Protiviti’s Jim DeLoach offers 14 principles on risk oversight that you probably haven’t heard before — and even if you have, now’s a good time to review them.
Last month, I shared 14 risk principles that you’ve probably heard before. Here are 14 more; these, you may not have heard before. Even if you have heard them, I hope they stimulate your thinking.
No matter what you think about your risk reporting, it can be improved
If leaders are drowning in data with little knowledge or insight, it is easy to assume that risk reporting needs improvement. But in the digital age, risk reporting is a process that should be continuously improved as the needs of executives and directors evolve. Real-time data integration and AI-powered data analytics enable continuous risk monitoring by merging information from multiple systems and sources, both external and internal. Interactive dashboards make risk data more transparent for leaders. Automation streamlines data collection and reporting, reducing manual errors, saving time and ensuring timely risk reports for decision-makers and stakeholders. Digital tools make it an imperative to keep risk reporting fresh and informative on an ongoing basis.
Embed risk management processes into the rhythm of the business
A process for reporting risks upstream, including all the way to the boardroom, is important. But it is just as critical to integrate capabilities for identifying, assessing, mitigating and reporting risks within the business itself consistent with how it is run and managed. Otherwise, these enterprise risk management (ERM) capabilities, which are intended to inform decision-making, remain a mere appendage to the core management processes that matter.
Board the digital train or be left at the station
Digital transformation is the big game in town. Every function of the business is embracing digital innovation to improve quality, time and cost performance. But is risk management keeping up? If risk managers still devote hours preparing manual reports and presentations and decision-makers lack real-time risk information, it is just a matter of time before the relevancy of risk management is called into question.
ERM should harness the organization’s collective expertise
Risk management works best when diverse perspectives — including those from managers in customer service, production and procurement — inform strategic decisions. Annual Protiviti and NC State University ERM surveys over the past 14 years show that the risk perspectives of C-level executives and directors differ. Thus, broad involvement ensures risk responses are grounded in practical experience. Even in the digital age, collaboration and varied viewpoints remain essential for robust risk discussions and monitoring. The bottom line: What gets discussed gets understood.
Just because something hasn’t happened to us doesn’t mean it can’t
It is human nature to assume a bad thing won’t happen to us, but readiness requires asking, “What if it does?” For example, cyberattacks, natural disasters or supply chain breakdowns may seem unlikely — until they happen. The reality is this: Those who are unprepared often face the most severe consequences.
Focusing solely on risk without considering opportunity reduces access to senior leaders
How many senior executives and directors can name a chief risk officer who has advised them that the organization is too risk averse? In the digital age, not enough. For sure, risk is important. But few will admit that discussions of risk without linkage to opportunity earn only a limited attention span from senior leaders focused on transforming the business, achieving top-line growth and improving margins. An exception might be when the risk discussion provides fresh insights and decision-making options on significant threats that leaders didn’t previously understand. Otherwise, a narrow focus on risk can be seen as setting boundaries around opportunity-seeking behavior, i.e., risk as a constraint. In reality, it can be, and in some cases it should be. But opportunity is the language of growth, a priority in most C-suites and boardrooms. The point is clear: Discussions of risk linked with opportunity, and vice versa, are more interesting to senior leaders.
Establish balanced incentives to drive behavior
Incentives underpin behavior, decision-making and overall organizational culture. Properly designed, they can drive individuals and teams to prioritize risk awareness, compliance and proactive management of potential threats. Conversely, poorly designed incentives may lead to reckless risk-taking, as seen during the 2007-08 financial crisis. By designing incentive structures to enhance accountability, promote collaboration and sharpen the focus on risk, organizations can improve their ability to mitigate risks as they pursue their objectives. Effective incentive systems balance entrepreneurial opportunity-seeking with a sound control structure so that neither one is too disproportionately strong relative to the other.
Focusing on agility and resilience transforms how one thinks about risk management
In today’s markets, flexibility and the ability to pivot are crucial. All risks are important, but some can be existential in disruptive markets. In the 2007-08 financial crisis, institutions that tested asset values in selected markets were able to identify a steep decline in housing prices across the US before it became common knowledge. They got a head start of as much as 14 months in reducing their exposure, a time advantage that made a huge difference. Early movers that exit an obsolete strategy generally end up in a better position than those that wait.
If you just keep a list, you’re not managing risk
Periodic risk assessments generate lists of risks. If nothing is done beyond the assessment itself, the organization is practicing what I call “enterprise list management,” not enterprise risk management. Management needs to incorporate actionable steps in the business plan to address the priority risks and establish accountability for their timely execution.
Agree at the top when to play it safe and when to roll the dice
Discussions at the top of the organization about risk appetite, i.e., how much risk it is prepared to accept in pursuing its objectives, are foundational for aligning risk-taking with its strategy, culture and values. This is not a mere documentation exercise. Used effectively, the risk appetite dialogue ensures managers understand the risk/benefit trade-offs, determined at the top, that frame the boundaries within which decisions are made. That understanding is a critical prerequisite for actionable decision-making and for allocating capital and resources to the initiatives that best match the organization’s capacity for risk. As a strategic tool and guiding framework, it transforms second-line risk functions from perceived obstacles into valued partners in safely pursuing opportunities. In its absence, decision-making processes can become ad hoc, directionless, inconsistent and slower across the business.
High-quality decisions should be made at market speed
Risk oversight drives decisions, and the speed of business dictates the speed of oversight. To that end, decision quality is not enough. Many large companies make high-quality decisions but make them slowly. Fast decision-making means simplifying processes, avoiding excessive structure, minimizing overplanning, prioritizing customers, accepting calculated risks and valuing feedback. Most choices can be made with around 70% of the desired information; waiting for more often delays progress. Leaders should adjust as needed and address misalignment promptly.
Every action has a reaction; watch out for unintended consequences
Thoughtful decision-makers consider the potential for unintended consequences when formulating strategy and planning risk responses. Companies operate in interconnected environments in which actions in one area may ripple across others. These cascading effects can lead to financial loss, reputational damage, regulatory penalties or operational disruptions. Examples include layoffs affecting culture and morale, or technology upgrades increasing security risks. Proactively planning for these outcomes enables better choices and preparedness.
The best risk discussions may be the ones taking place informally
Within a culture of collaboration, transparency and open dialogue, spontaneous daily exchanges between functional and unit leaders about the impact of their planning, execution and response decisions are the ideal time and place for addressing risk all across the organization. This kind of risk awareness and savviness reflects a culture where everyone shares responsibility for managing risk. If these conversations occur naturally across the company, they can be as influential as scheduled formal discussions in the C-suite and boardroom.
There is a cost to ignoring risk
Every decision carries inherent risks. Organizations have a risk appetite whether they choose to acknowledge it explicitly or not. Integrating risk into decision-making is crucial for pursuing growth responsibly. Failing to identify or address risks can lead to greater costs over the long run, including financial losses, reputation damage and missed opportunities for innovation.
Perseverance, diligence and strategic thinking are key to understanding and managing organizational risks. As expressed in the saying, “The best view comes after the hardest climb,” effective risk oversight is challenging but leads to valuable insights for better decisions and resilience. Ultimately, strong risk management helps organizations achieve their goals amid uncertainty.
To that end, I hope the risk oversight truisms I have shared above and in my previous article offer some useful ideas and pathways for elevating the effectiveness of ERM and risk oversight. While I am sure there are others, I am confident the ones I have suggested offer sufficient food for thought.
Jim DeLoach, a founding 