Yesterday, 25th June 2025, I engaged with two different boards. The contrast was surgical.
The first board invited me to sit in as they reviewed a strategy I had recently facilitated. These are my favourite sessions: not just because they validate the rigour of the strategy work, but because they reveal the board’s true character. You see the interplay where the Chair manages dissent without silencing, members reveal personal bets masked as fiduciary concern, and decisions are shaped by legacy, not minutes. It worked. The Chair steered with firmness and grace. They knew where the board added value, and more importantly, where to stay out of management’s lane.
The second board was different. They were reviewing their risk policy. I was there to help them link risk appetite to enterprise threats. But from the moment the audit committee chair started reading clauses line by line, like a compliance priest reciting a ritual, I knew this would not end well. There was no conversation, just correction. No strategic foresight, just policy recital. The elephant sat there: risk was being treated like a regulatory filing, not an enabler of strategy.
This is the rot. Audit committees, once designed to safeguard integrity, are now the weakest link in board foresight. They obsess over audit findings from last quarter, blind to the volatility of what is ahead. In the insurance sector, this is suicidal. One CEO recently confessed: “Our audit committee spends 90 percent of its time discussing resolved issues and 10 percent reviewing the risk dashboard, with zero understanding of exposure interdependencies.” That is like driving while looking in the rear-view mirror.
Here is the shift required: dissolve the legacy audit committee. Build a Risk and Resilience Committee instead. One that can map exposure to climate-adjusted actuarial risks. One that understands how algorithmic underwriting shifts capital adequacy. One that rehearses black swan events not as theory, but as existential threats. And one that has members who are not just ‘financially literate’, but strategically paranoid.
The 3-Lens Risk Grid
- Risk Velocity: How fast can this destroy us?
- Risk Interdependence: What else breaks if this breaks?
- Risk Ownership: Who is awake at the switch?
Table 1: 3-Lens risk grid

| Lens | Description | Diagnostic questions | Best practices | Why it matters |
|---|---|---|---|---|
| 1. Risk Velocity: “How fast can this destroy us?” | Assesses the speed of risk materialisation and impact. Fast-moving risks (e.g., cyber, regulatory, social media) outpace traditional response frameworks. | a) If this risk hits today, how soon before impact? b) Are we faster at detecting and responding than the risk is at evolving? c) What is our maximum tolerable response time? | a) Deploy real-time Early Warning Indicators (EWIs). b) Run quarterly simulations (e.g., ransomware, whistleblower crisis). c) Tie executive KPIs to response time-to-containment. | a) Helps boards distinguish urgent vs important risks. b) Enables pre-emptive action instead of post-incident spin. c) Drives investment in response agility and board readiness. |
| 2. Risk Interdependence: “What else breaks if this breaks?” | Evaluates cascading effects and systemic vulnerabilities. Most major failures are not from a single point, but from chain reactions. | a) What is the chain of impact if this risk materialises? b) What upstream/downstream functions depend on this process or partner? c) Are we considering both digital and physical interdependencies? | a) Apply bowtie analysis and causal loop diagrams. b) Integrate third-party risk into your ERM model. c) Conduct full-spectrum stress testing (across functions, not in silos). | a) Exposes hidden fragilities in operations and value chains. b) Helps prevent domino failures that overwhelm crisis teams. c) Enables resilient-by-design decision-making. |
| 3. Risk Ownership: “Who is awake at the switch?” | Clarifies who is accountable, empowered, and actively monitoring the risk, not just in theory, but in daily practice. | a) Who is named as the risk owner? b) Do they have the data, authority, and resources to act? c) Who on the board challenges their assumptions? | a) Maintain a RACI map for all Tier 1 and Tier 2 risks. b) Include risk stewardship in performance reviews. c) Schedule quarterly board–risk owner deep dives. | a) Eliminates “everyone was responsible” failures. b) Ensures named individuals are truly accountable. c) Builds a culture of responsibility, not avoidance. |
The board’s role is not to audit the past. It is to confront the future. Audit committees belong to a world that no longer exists. Governance now needs risk intelligence, not checkbox compliance. The organisations that survive will be those whose boards dare to bury sacred cows before the market does it for them.
I remain, Mr Strategy