Risk isn’t a checklist: 10 insights on enterprise risk
Intuition’s Juanita Mega recently sat down with risk management expert Dr. Christopher Goh to discuss the intricacies of the practice in a modern business. Christopher set out the many mistakes organizations make in their risk management strategy, gave some real-world examples of how to build an effective risk management plan, and offered plenty of practical advice in this enlightening discussion.
You can browse the insights using the menu below, or watch the full conversation at this link.
Highlights:
- CEO: The ultimate risk owner
- Turning learning into leadership: Embedding real accountability in risk training
- Ethiopian bank CEO’s $700,000,000 fraud
- Risk management: The first step nobody talks about
- Risk management: Important strategies and frameworks
- Risk management training: Coaching vs. consultancy
- Strategic planning’s biggest flaw: No risk management expertise
- Scope, context, and criteria: Successful risk management elements
- Top risk management challenges in 2026 and where to start
- Why linear planning fails in risk management
CEO: The ultimate risk owner
Many CEOs do not realize that they are the primary risk owner. They delegate strategic objectives and targets to divisional directors, but they are still ultimately accountable for the outcome.
This means they need to understand how to delegate effectively, and once they delegate, how to monitor and control progress. They cannot check everything themselves, but they need clarity on what to oversee and where to intervene.
There is often a misunderstanding here. Everyone reporting to the CEO also carries risk ownership, and staff across the organization contribute to delivering the strategic plan. When this is not understood, risk culture can break down because people do not feel connected to the organization or responsible for its outcomes.
Turning learning into leadership: Embedding real accountability in risk training
So the participants are currently in the seventh or eighth week of the ten-week program. As you mentioned, there are assessments throughout, and then a final assessment at the end.
The final assessment is essentially the culmination of all ten weekly activities. It requires participants to bring everything together at a portfolio level, demonstrating their understanding and ability to apply what they have learned to a real company problem.
They pull together company data and explain why an issue is a challenge, where misalignment or mismatch exists, and why it represents a risk. They also identify past near-misses or incidents. The final report includes the CEO’s signature, which is an important part of the process. When a CEO signs, they must be fully confident in what they are endorsing. Typically, before signing, the CEO circulates the report to divisional directors to confirm agreement, which builds buy-in across leadership.
Once that buy-in is established, the risk manager, who may not be a senior leader, can then engage each division director to move forward with implementation or further investigation. This creates alignment and avoids the common situation in other training programs where participants complete an assignment but lack organizational endorsement or executive support.
If the CEO disagrees with something in the report, they highlight where and why, which helps uncover blind spots and creates valuable learning on both sides. This approach has been extremely successful. Over the last five years, many participants have been promoted before even receiving their certificate, and they often share that news with pride.
Ethiopian bank CEO’s $700,000,000 fraud
Two years before I was appointed, the organization experienced a major internal fraud. The CEO and the chairman colluded, and because the chairman held the final approval authority, they were able to remove approximately seven hundred million dollars. The company ultimately went into receivership, and the government had to step in. It created a significant crisis.
Risk management: The first step nobody talks about
Many training providers and risk management gurus teach a sequence that starts with identifying risks, then analyzing, evaluating, and treating them. That is the traditional approach.
But identification is not actually the first step. It is step two. The real starting point is understanding the scope, context, and criteria. You need clarity on why you are doing this, why you are selecting a product, and what the external environment looks like. Without that context, you risk pushing products and initiatives blindly, without direction.
Risk management: Important strategies and frameworks
What is our fallback?
Companies should really be reviewing their strategic plans more frequently. In current times, it needs to be once every four months. Not once a year. Even twice a year, I don’t think that is going to be sufficient, because then you’re still reacting and firefighting.
And yet companies are still struggling to integrate all of this at the strategic planning phase. So how can this certification help solve that issue for companies and risk officers?
Very insightful question, and thank you, Juanita. Globally, there are three major frameworks. One is in the banking sector, called Basel. And Basel primarily focuses on capital adequacy. If the bank has losses and cannot recover loans, do they have enough capital to survive? Because it is a global framework, it becomes a challenge. It is one size fits all — the most advanced countries and banks and the most emerging markets are expected to follow the same model. Capital requirements are good, but not enough. That is why we still see banks going into Chapter 11 or going bankrupt. There are cases like that.
The second framework is called COSO ERM. COSO comes from five accounting bodies that set this up for internal auditors. So the framework tends to be biased toward internal audit — how they look at things — but not really risk management per se.
COSO was in 2004. Basel was in 1988. So we are talking about a long time ago.
Risk management training: Coaching vs. consultancy
It goes beyond consultancy. In consultancy, I do it for you. But in coaching, I ask you questions. Why did you do this? Why did you omit that? How come you have not thought about this?
So I use questioning techniques to build awareness. Because sometimes in consultancy, you talk down. And when you talk down, people feel resistance. But when you ask questions, people do not mind. It is a more psychologically friendly method.
Strategic planning’s biggest flaw: No risk management expertise
So for example, in the strategic planning process, normally there will be a director of strategy or a senior strategy manager spearheading it. Usually this person is not equipped or well trained in risk management. They are just looking at the formation of strategy from the revenue generation perspective. And anything about cost, they will speak to the accountant. What is missing is the risk management lens.
Scope, context, and criteria: Successful risk management elements
Yes. For the company, how much product and services you want and why. What is the reason? Without understanding the context and the criteria, the scope is useless. Why this product? Why now? So when you are able to put the three together — scope, context, and criteria — you get a very holistic answer for risk appetite. And this is what we incorporate.
Top risk management challenges in 2026 and where to start
So Chris, you spoke about how risk is something every business will face. But we also see a lot of corporate failures where companies do not manage risk effectively. So what do you think are the most pressing risk challenges corporations are encountering in today’s market?
Thank you for that question. It is very current. Many organizations are facing a lot of problems with the ever-changing global dynamics, especially coming from the United States, all the tariffs and so on. And clearly you can see it is very important for companies to embed risk management.
And the way they should incorporate risk management is at the start of strategic planning. This is something that is still lacking or not up to the level required by external forces and external stakeholders.
For example, in the strategic planning process, normally there will be a director of strategy or a senior manager of strategy leading it. Usually this person is not equipped or well trained in risk management. They are looking at strategy formation mainly from the revenue generation perspective. And anything about cost, they speak to the accountant. What is missing is the risk lens.
Now, referring to ISO 31000. The ISO standard for risk management has been around since 2009, and the latest revision was in February 2018. They added more elements. In the ISO definition, it says risk starts from the implementation of strategic objectives, because once you implement, there will be risks. The CEO’s role is to delegate to all the divisional directors to roll out the strategy. Once that happens, risks begin to emerge, so it has to be integrated from the very start.
Why linear planning fails in risk management
Which is quite pathetic, right? Because nothing in the real world is linear. And yet people still plan in such a linear way.
So they forget about risk. Because they do not have these three parts in place, they are forced into linear planning. Once they have these three parts — what is the past, what is the current — then they do not need to think so linearly anymore.