The Governance of Risk Management

After completing this reading, you should be able to:

  • Explain changes in corporate risk governance that occurred as a result of the 2007-2009 financial crisis.
  • Compare and contrast best practices in corporate governance with those of risk management.
  • Assess the role and responsibilities of the board of directors in risk governance.
  • Evaluate the relationship between a firm’s risk appetite and its business strategy, including the role of incentives.
  • Illustrate the interdependence of functional units within a firm as it relates to risk management.
  • Assess the role and responsibilities of a firm’s audit committee.

Corporate governance can be defined as the way firms are run. That is, corporate governance sets out the roles and responsibilities of a company’s shareholders, its board of directors, and its senior management. The relationship between corporate governance and risk has become fundamental since the 2007-2009 financial crisis. The critical questions addressed in the following text concern the relationship between corporate governance practices and risk management practices, the organization of risk management authority through committees, and the transmission of risk limits to lower levels so that they can be observed in daily business decisions.

Lack of transparency, lack of correct and sufficient information about economic risks, and a breakdown in the transmission of relevant information to the board of directors are some of the leading causes of corporate failures in nonfinancial as well as financial sectors in 2001-03 and 2007-09. The subprime crisis was caused by the relegation of risk management activities in the boom years. The risk associated with structured financial products was almost ignored, and this resulted in failed institutions and a global financial crisis.

The post-crisis discussion of corporate governance includes some key issues, especially in the banking industry. These include the composition of the board, the risk appetite, compensation, and stakeholder priority.

  • Risk appetite

Regulators have forced banks to come up with a formal, board-approved risk appetite that reflects the firm’s willingness to accept risk without running the risk of insolvency. This appetite is then amplified into enterprise-wide risk limits with the board’s involvement.

Boards have also been tasked with capping excessive compensation. The payment structure should adjust for risk-taking so that long-term risks are captured. A good example is that some banks have limited their bonus compensation schemes and introduced deferred bonus structures.

  • Board composition

The financial crisis led to a discussion on the independence, engagement, and financial industry skills of the firm’s board. However, statistical analysis of the failed banks does not show any correlation between the performance of a bank and the predominance of either insiders or outsiders on its board.

  • Stakeholder Priority

The analysis of the 2007-2009 financial crisis led to the realization that there was little attention to controlling the tail risks and worst-case scenarios. This has led to discussions on the stakeholders of a bank and their impact on corporate governance.

  • Board Risk Oversight

After the crisis, the need for boards to be proactive in risk oversight became a significant issue. Consequently, boards have been educated on risks, and the risk management structure has been given a more direct line to the board, for example by empowering the CRO to report to the board directly.

The Infrastructure of Risk Governance

A clear understanding of business strategies and associated risks and returns is necessary for risk governance. The risks associated with business activities should be made transparent to the stakeholders. Appropriate risk appetite should be set for the firm, and the board should oversee the managerial operations and strategy formulation process. There should be an involvement of risk management in business planning, and risks associated with every target should be adequately assessed to see if they fit into the firm’s risk appetite. The choices in risk management are as follows:

  • Scrapping activities to avoid the risk
  • Reducing risk exposure by hedging/buying insurance
  • Risk mitigation, for example, reduction of operational risks by control measures
  • Accepting risks to generate values for the shareholders.

Risk management strategies should be directed at improving economic performance rather than accounting performance. Policies, directives, and infrastructure related to risk management should be appropriately placed in a firm. The seriousness of a firm about its risk management process can be gauged by assessing the career path in the risk management division of the firm, the incentives awarded to risk managers, the existence of an ethical culture within the firm, and the authority to whom the risk managers report.

The Board and the Corporate Governance

The primary responsibility of the board of directors is:

  • To steer the firm according to the interests of the shareholders. Other stakeholders, such as debt holders, are also to be kept in mind when making strategies at the corporate level. The assumption of particular risks to attain projected returns should be weighed against the sustainability of the profits from such activities. Agency risks, i.e., conflicts of interest between management and stakeholders, should be avoided at all costs. For example, managers may turn to short-term profit making while assuming long-term risks, so that they may earn a bonus. Corporate governance roles should be independent of executive roles, i.e., the board and the CEO should act independently of each other. Chief risk officers have been tasked in many corporations with integrating corporate governance and risk management activities.
  • The board should make sure that staff gets rewarded according to their risk-adjusted-performance—this checks fraud related to financial manipulation and stock price boost.
  • The board should check the quality and reliability of information about risks, and it should be able to assess and interpret the data. This ensures that all the risk management related operations are aligned to value creation for shareholders.
  • The board should be educated on risk management and should be able to determine the appropriate risk appetite for the firm. There should also be an assessment of risk metrics over a specified time horizon that the board may set. Some technical sophistication is required to build clear strategies and directives in relation to crucial risk disciplines. A risk committee of the board should be qualified enough to handle these technicalities. It should also be separated from the audit committee on the grounds of differences in skills and responsibilities.

The Transition of Corporate Governance to Best-Practice Risk Management

As stated earlier, the 2007-2009 financial crisis reflected weaknesses in the risk management and oversight of financial institutions. Consequently, post-crisis regulation has emphasized risk governance, with the aim of keeping financial risks in check.

Risk governance is about coming up with an organizational structure that provides a precise road map for defining, implementing, and authorizing risk management. Moreover, it touches on transparency and the establishment of channels of communication within which an organization, its stakeholders, and regulators engage.

For instance, the board of directors has responsibility for shaping, and authority over, risk management. As part of risk governance, the board has a duty to analyze the major risks and rewards in the firm’s chosen business strategy.

In other words, risk governance must ensure that a sound risk management system is in place so that the firm can pursue its strategic objectives within the limits of its risk appetite.

The Risk Appetite Statement (RAS)

A statement of risk appetite is one of the critical components of corporate governance. RAS contains a precise aggregated amount and types of risks a firm is willing to accommodate or avoid to achieve its business objectives.

Clear articulation of the risk appetite for a firm helps in maintaining the equilibrium between risk and return, cultivating a proper attitude towards tail and event risks, and attaining the desired credit rating.

The RAS should state the risk appetite and the risk tolerance, which measures the maximum amount of risk taken at the business level as well as at the enterprise level. Moreover, it should set out the relationship between risk appetite, risk capacity, risk profile, and risk tolerance.

[Figure: risk capacity, appetite, and tolerance]

Risk tolerance is the range of acceptable outcomes relative to business objectives (dotted line on the diagram above). Risk tolerance is a tactical measure of risk, while risk appetite is the aggregate measure of risk. Note that the risk appetite is below the risk capacity of a firm. A firm operating within its risk tolerance can attain its risk-adjusted return objectives relative to the amount of risk taken.

Implementation of the Board-Level Risk Governance

In the banking industry, the board of directors charges committees, such as risk management committees, with ratifying policies and directives for activities related to risk management. The committees frame policies on division-level risk metrics in relation to the overall risk appetite set by the board. They also oversee the effective implementation of these policies.

Role of Audit Committee of the Board

The audit committee’s responsibilities are:

  • To look into the accuracy of the firm’s financial and regulatory reporting and the quality of the processes that underlie such activities.
  • To ensure that the bank complies with standards in its regulatory, risk management, legal, and compliance activities.
  • To verify the activities of the firm and check that the reports reflect them.

The members should ideally be nonexecutives to keep the audit committee clear from executive influence. The audit committee should interact with the management productively and should keep all channels of communication open.

The Role of the Risk Advisory Director

There may be a few nonexecutives on the board of directors who lack the expertise to understand the technicalities behind the risk management activities of a sophisticated firm. In this case, executives may dominate the nonexecutives, and this may lead to corporate scandals. Training programs and support systems may be put in place to aid such nonexecutives. Another method is to have a risk management specialist on the board as a risk advisory director. The functions of this director are:

  • The risk advisory director would oversee risk management policies, reports, risks related to the overall business.
  • Mitigation of risks like credit risk, market risk, etc. The risk advisory director should be familiar with financial statements and accounting principles.
  • The risk advisory director should oversee financial reporting and the dealings between the firm and its associates, including issues like intercompany pricing, transactions, etc.
  • The risk advisory director should look into the requirements from regulatory agencies and should lay appropriate directives for the firm to comply with the requirements.
  • Participation in audit committee meetings, outlining risk profiles of strategic business segments, sharing insights into corporate governance and risk management policies, and overseeing the conduct of business.

The Role of the Risk Management Committee

The risk management committee in a bank independently reviews different forms of risk, such as liquidity risk and market risk, and the policies related to them. The responsibility for approving individual credits also usually rests with the risk management committee. It monitors securities portfolios and significant trends in the market, as well as breakdowns in the industry, liquidity crunches, etc. It reports to the board on matters related to risk levels and credits, and it also provides opportunities for direct interaction with the external auditor, management committees, etc.

The Role of the Compensation Committee

Its responsibility is to determine the compensation of top executives. Since the CEO could convince the board to pay the executives at the expense of shareholders, compensation committees were put in place to check such occurrences. In the previous decade, compensation based on short-term profits, without much concern for long-term risks, sealed the fate of many institutions. Since then, compensation based on risk-adjusted performance has gained recognition. Such compensation helps in aligning business activities with long-term economic profitability.

Various caps have also been put in place on the bonuses of executives across the world, to prevent a reckless risk-bearing attitude in which executives eye the upside but bear no responsibility for the downside of the risky activity. Stock-based compensation may encourage risk-taking, as the upside is not capped while the downside is. To make employees concerned about the financial health of the firm, they may be made creditors of the firm by providing compensation in the form of bonds. For example, UBS has adopted such a strategy.

The Risk Appetite and the Business Strategy

Many firms wish to examine how the regular activities of the firm run within the confines of the risk appetite and limits defined by the board and executive committees. The process of examining the firm’s risk appetite includes:

  • Risk approval by the board risk committee: The board risk committee approves the risk appetite statement on an annual basis.
  • The firm’s senior management (such as the CEO and CRO) are tasked by the board with implementing the risk appetite framework.
  • With the approval of the board, senior management comes up with limits for the financial risk parameters (for example, credit risk) and nonfinancial risks (for instance, operational risk) to which the firm is exposed. At this point, subcommittees can be set up to deal with each risk type independently.
  • After setting the risk limits, the senior risk committee reports the outcome to the board risk committee, accompanied by recommendations on the total risk acceptable, which is again subject to the board risk committee’s consideration and approval.

The Role of the Chief Risk Officer (CRO)

The CRO is a member of the risk committee whose responsibilities are:

  • Designing the risk management program of the firm;
  • Risk policies, analysis dimensions, and methodologies;
  • Risk management infrastructure and governance in the firm;
  • Monitoring the firm’s risk limits set by the senior risk management; and
  • In many financial institutions such as banks, the CRO is an intermediary between the board and the management. The CRO keeps the board informed on the firm’s risk tolerance and condition of the risk management infrastructure and informs the management on the state of the risk management.

The Role of Incentive

As the global crisis showed, the executive compensation schemes at many financial institutions motivated short-run risk-taking, leading management to ignore long-term risks. That is, bankers were rewarded based on short-run profits. Consequently, this led to the formation of compensation committees to cap executive compensation. This prevents a scenario in which the CEO convinces board members to compensate themselves at the expense of other shareholders.

The compensation is part of the risk culture of a firm. Thus, it should be made in accordance with the long-term interest of the shareholders and other stakeholders and the risk-adjusted return on the capital.

For instance, the central bank governors and the finance ministers of the G-20 countries met in September 2009 to discuss a framework for financial stability, one element of which was compensation reform. The reforms included:

  • Scrapping multi-year guaranteed bonuses;
  • Controlling the amount of variable compensation given to employees relative to total net revenues;
  • Promoting transparency through disclosure;
  • Recognizing the interdependence of the compensation committee’s work, so that compensation is set with respect to both performance and risk; and
  • Including executive downside exposure by deferring an appropriate portion of compensation, implementing share-based incentives, and introducing a clawback mechanism under which bonuses are reimbursed if longer-term losses are incurred after the bonuses are paid.

The Interdependence of Organizational Units in Risk Governance

Primary responsibility is placed on the firm’s staff to implement risk management across all parts of the firm. Executives and business line managers should work collaboratively to manage, monitor, and report the various types of risk being undertaken. The figure below illustrates the risk management flows as divided among the various management functions.

[Figure: risk management and management functions]

Limits and Limit Standard Policies

A firm should set appropriate limits for each type of risk associated with each portfolio in the business, as well as for the business as a whole. This enables the firm to steer business strategies so that they conform to the risk appetite set by the board. Market risk limits are set to control risks arising from fluctuations in asset prices. Credit risk limits control the number of defaults and the deterioration in the quality of loans, etc. Appropriate risk limits may be set for liquidity risks and asset management risks as well.

The process by which the limits are established should be documented, since each limit depends on the scale and sophistication of the firm’s activities. Risk metrics like VaR are used to express the risk of portfolios in normal market conditions, although they do not serve the purpose in extreme market conditions. Worst-case scenario analysis and stress testing should be done to work out strategies for countering extreme conditions.

Mostly, two types of limits are employed by firms:

  • Tier 1 limits: These include the overall limit for each asset class, overall stress test limit, and total loss if the peak limit is realized; and
  • Tier 2 limits: These cover authorized business and concentration limits; for example, risks by industry, credit class, etc.

In the normal course of events, risk limits should not be fully utilized. In typical markets, exposures of about 85% of risk limits should be acceptable.

Standards for Monitoring Risk

Let’s take the example of market risk. While monitoring market risk, all positions with exposure to market risk should be valued daily. P&L statements should be prepared by units independent of the traders, and the reports should be provided to senior management. Further, all the assumptions underlying the models used to price transactions and to value positions should be verified. Compliance with risk policy should be duly measured and monitored so that any breach of limits can be escalated in time. The impact of significant market or credit risk changes should be determined by stress testing, and there should be an evaluation of how closely the values of portfolios predicted by the risk models follow the actual values. Although data from the front office can be used in analyses where timeliness is required, the data used in limit monitoring should be independent of the front office, should be reconciled with the books of the bank to ensure its integrity, should allow for proper risk measurement, and should be taken from consolidated feeds.

There should be an explicit instruction that reports of a potential breach of risk limits be handed over to management well in advance of the breach. The risk committees should then decide whether to increase the limits temporarily based on the merits of the project. A breach of a tier 1 risk limit should be dealt with immediately, while a tier 2 risk limit breach can be dealt with slightly less quickly. All such limit excesses should be reported in the daily excess report. Relaxation of limits should only be done after careful consideration of the opportunity costs of the limits.
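The limit framework and monitoring standards described above (tier 1 and tier 2 limits, the 85% normal-usage level, advance warning before a breach, tier-based escalation, the daily excess report, and reconciliation of monitoring data with the books) can be put into a small daily check. The following is an added example, not code from the original text or from any firm's actual risk system; the escalation labels, the reconciliation tolerance, and all limit and exposure figures are constructed assumptions chosen to illustrate the text.

```python
"""Daily risk-limit monitoring (added example; all data below is constructed)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Tier(Enum):
    TIER1 = 1  # overall limit per asset class, overall stress-test limit, peak loss
    TIER2 = 2  # authorised-business and concentration limits (industry, credit class)


@dataclass(frozen=True)
class Limit:
    name: str
    tier: Tier
    amount: float  # limit in currency units (constructed sample values below)


@dataclass(frozen=True)
class Finding:
    limit: str
    tier: Tier
    exposure: float
    utilisation: float  # exposure / limit
    status: str         # "ok", "warning" or "breach"
    escalation: str     # "none", "notify management", "immediate" or "next review"


# In normal markets exposures of about 85% of a limit are acceptable; anything
# above that is reported ahead of time so management hears of a potential
# breach before it happens (threshold taken from the text).
WARNING_THRESHOLD = 0.85


def assess(limit: Limit, exposure: float, warning_threshold: float = WARNING_THRESHOLD) -> Finding:
    """Classify one exposure against its limit and decide the escalation path."""
    utilisation = exposure / limit.amount
    if utilisation > 1.0:
        status = "breach"
        # Tier 1 excesses are dealt with immediately; tier 2 excesses go to the
        # next risk-committee review, which may relax the limit on the merits.
        escalation = "immediate" if limit.tier is Tier.TIER1 else "next review"
    elif utilisation >= warning_threshold:
        status, escalation = "warning", "notify management"
    else:
        status, escalation = "ok", "none"
    return Finding(limit.name, limit.tier, exposure, round(utilisation, 4), status, escalation)


def reconcile(feed: Dict[str, float], books: Dict[str, float], tolerance: float = 0.005) -> List[str]:
    """Return limit names whose monitoring-feed exposure disagrees with the bank's books.

    Monitoring data must be reconciled with the books before it is trusted; a
    relative difference larger than `tolerance` (assumed 0.5%) fails reconciliation.
    """
    mismatched = []
    for name, feed_value in feed.items():
        book_value = books.get(name)
        if book_value is None:
            mismatched.append(name)  # no book figure at all: cannot reconcile
            continue
        base = max(abs(book_value), 1e-9)
        if abs(feed_value - book_value) / base > tolerance:
            mismatched.append(name)
    return sorted(mismatched)


def monitor(limits: Iterable[Limit], feed: Dict[str, float],
            books: Dict[str, float]) -> Tuple[List[Finding], List[str]]:
    """Daily check: reconcile first, then assess every reconciled exposure."""
    unreconciled = set(reconcile(feed, books))
    findings = [assess(lim, feed[lim.name]) for lim in limits
                if lim.name in feed and lim.name not in unreconciled]
    return findings, sorted(unreconciled)


def excess_report(findings: Iterable[Finding]) -> List[Finding]:
    """Daily excess report: every breach, tier 1 first, largest overrun first."""
    breaches = [f for f in findings if f.status == "breach"]
    return sorted(breaches, key=lambda f: (f.tier.value, -f.utilisation))


# Constructed sample data: limits (in millions) and today's exposures from the
# independent risk feed and from the bank's books.
SAMPLE_LIMITS = [
    Limit("equity_var", Tier.TIER1, 100.0),
    Limit("stress_loss", Tier.TIER1, 400.0),
    Limit("energy_sector_concentration", Tier.TIER2, 50.0),
    Limit("sub_investment_grade", Tier.TIER2, 80.0),
]
SAMPLE_FEED = {"equity_var": 104.0, "stress_loss": 350.0,
               "energy_sector_concentration": 52.0, "sub_investment_grade": 60.0}
SAMPLE_BOOKS = {"equity_var": 104.0, "stress_loss": 349.0,
                "energy_sector_concentration": 52.1, "sub_investment_grade": 75.0}


if __name__ == "__main__":
    findings, unreconciled = monitor(SAMPLE_LIMITS, SAMPLE_FEED, SAMPLE_BOOKS)
    for f in findings:
        print(f"{f.limit:30} {f.utilisation:7.1%} {f.status:8} -> {f.escalation}")
    print("unreconciled (not monitored today):", unreconciled)
    print("excess report:", [f.limit for f in excess_report(findings)])
```

With the constructed data, the tier 1 VaR limit and the tier 2 sector concentration limit are both over 100% and land in the excess report with different escalation paths, the stress-loss limit at 87.5% produces an advance warning, and the sub-investment-grade exposure is held back from monitoring because the feed and the books disagree by far more than the tolerance. An unreconciled figure is deliberately neither trusted nor silently dropped; it is returned separately so the gap itself gets reported.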

The Role of the Audit Function

The audit function is responsible for an independent assessment of the framework and implementation of risk management. It reports to the board on the strategies of business managers and executives, and on whether these strategies are in line with the board’s expectations. Regulatory guidelines require audit groups to monitor the adequacy and reliability of documentation, the effectiveness of the risk management process, etc. For example, if market risk is under consideration, auditors are required to assess the process by which derivative pricing models are examined, changes in the measures used to quantify risk, and the scope of risks captured by the models in use. The integrity and independence of position data should also be examined.

There should be an evaluation of the design and conceptual soundness of risk metrics and measures, and that of stress testing methodologies. The risk management information system, including the process of coding and implementing models, should also be checked and evaluated. The same would include the examination of controls over market position data capture and that over the process of parameter estimation. The audit function reviews the design of the financial rates database, which is used to generate parameters for VaR models, and things like risk management system upgrade, adequacy of application controls in risk management information system, etc. Documentation related to compliance should be examined, and the audit function should independently assess VaR reliability. The guidelines for the audit function are provided in the International Professional Practices Framework (IPPF). The audit should, essentially, be independent of operational risk management. This ensures that the assessment done by the audit function is reliable.


It is not possible to control the financial health of a firm without an excellent risk management function and appropriate risk metrics. Historically, many corporate failures have been associated with the neglect of risks that later turned fatal. An important example of this is the subprime crisis in the United States. Therefore, a clear risk management policy should guide the strategies of the firm, and an appropriate risk appetite should limit the firm’s exposures. Such directives make it easy for executives down the business line to understand their role in risk management.

The risk committees should participate in framing risk management methodologies, and they should have appropriate knowledge of all the risks as well as their metrics so that they can clearly understand the risk reports. A careful delegation of authority and responsibility to each risk management mechanism should ensure that all gaps are filled and that all activities complement each other. After taking risk into account, risk measures like VaR, economic capital, etc. can be used to set risk limits and also to determine the profitability of various business lines.

Risk infrastructure can be used as a tool in the analysis and pricing of various deals. It can also be used to formulate incentive compensation schemes so that business decisions and strategies are aligned with risk management decisions.


Which of the following statements best describes the role of the board in risk management?

A. Issuing guidelines on how to manage risks

B. Developing the risk appetite statement and objectives the managers should strive to meet within the risk management framework.

C. Regularly reviewing decisions made by managers regarding risk exposures

D. Choosing the risk exposures to hedge, the risks to mitigate, and those to avoid altogether


The correct answer is: B

The board sits above the managers in the hierarchy of management in most for-profit organizations. It is the board that assembles and develops a comprehensive risk appetite statement, specifying the risks the company should assume and those to avoid, including the preferred methods of risk mitigation. The managers consult the risk appetite statement when choosing the projects to undertake.
