By Lauren Mitchell
Contributing Analyst, Strategic Infrastructure Policy
March 18, 2026
Corporate boards are under increasing pressure to demonstrate meaningful oversight of operational and cyber risk. Regulatory expectations have evolved, investor scrutiny has intensified, and a growing body of incident history has made clear that inadequate board engagement with operational risk is not only a governance failure but a material liability.
The challenge for most boards is not willingness. It is the absence of a structured framework for asking the right questions. The following five questions represent the standard of informed oversight that operational environments now require.
1. Do We Know Where Our Critical Dependencies Are?
Every organization operating physical infrastructure, industrial systems, or complex supply chains has critical dependencies — single points of failure whose disruption would cause disproportionate operational harm. Boards should expect management to maintain a clear and current inventory of these dependencies, including technology vendors, sole-source suppliers, and key personnel, and to demonstrate that mitigation strategies exist for the most consequential ones.
2. How Would We Know If We Were Compromised?
Detection capability is one of the most important and most frequently underinvested dimensions of operational security. The question is not whether the organization has security tools in place. It is whether those tools provide meaningful visibility into the environments where operational risk actually resides, and how long it would realistically take to identify an intrusion.
3. Have We Tested Our Continuity Plans Under Realistic Conditions?
A continuity plan that has never been exercised under stress conditions is a document, not a capability. Boards should expect organizations to conduct realistic exercises that test leadership decision-making, communication protocols, and operational fallback procedures rather than tabletop scenarios designed to produce favorable outcomes.
4. How Are We Managing Third-Party Risk?
Vendors, contractors, and technology partners represent an extension of the organization’s risk perimeter. Boards should understand the standards applied to third-party security assessments, how vendor compliance is monitored over time, and whether contractual frameworks create meaningful accountability for security failures.
5. What Would a Significant Incident Actually Cost Us?
Organizations that have never modeled the financial, operational, and reputational consequences of a significant disruption are not in a position to make informed risk investment decisions. Boards should expect management to present credible impact scenarios that inform capital allocation and insurance strategy.
These questions do not require technical expertise to ask. They require the institutional discipline to ask them consistently, evaluate the answers critically, and hold leadership accountable for the quality of the response.