When Risk Management Fails, Governance Fails
Written by Mauro Da Cunha, Skytop Contributor / January 23, 2026
Mauro R. da Cunha has served as an independent director for more than 25 years. He currently is a director on the boards of Hypera Pharma, Klabin, and Tupy, serving as Chairman of the Audit Committee of the latter. He is also the founder of Engage.MC, an advisory firm focused on corporate governance, strategy and stewardship.
Goodbye to the Check Box Exercise
Risk management is a core fiduciary duty — yet in many companies it remains weak, siloed, and disconnected from real decision‑making. Boards may invest time in ERM frameworks, but if those systems don’t shape strategy or capital allocation, they create only the appearance of safety. The result is a dangerous gap between what stakeholders believe and what actually protects the business.
Too often, ERM becomes a box‑ticking exercise: a system that looks sound on paper but isn’t embedded in how leaders run the company. It’s an airbag that isn’t connected to the engine.
Disclosure Versus Reality
Public risk disclosures rarely match internal risk management. Filings are written to limit litigation, not to illuminate material risks or the process used to manage them. They become generic, cluttered, and disconnected from internal risk maps — and sometimes omit the most critical risks entirely. Nor does such a system reliably detect emerging risks. This weakens transparency, undermines discipline, and signals that ERM isn’t trusted as a governance tool.
Leadership and Governance
ERM succeeds only when risk leadership has authority. In many non‑financial companies, the CRO sits too low in the organization or reports to a risk owner, limiting influence. Yet having the CRO report directly to the board blurs accountability.
The strongest model: a senior CRO reporting to the CEO, with a dotted line to the board through the Audit Committee. This ensures independence while embedding risk into executive decisions — including reputational, cultural, sustainability, and cybersecurity exposures.
Risk on the Board Agenda
Most boards discuss risk once or twice a year, leaving directors unclear about what they’re expected to do. That cadence is misaligned with today’s volatility.
Effective oversight requires a structured ERM cycle:
reviewing the risk inventory
approving risk appetite and parameters
assessing mitigation plans
monitoring emerging risks
Boards must own risk appetite. When management defines it informally, accountability erodes.
Risk in Decision‑Making
Even strong ERM systems fail if they’re not used. Too many strategic and capital decisions proceed without formal risk analysis tied to the ERM framework. When decisions bypass risk, ERM becomes irrelevant — no matter how polished the dashboards.
Boards must require documented risk analysis for all material decisions and enforce this expectation through policy and culture.
Making ERM Work
Effective risk oversight is not compliance — it’s culture. Boards must set clear governance, empower risk leadership, own risk appetite, and insist that ERM informs real decisions. When risk management is integrated and forward‑looking, it becomes a strategic asset rather than a procedural burden.
Directors must ensure that risk management not only exists, but works.