Risk Governance: Evolution in Best Practices for Boards

  • Sheila Judd, Executive-in-Residence, Global Risk Institute


Since the 2008 financial crisis, the role of the board has expanded and expectations for performance have increased. Directors are to guide development of strategy and risk appetite and oversee risk taking activities in the short and longer term, digest extensive reporting packages covering all facets of the firm’s operations, root out areas where risk taking may be out of line with risk appetite, provide effective challenge of senior management’s assessments of risk and action plans, and more.

To do all that effectively is challenging. The right structure, the right people and the right information flow provide the foundation for an effective board.

There is, however, no “one size fits all” or static solution. The right mix of people will change over time as strategy and risks evolve. For example, expertise in technology, cyber risk and climate science have become increasingly important. In addition, directors will need to continually determine the right level of, and areas for, constructive challenge. Too much probing could create an environment of mistrust and too much discussion on less important matters could detract from time available for key issues. The right volume and depth of reporting to deal with the inherent information imbalance between directors and senior management will also be dynamic.

Boards must also keep up with evolving best practices. We recommend that boards give consideration to their approaches to strategic risk, longer term thinking, corporate culture, crisis management, and technology risks to ensure they provide robust oversight in these important areas.


Banks and their regulators learned a lot from the 2008 global financial crisis. As a result, there have been significant changes in how financial institutions assess and manage risks, and in regulatory expectations.

The changes have not been confined to the risk management function: the role of the business as the “first line of defense” is now widely accepted, and boards play a more active role in overseeing risk taking activities. At the Global Risk Institute (GRI), we emphasize that the most important role of the board is risk management.

The adoption of enhanced risk management and governance practices has not been limited to the banking sector. Other financial firms as well as non-financial firms and governments have been applying some of the key learnings, including strengthening board membership and engagement.

Many firms are now transitioning from building their enhanced structures and practices to improving their effectiveness. Regulators are also refining their requirements. Specific to risk governance, in 2017 Canada’s Office of the Superintendent of Financial Institutions and the U.S. Federal Reserve each issued draft guidance to clarify the supervisory expectations for the role of boards.

Drawing from the regulatory guidance across major jurisdictions, along with the lessons that can be learned from recent examples of risk governance failures (two prime examples are Wells Fargo and Volkswagen), we have developed a “formula” to help firms implement enhanced risk governance practices.

A word of caution: our formula appears deceptively simple. We raise some of the many complexities in our commentary that follows, and further note that our formula is not intended to be the definitive answer for effective governance. Rather, it serves as a foundation to support robust discussion and more informed decision making.

The formula for risk governance


Strategic risk:

Approval of strategy is a key role of the board, as is approval of a firm’s risk appetite. Boards could improve their understanding and consideration of risk implications of strategic choices in both the near and longer term, better integrating the decisions made in the pursuit of earnings with the assessment of downside risks.

Longer term thinking:

Boards should ensure sufficient focus on identifying, assessing and planning for risks and trends that could impact longer term sustainability. Consequences of poor direction in this area can include missed opportunities, losses or in the extreme, corporate failure.

Corporate culture:

Boards should ensure that the firm’s desired culture, including expectations for managing risk, is well defined and embraced throughout the firm. Compensation systems should reinforce desired behaviours, balancing management of goals with management of culture.

Crisis management:

Boards should ensure that management has developed a robust crisis management plan that includes stakeholder communication strategies. Senior leaders responsible for plan implementation should be trained, and the plan should be tested and kept up to date.

Technology risks:

Technology is an increasingly important and multi-faceted area of risk, comprising operational risks associated with system performance, cyber security risks, and risks to the business model arising from technological advancements. In addition, large scale technology projects involve a high degree of risk. Boards need to ensure they have the expertise to provide effective oversight.

The author is an independent contributor to the Global Risk Institute and is solely responsible for the content of the article.