Completion of the assessment and development of risk mitigation strategies help the organization understand their risks and what it can do to bring these risks within the levels of its risk tolerance and appetite. The elements that ensure that these risks stay within the permissible levels are risk governance and system controls.
Controls are what help keep the system in equilibrium or prompt a reaction where things begin to deviate from ‘normal’. Governance provides oversight to ensure that the risk management system is operating properly and that risks are being identified, elevated and managed at the appropriate levels.
This article will look at the objectives and key activities for an organization’s governance function along with what the governance structure and routines could look like.
The Role of Governance
Governance fulfills two main functions. Its primary function is to ensure that the organization’s understanding of its risk is as accurate, objective and as widely understood as possible. This focuses on the quality and application of the risk management system. However, governance also functions as an oversight mechanism to ensure that the risk management system is being operated and maintained properly. This second activity can also be thought of as a compliance or audit function.
Governance should have a semi-autonomous structure running parallel to the organization’s normal management structure up to and including the Board or senior oversight body. This governance hierarchy should include representatives from multiple disciplines and departments so that all risks are addressed and understood.
This allows a better understanding of risks and their implication. It avoids the potential for a single department that owns the risk function to focus on – or bury – their own risks. This parallel, streamlined structure will help move risk information through the system more effectively, elevating the risks to the appropriate level and allocating appropriate ownership for risk mitigation.
Members of the risk governance structure do not have to be risk subject matter experts (SMEs) nor risk owners although there is likely to be good representation of both groups in any risk forum. However, everyone involved in risk governance should be ‘risk aware’ to allow them to participate in the process and some non-expert voices should be encouraged to bring different perspectives into the conversation and to challenge assumptions. The most senior risk committee will be comprised of senior executives and board members because this is the only level of management that can tackle the organization’s most severe risks.
Governance should be supported by internal and external auditors who will ensure that the details provided in risk reports are accurate and supported by appropriate evidence. Auditors will also conduct compliance checks of the system itself to ensure that it is being operated and maintained properly. Auditors should not participate in the risk assessment or strategy development because it is important to maintain separation between the audit function and any advisory services.
The exact risk governance structure will depend on the organization but a simple structure is shown below. This structure outlines the teams that would oversee risk at the different levels of an organization with a three-tier structure.
Two terms are used here to differentiate between the working groups that meet at the operational level and the risk committees that convene at the organizational or regional / departmental level. The general activities of these groups will be very similar but the severity and complexity of the risks will be different. These two terms are used to help differentiate between these groups and to avoid organizations having dozens of risk committees which could become confusing.
Example of a risk governance structure.
The exact structure will depend on the organization but some considerations to keep in mind when designing the structure are:
- Try to mirror the structure of the organization as much as possible to utilize overlaps. Other than the Executive Risk Committee (ERC), the risk committees and working groups should be primarily staffed by the relevant regional, local or team managers. The ERC should have a mix of executives and non-executive directors.
- Try to have both regional and functional risk teams. This ensures 1) that a series of functional risks in separate regions aren’t overlooked and, 2) that interlinked or associated regional risks can be linked together. This might seem like a duplication of effort but, if the risk manager has integrated the risk meeting schedules into existing meetings, very little additional work is required as regional and functional teams will already hold regular meetings. A single set of regional OR functional meetings will lead to ‘stove-piping’ where the only time the full risk environment is considered is at the ERC level. This will overload the ERC and means that lower-level risks are not addressed in a timely manner.
- Ensure that internal and external audit is linked into the system. In most cases, internal audit will focus on the lower levels of the organization and external audit will focus on the top-level. Often, external audit is a mandatory requirement for organizational risk reporting and this will be its primary focus. Some ‘spot checks’ by external auditors at lower levels will help with compliance, quality and accuracy. This audit function is key to ensuring that risks are not being underplayed or overstated and a key audit function is to ensure that the evaluation of the risks is accurate, evidence-based and that standards are being applied consistently.
The main activities conducted at each level of the risk governance structure are as follows.
- Review risk reporting. The risk committees and working groups will be the primary users of risk registers and reports. They should review these materials to ensure that risks are presented clearly and that the ratings used are consistent with the organization’s risk criteria. Reviews should ensure that risk evaluations are supported by evidence and that ratings are being applied consistently.
- Elevate and assign risks. Risks that exceed the mandate for that particular group should be elevated upwards for consideration and action. This also applies to aggregated risks where individual risks do not exceed a threshold but where a combination of smaller risks create a more severe situation. The appropriate working group or committee will allocate or confirm the owner for risks that falls within their remit.
- Approve risk mitigation strategies. The working group or committee will review and approve the appropriate strategy to address each risk within their portfolio. When necessary, the working group or committee can solicit expert advice or additional input to help with the decision-making.
- Track risk mitigation progress. Once mitigation strategies are in place, the working group or committee should receive regular updates to ensure that progress is being made on mitigation activities. If necessary, the risk committee or working group will assist when a program needs additional assistance to achieve it’s goal.
- Program oversight and audit. The risk committees and working groups have an internal audit responsibility to ensure that the risk management program is being complied with and managed properly. Often, shortfalls in the system quickly become apparent to the governance teams as out of date risk registers or poor reporting indicate that the system is not being followed. The risk committees and working groups will also be responsible for commissioning and reviewing the work of any internal or external audit team.
- Determine risk appetite and tolerance (executive committee only). The ERC or equivalent is responsible for setting the organization’s risk tolerance and appetite. Wide consultation across the organization, including Board members, should be conducted to develop a realistic and representative set of guidelines for both risk appetite and risk tolerance. Once agreed on, it is important that these parameters are complied with and not exceeded which is both an oversight and audit function. Exceeding these parameters can be a particular challenge where a significant upside risk is being considered as this can lead organizations to overlook the associated downside risks. Transparency, supporting evidence and open risk discussions can help overcome this tendency.
Risk Governance Schedule
The exact schedule for governance activities is largely dictated by reporting schedules. For example, key risks are normally included in an organization’s annual report. For example, if this report must be completed by February, that becomes the deadline that all other risk reporting activities must meet. Similarly, external reporting requirements can impose deadlines so quarterly filings for a regulator must also be incorporated into the risk governance and reporting schedule. A sample schedule is shown below to illustrate how risk governance activities at each level can feed into each other.
￼Example of a risk governance schedule
Again, the exact activities and routine of the various committees and groups will depend on the organization. This illustrates the kind of monthly, quarterly and annual risk activities that might need to be scheduled. It also shows how sequencing is important.
For example, in order to allow the ERC to conduct their quarterly meeting in the last week of each quarter, the regional or functional committees would have to meet two weeks earlier to allow them to complete their work and to report to the ERC. In turn, the risk working groups would have to complete their work an additional two weeks earlier meaning that they would have to complete their quarterly reporting at the end of the previous month. Similarly, preparation for the annual report will begin weeks ahead of the ERC’s schedule meeting.
Importantly, this doesn’t mean that these periods are totally dominated by risk management activities. The ‘little and often’ approach promoted in the integration article, should ensure that the risk register and associated materials are maintained throughout the year. Therefore, although there is an increased amount of risk activity around the quarterly and annual reporting deadlines, it shouldn’t overshadow other activities.
Risk governance provides oversight of the organization’s risk management system from a quality control and compliance perspective. This ensures that the organization understands its risks properly and that these are being addressed at the appropriate level. Governance is the key to ensuring that findings of the risk assessment are put into practice.
The governance function also oversees the compliance aspect of the system through its own observations and with the assistance of internal and external auditors. All governance activities should be conducted in an objective, semi- autonomous fashion to ensure that the organization remains fully aware of all of it’s risks, no matter how unpalatable these might be.
Governance is a critical function in the success of a risk management program. However, this does not mean that governance should become disruptive. With careful planning, an effective but light governance structure can be implemented, utilizing existing structures to provide risk committees and working groups at the appropriate levels with minimum disruption to the organization.
Similarly, scheduling the governance activities to align with the reporting deadlines, sensible scheduling and a little-and-often approach will ensure that risk management and risk governance are blended into day-to-day activities and cause minimum disruption while still remaining effective.
 This separation is not simply good practice and is often mandated by legislation. A large part of the impetus behind the US 2002 Sarbanes-Oxley Act was due to conflicts of interest arising from firms providing both audit and advisory services.
 See the article on integrating the risk management system for more information on overlapping with existing teams.
 See the article on integrating the risk management system for more information on this.
 The regulatory requirements for reporting should have been identified during the risk assessment process but these should be reviewed while developing the governance system. These will have particular importance when the governance schedule is being developed.