The boardroom fell silent. I'd just asked a simple question: "Who on this board is accountable for enterprise risk management?"
Nine pairs of eyes darted around the mahogany table. The CFO looked at the CEO. The CEO glanced at the Chief Risk Officer. The audit committee chair studied his notes. After fifteen uncomfortable seconds, the board chair finally spoke: "Well... isn't that everyone's job?"
That was my introduction to a $2.3 billion manufacturing company in 2017. They had sophisticated risk management processes, talented risk professionals, and a thick enterprise risk management framework document that nobody on the board had actually read.
Six months later, a supply chain disruption—one that should have been on their risk radar—cost them $87 million and 23% of their market value in a single quarter.
After fifteen years working with boards on risk governance, I've learned a harsh truth: having a risk management framework and having effective board governance of risk are two completely different things.
Why Board-Level ERM Governance Matters (More Than You Think)
Let me share something that still keeps me up at night. In 2019, I consulted with a healthcare company whose board met quarterly to "review risks." They'd spend 20 minutes looking at a heat map with red, yellow, and green dots, nod approvingly, and move on to more "strategic" topics.
Then COVID-19 hit.
Their pandemic preparedness risk was on that heat map—marked yellow for "moderate risk." The board had seen it for three years running. Nobody had ever asked: "What does moderate risk mean? What are we doing about it? Are we prepared?"
When the pandemic struck, they discovered:
Their business continuity plans were theoretical and untested
Their supply chain had single points of failure
Their remote work capabilities were inadequate
Their cash reserves couldn't handle a 60-day revenue disruption
The company survived, barely. But three board members resigned, and shareholder lawsuits alleged breach of fiduciary duty for inadequate risk oversight.
"A board that reviews risks but doesn't govern risk management is like a pilot who checks the instruments but never touches the controls. When turbulence hits, everyone goes down together."
Understanding COSO ERM: The Framework Boards Actually Need
The Committee of Sponsoring Organizations (COSO) Enterprise Risk Management framework isn't just another compliance checkbox. It's a comprehensive approach to integrating risk management with strategy and performance.
But here's what most boards miss: COSO ERM places the board at the center of risk governance, not as passive reviewers but as active governors.
The Five Components of COSO ERM (And What Boards Must Do for Each)
COSO ERM Component | Board's Critical Role | Common Board Failure | Impact of Failure |
|---|---|---|---|
Governance & Culture | Set risk appetite, establish tone at the top, oversee risk culture | Delegating everything to management without setting clear boundaries | Organization takes excessive risks or becomes paralyzed by risk aversion |
Strategy & Objective-Setting | Ensure risk considerations are integrated into strategic planning | Approving strategy without understanding associated risks | Strategic initiatives fail due to unmanaged risks |
Performance | Monitor how risks affect performance and objectives | Focusing only on financial metrics, ignoring operational and strategic risks | Blind spots lead to unexpected failures |
Review & Revision | Regularly assess and improve risk management capabilities | Annual rubber-stamp reviews with no meaningful change | Risk management becomes stale and ineffective |
Information, Communication & Reporting | Demand timely, relevant risk information in usable format | Accepting generic risk reports without asking tough questions | Board operates on incomplete or misleading information |
I learned this framework the hard way. In 2016, I watched a board approve a major acquisition because the financial projections looked attractive. They never asked about integration risks, cultural compatibility, or cybersecurity vulnerabilities.
Eighteen months later, the acquired company suffered a data breach that cost $34 million to remediate and destroyed most of the acquisition's projected value. The board chair told me privately: "We asked about financial risk. We never thought to ask about operational risk. That's on us."
The Board's Five Critical Responsibilities in ERM Governance
Through working with over 40 boards across different industries, I've identified five non-negotiable responsibilities that distinguish effective risk governance from theater.
1. Establishing Risk Appetite and Tolerance
This is where most boards fail spectacularly.
I once asked a board, "What's your risk appetite?" The CEO responded, "We're a growth company, so we have high risk appetite." That's not risk appetite—that's a platitude.
Real risk appetite is specific, measurable, and actionable. Here's a comparison:
Vague Statement (Useless) | Specific Risk Appetite (Useful) | How It Guides Decisions |
|---|---|---|
"We accept moderate risk" | "We will not pursue opportunities where potential loss exceeds 5% of annual EBITDA" | CFO can decline projects exceeding threshold without board approval |
"We prioritize customer data security" | "Zero tolerance for unencrypted customer PII; maximum 4-hour detection time for security incidents" | CISO has clear mandate and budget authority for necessary controls |
"We maintain adequate liquidity" | "Minimum 90-day cash reserves; debt-to-equity ratio not exceeding 2:1" | Treasurer has clear parameters for capital allocation |
"We ensure operational continuity" | "All critical systems must have tested failover with <4 hour RTO; annual BC/DR testing required" | Operations team has authority to invest in redundancy |
A financial services company I worked with implemented specific risk appetite statements in 2020. Within six months, decision-making accelerated dramatically because managers knew exactly what risks they could take without board approval and which required escalation.
Their CFO told me: "Before we defined risk appetite, every significant decision came to the board. We were a bottleneck. Now the organization moves fast within our guardrails, and we only see decisions that truly exceed our risk tolerance."
"Risk appetite without specificity is just wishful thinking. If your team can't make decisions based on your risk appetite statements, you haven't actually set risk appetite."
2. Overseeing Risk Culture (Not Just Risk Processes)
Here's a story that changed how I think about risk culture forever.
In 2018, I was consulting with a pharmaceutical company with impeccable risk management documentation. Their processes looked perfect on paper. But when I interviewed middle managers, I heard the same phrase repeatedly: "We know what the process says, but that's not how things actually work here."
The disconnect was stunning:
Official policy: "Report all quality concerns immediately"
Actual culture: "Don't bother leadership with problems unless they're critical"
Official policy: "Safety takes priority over timelines"
Actual culture: "Hit your deadlines or explain why to the CEO"
Six months later, quality issues in their manufacturing process led to a massive product recall, $340 million in losses, and an FDA warning letter.
The board was shocked. "We reviewed the risk management framework quarterly," the audit committee chair told me. "How did we miss this?"
They missed it because they were reviewing documents, not observing culture.
What Effective Boards Do to Oversee Risk Culture:
Traditional Approach | Culture-Focused Approach | What It Reveals |
|---|---|---|
Review incident reports | Ask: "What incidents aren't being reported and why?" | Fear of reporting, systemic issues |
Review training completion rates | Interview random employees about risk decision-making | Whether training translates to behavior |
Approve risk policies | Conduct anonymous surveys on pressure to cut corners | Real vs. stated priorities |
Meet with C-suite only | Meet with middle managers and frontline employees | Ground truth of organizational culture |
Focus on compliance metrics | Ask: "When was the last time someone was rewarded for raising a risk concern?" | Incentive alignment |
3. Integrating Risk into Strategic Decision-Making
I'll never forget sitting in a board meeting in 2019 where a company was considering entering a new international market. The business case projected $50 million in revenue within three years.
I asked: "What could prevent you from achieving this?"
Silence.
Finally, someone mentioned currency risk. Another mentioned regulatory complexity. But nobody had systematically evaluated:
Political stability risks
Corruption and compliance risks
Intellectual property protection risks
Supply chain and logistics risks
Cultural and operational risks
Cybersecurity and data sovereignty risks
They entered the market. Two years later, unexpected regulatory changes and IP theft cost them $18 million, and they exited with significant losses.
The Strategic Risk Integration Framework I Use with Boards:
For every strategic initiative, the board should demand answers to these questions:
Risk Category | Critical Questions | Decision Impact |
|---|---|---|
Strategic Risk | What assumptions must hold true? What if they don't? | Go/No-go decision |
Operational Risk | What execution capabilities are required? Do we have them? | Resource allocation |
Financial Risk | What's the capital at risk? What's our loss tolerance? | Investment sizing |
Compliance Risk | What regulatory requirements apply? What are penalties for violations? | Market selection |
Reputational Risk | What stakeholder reactions could occur? How would we respond? | Communication planning |
Technology Risk | What technology dependencies exist? What are our contingencies? | Architecture decisions |
A technology company I advised adopted this framework in 2021. They killed two strategic initiatives in planning stages because systematic risk evaluation revealed unacceptable risk-return profiles. They saved an estimated $12 million in losses by not pursuing those projects.
Their CEO told the board: "I wish we'd done this analysis on three initiatives we pursued in previous years. We would have saved ourselves a lot of pain."
4. Ensuring Adequate Resources for Risk Management
This is where boards often reveal their true priorities.
I've sat through countless board meetings where directors eloquently discuss the importance of risk management, then balk at funding requests for risk staff, technology, or training.
In 2020, a retail company's Chief Risk Officer requested $400,000 for supply chain risk management software. The board tabled the request, asking management to "make do with existing tools."
Eighteen months later, supply chain disruptions cost them $7.8 million in lost sales and expedited shipping costs. The board approved a $2.3 million emergency investment in supply chain technology and capabilities.
The board chair admitted to me: "We were penny-wise and pound-foolish. We thought we were being fiscally responsible. We were being negligent."
Board Resource Governance Framework:
Resource Category | Board Questions | Red Flags |
|---|---|---|
Risk Management Staffing | Does our risk team have adequate size and skills for our risk profile? | Risk staff hasn't grown while business complexity increased |
Technology & Tools | Can our risk team identify, assess, and monitor risks effectively with current tools? | Heavy manual processes, limited automation |
Training & Development | Are we building organizational risk management capability? | No risk training for non-risk staff; high turnover in risk roles |
External Expertise | Do we access specialized expertise for complex or emerging risks? | No external advisors; reliance solely on internal views |
Time & Attention | Does leadership have adequate time to devote to risk governance? | Risk management is "extra duty" for already-stretched leaders |
"A board that won't fund risk management is like a homeowner who won't pay for fire insurance because the house hasn't burned down yet. The logic seems sound until it's too late."
5. Monitoring and Challenging Management's Risk Reporting
This is where board expertise and courage matter most.
I worked with a board in 2021 where the CRO presented a polished quarterly risk report. Everything was color-coded, neatly categorized, and reassuring. The board thanked management and moved on.
I asked one director afterward: "Did you understand everything in that report?"
"Not really," he admitted. "But I didn't want to look stupid asking basic questions."
That's a catastrophic failure of board governance.
The Questions Effective Boards Ask:
Risk Reporting Element | Weak Board Question | Strong Board Question |
|---|---|---|
Risk Identification | "Have you identified all major risks?" | "What risks have emerged since last quarter? What risks are we NOT seeing?" |
Risk Assessment | "Are these ratings accurate?" | "Walk me through how you determined this severity. What would change the rating?" |
Risk Mitigation | "Are you managing these risks?" | "What specific actions have been taken? Show me evidence. What's not working?" |
Residual Risk | "Is residual risk acceptable?" | "What assumptions is that based on? What happens if those assumptions are wrong?" |
Emerging Risks | "Are there any new risks?" | "What trends in our industry, technology, or regulatory environment could create new risks?" |
Risk Velocity | "Are risks increasing or decreasing?" | "How quickly could this risk materialize? Do we have time to respond?" |
A healthcare board I worked with implemented a "naive questions" policy in 2022. Any director could ask any question, no matter how basic, without judgment. The policy unleashed previously silent concerns.
In the first meeting, a director with non-healthcare background asked: "I don't understand our cyber insurance coverage. If we had a ransomware attack tomorrow, what exactly would be covered?"
That question led to a six-week review that revealed significant gaps in coverage. They increased their cyber insurance from $10 million to $50 million and implemented additional controls to qualify for better rates.
The board chair told me: "That 'stupid' question potentially saved us from catastrophic uninsured losses. We should have been asking it for years."
The Board's Risk Governance Calendar: Making ERM Operational
Theory is useless without execution. Here's the annual risk governance calendar I've developed with multiple boards:
Quarter | Board Focus | Key Activities | Outputs |
|---|---|---|---|
Q1 | Risk Appetite Review | • Review and update risk appetite statements<br>• Assess whether risk appetite aligns with strategy<br>• Evaluate whether organization operated within appetite in previous year | • Updated risk appetite statement<br>• Appetite breach analysis<br>• Corrective actions for breaches |
Q2 | Strategic Risk Integration | • Review risks associated with strategic plan<br>• Evaluate major strategic initiatives through risk lens<br>• Assess emerging risks that could affect strategy | • Risk-adjusted strategic plan<br>• Initiative risk profiles<br>• Strategic risk register |
Q3 | Risk Culture & Capabilities | • Assess risk culture through surveys and interviews<br>• Review risk management capabilities and resources<br>• Evaluate effectiveness of risk training and awareness | • Risk culture assessment<br>• Capability gap analysis<br>• Resource allocation decisions |
Q4 | ERM Effectiveness Review | • Evaluate overall ERM program effectiveness<br>• Review major risk events and response effectiveness<br>• Assess board's own risk governance performance | • ERM effectiveness report<br>• Lessons learned documentation<br>• Board governance improvements |
Monthly | Risk Monitoring | • Review top 10 risks and changes<br>• Monitor key risk indicators<br>• Review significant risk events and near-misses | • Risk dashboard<br>• Incident reports<br>• Mitigation status updates |
Common Board ERM Governance Failures (And How to Avoid Them)
Let me share the most common failures I've witnessed, because recognizing them is the first step to avoiding them.
Failure #1: The Compliance Checkbox Mentality
A board I observed in 2020 spent 15 minutes reviewing their ERM framework document annually. They'd ask, "Do we have one?" Management would say yes. The board would check the box and move on.
That's not governance. That's theater.
The Fix: The board should spend at least 6-8 hours annually on risk governance across multiple meetings, diving deep into specific risk areas, challenging assumptions, and ensuring the ERM framework drives actual behavior.
Failure #2: Confusing Risk Management with Risk Avoidance
I worked with a board so focused on risk that they killed every innovative initiative. Their company stagnated while competitors innovated and captured market share.
After three years of declining performance, a shareholder activist forced board changes. The new board chair told me: "The previous board managed risk right into irrelevance. They protected the company from failure so well that they also protected it from success."
The Fix: Risk management is about making informed decisions about which risks to take, not avoiding all risk. Boards should ask: "What risks should we be taking more of?" just as often as "What risks should we reduce?"
Failure #3: Delegating Everything to the Audit Committee
Many boards assume risk governance is solely the audit committee's responsibility. This creates bottlenecks and signals that risk management isn't a board priority.
The Fix: While the audit committee often has primary oversight, all board committees should consider risk in their domains:
Committee | Risk Governance Responsibility |
|---|---|
Audit Committee | Financial reporting risk, compliance risk, internal controls, fraud risk |
Compensation Committee | Incentive risk, talent retention risk, equity compensation risk |
Governance/Nominating Committee | Board composition risk, succession risk, ESG risk, reputation risk |
Strategy/Investment Committee | Strategic risk, M&A risk, capital allocation risk, competitive risk |
Technology/Cyber Committee | Cybersecurity risk, technology obsolescence risk, digital transformation risk |
Failure #4: Accepting Management's Risk Framing Without Challenge
I watched a management team present a "low risk" acquisition to a board in 2018. The board approved it. Post-acquisition, cultural integration failures and hidden liabilities created $43 million in unexpected costs.
Why? The board accepted management's risk assessment without independent verification. Management had incentives to minimize perceived risk (their bonuses depended on completing acquisitions). The board's job was to challenge that assessment.
The Fix: For significant decisions, boards should:
Seek independent risk assessments
Use external advisors to validate management's analysis
Conduct pre-mortems: "Assume this failed. What went wrong?"
Require best/worst/most-likely case scenarios with associated probabilities
"Your job as a board isn't to accept management's risk assessment. It's to stress-test it until you're confident it reflects reality, not optimism."
Failure #5: No Consequences for Risk Management Failures
I've seen repeated situations where major risk events occurred because risk management processes weren't followed, and nobody faced consequences.
A manufacturing company ignored documented supply chain risks for three years. When predicted disruptions occurred costing $50+ million, nobody's compensation was affected. The message to the organization was clear: risk management is optional.
The Fix: Board oversight of risk management must include accountability mechanisms:
Risk Management Failure | Appropriate Board Response |
|---|---|
Repeated operation outside risk appetite | Executive compensation adjustment; capability review |
Failure to report significant risks to board | Performance management; process improvement |
Risk mitigation plans not executed | Resource reallocation; leadership changes |
Risk culture violations (e.g., retaliation for reporting) | Immediate investigation; zero tolerance enforcement |
Inadequate response to risk events | Post-incident review; accountability assessment |
Building Board Risk Governance Capabilities
Here's something controversial: most boards aren't equipped to govern risk effectively, and it's not their fault.
Many directors have deep expertise in finance, operations, or strategy, but limited training in risk management. They're expected to govern something they've never been taught.
The Board Risk Competency Framework
Based on my work with numerous boards, here are the competencies at least some board members should possess:
Competency | Why It Matters | How to Acquire |
|---|---|---|
Risk Framework Literacy | Understanding COSO ERM, ISO 31000, or other frameworks | Formal training; certifications (e.g., RIMS-CRMP) |
Risk Assessment Methods | Evaluating how risks are identified, assessed, prioritized | Workshops with risk professionals; case study analysis |
Industry-Specific Risks | Understanding risks unique to your sector | Industry conferences; peer board discussions |
Emerging Risk Awareness | Identifying risks that don't appear in historical data | Scenario planning exercises; futurist consultations |
Risk Culture Assessment | Recognizing healthy vs. dysfunctional risk culture | Culture surveys; ethnographic interviews; frontline engagement |
Risk Reporting Interpretation | Reading between the lines of risk dashboards | Training from risk professionals; comparative analysis |
A technology company board I worked with implemented a risk competency development program in 2021:
Quarterly deep-dive sessions with external experts on emerging risks
Annual board risk workshop with scenario planning exercises
Rotation of board members through risk committee assignments
Mandatory risk governance training for new directors
The board chair told me: "We used to avoid deep risk discussions because we didn't feel qualified. Now we're confident enough to ask tough questions and challenge management effectively."
Technology's Role in Board Risk Governance
I need to address a trend I'm seeing: boards overwhelmed by risk data yet starved for risk insights.
A board I consulted with in 2023 received a 147-page risk report quarterly. Nobody read it. Too much data, too little insight.
We rebuilt their risk reporting around what the board actually needed:
Traditional Risk Report vs. Board-Focused Risk Intelligence:
Traditional Approach | Board-Focused Approach | Impact |
|---|---|---|
147-page comprehensive risk report | 5-page executive summary with deep-dive appendices | Board actually reads and discusses report |
50+ risks tracked and reported | Top 10 risks with trend analysis | Focus on what matters most |
Heat maps with 200+ data points | Dynamic risk dashboard with drill-down capability | Real-time insight, not static snapshots |
Quarterly risk updates only | Real-time alerts for significant risk changes | Board learns about critical risks immediately |
Generic risk categories | Risks linked to specific strategic objectives | Clear connection between risk and strategy |
Backward-looking risk analysis | Forward-looking risk scenarios and simulations | Proactive rather than reactive governance |
Modern board portals and risk intelligence platforms enable this transformation. But technology is only valuable if it provides insight, not just information.
"The board doesn't need more data about risk. It needs better insight into which risks matter, why they matter, and what to do about them."
The Board's Role in Crisis: When Risk Becomes Reality
Theory matters, but crisis reveals truth.
In March 2020, I was advising three different boards when COVID-19 hit. The differences in how they responded revealed everything about their risk governance maturity.
Board A (Strong Risk Governance):
Had updated pandemic risk scenario in November 2019
Activated tested crisis management protocols within 48 hours
Board met weekly (virtually) to provide governance and support
Made decisive resource allocation decisions based on risk assessment
Company navigated crisis with minimal losses; emerged stronger
Board B (Weak Risk Governance):
Had pandemic on risk register but no specific preparations
Took three weeks to establish crisis response cadence
Board met but couldn't make timely decisions; deferred to management
Reacted to each development without strategic framework
Company survived but with significant damage and missed opportunities
Board C (Failed Risk Governance):
Pandemic risk never seriously discussed before crisis
Board fractured; some members pushed for aggressive cost-cutting, others for investment
No clear decision framework; management paralyzed by conflicting direction
Company required emergency financing and eventual sale
The difference wasn't intelligence or experience. It was whether the board had established risk governance practices before crisis struck.
Crisis Response Checklist for Boards:
✅ Can we convene the board within 24 hours if needed? ✅ Do we have tested crisis communication protocols? ✅ Have we pre-authorized management to make certain decisions without board approval during crisis? ✅ Do we have clear crisis escalation criteria defining what reaches the board? ✅ Have we identified scenarios where we'd need external expertise immediately? ✅ Do we have contingency plans for board members being unavailable? ✅ Have we tested our crisis decision-making process?
If you answered no to any of these, your risk governance has gaps that crisis will exploit.
Measuring Board Risk Governance Effectiveness
Here's an uncomfortable question: How do you know if your board's risk governance is effective?
Most boards don't measure their own governance performance. That's a mistake.
Board Risk Governance Self-Assessment Framework:
Dimension | Weak Performance | Strong Performance | Assessment Question |
|---|---|---|---|
Risk Appetite | Vague statements; not used in decisions | Specific, measurable; drives daily decisions | Do managers reference our risk appetite in decision-making? |
Risk Culture | Board unaware of actual culture | Board actively monitors and shapes culture | When did we last talk to frontline employees about risk? |
Strategic Integration | Strategy and risk managed separately | Risk central to strategic decisions | What strategic decisions did we make without risk analysis? |
Resource Allocation | Risk management chronically underfunded | Resources match risk profile | Have we rejected risk management funding requests? |
Board Engagement | Passive receipt of reports | Active questioning and challenge | How many tough questions did we ask this quarter? |
Competency Development | No systematic development | Ongoing learning and capability building | What did we learn about risk management this year? |
Crisis Preparedness | Untested plans; unclear processes | Tested, refined, ready to activate | When did we last test our crisis response? |
A financial services board I worked with implemented annual self-assessment in 2020. The first year's results were humbling—they scored themselves 4.2 out of 10 on average.
But they used that data to improve. They implemented quarterly risk deep dives, brought in external experts, tested crisis scenarios, and increased their risk governance time by 300%.
Three years later, their self-assessment score was 8.1, and more importantly, they successfully navigated two significant risk events that would have devastated them previously.
The Future of Board Risk Governance
As I look ahead, based on trends I'm seeing with forward-thinking boards:
Emerging Board Risk Governance Practices:
Integrated ESG and Enterprise Risk: Environmental, social, and governance risks are being integrated into ERM frameworks, not managed separately.
AI-Augmented Risk Intelligence: Boards are using AI to identify emerging risks, analyze scenarios, and predict risk evolution.
Continuous Risk Monitoring: Moving from quarterly risk reviews to real-time risk dashboards with alert mechanisms.
Stakeholder Risk Perspectives: Incorporating customer, employee, supplier, and community risk concerns into board deliberations.
Cyber Risk as Board Priority: Dedicated board cyber committees or cyber expertise requirements for all board members.
Your Board's Risk Governance Action Plan
If you're a board member or advising boards on risk governance, here's your 90-day action plan:
Days 1-30: Assess Current State
Review your board's risk governance practices against COSO ERM framework
Survey board members on risk governance effectiveness
Interview management about what risk information they need from the board
Evaluate your last four board meetings for time spent on risk vs. other topics
Days 31-60: Develop Improvements
Draft specific, measurable risk appetite statements
Design board risk governance calendar for the year
Identify risk competency gaps and development plan
Redesign risk reporting to focus on insight vs. data
Days 61-90: Implement Changes
Present risk governance enhancement plan to full board
Conduct first risk deep-dive session on top strategic risk
Establish board risk dashboard with real-time monitoring
Schedule risk governance effectiveness review in 6 months
A Final Reflection
I opened this article with a board that couldn't answer who was accountable for risk management. Let me tell you how that story ended.
After their $87 million supply chain disaster, that board completely overhauled their risk governance. They:
Established clear board accountability for risk oversight
Implemented specific risk appetite statements
Created a risk committee with monthly meetings
Required risk analysis for every strategic decision
Invested in risk management capabilities and technology
Three years later, when another supply chain disruption hit (this time a major supplier bankruptcy), they were ready. They had:
Identified the risk and developed contingency suppliers
Implemented early warning systems to detect supplier stress
Created response playbooks that activated immediately
Made decisive decisions that minimized impact
Total cost of the second disruption: $2.1 million—a fraction of the first event.
The board chair told me something I'll never forget: "The first disaster was expensive, but it taught us that risk governance isn't optional. It's the board's most important job. Everything else—strategy, performance, growth—depends on managing risk effectively."
"A board that excels at risk governance doesn't eliminate bad things from happening. It ensures that when they do happen, the organization survives, learns, and emerges stronger."
COSO ERM isn't a framework to implement and forget. It's a governance discipline that requires continuous board attention, learning, and improvement. Your organization's survival may depend on how well your board governs risk, not how well your managers manage it.
The question isn't whether your organization faces existential risks. It's whether your board is governing them effectively.
What will you do differently at your next board meeting?