Boards talk about growth. They talk about strategy. They talk about brand and expansion. What they often miss is risk literacy.
Frank Elsner has spent more than 30 years in law enforcement, including time as a Chief of Police, and now serves as Chief of Safety and Security for the Natural Factors Group of Companies in Vancouver. He has worked undercover, led intelligence units, chaired provincial policing groups, and advised organizations on security strategy. He has seen what happens when leaders underestimate risk. He has also seen what strong governance can prevent.
“Early in my career, I watched a small issue turn into a national headline because no one wanted to escalate it,” he says. “The warning signs were there. They just were not taken seriously at the board level.”
Boards do not need to become security experts. They do need to understand risk.
The Risk Gap in Modern Governance
Corporate risk is growing.
According to global risk surveys, over 60 percent of executives say their organizations face more complex threats than five years ago. Cybercrime alone is expected to cost the world trillions annually. Workplace violence incidents remain a concern. Supply chain disruptions continue to hit global companies.
Yet many boards still treat security as an operational issue.
That is a mistake.
“When I became Chief of Police in Sudbury, I learned fast that you cannot treat risk as someone else’s job,” he says. “If the board or council does not understand exposure, they will underfund prevention every time.”
Boards often focus on financial reports and quarterly results. Risk reports may get ten minutes at the end of a meeting. That structure signals priorities.
Security should not be an afterthought.
What Risk Literacy Actually Means
Risk literacy is not fear. It is awareness.
It means board members understand:
- Where the organization is vulnerable
- How threats could escalate
- What early warning signs look like
- What a real crisis would cost
Risk-literate leaders ask sharper questions.
They ask about incident trends. They ask about near misses. They ask whether safety systems are tested or just written on paper.
In policing, Elsner worked in intelligence. That role required connecting small dots before they became big problems.
“In intelligence work, the biggest failures happen when people dismiss small signals,” he says. “A strange pattern in data. A rumor. A minor breach. Boards should think the same way. Small issues matter.”
That mindset translates directly into corporate governance.
When Boards Ignore Security
History offers clear examples.
Major companies have faced massive losses due to weak oversight of security and compliance. Data breaches have led to executive resignations. Workplace safety failures have resulted in lawsuits and reputational damage.
The average cost of a major data breach now runs into millions of dollars. Operational shutdowns can cost even more. Insurance premiums are rising as claims increase.
But the real cost is trust.
“When you lose public trust, it takes years to rebuild,” he says. “I saw that in policing. Once confidence drops, every decision gets questioned.”
Boards that lack risk literacy often react too late. They approve spending only after an incident. They bring in consultants after damage is done.
Prevention is cheaper. Governance must reflect that.
Frank Elsner’s View from Both Sides
Few leaders have worked both as a police chief and as a corporate security executive. That dual perspective matters.
As Deputy Chief and later Chief of Police, he sat in rooms where budget decisions shaped frontline capacity. Later, in the private sector, he had to justify security investments in business terms.
“When I moved into corporate leadership, I stopped talking about threats first,” he says. “I talked about downtime. Insurance costs. Regulatory exposure. Once you frame risk in business language, boards pay attention.”
This shift is critical. Boards respond to impact.
Security leaders must translate technical issues into governance risks. That includes legal exposure, brand damage, and shareholder value.
What Boards Should Be Asking
Risk-literate boards ask direct questions.
1. Where are our top three exposures?
Not a long list. Three clear areas. Physical security. Cyber systems. Supply chain. Regulatory compliance.
Clarity drives action.
2. When was our last full risk assessment?
If the answer is more than a year ago, that is a red flag.
Threats evolve. Assessments must evolve too.
3. Do we test our crisis plans?
Tabletop exercises matter. Simulations reveal gaps.
“In policing, we trained constantly,” he says. “You do not wait for a crisis to test your system. You practice before it counts.”
Boards should expect the same from corporate teams.
4. Who owns risk?
Is it fragmented across departments? Or is there clear accountability?
Without ownership, nothing improves.
Actionable Steps for Risk-Literate Governance
Boards can take simple, concrete steps.
Add Security as a Standing Agenda Item
Not a once-a-year review. A recurring discussion.
Five focused minutes can shift culture.
Bring in Independent Assessments
External reviews reveal blind spots. Internal teams can miss patterns.
Independent voices add credibility.
Invest in Board Education
Short briefings on emerging risks help directors stay informed.
Board members do not need technical depth. They need awareness.
Tie Risk to Strategy
If the company is expanding into new markets, security must scale with it.
Growth without protection creates exposure.
Measure Leading Indicators
Do not track only incidents. Track training completion rates. Near-miss reports. Audit findings.
Leading indicators show trends before crises happen.
Culture Starts at the Top
Governance shapes culture.
If boards treat safety as compliance, managers will do the minimum. If boards treat risk as strategic, leaders will follow.
In his years leading police services, culture often determined outcomes.
“When officers felt leadership cared about preparation, they trained harder,” he says. “The same applies in business. When boards show interest in security, teams respond.”
Culture is not built through slogans. It is built through consistent oversight.
Why This Matters Now
Organizations operate in a volatile environment. Global supply chains stretch across continents. Information moves instantly. Reputation shifts fast.
Risk is not static.
Boards that ignore this reality expose their organizations to preventable harm.
Risk-literate leaders do not panic. They prepare. They ask better questions. They allocate resources with foresight.
Security is not a cost center. It is a stability engine.
Frank Elsner has seen what happens when leaders prepare and when they do not. He has watched small issues grow into major failures. He has also helped organizations prevent those outcomes through planning and discipline.
Boards that build risk literacy protect more than assets. They protect trust, continuity, and long-term value.
Governance without risk awareness is incomplete.
The smartest boards understand that security is not separate from strategy. It is part of it.