Boards at Risk: Corporate Governance Institute warns legacy frameworks can’t handle modern threats

Institute calls for urgent overhaul of outdated risk management practices as boards face growing pressure from cyber threats, AI, geopolitical disruption, ESG scrutiny, and regulatory complexity

Today’s world is shaped by disrupted alliances, rising protectionism, and stakeholder activism—from cancel culture to targeted boycotts. Current frameworks fail to account for this new volatility. Boards must urgently adapt by bringing geopolitical expertise onto the board, investing in scenario planning, and diversifying supply chains to reduce exposure to global shocks.

According to the Institute, many organisations are still using legacy risk management models that were designed for slower, more stable times—models that rely on static risk registers, siloed reporting, and retrospective reviews. These approaches increasingly leave boards blind to emerging threats.

According to Ciaran Bollard, CEO of the Corporate Governance Institute, boards can no longer afford to treat risk as a once-a-quarter reporting obligation, “The nature of risk has changed—it’s fluid, it’s complex, and it’s often existential. Yet too many organisations are still relying on models that were built for a different era.”

The rise of AI and the evolving cyber threat landscape present risk dimensions that legacy models simply cannot process.

“Cyberattacks have scaled in sophistication since the pandemic, while the fast proliferation of AI is creating inconsistent adoption and oversight across organisations. Risk frameworks must be rewritten to incorporate digital threats as central pillars of governance—requiring expert leadership, ongoing digital risk reviews, and the full integration of these issues into enterprise-wide risk planning.”

The Institute warns that directors are often presented with risk reports that are overly technical or lack relevance to the organisation’s strategic objectives. As a result, risk oversight is frequently reduced to a compliance exercise rather than a vital strategic function.

“It’s not enough to see risk—you have to understand it in context,” Bollard explains:

“Boards need timely, actionable insights that help them make informed decisions. Without that, they’re flying blind. If you’re waiting three months for a risk update, you’re already behind.”

ESG obligations are another area where legacy frameworks fall short. While regulatory demands have intensified, public discourse around ESG remains polarised, with growing backlash from various stakeholders.

“Boards must strike a delicate balance—aligning ESG initiatives with both their mission and stakeholder expectations, while ensuring directors have the appropriate training and support to manage ESG as a central and often contentious risk area.”

The Corporate Governance Institute is calling on directors to make three urgent shifts in their governance practices:

• Modernise risk reporting – Risk information must be delivered in real time, tailored to the board’s strategic concerns, and stripped of unnecessary technical jargon.

• Align risk with strategy – Risk should be integrated into boardroom conversations around growth, investment, innovation, and stakeholder expectations—not treated as a separate function.

• Embed a risk-aware culture – Boards must set the tone from the top, fostering a culture where risk is proactively identified, openly discussed, and managed at every level of the organisation.

Bollard continues: “The boards that will thrive in this volatile environment are those that treat risk not just as a threat, but as a source of insight and advantage. Governance today isn’t about avoiding failure—it’s about navigating uncertainty with confidence. That requires a new mindset, new tools, and a stronger connection between directors and the real risks their organisations face.”

Bollard concludes: “As businesses grapple with the rise of AI, supply chain disruption, climate-related risks, and increased regulatory scrutiny, it is essential that clear warnings are made to directors who fail to act. They will not only put their organisations at risk—but also their own reputations and responsibilities as stewards of long-term value.”