Six months later, the company defaulted. The financial statements had been polished to impress, but what really mattered, the morale, the fragile operations, the hidden cultural weaknesses were never captured in the models.
That experience changed how I see risk. It taught me that numbers tell a story, but never the full story. And it is a lesson I carry into my boardroom training sessions today: a good risk manager must be able to read both the balance sheet and the body language.
The Boardroom Illusion of Control
Leading the credit risk function as Head of Credit Risk Management gave me a wide view of how decisions were made at the very top. I quickly learned that credit approvals were never just financial transactions. Each one carried a deeper meaning about governance, culture, and the organization’ s appetite for risk.
In many boardrooms, risk was often reduced to a compliance routine. A glossy report landed on the table, filled with red, amber, and green markers. The report was acknowledged, the agenda moved on, and everyone left with a sense of order. But beneath that order, the substance was missing.
Real oversight is not about the colors on a chart. It is about pressing into the tough questions. What trade-offs are we making in approving this loan or contract? What reputational message are we sending when we agree to a restructuring? What is the worst-case scenario here, and are we truly prepared for it?
In my consulting work today, I often stop board sessions midway and pose a different kind of test. I ask:“ Imagine tomorrow morning your institution suffers a major cyber breach and customer data is exposed. Who speaks first? What do you say to regulators, to customers, and to your staff?”
The silence that usually follows is not a sign of incompetence. It is a sign of vulnerability. It reveals that while the board may have registers and reports, it has not yet rehearsed reality. And that gap is where the real risk lies.
Lessons That Travel Across Sectors
Over the past years, I have been privileged to work with not just banks but government entities, NGOs, SACCOs, institutions and corporates across the East African region. Each sector has its own language of risk, yet the blind spots repeat:
Overconfidence in track record
Success, when left unquestioned, becomes a risk in itself. I have seen government entities assume stability is guaranteed because“ government cannot fail.” NGOs often assume donor loyalty is permanent and unshakable. Corporates sometimes assume market dominance is secure simply because it has been so for years. The reality is that past success can create a false sense of security that blinds leaders to emerging threats and shifts in the environment. Complacency sets in, challenge is discouraged, and early warning signals are ignored. In governance terms, this is one of the most dangerous postures an organization can adopt because it breeds apathy at precisely the moment when agility is needed most. Complacency is not just a weakness; it is the deadliest form of risk exposure.
Risk relegated to compliance
Too often I hear,“ Risk is handled by Audit,” or“ That’ s Compliance’ s job.” This mindset is both common and dangerous. Risk is a control function, forwardlooking, embedded in strategy, and meant to guide decision-making before exposures crystallize. Audit, on the other hand, is an assurance function, independent, retrospective, and designed to evaluate whether the controls( including risk) are working as intended.
When risk is buried under audit, the organization loses both objectivity and effectiveness. Risk becomes reactive instead of proactive, and audit loses the independence it requires to provide credible assurance. The result is a governance blind spot where no one truly owns risk. In reality, risk is everyone’ s responsibility, especially frontline staff who engage daily with customers, suppliers, and communities, but it must be structurally distinct from audit to serve its purpose.
Failure to connect risk and strategy
In many organizations, boards approve strategy first and only afterwards invite a discussion on risk. This sequence creates a dangerous disconnect. Strategy without risk insight is incomplete, and risk management without strategic alignment is irrelevant. As I often emphasize in board inductions, risk appetite is not a footnote to strategy, it is its foundation. If risk appetite does not actively shape the choices, priorities, and pace of the organization’ s strategy, then the strategy itself is already exposed. Strong governance demands that risk and strategy be developed in tandem so that ambition is balanced with realism and opportunity is pursued with resilience.
When Risk Became Personal: From Banking to Hope Foundation
Today, alongside my corporate consulting, I volunteer with the Hope Arthritis Foundation, an organization that supports children living with arthritis and other rheumatic conditions. It is a world far removed from balance sheets, credit models, and Basel accords, yet the principles of risk are just as alive here.
For these children and their families, risk is painfully immediate. It is the uncertainty of whether critical medication will arrive on time. It is the strain of managing donor fatigue, navigating sudden policy shifts, and coping with the unpredictability of healthcare costs when treatment options are scarce.
In March this year, during a free medical camp organized by the Foundation, I met a young girl and her mother who brought this reality home for me. The child’ s face lit up with hope as doctors examined her, yet her mother’ s eyes told a different story, one of deep worry about whether treatment could be sustained beyond that day. In that brief encounter, I saw how risk is not a distant concept; it is woven into their daily lives in the most human of ways.
That experience reminded me that risk management is not about preventing abstract“ loss events” or ticking compliance boxes. At its heart, it is about preserving futures. And whether in the boardroom of a bank, the governance structure of an NGO, or the quiet resolve of a parent fighting for their child’ s care, the responsibility is the same: to ensure that what matters most to those who depend on us is protected, sustained, and given the chance to thrive.
Five Imperatives for Boards and Senior Executives
After years of watching risks unfold, sometimes well managed and other times painfully mishandled, I have come to see certain patterns repeat themselves. From those experiences I have distilled what I call the Five Imperatives of Board Risk Leadership.
The first is to elevate risk beyond compliance. Registers and reports have their place, but culture ultimately determines whether risk is genuinely managed or merely documented. Risk has to be lived in the day-to-day decisions of the organization, not filed away in a binder.
The second is to ask uncomfortable