Risk Oversight Failures: Lessons from Société Générale, Amazon, and the Boardroom
- Julien Haye

- Jan 29, 2021
- 10 min read
Updated: Jul 5, 2025

In 2008, Société Générale uncovered US$73 billion of unauthorised positions in stock index futures. By the time the dust settled, those positions had resulted in a staggering loss of US$7.2 billion, one of the largest trading losses in banking history.
Jérôme Kerviel’s “feat” will remain the textbook example of a monumental risk oversight failure, not to say a systemic one. Internal controls were bypassed, alerts went unnoticed, and senior leaders lacked visibility into the very risks they were responsible for overseeing. Despite years of reforms and regulatory tightening, similar failures continue to surface. So the question remains: why does history keep repeating itself?
Reflecting on my time in risk management, I feel there is an opportunity to rethink what effective risk oversight entails. In my mind, it provides the assurance that a business’ threats and vulnerabilities are addressed, and that the strategic business objectives can be met. In practice, the connection between risk oversight and strategic decision-making rarely occurs in a meaningful way.
This observation also connects to another one on the role of top executives and board directors.
The response to the Kerviel crisis from Daniel Bouton, Société Générale’s CEO at the time, was symptomatic. In his view, risk and audit had failed and it wasn’t his fault. I agree that both functions failed … but they failed under his watch.
I see this type of response as an abdication of management and leadership responsibilities, and one of the main causes of risk oversight failure underpinned by ineffective risk culture.
What Is Risk Oversight?
Risk oversight is the responsibility of senior leaders, especially the board of directors and executive management, to ensure that an organisation identifies, assesses, and manages risks in a way that supports its long-term strategic objectives.
It goes beyond compliance and control. Effective risk oversight involves setting the tone from the top, clarifying risk appetite aligned to business objectives and strategy, ensuring governance structures are fit for purpose, and regularly reviewing how risks are monitored and escalated.
At its core, risk oversight connects strategic decision-making with the reality of business operations. It helps organisations stay resilient, seize opportunities within acceptable risk boundaries, and respond confidently to emerging threats.
Is Risk Oversight about billions or trillions?
Risk oversight is not about saying no to risk; it’s about knowing when, where, and how to say yes. - Julien Haye
There are tremendous benefits to achieving oversight “excellence,” beyond simply protecting firms against life-threatening situations.
When Jeff Bezos decided to launch Amazon Prime in 2004, he understood that Amazon’s profitability came from the volume of sales. And he seemingly put that profitability at risk by changing the way the firm charged customers for delivery. He had connected the dots between the risks Amazon faced and what those risks meant from a business strategy and objective point of view.
His decision also triggered internal tensions and healthy debates, which helped make Prime a resounding success. Amazon was valued at $18 billion at the time and reached a market capitalisation of $1 trillion in January 2020, with Prime being one of the key drivers of that meteoric rise.
This example also illustrates the value of understanding risk appetite and tolerance. Specifically, knowing the level of losses a company can absorb while remaining a going concern enables such bold strategic decisions. Of course, exceeding a firm’s risk-taking capacity is often a synonym for business failure, just as underutilising that capacity can mean missed opportunities and suboptimal profitability.
In contrast, many firms shy away from bold moves because their oversight frameworks are overly focused on constraint rather than enablement. Risk becomes a blocker, not a strategic compass. Effective risk oversight should help leaders understand where risk-taking creates value, not just where it must be reduced.
Risk Oversight is not a popularity contest!
“My definition of a free society is a society where it is safe to be unpopular.” - Adlai Stevenson (31st Governor of Illinois and United Nations ambassador 1961-65)
Risk oversight only works when board directors are free to ask the hard, necessary questions, especially when those questions make others uncomfortable.
I have worked with board directors who did not feel they had the mandate to perform their legal duties. Some were visibly uncomfortable raising any form of challenge to the executive team. They did not control the strategy or the resources. They could not describe the regulated activities they were accountable for, and in many cases, had little understanding of how the business actually operated.
As a result, they were disconnected from the link between strategy and execution. They could not act as a sounding board for executives, let alone serve as a voice of reason.
In that context, these directors were not worried about losing the popularity contest. But the truth is, they never stood a chance of winning it either.
After many difficult discussions, including a detailed reminder of their personal duties and liabilities, the directors eventually agreed that putting the board back in control could generate significant value for the business and help the wider group meet its objectives.
Situations like this might sound strange, but they are not uncommon. I have seen them often, particularly in the oversight of regulated subsidiaries within large financial conglomerates where board members struggle to exercise their responsibilities.
Without psychological safety at board level, challenge becomes rare, independence becomes symbolic, and oversight loses its meaning.
📘 The Risk Within provides a roadmap for embedding psychological safety into risk management. It identifies critical touch points across the risk lifecycle and offers clear actions to align leadership, culture, and governance. It is designed to help risk functions integrate more deeply into the business and strengthen decision-making at every level.
Independence enables freedom
“We don’t know what we look like without the reflection of something outside of us.”
I heard this expression during a leadership podcast and I found it particularly relevant to illustrate why both the Board and Risk need to be independent. And why both are crucial to the business executives.
Back to my example - this Board needed a nudge. It also needed to be put in a situation where it could provide that “reflection” back to the business and move from being perceived as “tick box” to “value-add”.
Changes were required. For example:
- We aligned EXCO and Board membership, and clarified and documented the escalation protocols and decision-making mechanisms to strengthen and simplify the governance. This addressed one of the main imbalances in governance that I had observed over the years: the decision makers are not necessarily the ones “going to jail” if there is a problem. Giving the executives (legal) “skin in the game” had a material impact on decision making and board dynamics, as the real issues started surfacing;
- We established financial, business and risk monitoring mechanisms. For instance, the financials were completely scrubbed, the top risks completely reviewed and compliance requirements fully mapped across all regulated activities. These processes were structured to be standardised and repeatable, including the risk register and the top and emerging risk processes; and
- We documented the end-to-end operating model and business capabilities. This proved particularly difficult: my team was able to document (only) about 90% of the operating model, with the rest remaining “unknown”. The exercise exposed many gaps and much unnecessary complexity in the business setup.
Ultimately, this was not just a governance reform; it was an exercise in rebuilding risk oversight from the ground up. Independence alone was not enough. What mattered was how that independence was used to clarify responsibility, drive transparency, and support informed decision-making.
All these activities opened the door to granular and informed discussions at Board level on business strategy, the adequacy of resources and capabilities to execute the strategy, and a roadmap to address the major gaps, which included:
- a change in business strategy when it became clear that the current plan could not be achieved, coupled with a material recapitalisation after it became transparent that the capital resources did not align to the risk profile of the business;
- a material simplification of the business operating model and, as a result, of the legal entity footprint and regulatory exposure, which also removed many constraints on the business.
Independence means little if it isn’t used to ask the uncomfortable questions that keep strategy aligned with reality.
This example also illustrates the role, and challenges, a chief risk officer (CRO) can face.
For instance, the roles of the Board and Risk can be reversed. In the above situation, I provided a “mirror image” to the boards, and the executives, of the culture they were fostering and, effectively, of their own values. And they didn’t necessarily like what they saw.
This led to very challenging internal discussions, at first, on why a risk officer would effectively imply a number of executives and directors had “an opportunity to do their job better”.
To address “the challenge on my challenge”, I had to shift the emotions out of the way and focus on the key levers to get right. This required a sound understanding of the business strategy and operations to focus people’s minds on the key business enablers and what was required to effectively reach the business objectives.
>>> One way to prevent these failures is by fostering the right risk culture, explored in our article on the Four Stages of Psychological Safety.
So, what is a Chief Risk Officer?
In my experience: a debater, a salesperson, an influencer, a disruptor, a police officer, an accountant, a trader/business manager, a “punching bag”, a technician, an innovator and more.
CROs are expected to protect their firm and to enable strategic value creation through effective risk taking, risk management and oversight, including the challenge of group-think. In that context, CROs must also adjust to an ever-changing environment and scope, whilst justifying and demonstrating the value they create. Specifically, they must ensure (and constantly evidence) that the perceived costs of managing risks, especially through internal controls, do not exceed the benefits risk management generates.
In that context, CROs are still not universally perceived as a “must-have” strategic function, despite their formal presence. According to Deloitte’s 2024 Global Risk Management Survey, 100% of participating financial institutions reported having a chief risk officer or equivalent role in place, up from 89% in 2012. However, only 70% of CROs report directly to the CEO, and just 53% have a direct reporting line to the board or its risk committee. This suggests that while the role is widely adopted in name, many CROs still lack the authority or access required to embed risk oversight meaningfully at the executive and board levels (source: Deloitte Global Risk Management Survey, 12th Edition, 2024).
Risk Oversight, art or science?
Both credit risk and market risk are mature disciplines. Their quantitative nature helps to establish very clear monitoring frameworks. The risk-taking process (e.g. lending, trading) enables a clear segregation between risk taker and controller which in turn lends itself neatly to effective risk oversight.
Non-Financial Risk (NFR) is not so clear cut. Firms get exposed to NFR through “WHAT” (e.g. managing client money) they do and also “HOW” (e.g. fragmented, complex and manual end to end operating model and process set up) they do it. They do not enter “non-financial risk exposure” through a very clear and structured process like financial risks, at least most of the time.
For instance, the “HOW” is very often the result of years of organic evolution and increased process complexity and/or fragmentation. In that context, identification of NFR tends to be backward looking – we fix the problem when something goes wrong – and any forward-looking assessment tends to mix art and science.
A Focus on Non-Financial Risk Oversight
This observation raises an interesting question - what is the value of independent non-financial risk oversight?
The expertise required to identify, assess and manage such risks seems better located in the business operations (i.e. the 1st Line of Defence) where the “WHAT” and “HOW” are effectively created and managed.
In that context, more and more firms have created business risk functions in addition to the 2nd Line of Defence risk function in charge of “independent oversight”. Invariably both functions end up overlapping with each other and their value becomes as clear as mud; the business only sees many (costly) “risk managers” asking them to do a lot of stuff. Stated differently, the costs of managing risks seem to exceed the perceived benefits.
On the opposite extreme, I have seen NFR functions solely focused on frameworks and methodology, policy, capital and losses management. Their approach was so theoretical and high level that they were completely disconnected from any strategic and operational reality.
In my view, NFR oversight functions can generate significant value by bridging strategy and execution, and defining how the management of such risks should be prioritised considering business imperatives and directions including regulatory requirements. Effective NFR management can lead to material cost benefits through business simplification, scalability and loss avoidance – please see my previous blog on this.
In addition, the function can take a strategic view on the core operational enablers required to deliver on the business strategy and inform executives and the board on desirable and undesirable risk profile arising from the business operating model setup.
In my above example, I established that having seven regulated entities to perform the firm’s activities had no legal or regulatory justification, whilst the built-in complexity acted as a vector for increased regulatory requirements and management distraction, and ultimately for costs and risks. Though the unwinding of five regulated entities was always going to be a complex task, the board agreed it would ultimately remove significant noise and would enable executives and directors alike to focus on strategic business management decisions.
Are We Getting the Basics of Risk Management Right?
Huge and complex organisations are the enemy of effective risk oversight. The noise they create lets risks creep in unnoticed and prevents board directors, business executives and chief risk officers from focusing on business strategy and execution.
In my view, this is what enabled the Société Générale situation, and so many other oversight failures.
A lot can go wrong and has to be considered. Businesses are faced with a never ending and changing list of risks, driven by their organisational strategy and setup, industry and the wider global economic/societal/environmental context. They can only control part of them, and as a result, must be ready to respond to many unexpected situations.
In that context, risk functions must strengthen their approach to risk oversight by focusing their resources on protecting the core strategic business enablers, monitoring and assessing the culture of the organisation, and providing the “mirror image” that directors and executives so thoroughly need. They must also push the management of risk processes, such as the risk and control self-assessment or the handling of risk events, down to the business, and enable the business folks to manage their risks autonomously.
So how do you see effective oversight? Feel free to share your thoughts in comments
Sources
https://www.icgn.org/sites/default/files/ICGN%20Corp%20Risk%20Oversightweb_0.pdf
https://deloitte.wsj.com/riskandcompliance/2018/10/02/risk-oversight-and-the-role-of-the-board/
https://www.pwc.com/us/en/services/governance-insights-center/library/risk-oversight-series.html
https://www2.deloitte.com/global/en/pages/governance-risk-and-compliance/articles/risk-angles-risk-oversight.html
https://www.coso.org/documents/COSOBoardsERM4pager-FINALRELEASEVERSION82409_001.pdf
https://deloitte.wsj.com/riskandcompliance/2013/04/02/creating-value-through-effective-risk-management/
https://www2.deloitte.com/content/dam/Deloitte/nl/Documents/financial-services/deloitte-nl-risk-cro-taking-the-reins.pdf