Author: Tim Leech, FCPA, FCA, Mission-Critical/Objective-Centric Risk & Assurance (#MORA) Pioneer/Trainer/Board Advisor. Managing Director, Risk Oversight Solutions, Oakville, Ontario, Canada.

A persistent flaw in corporate governance globally is not a lack of risk frameworks, models, or data. It is something more fundamental: most organizations do not explicitly anchor risk assessment and reporting to their most important objectives.

Both ISO 31000 and COSO ERM define risk as the effect of uncertainty on objectives. Yet in practice, risk is commonly managed through risk registers, heat maps, and control assessments that are largely disconnected from the objectives that matter most to sustained success. This disconnect creates an illusion of oversight while obscuring what boards and executives most need to see.

Mission Critical Governance starts by correcting that misalignment.

At its core is the concept of Mission Critical Objectives (MCOs)—the small number of strategic and value preservation objectives that are essential to an organization’s long-term success. These typically include objectives such as maintaining financial integrity, ensuring regulatory compliance in high-risk areas, protecting reputation, and delivering on core strategic commitments.

If risk is the effect of uncertainty on objectives, then the logical starting point for governance is not a list of risks—it is clarity on MCOs.

Once MCOs are defined, risk assessment becomes more meaningful and decision-useful. Instead of asking, “What are our top risks?”, organizations ask:
“What is the level of uncertainty associated with achieving each mission critical objective?”

This shift has profound implications.

First, it enables prioritization. Not all risks are equal—only those that could materially impact mission critical objectives warrant board-level attention. Second, it improves clarity. Boards and executives can see, in a structured way, whether uncertainty related to each MCO is acceptable or requires intervention. Third, it strengthens accountability. Each MCO has a clear owner responsible for both performance and the management of uncertainty.

However, a significant behavioural barrier stands in the way of this approach. In many organizations, an implicit dynamic exists that can be described as a “Don’t Tell / Don’t Ask” governance syndrome. Management may be reluctant to provide clear, candid assessments of uncertainty linked to mission critical objectives. Boards, in turn, often do not explicitly request this information. The result is a cycle of partial transparency and misplaced assurance.

Breaking this cycle requires a redefinition of board purpose.

If boards are to fulfill their fiduciary duty of care, their purpose must explicitly include overseeing performance and uncertainty related to mission critical objectives. This, in turn, requires regular, reliable reporting that integrates both dimensions.

A practical way forward is to implement concise, objective-centric reporting for each MCO. Such reporting should include:

This type of reporting transforms governance from backward-looking compliance to forward-looking stewardship.

The transition to Mission Critical Governance does not require abandoning existing frameworks. Rather, it requires realigning them. Risk registers, assurance activities, and internal audit should all be refocused to support insight into the achievement of mission critical objectives.

In a world of increasing complexity and uncertainty, governance systems that are not anchored to what matters most will continue to fall short. The question for boards and executives is not whether they manage risk—but whether they are managing it in a way that truly protects and enables the objectives that define success.