Despite mounting threats and repeated warnings, many boards continue to undervalue enterprise risk management. From SVB’s leadership vacuum to global survey data, evidence suggests structural fixes alone are not enough. True resilience requires strategic integration and cultural change at the top.

In March 2023, Silicon Valley Bank (SVB), a $212 billion-asset bank, collapsed. As a lender, it held a high proportion of uninsured deposits and, after rising interest rates devalued its investment securities portfolio, the company failed.

While senior management took the brunt of the blame, the collapse became an instant risk management cautionary tale. How could the bank’s risk manager let this happen?

However, SVB went more than eight months without a chief risk officer. From April 2022 to January 2023, as interest rate volatility and liquidity pressures mounted, the bank’s top risk role sat vacant — raising questions about whether the board truly understood, or valued, the function of risk management.

James Lam, a risk management consultant, called the collapse a stark reminder “of the cost of not managing risk effectively on an ongoing basis.”

A leadership vacuum in risk

The absence of a chief risk officer during a time of mounting systemic pressures sparked further scrutiny. How did SVB’s board allow the company to go without a CRO for so long? Was the role of risk management simply not valued?

In the aftermath, Michael Barr, vice chair for supervision at the Federal Reserve, was direct in his assessment: “SVB failed because of a textbook case of mismanagement by the bank. Its senior leadership failed to manage basic interest rate and liquidity risk. Its board of directors failed to oversee senior leadership and hold them accountable.”

Despite an increasingly complex and unpredictable risk landscape, many boards around the world continue to fall short when it comes to fully embracing risk as a strategic tool. That’s the central concern emerging from the 2024 Global State of Risk Oversight report, published by AICPA & CIMA and North Carolina State University.

Now in its 15th edition, the global survey finds that 66% of executives believe the volume and complexity of risks their organisations face has increased “extensively” over the past five years. Yet only 32% of respondents rate their risk management processes as “mature” or “robust.”

“Globally, effective enterprise-wide risk management should be one of the organisation’s most important strategic tools. Unfortunately, many organisations view risk management as a distraction from more important strategic tasks,” said Mark Beasley, Director of the ERM Initiative at NC State.

Awareness isn’t action

That gap between awareness and action is growing harder to ignore. Nearly half (48%) of the organisations surveyed reported experiencing a “significant operational surprise” due to an unanticipated risk event in the past five years. Yet only 24% say their ERM processes provide “important strategic input” to executive-level decision making.

While many organisations have taken steps to improve their risk infrastructure - 64% report having a management-level risk committee and 47% have appointed a chief risk officer or equivalent - the report suggests these structural moves are not always translating into deeper strategic integration.

The authors urge boards to embed risk thinking more deeply into strategic processes, encourage regular engagement with risk data, and foster a culture that sees ERM as a source of foresight rather than a back-office safeguard.

Shifting the culture

Without these changes, many organisations risk remaining reactive in the face of disruption. As the report makes clear, evolving threats, from cyber attacks to geopolitical shifts, require not only new tools and processes but also a new mindset at the top.

“For volunteer boards, many of whom are juggling roles, responsibilities, and real-world constraints, it’s easy to treat risk as something that sits in the finance or audit file or with the audit and risk committee,” said Patrick Downes, managing partner at Governance Ireland. “But actually, I think that risk should be part of everyday conversations – not a tick-box exercise once or twice a year.”

Cristina Martinez Garcia, chief risk officer at Sacyr, echoed the sentiment in an interview with StrategicRISK: “Risk management is not about managing risks. It’s about managing how people take decisions. It’s about bringing together the two sides of the same coin, and we need to think like a business executive or board member.”

For risk managers, the message is clear: structural fixes aren’t enough. True progress requires boardroom buy-in, strategic integration, and a culture where risk is part of everyday decision-making, not an afterthought. As the SVB collapse and global data both suggest, undervaluing risk doesn’t just cost influence, it can cost everything.

 

SR Q2 2025 Edition