1. Lack of a robust process for prioritizing, managing and monitoring the enterprise’s critical risks.
2. Lack of understanding of, or a failure to monitor, the significant assumptions underlying the strategy.
3. Executive management and the board are not on the same page with respect to the entity’s risk appetite.
4. Failure to identify and manage emerging risks.
5. Insufficient time to think about the future.
6. The company practices “enterprise list management".
7. Drowning in data with little knowledge or insight.
8. Deficiencies in the enterprise’s “tone at the top” and culture.
9. Lack of an effective chief risk officer
10. The board isn’t organized effectively for risk oversight