
Internal Auditors Know that Being Courageous Isn’t Free
April 2, 2025
Corporate history showcases many failures where boards were unprepared. Postmortems often assign blame to poor management, fraud, or external threats but overlook a key question: Who is responsible for the board’s unpreparedness?
A headline-grabbing scandal or crisis can shake a company to its core. When the board claims to be “surprised,” it raises a critical issue: How could they not have known?
Such surprises indicate serious governance, communication, and oversight failures. The essential question becomes: Who failed in their duty?
The Myth of “We Didn’t See It Coming”
Whether it’s a financial restatement, a toxic culture exposed, or a compliance failure with regulatory consequences, corporate debacles rarely come out of nowhere. They are typically preceded by red flags, whistleblower complaints, internal audit findings, and operational anomalies. Someone knew something. The real question is whether that knowledge ever made it to the board—or whether the board was listening.
As I wrote last year, too often, boards and their audit committees rely on overly sanitized reports, polished presentations, and siloed information that fail to reflect the full picture. When management filters the narrative, or when oversight functions like internal audit are marginalized or under-resourced, the board’s line of sight becomes dangerously limited.
But when the music stops, pointing fingers isn’t enough. It’s time to dissect the chain of accountability.
Management: The First Line of Responsibility
Executives bear the immediate responsibility for day-to-day operations. It’s their responsibility to assess risks, design and maintain effective internal controls, promote ethical conduct, and escalate issues as necessary. When a crisis erupts, management is usually the first to be scrutinized—for what they did, or didn’t do.
But the failure to inform the board isn’t always about bad intent. Sometimes, it’s about bad systems. A risk that’s been “accepted” quietly or left to fester because it seemed too complex or too remote can grow into a reputational inferno. If management lacks a culture of transparency, promotes ends over means, or fears board scrutiny, even well-meaning leaders may withhold information.
Still, management’s accountability does not absolve others in the governance ecosystem.
Internal Audit: The Third Line of Defense
Internal audit is often referred to as the eyes and ears of the board—particularly the audit committee. If there were warning signs, and internal audit saw them but didn’t communicate effectively, then we may end up sharing in the blame.
Corporate debacles frequently elicit what I call the “5 scariest words in the English language”: Where were the internal auditors? But such failures should raise another question: Was internal audit empowered to do its job? All too often, internal audit teams are understaffed, underfunded, or treated as compliance clerks rather than strategic advisors. Worse yet, when internal audit raises concerns, they may be downplayed or quietly buried.
If a crisis erupts and no one asked internal audit, or if internal audit tried to speak up but was ignored, the blame may lie not with the function—but with the executives and system that marginalized it.
The Board Itself: Accountable, Always
Ultimately, the buck stops with the board.
Directors have a fiduciary duty to ask tough questions, seek unfiltered information, and ensure the organization has effective risk management processes in place. If a board is “surprised” by a scandal, they need to ask themselves: Were we asking the right questions? Were we too reliant on management’s narrative? Did we cultivate the kind of environment where dissent, transparency, and candor were welcomed?
Boards must take ownership not just of what they knew, but what they should have known. In the postmortem of every corporate crisis, the most damning conclusion is this: The signs were there. We just didn’t connect the dots.
That’s not just a failure of oversight—it’s a failure of curiosity, skepticism, and governance.
Cultivating a Board That Doesn’t Get Blindsided
Avoiding these surprises requires proactive measures:
- Strengthen Internal Audit – Ensure the CAE (Chief Audit Executive) reports functionally to the board through the audit committee, not just administratively to the CEO (or, worse yet, the CFO). Host genuine executive sessions with only the CAE in the room to answer questions. Give internal audit the resources and mandate to assess the complete portfolio of risks—not just financial compliance.
- Demand Transparency – Boards should insist on direct access to key functions beyond internal audit – like risk management, compliance, human resources, and legal. Waiting for management to filter all communication can create blind spots.
- Engage in Deep Dives – The board should have regular conversations enabling it to dig deeper into areas of potential risk, especially those related to culture, cybersecurity, supply chain, and regulatory compliance.
- Encourage a Speak-Up Culture – If employees fear retaliation or believe the board won’t listen, the warning signs will remain hidden until it’s too late.
- Self-Assess Frequently – Board members should regularly evaluate their effectiveness and ensure they’re staying current on emerging risks and governance best practices.
Beware of the Potted Plants
In times of crisis, there’s usually plenty of blame to go around. But if a board is truly surprised by a corporate debacle, that surprise is not an excuse—it’s an indictment.
Governance is not about reacting to problems after they explode; it’s about anticipating them, challenging assumptions, and demanding a culture of accountability. Boards that wait passively for problems to be presented to them are not stewards—they are potted plants.
The organizations that weather storms best are those with boards that never stop asking, “What aren’t we hearing or seeing?”
Because in the end, it’s not the surprises that implode companies—it’s the silence before them.
I welcome your comments via LinkedIn or Twitter (@rfchambers).