High-profile risk management failures have continued to attract regulatory and investor scrutiny, with boards of directors increasingly in the spotlight. While operational losses and reputational damage have historically been tied to management decisions, oversight bodies are now more frequently called to account for shortcomings in governance.
Investments in risk management capabilities have grown significantly across sectors. Yet despite these efforts, recent incidents suggest that many organisations still face fundamental challenges in board-level risk oversight. Against this backdrop, Mark Sexton, Senior Managing Director at FTI Consulting, shared his insights on what boards must do to meet rising expectations.
The increasing spotlight on risk governance has brought boardroom practices into sharper focus. Sexton said that while management actions remain central to operational failures, boards are now being called out more often for oversight lapses.
"Boards of directors are increasingly being cited for significant risk governance failures," Sexton said.
Substantial resources have been committed to improving organisational risk structures in recent years. Sexton pointed to key developments aimed at strengthening governance frameworks across sectors.
"Substantial investments have been made in risk functions, including standing up dedicated risk committees (‘RiskCos’), developing risk appetite statements, improving reporting and requiring board members to undergo mandatory risk-specific training," he said. While the financial services sector has traditionally led these efforts, "comparable practices are emerging in other industries."
Despite these steps, many boards still fail to deliver robust oversight. Sexton highlighted common themes that emerge repeatedly in governance breakdowns.
"Each governance failure is unique, but several themes appear consistently, including a lack of focus on top risks, skill gaps and low-quality management information," he said.
Risk reporting itself remains a challenge. Boards often receive extensive data that may not adequately prioritise what demands immediate attention. Sexton said boards should take a more active role in improving the quality and focus of reporting.
"Boards should insist on a high-quality executive summary that explains the most critical items requiring board attention in the context of the current market," he said.
Maintaining a current view of the company's risk exposure is crucial. Sexton said that beyond detailed metrics, reporting should show how risk profiles are evolving in response to both internal changes and external pressures.
"Boards should confirm that risk reporting provides timely coverage of changes from both internal and external risk drivers," he said.
Sexton outlined the internal factors boards must watch, including "changes to products, services or geographic footprint," "rapid growth that creates new, large exposures" and "key person turnover or increased turnover across the firm." External factors, he said, include "macroeconomic shocks," "legal, regulatory or political environment" and "disruptive technologies."
Active challenge remains a core responsibility of boards. Sexton warned against simply accepting management's views without probing further into risk assumptions and mitigation efforts.
"Boards should challenge management’s understanding of these factors and the risk-mitigating steps taken in response," he said. "It’s critical to document board review and challenge in meeting minutes."
On current reporting practices, Sexton observed that most RiskCos still rely on lengthy documentation and presentations from the chief risk officer (CRO). He said that while these packages are detailed, executive summaries must be sharper and more strategic.
"The executive summary should highlight key information, including adherence to the firm’s risk appetite, top and emerging risks and notable trends in these areas," he said.
Boards must also take ownership of their informational needs. Sexton said too many boards assume that RiskCo reporting is exhaustive without independently assessing its sufficiency.
"The board must identify gaps or deficiencies in the reporting given significant changes in the internal or external environment," he said. "Are there any blind spots? Is there bias in management’s perspective?"
In reinforcing board independence, Sexton said audit committees should work closely with risk management teams. Coordination across committees, he added, is key to ensuring risk issues are fully captured and addressed.
"The board should ensure the audit committee’s activities and outcomes are aligned with the risk management function," he said. "The annual audit plan provides appropriate coverage of risk management, and multiyear plans provide comprehensive coverage."
Looking ahead, Sexton concluded that rising expectations from investors and regulators would continue to shape boardroom responsibilities around risk.
"Boards must ensure they provide diligent oversight and effective challenge of risk management," he said. "Boards must demonstrate a thorough understanding of the organisation’s risk profile, which entails acquiring relevant knowledge, or bringing in outside experts on specific topics."