Commerce risk belongs on every board's standing agenda by 2026. Platform dependency, the DTC challenger threat, first-party data erosion, and AI-native buying behavior are trajectory-level questions with three to five-year consequences. Most S&P 500 boards have no governance framework for any of them, even where direct consumer relationships determine growth.
- Boards have frameworks for financial, cyber, regulatory, and succession risk, but rarely for commerce risk.
- The pace of platform and channel change has outrun the typical board cadence.
- Directors need specific questions and metrics to put commerce risk on the agenda.
Commerce risk belongs in every board's standing agenda by 2026. Platform dependency, DTC challenger threat, first-party data erosion, and AI-native buying behavior are trajectory-level questions with 3 to 5-year consequences. Most S&P 500 boards have no governance framework for any of them, even in companies where direct consumer relationships determine long-term growth. This post gives directors the questions and metrics to change that.
The average board has detailed oversight frameworks for financial risk, cybersecurity risk, regulatory risk, and executive succession. It frequently has no comparable framework for commerce risk, even in companies where the ability to reach consumers directly, build lasting customer relationships, and adapt to channel shifts determines the long-term growth trajectory of the business.
This is changing, but slowly. The pace of change in commerce, platform evolution, channel fragmentation, the emergence of AI-native buying behaviors, the acceleration of DTC challengers, is faster than most governance frameworks can absorb. Management teams presenting commerce updates to boards often compound this problem by presenting metrics that are comfortable to report rather than the ones that would actually allow a board to evaluate the company's position.
I have briefed boards on the commerce risk landscape and advised the management teams presenting to them. The conversation fails in both directions: directors without a commerce framework asking the wrong questions or none at all, and management teams without a clear model for what good governance of commerce looks like. This post is an attempt to fix both sides of that conversation.
Commerce used to be
operational. It became
strategic. Now it's a risk.
The elevation of commerce from operational to strategic to risk-level concern happened in roughly three phases. Pre-2015, commerce was largely a channel management question: how do we show up in retail, and how do we manage the transition to e-commerce? Boards didn't need a framework beyond "is e-commerce growing as a share of revenue?"
From 2015 to 2022, commerce became a strategic question: which platform do we build on, how do we build a direct channel, how do we respond to DTC challengers taking share? Boards started asking about DTC strategy and digital investment levels, but governance frameworks lagged behind the decisions being made.
Now, commerce is a risk in the governance sense, a domain where the wrong decisions, made at the wrong time, can cause irreversible damage to the company's competitive position. Platform dependency risk (what happens if the platform that drives 40% of digital revenue changes its algorithm or economics?). Customer data risk (what is the long-term competitive consequence of not owning the customer relationship directly?). Challenger brand risk (which competitors are compounding in ways that will be expensive to reverse in three years?). AI commerce risk (how is AI-native buying behavior changing customer acquisition, and is the company positioned to benefit from it?)
These are not operational questions the management team can handle below the board level. They are trajectory-level questions whose consequences will be visible (or invisible) on a 3–5 year timeframe. That is exactly the timeframe board governance is designed to monitor.
The questions boards
should be asking, and
usually aren't.
The metrics that matter
at board level, versus the
ones management often presents.
| What Gets Presented | What the Board Should Be Asking For | Why It Matters More |
|---|---|---|
Digital Revenue Growth % |
Direct Channel Revenue % of Total, trend over 4 quarters | Growth in a rented channel builds the retailer's data asset, not the company's |
Website Traffic / Sessions |
Customer Acquisition Cost, direct channel; LTV/CAC ratio | Traffic without economics is a vanity metric; the board needs to know if the direct channel earns its keep |
Social Media Followers/Engagement |
First-party list size (email + SMS), growth rate, engagement rate | Followers are rented; first-party lists are owned, this is the actual data asset question |
NPS Score (aggregate) |
Repeat Purchase Rate, cohort retention at 90/180/365 days | NPS describes sentiment; cohort retention describes customer behavior, the board governs behavior |
Technology Roadmap Summary |
Platform dependency map + contingency for top 3 dependencies | Boards govern risk; platform dependencies are concentration risks that require governance |
How to evaluate the
platform question without
getting lost in the technology.
Board members without a technology background are often reluctant to engage substantively with platform and infrastructure questions, they don't want to appear technically naive, and the management team rarely presents the question in terms that enable a governance-level conversation. The result: significant platform decisions, replatforming the commerce stack, major integrations, AI tooling investments, get ratified by boards without meaningful scrutiny.
The governance question is not technical. It is: what is the platform dependency this decision creates, what is the cost to exit if the dependency becomes a problem, and is the company building toward a more or less diversified architecture than it has today? A board member asking these questions isn't pretending to be a CTO. They are asking the same governance questions they would ask about any significant long-term commitment with exit costs.
"The board doesn't need to evaluate the technology. It needs to evaluate the strategic dependency the technology creates, the same way it evaluates any other dependency."
The specific questions a board should ask before ratifying major platform decisions: What is the estimated cost and timeline to exit this platform if required in 3 years? What customer data will we own versus the platform at the end of the contract? What AI capabilities does this platform's roadmap include, and how does that affect our competitive position in channels that are moving toward AI-native purchasing?
DTC challenger risk belongs
in governance, not just
competitive intelligence.
Most enterprise companies have some form of competitive intelligence function that monitors DTC challengers. It produces reports. The reports inform strategy discussions. The board occasionally hears about the most prominent challengers on a competitive landscape slide. That is monitoring. It is not governance. Turning that monitoring into a real category defense function means reading the early signals while the strategic options are still open.
Governance requires: a defined framework for assessing challenger threat level (not just revenue and funding), explicit decision rights for the three possible responses (compete, acquire, ignore), a mechanism for escalating a challenger from the monitoring queue to an active response decision within a defined timeframe, and board-level awareness of any challenger that has crossed the threshold where the acquisition window is closing. Management that brings a challenger acquisition proposal to the board after the company has grown to $80M in revenue and has institutional investors on its cap table is bringing a preventable problem, the acquisition opportunity existed at $15M, when the challenger was invisible to the board.
M&A as a commerce strategy:
what the board needs before
approving.
DTC acquisitions have become a standard commerce strategy for enterprise brands. The thesis is sound in principle, acquire a brand with proven consumer demand, proven direct channel economics, and a customer relationship the acquirer couldn't build from scratch. The execution record is poor in practice, as described elsewhere in this series. The board is the last institutional checkpoint before an acquisition closes, and board approval is often based on a presentation that tells the financial story well and the integration story superficially.
Before approving any DTC acquisition, the board should require a specific integration plan that addresses the four most common sources of post-acquisition value destruction: talent retention structure (not just an earnout, but explicit authority preservation for the brand's leadership), brand autonomy framework (which decisions stay with the brand, which require parent approval), technology migration timeline (the plan for avoiding the tech integration that disrupts the brand's customer experience during the integration period), and a defined integration success scorecard with an 18-month measurement horizon rather than a quarterly P&L assessment.
Before approving any DTC acquisition, the board should ask management one direct question: "What is the mechanism by which this brand earns consumer attention and loyalty, and does this integration plan preserve that mechanism?"
If management cannot answer this question specifically (not generically ("we plan to preserve the brand voice") but specifically ("the brand's growth is driven by the founder's organic social presence and the creative team's 48-hour content cycle, and here is how we are preserving both")) the integration plan is not complete enough to approve.
What good board oversight
of commerce looks like
in practice.
Good board oversight of commerce is not deep technical knowledge or active management of strategy. It's the governance function applied to the right questions, on the right cadence, with the right information. In practice, it looks like this:
Quarterly commerce risk update: a standing agenda item that covers channel dependency metrics, challenger threat scorecard (updated quarterly with the framework described in B31), first-party data health, and any active acquisition targets or competitive response programs in progress. Not a marketing update. A risk update.
Annual platform/infrastructure review: a review of the company's major platform dependencies, the exit cost and timeline for each, and the AI commerce roadmap, with explicit board discussion about which dependencies are acceptable and which require mitigation.
Pre-approval acquisition briefing: for any commerce acquisition, a specific briefing on the integration plan that addresses the four value-destruction risk areas (talent, brand, technology, reporting) before the financial approval discussion.
Commerce-fluent board representation: at least one director with direct operating experience in consumer commerce, not a board advisor who "worked with digital companies," but someone who has operated a consumer brand at meaningful scale and understands what the key indicators actually mean. The audit committee analogy is apt: just as boards are expected to have financial expertise, boards of consumer companies should have commerce expertise.
The AI commerce question
boards need to add
to the framework.
Commerce boards are beginning to ask about AI. Most of the questions are wrong. They tend to focus on internal efficiency: are we using AI in our operations, is marketing using AI tools, what is the AI roadmap? These are legitimate management questions. They are not the board-level risk question.
The board-level AI commerce risk question is: how is AI-native buying behavior changing the customer acquisition model, and is our company positioned to benefit or lose from that shift? Specifically: is our product and brand information appearing in AI-generated shopping recommendations, what share of our traffic now originates from AI referral rather than search, and are we building the content and structured data infrastructure that AI buying assistants can use to recommend our products?
The brands that are winning in AI-referred commerce are not necessarily the ones with the biggest marketing budgets. They are the ones whose product information is structured in ways AI can synthesize, whose review profile is strong across multiple touchpoints, and whose content answers the questions buyers are asking AI assistants. This is a governance-level question because the companies that fall behind in AI commerce visibility are facing the same kind of irreversible compounding that Google SEO disadvantage created, just faster. For the detailed mechanics, I covered what AI-referred traffic looks like in actual Shopify data in AI-referred traffic and Shopify conversion data.
The board question to add to the quarterly commerce risk update: what percentage of new customer acquisition came through AI referral in the last quarter, what is the trend, and what is the plan to increase it? Most management teams cannot answer this question yet. That is the problem.
Frequently
asked
questions.
The board conversation on commerce is failing on both sides: directors who lack the framework to govern it, and management teams that have learned to present it in ways that avoid the scrutiny the decisions deserve. The fix is not complicated. A defined framework, the right metrics, the right cadence, and at least one person in the room who has actually run a consumer business at scale.
For the management team preparing the commerce update, the most important shift is from reporting outputs (revenue, traffic, social engagement) to reporting risk indicators (platform dependency, first-party data health, challenger threat level, AI acquisition share). For the board, the most important shift is treating commerce oversight with the same governance rigor applied to financial and cybersecurity risk. The consequences of doing it poorly are just as permanent.
Fixing the board conversation on commerce takes someone who has sat on both sides of the table. The enterprise innovation practice is where that work gets done. The form takes two minutes: start the conversation.
Preparing a board conversation on commerce?
I advise management teams on how to bring commerce strategy to the board effectively, and have briefed boards directly on the commerce risk landscape. If you're preparing for a board presentation or trying to build a governance framework for commerce, the form takes two minutes.
Start a conversation More about Taylor →