Risk Governance

Definition of Risk Governance

Risk Governance refers to the institutions, rules conventions, processes and mechanisms by which decisions about risks are taken and implemented. It can be both normative and positive, because it analyses and formulates risk management strategies to avoid and/or reduce the human and economic costs caused by disasters. Risk governance goes beyond traditional risk analysis to include the involvement and participation of various stakeholders as well as considerations of the broader legal, political, economic and social contexts in which a risk is evaluated and managed. The scope of risk governance encompasses public health and safety, the environment, old and new technologies, security, finance, and many others.^[1]

Risk governance is the architecture within which risk management operates in an organisation. It will reflect, and seek to sustain and evolve, the organisation’s risk culture. Since risk management is fundamental to running any business, risk governance is a fundamental part of corporate governance. The British Standard BS13500 defines governance as: ‘system by which the whole organization is directed, controlled and held accountable to achieve its core purpose over the long term’. The UK Corporate Governance Code states that ‘good governance should facilitate efficient, effective and entrepreneurial management that can deliver the long-term success of the company’. Good risk governance should result in risk being accepted and managed within known and agreed risk appetites. Risk governance should put in place a structure of risk responsibility throughout the organisation. As a result, everybody in the organisation will be aware of their own risk responsibilities and accountabilities and those of others with whom they work. Governance delivers effective accountability, including the accountability of the governing body to its owners.Risk governance is an integral part of the day to day running of the business and is not about just complying with a set of rules. Since operational risk management involves everybody in the organisation, the risk governance framework should encompass everybody. That means that it can only operate successfully if there are clear and effective lines of communication both up and down the organisation and a culture in which good and bad news is allowed to travel freely.^[2]

The Concept of Risk Governance^[3]

The guidance states that Risk Governance:

• Is the architecture within which risk management operates in a company
• Defnes the way in which a company undertakes risk management
• Provides guidance for sound and informed decision-making and e!ective allocation of resources

Successful Risk Governance is therefore contingent on how e!ectively the Board and Management are able to work together in managing risks. Central to this is the Enterprise Risk Management (ERM) framework, which articulates and codifies how an organisation approaches and manages risk.

Effective Risk Governance^[4]

Risk governance applies the principles of good governance to the identification, assessment, management and communication of risks. It refers to the formal structures used to support risk-based decision making and oversight across all operations of an organisation. Risk governance involves the board, board committees, delegations, management structures (i.e. CEO, senior management team, etc.) and related reporting. Risk governance structures must be designed to fit the size, business mix and complexity of each organisation’s operations. To manage risk effectively, the board must ensure it has adequate systems to measure, manage and report the material risks to which it is exposed. The risk management system must be sufficient to:

• Provide the board, board committees and the SMT with regular, accurate and timely information regarding the organisation’s risk profile;
• Measure, assess and report all material risks;
• Provide robust (relevant, timely, complete and accurate) data;
• Measure risk against pre-determined limits (tolerances) and promptly report and escalate when limit breaches occur;
• Provide a sound basis for making risk-based decisions.