Boards, CEOs, and risk leaders face one pivotal question:
Are your oversight systems focused on mission-critical objectives — or still trapped in risk lists, control checklists, and compliance rituals?
In this fireside chat, governance, risk, and assurance thought leader Tim J. Leech joins the Good Governance Academy to discuss the ideas behind his new book, Mission-Critical Governance: Focusing on What Matters Most.
The conversation will explore why traditional governance, risk, internal audit, and assurance models often fail to give boards the information they truly need: reliable insight into whether the organisation’s most important objectives are being achieved, and whether uncertainty around those objectives remains acceptable.
Drawing on decades of advisory work with boards, executives, risk leaders, and internal auditors, Tim will unpack how Mission-Critical Objective-Centric Risk & Assurance and Purpose-Driven Governance can help organisations move beyond risk lists and control checklists — and towards governance that is anchored in purpose, performance, accountability, and confidence.
Mission-Critical Governance: Focusing on What Matters Most challenges a central weakness in modern governance: boards are often surrounded by reports, dashboards, risk registers, audit findings, and control updates, yet still lack clear, reliable information on whether the organisation’s mission-critical objectives are on track.
The book argues that governance has too often become a compliance ritual rather than a true compass for purpose. In its opening chapters, it describes how boards can become detached from the very purpose that legitimises their existence, creating what Tim Leech calls the Purpose Void.
At the heart of the book is a shift from traditional risk management to objective-centric oversight. Rather than asking only, “What are our top risks?” boards should be asking:
What are our mission-critical objectives, what uncertainty surrounds them, and do we have reliable assurance that they are being achieved within acceptable levels of risk?
Tim J. Leech is a governance, risk, assurance, and internal audit thought leader whose work focuses on helping boards and executive teams strengthen oversight systems around what matters most.
He is the Founder and Managing Director of Risk Oversight Solutions and is known for his work on Mission-Critical Objective-Centric Risk & Assurance and Purpose-Driven Governance — frameworks designed to shift organisations away from traditional risk lists and control deficiency reporting, and towards achieving mission-critical objectives with acceptable uncertainty.
Earlier in his career, Tim built and sold a niche GRC software company and has delivered advisory and training engagements for thousands of leading organisations worldwide, including major multinational companies, financial institutions, and government agencies.
In the approach we promote, a Strategy and Value Oversight Committee plays the lead role in deciding what is “mission critical.” These may, or may not, include ESG-type objectives. In the training we offer facilitators, we encourage them to ask whether the company has any ESG objectives that rank as mission critical.
I make it clear in the author notes how AI was used in the writing of my book, including the version or versions used in research, drafting, and editing. I reviewed every word in the book and take sole responsibility for the content.
It is the board’s job to decide who the CEO and CFO should be. A key question is whether boards acknowledge responsibility for overseeing entity purpose and supporting mission-critical objectives, including overseeing risk and uncertainty linked to those objectives.
A main focus in my book is what I have labelled Don’t Tell/Don’t Ask Governance Syndrome. CEOs often do not want to report on risk linked to mission-critical objectives, and boards often do not ask. There are many reasons why this is true, which are covered in my book.
Each country has evolved what is mainly an implied purpose of the board. It is implied by the things boards are expected to do. This can be found in incorporation statutes, specific laws and regulations, and common law.
In the United States, the Delaware Chancery Court is a primary source of current legal expectations of boards. That court has made it clear that boards should oversee risk linked to “mission-critical” objectives.
Expert legal advice should be sought in each country regarding the board’s fiduciary duty of care generally, and more specifically, its fiduciary duty of care to oversee risk linked to mission-critical objectives.
The biggest blind spot by far is that most boards do not ask CEOs, CROs, or CAEs for reports on risk linked to mission-critical objectives.
We dedicate a full module to this in our certificate course in Mission-Critical Objective-Centric Risk & Assurance Management, also known as c-MORA.
Details on that training can be found here:
https://criskacademy.teachable.com/p/cmora?affcode=105582_xchhpp7n
My view is that the board’s focus should be on mission-critical objectives. These will include a mix of short- and longer-term objectives.
We recommend that a management-led Strategy and Value Oversight Committee proposes what it believes are the company’s mission-critical objectives. These should then be presented to the board for review and endorsement.
Board purpose is generally not stated. It is implied by the activities boards perform, as specified in laws, regulations, director governance codes, and director institutes.
I used AI to look for boards of public companies in major countries around the world that disclose what they see as the board’s purpose. It came back with very few examples. I have asked readers in my posts to provide a link to any company they are aware of that has a board which has disclosed its purpose. So far, there have been no takers.
Major changes are needed in current governance and assurance models to meet the needs of shareholders and broader stakeholders.
AI analysis confirms that current governance practices have serious, even gaping, flaws that nobody appears to want to address. These are covered in my book.
I do not think it is a “misconception.” I have labelled it Don’t Tell/Don’t Ask Governance Syndrome.
CEOs do not want to report on risk linked to mission-critical objectives, and boards do not ask. Chapters 1 and 2 of my new book cover this, and subsequent chapters expand on how costly Don’t Tell/Don’t Ask Governance Syndrome is.
Over my forty-plus years working with companies around the world, many CROs, CAEs, and board directors have agreed with the core philosophies in the Mission-Critical Governance approach we promote.
You can see a list of companies I have done training, advisory, enterprise risk, and assurance software work for here:
https://riskoversightsolutions.com/about-us/
In the majority of these companies, the biggest barrier sponsors of positive change confronted was the fact that few boards had defined purpose in a way that included oversight of risk linked to mission-critical objectives. Most also had CEOs who did not want the state of risk linked to mission-critical objectives disclosed to the board.
SVG Capital, a FTSE 250-listed private equity company in the UK, was a very prominent exception. There is a four-year case study on it in the resources section of our website:
https://riskoversightsolutions.com/resources-2/
They need to take the time to agree on the board’s purpose. There is a whole chapter in my book dedicated to how to work with a board to get agreement on board purpose.
They need to start by agreeing on the purpose of the board. This does not mean listing the things the board will do, but rather defining why the board exists. Few companies today have taken that step.
The short answer is that the “implied purpose” of boards does vary, but few have articulated in writing what it is. In my experience, boards often struggle a lot when asked to define, with much clarity, what the board’s purpose is.
It can start by asking AI what AI believes the purpose of a board of a specific entity in a specific country should be in order to better serve the needs of shareholders and broader stakeholders.
I doubt very much that the answer will be what most boards do today.
Some powerful institutional investors have been calling on boards to better oversee the purpose of the entity they oversee, as well as the objectives key to long-term success.
However, none that I am aware of have been calling for the major governance changes needed to drive real change. Some do drive change by replacing the current CEO with a CEO loyal to powerful investors and one willing to share the real state of risk with the board.
Your question goes to the main subject my book addresses, step by step.
You can review the Table of Contents on the book’s launch site here:
https://www.routledge.com/Mission-Critical-Governance-Focusing-on-What-Matters-Most/Leech/p/book/9781041166658
Link to the policy: GGA Privacy Policy 2021
The Good Governance Academy (“GGA”) strives for transparency and trust when it comes to protecting your privacy and we aim to clearly explain how we collect and process your information.
It’s important to us that you should enjoy using our products, services and website(s) without compromising your privacy in any way. The policy outlines how we collect and use different types of personal and behavioural information, and the reasons for doing so. You have the right to access, change or delete your personal information at any time and you can find out more about this and your rights by contacting the GGA, clicking on the “CONTACT” menu item or using the details at the bottom of the page.
The policy applies to “users” (or “you”) of the GGA website(s) or any GGA product or service; that is anyone attending, registering or interacting with any product or service from the GGA. This includes event attendees, participants, registrants, website users, app users and the like.
Our policies are updated from time-to-time. Please refer back regularly to keep yourself updated.