The Governance of Risk Management

After completing this reading, you should be able to:

  • Explain changes in regulations and corporate risk governance that occurred as a result of the 2007-2009 financial crisis.
  • Describe best practices for the governance of a firm’s risk management processes.
  • Explain the risk management roles and responsibilities of a firm’s board of directors.
  • Evaluate the relationship between a firm’s risk appetite and its business strategy, including the role of incentives.
  • Illustrate the interdependence of functional units within a firm as it relates to risk management.
  • Assess the role and responsibilities of a firm’s audit committee.

Corporate governance can be defined as the way firms are run. That is, corporate governance sets out the roles and responsibilities of a company’s shareholders, its board of directors, and its senior management. The relationship between corporate governance and risk has become fundamental since the 2007-2009 financial crisis. The critical questions addressed in the following text concern the relationship between corporate governance practices and risk management practices, the organization of risk management authority through committees, and the transmission of risk limits to lower levels so that they can be observed in daily business decisions.

Lack of transparency, lack of correct and sufficient information about economic risks, and a breakdown in the transmission of relevant information to the board of directors are some of the leading causes of the corporate failures seen in both the nonfinancial and financial sectors in 2001-03 and 2007-09. The subprime crisis was caused by the neglect of risk management activities during the boom years. The risk associated with structured financial products was almost ignored, and this resulted in failed institutions and a global financial crisis.

The post-crisis discussion of corporate governance has centered on some key issues, especially in the banking industry. These include the composition of the board, the risk appetite, compensation, and stakeholder priority.

Risk Appetite

Regulators have forced banks to come up with a formal, board-approved risk appetite that reflects the firm’s willingness to accommodate risk without risking insolvency. This appetite is then translated into enterprise-wide risk limits, with the board engaged in the process.

Boards have been tasked with the responsibility of controlling excessive compensation. Pay structures should be risk-adjusted so that they capture long-term risks. A good example is that some banks have limited the share of bonuses in compensation schemes and have also introduced deferred bonus structures.

Board Composition

The financial crisis led to a discussion of board independence, engagement, and financial industry skills. However, statistical analysis of the failed banks shows no correlation between a bank’s performance and whether insiders or outsiders predominated on its board.

Stakeholder Priority

The 2007-2009 financial crisis analysis led to the realization that there was little attention to controlling the tail risks and worst-case scenarios. This has led to discussions on the stakeholders of a bank and their impact on corporate governance.

Board Risk Oversight

After the crisis, the need for boards to be proactive in risk oversight became a significant issue. Consequently, boards have been educated on risks and on the structure of the risk management function, for example by having the CRO report directly to the board.

To shape risk-taking behavior, the board takes control over compensation schemes. Boards should assess the impact of pay structures on risk-taking and also examine whether risk-adjustment mechanisms cater for all key long-term risks. Several banks already practice this, for example by limiting the share of bonuses in compensation schemes, deferring bonus payments, and adding clawback provisions.

The Infrastructure of Risk Governance

A clear understanding of business strategies and associated risks and returns is necessary for risk governance. The risks associated with business activities should be made transparent to the stakeholders. Appropriate risk appetite should be set for the firm, and the board should oversee the managerial operations and strategy formulation process. Risk management should be involved in business planning, and risks associated with every target should be adequately assessed to see if they fit into the firm’s risk appetite. The choices in risk management are as follows:

  • Scrapping activities to avoid the risk
  • Reducing risk exposure by hedging/buying insurance
  • Risk mitigation, for example, reduction of operational risks by control measures
  • Accepting risks to generate value for the shareholders.

Risk management strategies should be directed at economic performance rather than accounting performance. Policies, directives, and infrastructure related to risk management should be appropriately placed in a firm. How seriously a firm takes its risk management process can be gauged by assessing the career path in the risk management division of the firm, the incentives awarded to the risk managers, the existence of ethics within the firm, and the authority to whom the risk managers report.

The Board and the Corporate Governance

The primary responsibility of the board of directors is:

  • To steer the firm according to the interests of the shareholders. Other stakeholders, such as debt holders, must also be kept in mind when making strategies at the corporate level. The assumption of particular risks to attain projected returns should be weighed against the sustainability of the profits from such activities. Agency risks, i.e., conflicts of interest between the management and the stakeholders, should be avoided at all costs. For example, managers may turn to short-term profit-making while assuming long-term risks in order to earn bonuses. Corporate governance roles should be independent of executive roles, i.e., the board and the CEO should act independently of each other. Chief risk officers have been appointed in many corporations to integrate corporate governance and risk management activities.
  • The board should ensure that staff are rewarded according to their risk-adjusted performance; this discourages fraud such as financial manipulation and artificial stock price boosts.
  • The board should check the quality and reliability of information about risks, and it should be able to assess and interpret the data. This ensures that all the risk management-related operations are aligned to value creation for shareholders.
  • The board should be educated on risk management and should be able to determine the appropriate risk appetite for the firm. There should also be an assessment of risk metrics over a specified time horizon that the board may set. Some technical sophistication is required to build clear strategies and directives concerning crucial risk disciplines. A risk committee of the board should be qualified enough to handle these technicalities. It should also be separated from the audit committee because of the differences in skills and responsibilities.

The Transition of Corporate Governance to Best-Practice Risk Management

As stated earlier, the 2007-2009 financial crisis exposed weaknesses in the risk management and oversight of financial institutions. Consequently, post-crisis regulation has emphasized risk governance, with the aim of keeping financial risks in check.

Risk governance is about establishing an organizational structure that provides a precise road map for defining, implementing, and overseeing risk management. Moreover, it covers transparency and the channels of communication through which an organization, its stakeholders, and regulators engage.

For instance, the board of directors holds the responsibility and authority for shaping risk management, and it must analyze the major risks and rewards in the firm’s chosen business strategy.

In other words, risk governance must ensure that a sound risk management system is in place so that the firm can pursue its strategic objectives within the limits of its risk appetite.

The Risk Appetite Statement (RAS)

A statement of risk appetite is one of the critical components of corporate governance. The RAS states precisely the aggregate amount and the types of risk a firm is willing to accept or avoid in pursuit of its business objectives.

Clear articulation of a firm’s risk appetite helps maintain the equilibrium between risk and return, cultivates a sound attitude towards tail and event risks, and supports attaining the desired credit rating.

The RAS should state the risk appetite and the risk tolerances, which measure the maximum amount of risk that may be taken at the business-line level as well as at the enterprise level. Moreover, it should set out the relationship between the risk appetite, the risk capacity, the risk profile, and the risk tolerance.

Risk tolerance is the range of acceptable outcomes relative to business objectives (the dotted line on the diagram above). Risk tolerance is a tactical measure of risk, while risk appetite is the aggregate measure of risk. Note that the risk appetite lies below the risk capacity of a firm. A firm operating within its risk tolerance can attain its risk-adjusted return objectives relative to the amount of risk taken.

Implementation of the Board-Level Risk Governance

In the banking industry, the board of directors charges committees, such as the risk management committee, with ratifying policies and directives for activities related to risk management. The committees frame policies on division-level risk metrics in relation to the overall risk appetite set by the board. They also oversee the effective implementation of these policies.

Role of Audit Committee of the Board

The audit committee’s responsibilities are:

  • To look into the accuracy of the firm’s financial and regulatory reporting and the quality of the processes that underlie such activities.
  • To ensure that the bank complies with standards in regulatory, risk management, legal, and compliance activities.
  • To verify the activities of the firm against what its reports describe.

The members should ideally be nonexecutives to keep the audit committee free from executive influence. The audit committee should interact productively with management and should keep all channels of communication open.

The Role of the Risk Advisory Director

There may be a few nonexecutives on the board of directors who lack the expertise to understand the technicalities behind the risk management activities of a sophisticated firm. In this case, executives may dominate the nonexecutives, and this may lead to corporate scandals. Training programs and support systems may be put in place to aid such nonexecutives. Another method is to have a risk management specialist on the board as a risk advisory director. The functions of this director are:

  • To oversee risk management policies, risk reports, and the risks of the overall business.
  • To advise on the mitigation of risks such as credit risk and market risk. The risk advisory director should be familiar with financial statements and accounting principles.
  • To oversee financial reporting and the dealings between the firm and its associates, including issues such as intercompany pricing and transactions.
  • To look into the requirements of regulatory agencies and lay down appropriate directives for the firm to comply with them.
  • To participate in audit committee meetings, outline the risk profiles of strategic business segments, share insights into corporate governance and risk management policies, and oversee the conduct of business.

The Role of the Risk Management Committee

The risk management committee in a bank independently reviews the different forms of risk, such as liquidity risk and market risk, and the policies related to them. The responsibility for approving individual credits also usually rests with the risk management committee. It monitors securities portfolios and significant trends in the market, as well as breakdowns in the industry, liquidity crunches, etc. It reports to the board on matters related to risk levels and credits, and it also provides opportunities for direct interaction with the external auditor, management committees, etc.

The Role of the Compensation Committee

Its responsibility is to determine the compensation of top executives. Since the CEO could convince the board to pay the executives at the expense of shareholders, compensation committees were put in place to check such occurrences. In the previous decade, compensation based on short-term profits, without much concern for long-term risks, sealed the fate of many institutions. Since then, compensation based on risk-adjusted performance has gained recognition. Such compensation helps align business activities with long-term economic profitability.

Various caps have also been placed on executive bonuses across the world to prevent a reckless risk-bearing attitude in which executives eye the upside but bear no responsibility for the downside of the risky activity. Stock-based compensation may encourage risk-taking, as the upside is not capped while the downside is. To make employees concerned about the firm’s financial health, they may be made the firm’s creditors by providing compensation in the form of bonds. UBS, for example, has adopted such a strategy.

The Risk Appetite and the Business Strategy

Many firms wish to examine how their regular activities run within the confines of the risk appetite and limits defined by the board and executive committees. The process of examining the firm’s risk appetite includes:

  • Risk approval by the board risk committee: The board risk committee approves the risk appetite statement on an annual basis.
  • The firm’s senior management (such as the CEO and CRO) is tasked by the board with implementing the risk appetite framework.
  • With approval from the board, senior management sets limits on the financial risks (for example, credit risk) and nonfinancial risks (for instance, operational risk) incurred by the firm. At this point, subcommittees can be set up to deal with each risk type independently.
  • After setting the risk limits, the senior risk committee reports the outcome to the board risk committee, accompanied by recommendations on the total risk acceptable, which are again subject to the board risk committee’s consideration and approval.

The Role of the Chief Risk Officer (CRO)

The CRO is a member of the risk committee whose responsibilities include:

  • Designing the firm’s risk management program;
  • Setting risk policies, analysis dimensions, and methodologies;
  • Building the firm’s risk management infrastructure and governance;
  • Monitoring the firm’s risk limits as set by senior risk management; and
  • Acting as an intermediary between the board and management, as is the case in many financial institutions such as banks. The CRO keeps the board informed on the firm’s risk tolerance and the condition of the risk management infrastructure, and informs management on the state of risk management.

The Role of Incentive

As the global crisis revealed, the executive compensation schemes at many financial institutions motivated short-run risk-taking, leading management to ignore long-term risks. That is, bankers were rewarded based on short-run profits. Consequently, compensation committees were formed to cap executive compensation. This prevents a scenario in which the CEO convinces board members to compensate executives at the expense of shareholders.

The compensation is part of the risk culture of a firm. Thus, it should be made in accordance with the long-term interest of the shareholders and other stakeholders and the risk-adjusted return on the capital.

For instance, the central bank governors and finance ministers of the G-20 countries met in September 2009 to discuss a framework for financial stability, one element of which was compensation reform. The reforms included:

  • Scrapping of the multi-annual guaranteed bonuses;
  • Controlling the amount of variable compensation given to the employees with respect to total net revenues;
  • Promoting transparency through disclosure;
  • Ensuring the independence of the compensation committee so that compensation is set with respect to both performance and risk; and
  • Exposing executives to the downside by deferring an appropriate share of compensation, implementing share-based incentives, and introducing clawback mechanisms under which bonuses are repaid if longer-term losses are incurred after the bonuses are paid.

The Interdependence of Organizational Units in Risk Governance

Primary responsibility for implementing risk management at every level of the firm rests with its staff. Executives and business line managers should work collaboratively to manage, monitor, and report the various types of risk being undertaken. The figure below illustrates the risk management flows divided among the various management functions.

The Role of the Audit Function

The audit function is responsible for an independent assessment of the framework and implementation of risk management. It reports to the board about the strategies of business managers and executives, and whether these strategies are in line with the board’s expectations. Regulatory guidelines require audit groups to monitor the adequacy and reliability of documentation, the effectiveness of the risk management process, etc. For example, suppose the market risk is under consideration. In that case, auditors are required to assess the process by which derivative pricing models are examined, changes in measures for quantifying risks, and the scope of risks captured by the models in use. The integrity and independence of position data should also be examined.

There should be an evaluation of the design and conceptual soundness of risk metrics and measures, and of stress testing methodologies. The risk management information system, including the process of coding and implementing models, should also be checked and evaluated. This includes examining the controls over market position data capture and over the process of parameter estimation. The audit function reviews the design of the financial rates database, which is used to generate parameters for VaR models, as well as matters such as risk management system upgrades and the adequacy of application controls in the risk management information system. Documentation related to compliance should be examined, and the audit function should independently assess VaR reliability. The guidelines for the audit function are provided in the International Professional Practices Framework (IPPF). The audit function should, essentially, be independent of operational risk management. This ensures that its assessments are reliable.

It is not possible to control the financial health of a firm without an excellent risk management function and appropriate risk metrics. Historically, many corporate failures have been associated with the neglect of risks that later turned fatal. An important example of this is the subprime crisis in the United States. Therefore, a clear risk management policy should guide the firm’s strategies, and an appropriate risk appetite should limit the firm’s exposures. Such directives make it easy for executives down the business line to understand their role in risk management.

The risk committees should participate in framing risk management methodologies, and they should have appropriate knowledge of all the risks as well as their metrics so that they can clearly understand the risk reports. A careful delegation of authorities and responsibilities to each risk management mechanism should ensure that all the gaps are filled, and all the activities are complementary to each other. After taking risk into account, risk measures like VaR, economic capital, etc. can be used to set risk limits, and also be used to determine the profitability of various business lines.

Risk infrastructure can be used as a tool in the analysis and pricing of various deals. It can also be used to formulate incentive compensation schemes so that business decisions and strategies are aligned with risk management decisions.


A recently appointed risk management director at an investment firm is concentrating on enhancing the company’s governance structures to strengthen its risk oversight. The director reviews possible challenges in the initiation phase. Which of the following is most likely a corporate governance obstacle for the risk manager?

A. The executive board and portfolio managers have differing priorities.

B. The firm establishes a consistent risk assessment framework across all departments.

C. The compliance committee is independent of the risk management team.

D. The firm’s remuneration system aligns with the company’s ethical standards and risk appetite.


The correct answer is A.

This option identifies a common challenge in corporate governance. Portfolio managers may be motivated by short-term gains and higher returns, even if they involve higher risks, whereas the executive board may focus on the long-term stability and reputation of the firm. This conflict of priorities can create obstacles in implementing coherent risk management practices. Therefore, this is the correct answer.

B is incorrect. This statement describes a desirable situation rather than a challenge. Having a consistent risk assessment framework ensures alignment across different parts of the organization and helps in the systematic evaluation of risks, thus supporting the risk management process.

C is incorrect. While independence can sometimes lead to communication challenges, it is generally seen as a good practice in corporate governance. It helps to maintain checks and balances and ensures that the compliance committee can objectively evaluate the risk management practices without any bias.

D is incorrect. This statement describes a scenario where the firm’s pay structure is designed to promote ethical behavior and align with the company’s risk tolerance. This is a positive aspect of governance, not a challenge, as it encourages behavior that is in line with the firm’s risk management objectives.

Things to Remember

  • Corporate governance refers to the system by which companies are directed and controlled. It encompasses practices and policies to ensure the company’s integrity, transparency, and alignment with stakeholders’ interests.
  • A misalignment between the priorities of different stakeholders (such as the executive board and portfolio managers) may lead to challenges in implementing consistent risk management practices.
  • This conflict of interests might arise from differing short-term and long-term goals, where some stakeholders focus on immediate profitability, and others prioritize long-term stability and reputation.
  • Effective risk management requires the alignment of goals and shared understanding between different levels of the organization to create a cohesive strategy that balances risk and reward.
