“Fraud, cyber, and strategy do not fail separately; they collapse together when the board asks the wrong question.”
What if the biggest risk in your organisation is not fraud, not cyber, not strategy, but the fact that you treat them as three different conversations?
I walk into the boardroom ready to deliver what I think is a sharp, structured session on integrated risk management, slides clean, arguments tight, feeling slightly pleased with myself, only to realise a few minutes later that the room is struggling with something far more basic. One director asks whether management is following up on audit findings. Another asks why the strategy has not translated into results. A third asks about a recent cybersecurity incident that no one seems to fully understand. Three questions, each valid, each treated as a separate issue, and yet they are all symptoms of the same underlying problem.
I pause, smile, and admit it openly. I came here to speak about advanced risk integration, but it seems we have not yet agreed on who owns risk in the first place. That usually gets a laugh, including from me, because I have made this mistake before. I assume sophistication. The room reminds me that clarity beats sophistication every time.
The setting is familiar, a regulated institution, strong brand, respected board, capable management team. The board packs are thick, and the audit reports are detailed. The cybersecurity updates are technical enough to intimidate most people into silence. Strategy documents exist and are beautifully written. On paper, everything is in place.
In reality, nothing connects.
- Management presents a fraud incident. It is treated as an operational failure, the audit committee asks for tighter controls, and the board notes the issue and moves on.
- Management presents a cybersecurity update. It is treated as a technology matter, the IT team is asked to strengthen firewalls and update policies, while the board nods and moves on.
- Management presents strategy performance. It is treated as a planning issue, targets are adjusted, timelines extended, explanations accepted, and the board moves on.
Every leadership course I have taken advised us to read the room. I read the room, and it is polite, too polite. No one asks the key question: how did a fraud event, enabled by system weaknesses, affect our strategic outcomes, and why was it not seen as a risk to the entire organisation?
That is the turning point. I ask a simple question and let it hang in the air longer than is comfortable. Where, exactly, do fraud, cybersecurity, and strategy meet in your organisation? Silence follows, not the defensive silence of disagreement, but the reflective silence of realisation.
One director leans forward and says, “We review them separately.” That is the problem. A bank does not lose money because of fraud alone. It loses money because a fraud vulnerability exists within a system, that system sits within a business model, and that business model is part of a strategy the board has approved. When fraud happens, it is not just a control failure; it is a strategic failure that passed through a cyber weakness.
A house does not burn because of fire alone, but because someone stored fuel carelessly, ignored a spark, and built the structure without thinking about how fire spreads. You do not solve that by buying a better fire extinguisher, but by changing how the house is designed.
The tension in the room shifts, and directors begin to see that they have been asking detailed questions within narrow lanes, while missing the system that connects those lanes.
I push further. Your fraud report tells you what happened, your cybersecurity report tells you how it could happen, and your strategy report tells you what is at stake when it does. If those three reports do not speak to each other, the board is governing in fragments.
At this point, I bring in a global example, not to impress, but to ground the lesson. When Equifax suffered its major breach in 2017, it was initially treated as a cybersecurity issue. A known vulnerability in a web application framework (Apache Struts) was not patched. That sounds technical, but the real failure was strategic. The company held sensitive consumer data as a core asset, yet the governance around protecting that asset was not treated as a board-level strategic priority. The breach became a reputational crisis, a regulatory issue, and a financial loss all at once. Cyber failed, fraud risk escalated, and strategy collapsed in a single event.
The lesson is not about technology, it is about integration. This is why ISO 31000:2018 defines risk as the “effect of uncertainty on objectives”: a risk only has meaning in relation to the objective it threatens, so every objective must be linked to the risk events that could defeat it. Fraud, a cyber breach, and similar events are not categories to be reviewed on their own; they are risk events that threaten organisational performance.
Back in the room, I can see the shift. Directors are no longer asking, “Did we have a fraud?” They are asking, “What does this tell us about how our business is designed, and what we are not seeing?” This is where most boards hesitate. They either dive into operational detail and start micromanaging, or they retreat into high-level oversight and lose grip on reality, but neither works.
Governance is not about reading reports, it is about making disciplined decisions that shape the future of the organisation. Halfway through the session, I introduce a simple tool. No slides, no complexity, just a rule.
Before approving any paper, every director must answer three questions out loud.
- Where is the money exposed?
- Where can the system be manipulated?
- What happens to our strategy if this fails?
We test it immediately. Management presents a proposal to expand digital lending. It looks attractive, with strong growth projections, and the risk section mentions standard controls. Normally, the board would approve with minor comments.
Now the room is different. One director answers the first question. Money is exposed in instant loan disbursements tied to mobile wallets. Another answers the second. The system can be manipulated through identity verification gaps and API integrations with telecom providers. A third answers the third. If defaults spike due to fraud or system abuse, the entire growth strategy collapses and damages the brand.
The conversation changes in five minutes. Instead of approving the proposal as presented, the board reframes it. Approval is conditional on integrated controls that link credit risk, fraud detection, and system security. Management is asked to redesign the rollout with those connections built in. No one micromanages or disengages. The board does its job. I step back and laugh quietly, not at them, but at myself. I had come prepared to teach integrated risk management using models and frameworks. The room did not need models, it needed a simple discipline.
Ask better questions. The deeper issue becomes clear. Boards fail not because they lack intelligence or experience, but because they allow complexity to hide simplicity. They accept separate reports, separate committees, separate conversations, and assume integration will somehow happen automatically. It does not.
Integration is a deliberate act of governance. A system with three strong walls and one open side does not protect anything. It only creates the illusion of protection. Fraud walks through the open side, cyber threats exploit it, and strategy collapses behind it.
The boards that win do something different: they refuse to see risk in categories and see it instead as a flow. They track how value moves through the organisation, where it can be distorted, and what that distortion means for the future.
They do not ask, “Are we compliant?” They ask, “Are we in control?” They do not ask, “Did this incident happen?” They ask, “Why was this even possible?”

As the session closes, I turn back to the room, and the tone is no longer theoretical but direct. Before your next board meeting, answer this honestly. When you review a fraud report, do you see a control issue, or a strategic signal? When you review a cybersecurity update, do you understand what part of your business model is at risk, or do you rely on technical language to carry you through? When you approve a strategy, can you clearly explain how it will fail, and what you have done to prevent that failure? If you cannot answer these questions without hesitation, then the risk is not in your systems, it is in how you govern them.
Copyright IFIS 2026. All rights reserved.