Strengthening Board Oversight in a Shifting Risk Environment

In 2026, the risk environment remains fast-paced and increasingly complex. Rapid advances in artificial intelligence (AI) are reshaping operational and governance strategies and expectations. Capital markets continue to respond to shifting liquidity conditions and interest-rate uncertainty. Talent management, particularly leadership readiness and succession planning, continue to be key issues for enterprise risk management. The Public Company Accounting Oversight Board (PCAOB) has sharpened its focus on internal controls, particularly in respect to cybersecurity.

The following questions are intended to frame the board’s discussion across these key risk trends and support preparedness and confidence.

1. Is the board equipped to effectively oversee AI adoption and its impact on risk and value creation?

As AI becomes embedded in core business processes, the board’s role increasingly extends beyond awareness to informed oversight. Directors are not expected to be technologists, but they should have sufficient AI fluency to support responsible adoption and examine whether AI initiatives are delivering measurable results. Board members should have a sufficient baseline understanding of AI concepts and limitations, with ongoing board training tailored to the business model and risk profile. Questions board members should be asking are:

Do we have sufficient AI fluency, ongoing training and the knowledge needed to oversee management on AI uses and risk considerations?

• The basics: Do directors have a baseline understanding of AI concepts and limitations of use to effectively engage management?
• Training: Is AI education ongoing and tailored to the business model and risk profile?
• AI uses: Can the board distinguish between incremental automation and more transformative AI use cases?
• Challenging management: Can the board challenge management on AI trade-offs involving speed, cost, control, data quality and ethical considerations?
• AI risk considerations: Does the board understand how AI impacts enterprise risks such as cyber, regulatory, operational and reputation?

Can we recognize where AI affects strategy, competitive positioning and long-term value creation?

• AI initiatives: Does the board distinguish which AI initiatives will have the most impact?
• Strategic alignment: Which objectives are we expecting AI to advance, and how do they align with our broader strategy?
• Measuring success: How is success measured, and when should we expect to see tangible results? Do we have milestones to help decide when to pivot?

Do we have sufficient guardrails to effectively manage AI-related risks?

• Data integrity and bias: How does management validate the quality and completeness of data used by AI models, and is there ongoing testing to detect bias, drift or unintended outcomes?
• Security and access guardrails: What controls protect sensitive data, models and outputs from misuse, leakage or third-party exposure, and are these controls independently tested?
• Regulatory and accountability readiness: How does management track AI regulatory expectations to ensure compliance and model governance?
• AI whiplash and adoption discipline: How does the organization avoid “AI whiplash” — rapid adoption followed by retrenchment, and are there clear AI use cases, success metrics and kill-criteria?

2. What should boards understand about trends in capital markets, liquidity and interest rate shifts moving into 2026?

Capital markets are becoming more selective and interest rates less predictable than in prior economic cycles. While interest rate expectations typically focus on the timing of cuts, the key risk for boards is how persistent borrowing costs, tighter underwriting and market volatility affect access to capital. These dynamics elevate the importance of balance sheet management and stress testing under multiple rate and liquidity scenarios. Boards should be asking the following related to capital market trends:

Does our planning include options for accessing liquidity using equity markets, private credit or traditional bank lending under certain stress scenarios?

• Stressed scenario access and risk: Under downside market scenarios, how confident are we in our ability to execute a capital raise or refinancing — including timing, approvals, covenants and pricing before liquidity conditions deteriorate?
• Valuation and strategy: How are market conditions expected to affect our ability to pursue acquisitions, divest underperforming assets or defend valuations heading into 2026?

Have we discussed with lenders how rate expectations can impact debt covenants, possibly shorter maturities and higher borrowing costs?

• Covenant sensitivity to rate changes: How do changes in interest rates flow through our financial covenants (e.g., leverage, interest coverage, liquidity thresholds), and have we modeled the stress points where covenants can tighten or break?
• Maturity compression and rollover risk: Are lenders pushing for shorter maturities, tighter amortization or reduced flexibility in refinancing or credit rollover options?
• All-in borrowing cost: How are spreads, fees, hedging costs and covenant concessions impacting our true cost of borrowing?

How are interest rates expected to trend in 2026?

• A comment for boards: As we head into 2026, the interest rate risk is less about where rates will settle and more about:
  • How selective lenders will be
  • How volatility will affect refinancing, liquidity planning and financing flexibility
  • Not underestimating both full borrowing cost and execution risk by assuming there will be a return to cheap money if there is an interest rate cut

3. Does the board evaluate management’s succession planning and how does our culture influence strategy execution, talent retention and overall enterprise risk?

Effective leadership succession should be an intentional process. A solid succession plan identifies individuals at all levels of the organization who can take over when the person above them departs. Mitigating the impact of a personnel loss requires multiple components to function effectively: recruiting the right people, identifying high performers, providing new challenges and quality professional development, mentoring those with high potential and compensating them fairly. Succession planning reaches beyond leadership levels, crossing all critical operational functions. It is shaped by culture and strengthened by helping individuals develop skills needed for future leadership success. Boards that treat succession as a continuous process rather than a one-time event are better prepared to accelerate leadership readiness, reinforce cultural expectations and support smooth transitions. Here are key questions boards should ask about succession, culture and emerging risk:

How is the entity preparing for succession while developing a culture where people want to work and thrive?

• Succession process: Is our succession planning process an ongoing discipline with periodic assessments to evaluate readiness of key leadership roles?
• Culture that enables performance and retention: Does our coaching and mentoring process reinforce leadership behaviors and create an environment where high-performers desire to stay and grow?
• Creating growth opportunities: Are we challenging our most talented employees by giving them opportunities to take on complex and critical projects? Do those opportunities lead to promotions or other incentives?
• Focus on professional development: Are we getting the most out of our professional development opportunities? Is professional development tied to performance evaluation? Does it include cross-functional training? Mentorship?
• Compensation structure: When was the last time we performed a compensation study comparing us to our competitors and our regional labor market?

What skills do we expect in our key leadership roles?

Skills that stand out in leadership:

• Regardless of an organization’s size, there are certain traits that stand out among leaders:
  • Ability to have difficult conversations
  • Adaptability in evolving operating environments
  • Active listening — being present with empathy, without judgment
  • Emotional intelligence
  • Supportive leadership — coaching others and fostering success without fear
  • Executive presence — composure, confidence, authenticity

Attributes that stand out in strong cultures:

• Continuous and clear communication of purpose and direction
• Accountability and trust — creating psychological safety and enabling open dialogue without fear of retaliation
• Modeled behaviors from leadership — demonstrating consistency, credibility, confidence and stability under pressure
• Support for continuous learning, coaching and sustainable performance, reducing burnout and retaining and developing high-potential talent

Do we assess our culture to measure the impact of leadership development and identify indicators that signal emerging risk?

Measuring the impact of leadership development:

• Assessing whether coaching impacts retention rates and promotion opportunities
• Evaluating whether leadership development programs are aligned with an individual’s sense purpose and the organization’s vision
• Objectives and key results (OKRs — defining what you want to achieve and how success will be measured) or other measures that ensure strategy, execution and accountability are aligned

Assessing culture and identifying risk:

• Surveys, exit data, 360 feedback and cultural assessments are used to identify:
  • Culture gaps
  • Turnover trends
  • Employee satisfaction
  • Emerging risks that identify departures from values, behavior and mission
• The level of a person’s emotional intelligence is measured through testing or other techniques, with skill gaps identified and addressed.
• When talent development is combined with targeted executive coaching, it will strengthen leadership readiness, improve retention, reduce burnout and mitigate enterprise risk.

4. Does management brief the board on PCAOB inspection priorities and recent inspection results that could impact internal controls?

In recent years, the PCAOB has sharpened its focus on audit quality, moving from identifying isolated engagement deficiencies to addressing systemic firm-level quality control failures. Because PCAOB inspection priorities often shape your external auditor’s focus areas, effective board oversight now requires understanding how these priorities relate to the company’s internal controls and how management is preparing for them. A briefing on PCAOB inspection results can help board members understand how critical judgment is involved with certain internal controls, along with remediation expectations that may be necessary. Boards should be asking the following questions about how management evaluates and responds to PCAOB inspections and priorities:

Has management outlined current PCAOB inspection priorities and examined ways they align to the entity’s high-risk control areas?

• Inspection findings and themes: Has management summarized PCAOB inspection results, trends and recurring deficiencies for evaluation?
• Control impact assessment: Has management identified which internal controls, processes or accounting judgments could be most affected by inspection results?
• Response and readiness: Has management explained actions to address inspection risks, strengthen controls and prepare for auditor inquiry?

Has management discussed PCAOB themes with the external auditor and confirmed alignment on audit risk areas?

• Audit risk and testing focus: Has management confirmed alignment with the auditor on high-risk areas, control testing emphasis and areas requiring increased professional judgment? Is management prepared to address potential inspection risks before they are raised by the auditor?
• Issue escalation and communication: Has management confirmed clear escalation paths and communication protocols with the auditor for emerging issues tied to PCAOB inspection priorities?

Has management highlighted where PCAOB inspection results may drive changes in board oversight?

• Governance and accountability: Has management highlighted whether PCAOB findings may warrant adjustments in control ownership, accountability or governance structures and how such adjustments will be reported to the board?
• Forward-looking oversight: Has management outlined how inspection trends will be monitored over time and incorporated into future board and audit committee agendas?

5. What should boards understand about emerging cyber risk and the organization’s posture to keep pace with response expectations?

The frequency of cyber threats continues to accelerate in speed and sophistication. This requires boards to not just focus on whether controls exist but on whether the organization can quickly detect and effectively respond to cyber threats. Third-party data breaches, ransomware incidents, AI-enabled attacks and regulatory scrutiny have raised expectations on response times. As a result, cyber resilience is no longer simply prevention. Rather, resilience is measured by how prepared the entity is to respond and recover quickly from an incident. Boards should, therefore, be aware of how management: (a) assesses cyber risk, (b) validates response readiness and (c) ensures the organization can respond decisively when a cyber incident occurs.

What are the emerging cyber threats that pose the greatest risk to our operations, customers and financial position?

• Cyber risk assessment: Does management perform a recurring, enterprise-wide cyber risk assessment that includes identifying critical assets, threat scenarios, control gaps and response readiness?
• Third-party risk: Where do vendors, customers and other service providers present the most significant cyber exposure and is the risk monitored effectively?
• Data privacy and regulatory risk: How do privacy laws, accelerated incident-notification requirements and litigation trends heighten the fallout from a data breach?

Are roles, decision responsibility and escalation paths during a cyber event clear and tested to ensure that response and recovery can occur quickly?

• Governance and decision authority: Are executive, legal, IT, risk, communications and board roles clearly defined for cyber incidents, including who has authority to make time-critical decisions over areas such as system shutdowns, disclosures and ransom responses?
• Escalation and communication protocols: Are escalation thresholds clearly documented and understood so incidents are elevated promptly to senior management and the board?
• Incident response readiness: Does management conduct regular tabletop exercises and simulations that test cross-functional coordination, decision-making speed and recovery actions under realistic scenarios?
• Post-incident recovery and accountability: After an event or exercise, are lessons learned captured, remediation actions documented and ownership assigned to ensure gaps are closed?

Supporting Boards With Insight‑Driven Governance

Weaver offers insights to help boards strengthen oversight, anticipate regulatory change and identify emerging compliance blind spots before they escalate. Subscribe to our monthly insights for guidance on governance, risk and regulatory trends that shape board decision-making. Contact us to learn how Weaver can help your organization align compliance strategy with effective oversight and long-term resilience.

©2026

Featured

The Board’s Role in Managing Regulatory Risk and Identifying Blind SpotsRead Article

 

Executive Resource

The Board’s Role in Managing Regulatory Risk and Identifying Blind Spots