The Board's Critical Role in Risk Governance: From Oversight to System Control
Most Boards Are Looking at Risk the Wrong Way
Most boards believe risk governance is about reports, dashboards and oversight. It isn't. Effective boards govern whether risk remains visible, escalation remains possible, and action occurs before harm. Risk governance is ultimately a system-control function.
Dr Alwin Tan, GAICD, MBBS, FRACS, EMBA (Melbourne Business School)
Senior Surgeon | Governance Leader | HealthTech Co-founder
Harvard Medical School — AI in Healthcare
Australian Institute of Company Directors — GAICD graduate
University of Oxford — Sustainable Enterprise
Institute for Systems Integrity (ISI)
There is a comforting belief in governance:
If the board approves a risk appetite statement, reviews dashboards, receives assurance reports, and monitors compliance, then risk is being governed.
It isn't.
In reality, many organisations that suffer catastrophic failures have all of these things.
The frameworks existed.
The reports existed.
The committees existed.
The dashboards were green.
The board was receiving information.
And yet the organisation still failed.
Why?
Because risk governance is not a reporting function.
It is a system control function.
The purpose of risk governance is not to tell the board what happened.
The purpose of risk governance is to ensure the organisation cannot ignore danger before failure occurs.
That is a fundamentally different responsibility.
And one that many boards still misunderstand.
The Great Governance Illusion
Most governance systems are built around visibility.
Boards approve risk frameworks.
Management prepares reports.
Committees review metrics.
Auditors provide assurance.
Risk registers are updated.
The assumption is simple:
If we can see risk, we can govern it.
But history repeatedly demonstrates that this assumption is false.
The organisations involved in major governance failures rarely lacked information.
They lacked action.
The risk was known.
The signal existed.
The warning was available.
The organisation simply failed to respond.
The Challenger disaster.
The Global Financial Crisis.
The Boeing 737 MAX failures.
Major healthcare scandals.
Corporate misconduct inquiries.
Again and again, the same pattern emerges.
The problem was not ignorance.
The problem was organisational inability to act on what was already known.
The failure was not informational.
The failure was systemic.
Boards Do Not Govern Risk. They Govern the Conditions Under Which Risk Can Be Ignored.
This distinction changes everything.
Traditional governance asks:
"What are our risks?"
Effective governance asks:
"How could this organisation become capable of knowing about a risk and still fail to act?"
That is the real governance question.
Because risk does not become dangerous when it appears.
Risk becomes dangerous when warning signals stop changing decisions.
When that happens, governance has already failed.
Long before the incident occurs.
Long before regulators arrive.
Long before the board receives the final report.
Risk Governance Is Really a Signal Integrity System
Every organisation operates through signals.
Complaints.
Near misses.
Staff concerns.
Customer feedback.
Operational anomalies.
Financial trends.
Clinical incidents.
Cyber alerts.
Whistleblower reports.
These signals are the organisation's early warning system.
Yet most boards spend remarkably little time asking whether these signals remain intact as they travel upward.
Instead they focus on the outputs.
The reports.
The dashboards.
The summaries.
The presentations.
But reports are not reality.
Reports are interpretations of reality.
And every interpretation creates opportunities for distortion.
Bad news can be softened.
Patterns can be normalised.
Escalations can be delayed.
Concerns can be filtered.
Reality can be translated into something more comfortable.
By the time the board sees the signal, the signal may no longer be true.
This is why governance is fundamentally a signal integrity challenge.
The board's responsibility is not simply to receive information.
It is to ensure information remains truthful as it moves through the system.
The Four Layers of Risk Governance
Most governance models stop at oversight.
They should not.
Effective risk governance operates across four interconnected layers.
Layer 1: Design
This is what the organisation intends.
Risk appetite.
Risk tolerance.
Policies.
Frameworks.
Governance structures.
Decision rights.
This layer defines the rules.
But rules do not create behaviour.
Many failed organisations had excellent frameworks.
Design alone is never sufficient.
Layer 2: Oversight
This is what the board sees.
Reports.
Dashboards.
Assurance activities.
Committees.
Monitoring systems.
This layer creates visibility.
But visibility does not guarantee understanding.
And understanding does not guarantee action.
Layer 3: Reality
This is what actually happens.
Where staff decide whether to speak up.
Where managers decide whether to escalate.
Where cultural norms determine whether uncomfortable truths travel upward.
Where pressure tests the system.
This is where governance succeeds.
Or fails.
Most governance failures occur here.
Not because frameworks were absent.
But because reality diverged from what governance believed was happening.
Layer 4: Adaptation
This is the most neglected governance layer.
Can the organisation learn?
Can it detect emerging threats?
Can it change behaviour when assumptions become invalid?
Can it adapt before crisis forces adaptation upon it?
Boards that cannot answer these questions are governing a static system inside a dynamic world.
And dynamic worlds always win.
The Six Domains Boards Must Control
The board's role extends beyond oversight into six critical domains.
1. Risk Oversight and Accountability
Ensuring management systems function as intended.
2. Risk Appetite and Boundaries
Defining what the organisation will and will not tolerate.
3. Decision Integrity
Ensuring risk appetite actually influences decisions.
4. Emerging Risk Detection
Identifying threats before they appear in dashboards.
5. Crisis Readiness
Testing whether governance works under stress.
6. Culture and Escalation
Ensuring truth can travel upward without fear.
This final domain may be the most important of all.
Because every governance system ultimately depends on people telling the truth.
The Most Dangerous Organisations Are Not Blind
They are organisations that can see risk and still fail to act.
They know.
But they normalise.
They observe.
But they delay.
They recognise.
But they rationalise.
The danger is not ignorance.
The danger is organisational desensitisation.
The gradual conversion of warning signals into background noise.
When that occurs, governance becomes performative.
The structures remain.
The controls remain.
The reports continue.
But the system has stopped learning.
And failure becomes a matter of timing.
Not possibility.
The Questions Every Board Should Be Asking
Most boards ask:
Are we compliant?
Are our KPIs on target?
Are risks being managed?
These are necessary questions.
But they are not sufficient.
The better questions are:
What truths might not be reaching us?
Where could signals be getting filtered?
Which risks are becoming normalised?
What only becomes visible during crisis?
Where would staff hesitate to speak up?
How would we know if management was wrong?
Are we seeing reality early enough?
These questions move governance from oversight to control.
From reporting to learning.
From compliance to resilience.
Conclusion
Boards do not govern risk by approving frameworks.
They do not govern risk by reviewing reports.
They do not govern risk by signing policies.
They govern risk by ensuring that danger remains visible, escalation remains possible, and action remains timely.
Risk governance is not about controlling risk.
Risk governance is about ensuring the organisation cannot become comfortable ignoring it.
Because organisations rarely fail from a lack of information.
They fail when the truth arrives too late.
And by then, governance is no longer prevention.
It is post-mortem analysis.