Financial and securities regulators around the world are increasingly concluding that deficient board oversight of risk management processes generally, and risk culture in particular, has been a recurring root cause of major corporate governance failures. This article overviews the evolution of these new board risk oversight expectations, outlines handicaps boards face meeting these expectations, and proposes specific steps boards that want to meet the new expectations can take. Handicaps boards face of particular note include, ironically, traditional point-in-time internal audit processes and ERM programs built around an annual update of the company’s “risk register” that is seen as a compliance exercise not a way to integrate risk management in to core business processes, particularly strategic planning. An absence of tangible and practical guidance how boards should actually assess and oversee their company’s risk culture compounds the problem. Recommendations proposed by the authors focus on the significant changes many companies must make to ensure their boards are equipped with the information necessary to oversee management’s “risk appetite/tolerance” and the organization’s risk culture.