The Strategic Imperative
In the wake of high-profile corporate failures, from the global shocks of Enron to the local governance complexities involving 1MDB, one lesson remains stark: inadequate risk governance is not merely a technical failing; it is an existential threat. Today, Enterprise Risk Management (ERM) has moved from the periphery of compliance to the strategic core of organisational resilience.
However, a dangerous paradox persists in many Public Listed Companies (PLCs). While Boards increasingly acknowledge that they are ultimately accountable for risk, the organisational structures they approve often undermine the very function meant to protect them.
This brief argues that the prevailing reporting lines for the Chief Risk Officer (CRO), specifically reporting to the CEO or CFO, create inherent conflicts of interest that silence critical risk intelligence. To safeguard shareholder value, Malaysian Boards must transition to the “Unfettered Guardian” model: a structure where the risk function reports exclusively to the Board.
The “Policing Your Own Boss” Dilemma
Agency theory reminds us that management (agents) and shareholders (principals) often have diverging interests. Managers may prioritise short-term stock performance or bonuses, potentially at the expense of long-term sustainability. The ERM function exists to bridge this gap, providing the Board with an objective view of the risks attached to management’s strategies.
Yet, in many organisations, the CRO reports directly to the C-suite. This creates a structural flaw comparable to asking a film critic to write an impartial review of a movie in which they hold the leading role.
The Three Flawed Scenarios
My research identifies three common reporting structures that, despite being “industry standard,” critically compromise governance:
- Reporting to the CFO: When Risk reports to Finance, it is often reduced to a cost-control function. Strategic risks that challenge capital allocation plans or financial projections are easily deprioritised or silenced.
- Reporting to the CEO: While this elevates the status of risk, it erodes Behavioral Independence. The CEO is the organisation’s chief “business-getter.” If the CRO’s bonus and career progression depend on the CEO’s appraisal, the CRO is incentivised to support the CEO’s strategy rather than challenge it. This “good news culture” filters out the warning signals the Board desperately needs to hear.
- The “Dotted Line” Trap: The most deceptive model is the “hybrid”: a solid line to the Board but a dotted line to the CEO. While it appears to offer independence, the “dotted line” is often where the real power resides. If the CEO still influences the CRO’s daily resources, political capital, and remuneration, the CRO remains beholden to management.
The Solution: The “Unfettered Guardian” Framework
To ensure the ERM function serves as a genuine strategic asset, Boards must implement a structure that guarantees both Structural and Behavioral Independence.
The “Unfettered Guardian” model demands two non-negotiable shifts:
- Exclusive Solid-Line Reporting: The CRO must report only to the Board (via the Risk Committee). There should be no reporting line to the CEO. This ensures the CRO communicates directly and without filtration.
- Board-Controlled Remuneration: The CRO’s salary, bonus, and dismissal must be determined solely by the Board, not management. Performance metrics should be tied to the effectiveness of risk oversight, not the company’s financial profit, which creates perverse incentives.
Implications for Directors
Adopting this model does not mean the CRO operates in isolation. A highly effective CRO must still maintain a partnership with the CEO, but as a constructive peer, not a subordinate.
For Malaysian Boards, the path forward is clear. You must move beyond “appearance-based” governance. By amending committee charters to give the Risk function true independence, you send a powerful signal to investors and regulators that your organisation is committed to the highest standards of integrity and long-term value preservation.
The cost of structural reform is minimal. The cost of silence, however, can be catastrophic.
Dr. Shaharin Abdul Samad is a Governance & Assurance strategist with over 28 years of international experience transforming risk management from a compliance checklist into a driver of business value. A certified Enterprise Risk Management (ERM) professional, he holds a Ph.D. in Management with a research focus on corporate governance structural reform.
Dr. Shaharin has executed high-impact governance mandates across the Oil & Gas, Banking, and Infrastructure sectors in Malaysia, Qatar, and the UAE. His portfolio includes driving advanced risk frameworks for major energy conglomerates like QatarEnergy and Borouge (ADNOC Group). At MBSB Bank Bhd, he was the architect behind the institution’s corruption risk management ecosystem, building it from the ground up. Additionally, he spearheaded the Enterprise Risk and Business Continuity agendas for key national stakeholders, including TRX City Sdn Bhd and Malayan Railways (KTMB).
Dr. Shaharin specialises in guiding Boards and C-Suites through complex regulatory landscapes. He champions the strategic adoption of the “Unfettered Guardian” framework – a robust governance model designed to ensure true independence, agility, and integrity. He maintains active engagement with the Malaysian corporate sector and is available to provide expert guidance to Boards seeking to elevate their Assurance functions.
Connect with Dr. Shaharin: shaharin.abdulsamad@gmail.com
Read the full academic paper here: Strengthening ERM Independence.
The article is written by Dr Shaharin Abdul Samad.
Photo by Markus Spiske on Pexels.com.