Governance involves “evaluating” and “directing” the risk management plans, ensuring resources are used responsibly, and “monitoring” the contribution of risk management in achieving the enterprise strategy. Risk and strategy are linked through risk appetite.
The organisational design defines how the organisation implements its strategy including where final responsibility for risk management lies, what the mandate and value add of the risk function can be, and how the Board influences risk related decisions. It also defines the role, structure, and staffing of the risk organisation, and various risk committees.
Successfully transforming risk governance and the risk organisation requires direct Board and executive management sponsorship as well as Chief Risk Officer leadership. It also requires defining the role of each management level within the risk process, and strengthening and streamlining risk committee structures.
Some questions to ask include:
“How effective is our governance of risk management and where do we need to improve?”
“What risks are fundamental to the enterprise strategy?”
“What is the risk to the strategy and the risk of the strategy?”
Governance is essential to transformation of the risk value shop “problem finding” activity – deciding the accountability and triggers for changes in risk models, and what human intervention is required within automated processes. Risk governance is also needed to decide whether analytically determined risks need to be escalated upwards, and to decide how data quality errors and model risk should be dealt with.
Current risk decision structures and processes (the “choice” value shop activity) have developed organically without standardised process flows or a clearly defined end state, and will need to be redesigned before automation can occur. In many organisations the risk appetite is neither explicitly defined nor used to determine a strategic approach to risk, and will need to be defined and articulated. The risk appetite statement should cover the board’s attitude to risk, the business and risk environment, the organisational risk culture, and the value proposition for the risk function. The end state of the “choice” activity is risk integrated with the corporate strategy, with business management weighing risk-return implications and potential risk trade-offs in their strategic and operational decisions.
The role of a transformed risk function is to make business functions more self-sufficient and to help embed risk management in regular operational processes. Governance oversight of this “execution” value shop activity means establishing risk within the functional model and operating plan (resources, budget, maturity goals) for each business function, and mapping risk goals to their strategic business goals. Defining and enforcing an enterprise metrics framework that includes risk metrics is an important governance “control / evaluation” value shop activity. Challenges will exist in reaching consensus on which metrics are most important to measure or standardise, and on how the metrics relate to each other.
To ensure the right people receive the right information and are empowered to make risk-aware decisions, policies, standards and guidelines must be designed and promulgated. These “execution” enabling documents need to articulate roles and responsibilities clearly, and must be both flexible enough to accommodate changing business objectives and easy to follow at all levels of the organisation.