Author: Tim Leech FCPA FCA Mission-Critical/Objective-Centric Risk & Assurance (#MORA) Pioneer/Trainer/Board Advisor. Managing Director Risk Oversight Solutions Oakville, Ontario, Canada.
Most organizations don’t suffer from a lack of risk data. They suffer from a lack of focus on what actually matters.
A Mission Critical Objectives (MCO) Register fixes that problem—but only if it is built with discipline and jointly owned by senior management and the board. This is not a documentation exercise. It is a governance reset.
Start Where Most Organizations Don’t: Board Purpose
Before identifying MCOs, one question must be answered: What outcomes is the board responsible for overseeing? In many organizations, this is vague or implicit. The result is predictable—long risk lists, scattered priorities, and limited line of sight to what truly drives success or failure. Senior management and the board must align on a small number of mission critical outcomes—typically 10-15 —that define sustained success. These should span both value creation and value preservation: financial performance, regulatory compliance in high-consequence areas, reputation, safety, and delivery of core strategy.
If everything is important, nothing is.
Apply a Hard Filter: What Is Truly Mission Critical?
Most first drafts of “key objectives” are too long. They need to be cut. An objective qualifies as mission critical only if failure would materially damage the organization’s viability, reputation, or long-term performance—and if the board would reasonably be expected to oversee it as part of its duty of care. This filter is where discipline is established—or lost.
Assign Ownership and Define Success—Precisely
Each MCO must have a named executive owner accountable for both performance and uncertainty. Equally critical is defining success in concrete terms: targets, timeframes, and key assumptions. Without this, assessing risk—the effect of uncertainty on objectives—quickly becomes subjective and inconsistent. Clarity here determines whether the register becomes a decision tool or just another report.
Shift the Focus: From Performance to Uncertainty
Most reporting is backward-looking. Governance requires a forward-looking view. For each MCO, management should explicitly assess the level of uncertainty:
- Acceptable (within tolerance)
- Unacceptable (requiring action), with severity clearly indicated
This is the moment of truth. It requires management to move beyond reporting results and provide a candid view of what could prevent success. Risk and assurance functions should support—but not replace—management’s accountability for this assessment.
Integrate Assurance—Don’t Fragment It
The MCO Register should become the single point of integration for:
- Performance reporting
- Risk/uncertainty assessment
- Decisions on acceptable risk/uncertainty
- Assurance insights (internal audit, compliance, etc.)
This eliminates the fragmentation that characterizes most governance systems today, where boards receive disconnected reports that don’t add up to a clear picture.
Use the Register to Drive Real Board Dialogue
A well-constructed MCO Register changes the nature of board discussions. Instead of reviewing risk lists or audit findings in isolation, boards engage directly on:
- Which mission critical objectives are at risk
- Whether uncertainty is acceptable
- What actions are required
This is how governance becomes proactive rather than reactive. It also helps break the “Don’t Tell / Don’t Ask” governance syndrome—the silent barrier where management hesitates to fully disclose uncertainty and boards fail to explicitly request it.
From Register to Results
Populating an MCO Register is not a one-time exercise. It is a continuous discipline that evolves with strategy and external conditions. Done well, it replaces fragmented oversight with a clear, shared view of what matters most—and the uncertainties that could derail it. That is the essence of Mission Critical Governance: not more reporting, but better focus, better questions, and ultimately, better decisions.