In a recent LinkedIn post, I posed a question that has quietly lingered in governance circles for years. If courts in the United States have already made clear that boards are expected to oversee risks tied to Mission Critical Objectives, why haven’t regulators directly addressed deficient board oversight in this area?
There is a moment that repeats itself across countless science-fiction stories. A ship’s sensors detect something unusual. Signals arrive that do not quite align with expectations. Perhaps it is a gravitational anomaly, a sudden communications blackout, or an unexpected hostile vessel appearing where none should exist. The bridge crew does not simply stare at the blinking lights. They interpret them. The captain asks the science officer what the signals mean, the engineer considers how the ship might respond, and the tactical officer evaluates defensive posture. Information becomes interpretation, interpretation becomes decision, and decision becomes action . . . capability.
I’m proud to share a defining milestone in our company’s journey. We were AuditBoard. Now we are Optro. This is more than a new name. Optro represents who we’ve become and where we’re headed next. From the very beginning, our founders, Daniel Kim and Jay Lee, had a clear vision. As former internal auditors who lived the daily challenges of the profession, they set out to build cutting-edge solutions for practitioners, by practitioners.
Separating how often from how bad gives the future shape, and for a lot of decisions, that shape is enough. The problem is that both frequency and magnitude are uncertain, and human intuition can strain when asked to hold too many combinations of uncertain factors at once.
Governance frameworks have made genuine progress on audit independence. Dual reporting lines - administrative to the CFO, functional to the audit committee - are now standard in most mature organizations. The IIA Global Internal Audit Standards codify functional reporting to the board. Audit committee charters address it. Regulators ask about it.
If you want credibility and trust from management, your reports need not only to be accurate but also fair and balanced. Let me give you a real-life example from my time as a VP in IT at a large financial institution.
In my recent LinkedIn post, I argued that risk appetite is the most profound and important principle in risk management, and yet, in practice, it often results in the most shallow and trivial application. The more I reflect on it, the more this paradox seems to explain many of the shortcomings we see in modern risk frameworks.