Risk governance: foundation for long-term value.

Author: Atkinson, Joe

Fallout from the global economic crisis exposed a vulnerability in some organizations: inadequate risk governance. Companies that staved off catastrophic losses were those that addressed risk issues promptly, delineated clear roles and accountabilities, and built a risk culture that encouraged candid discussion of risk between the business and risk control functions of equal stature and clear independence.

Regulatory reform may soon raise the risk-management bar for all companies, and new mechanisms to control irresponsible risk taking--such as vesting periods for options, "claw back" programs to reclaim unwarranted bonuses, and compensation and incentive policies rooted in long-term value rather than short-term gain--are being evaluated.

To achieve true risk resilience, however, an organization needs effective risk governance--the structural, cultural, process and accountability improvements that support good decision-making and serve as the foundation of risk management. Only with a strong foundation in place can companies navigate regulatory and economic challenges.

Structure, Roles and Responsibilities

Risk governance not only provides a portfolio view of the risks a company faces--strategic, compliance, operational or financial--it also constructs the operating model and decision-making framework for the optimal response. It requires that the board and senior management oversee the implementation and effectiveness of three lines of defense: the business units, the independent risk and control functions, and the internal audit department.

Business units are responsible for managing risk in conjunction with embedded risk managers, with the goal of achieving risk-adjusted performance targets. Placing risk managers within business units allows companies to manage risk at the operational level. The resulting collegial tension can uncover risks that might otherwise go unnoticed or fail to be addressed properly.

Embedded risk managers generally report directly to the chief risk officer (CRO) and have autonomy to make crucial decisions in keeping with the organization's business objectives.

Independent risk and control functions communicate a defined enterprise view of risk, delineating standards around governance, process, technology and culture. These authoritative, independent, centralized functions can challenge and monitor the business as they consolidate risk data from each business unit. In this model, the CRO reports to the chief executive officer.

Increasing emphasis is placed on enterprise risk management (ERM) to understand and oversee the highly interdependent relationships across credit, market, operational, compliance and other risk categories. This ensures that the board and senior management are provided with a portfolio view of enterprise risk. During strategic planning, merger and acquisition activity or other key strategic decisions, the risk and control functions brief senior...
