarly, ESG-related controversies, whether due to greenwashing accusations or poor diversity practices, can significantly damage reputations and valuations.
In this environment, static risk registers and rearview-mirror assessments are no longer sufficient. Boards must demand tools and practices that are dynamic, integrated, and capable of anticipating risks before they materialise. Boards now ask chief risk officers (CROs) to attend board meetings, to explore additional forward-looking risks, and to challenge management’s mitigation strategies.
Boards should consider how mitigating one risk can affect other risks in both positive and negative ways. For example, many companies did not have their risk teams analyse indirect impacts of the Russia-Ukraine war beyond the direct risks or opportunities.
The board’s role: Oversight, not management
Boards are not in the business of managing day-to-day risks, but they are ultimately accountable for overseeing how well risks are governed.
The board should ensure a clear governance structure, with defined roles, responsibilities, and escalation procedures. The board should receive timely, relevant, and concise reporting that enables it to focus on what matters most. Most importantly, CROs should be encouraged to provide their portfolio view of risk. Such an opinion, if provided independently of management and without its influence, should at least give board members another opportunity to challenge management’s views.
Equally important is the alignment between risk appetite and corporate strategy. A clearly articulated risk appetite, endorsed by the board and communicated throughout the organization, ensures that the pursuit of growth does not come at the expense of resilience or integrity.
Governance priorities for an uncertain world
To govern risk effectively and to ensure the right priorities are selected, especially in an unpredictable environment, boards are encouraged to use their own company data, external data, and industry data to arrive at a clearer outcome. Boards are encouraged to prioritize the following analyses to aid risk-based decision making:
Scenario planning and stress testing: these should be conducted regularly, not only during crisis moments, and used to explore plausible but disruptive futures.
Integrated risk thinking: risk oversight must be embedded into all strategic discussions and major decisions, not relegated to the audit or risk committee. There is a tendency to leave risk topics for committee discussions.
Healthy scepticism: boards must be willing to challenge management assumptions, especially during bullish market cycles or periods of strategic overreach. Boards should confidently ask management "why?"
Fostering a risk-aware board culture
An effective risk culture starts at the top. Boards should foster an environment where open, candid conversations about emerging threats are encouraged without fear of blame or reputational damage.
This also requires ensuring that board composition reflects the world the company operates in. Directors with industry-specific insight and risk literacy are crucial for translating abstract risks into actionable oversight.
In addition, ongoing education should be a norm. From cybersecurity and climate risks to new regulatory trends and global instability, continuous learning is essential to stay ahead of the curve.
The board should consider the following in order to strengthen a risk-aware culture in their organisations:
Establish a well-defined and clearly communicated governance framework within the organisation to ensure accountability and effective risk management. This framework should delineate key roles, responsibilities, and escalation procedures.
Guarantee that the board receives timely, relevant, and accurate information and reports, enabling it to concentrate on critical issues. New practices are emerging where the Chief Risk Officer (CRO) is invited to attend board meetings to provide insights into risk perspectives and strategies for risk mitigation.
Integrate risk considerations into strategic planning. CROs should articulate potential obstacles, risks, and opportunities that may impede the achievement of organizational objectives. The board must ensure that a comprehensive risk assessment is evidenced and documented as part of the strategy presented for approval.
Promote the utilization of various tools by the board to enhance their oversight capabilities. It is essential that the board includes members with robust technical expertise in risk management tools and frameworks, who can challenge and evaluate the effectiveness of these tools.
Practical tools and frameworks
Several tools and frameworks can help boards strengthen their oversight role, and it is the board’s responsibility to ensure that the relevant frameworks and tools are tailored to the company’s needs and requirements.
There are several recognized frameworks such as COSO ERM. Many organizations refer to these frameworks without fully adopting them. Some build a framework that suits their specific industry and organisational needs. Others utilize ISO 31000 or a combination of both ISO 31000 and COSO. The key point is that any chosen framework should be appropriate for the organisation and flexible enough to adapt to changes when necessary.
With a wide availability of tools, both off-the-shelf and self-developed, organisations have many choices, and it is best to select one that suits the needs and growth of the organisation.
Examples of tools that many companies use include:
Risk heat maps and dashboards: visual summaries tailored to board-level visibility can help identify priority risks and track changes over time.
Board-level risk papers/management-level risk outlook: forward-looking reports should highlight both potential threats and strategic opportunities.
From compliance to strategic oversight
Compliance is important and can have reputational impact as well as possible fines for non-compliance. However, transitioning from compliance to strategic oversight involves embedding risk management into the core of organisational strategy. Boards must elevate their approach to risk by treating it as a critical enabler of resilience and growth, rather than merely a regulatory requirement.
In an era defined by constant change, the board’s role in risk oversight becomes pivotal. This shift is not about predicting every disruption but about cultivating robust governance frameworks, fostering a proactive risk culture, and adopting tools that enable rapid and effective responses to evolving challenges. By integrating strategic oversight, boards empower organisations to not only navigate uncertainty but to seize opportunities and emerge more resilient, trusted, and prepared for long-term success.