CRO Outlook

The Risk Governance Power Structure: How Does it Work?

Black swans, white swans, volatility and a collapsing economy are shining a bright light on risk governance and the ability of organizations to respond to challenges. When outcomes are risky or uncertain, is the organization poised to make fast, sound decisions, drawing on the responsibilities assigned to the board, the CEO, the CRO and employees?

Friday, May 15, 2020

By Brenda Boultwood


Whether in good times or bad, risk-taking is how companies generate earnings. In times of crisis, the effectiveness of response determines an organization's agility and resilience.

If corporate governance is the system by which the whole organization is directed, controlled and held accountable to achieve its core purpose over the long term, then risk governance is the decision-making framework for both managing within an agreed risk appetite and adapting to what is new (e.g., risks, products, information) and what is changing.


In times of crisis, risk governance delivers accountability, transparency and risk-based decision-making. It should apply to all enterprise risks, both qualitative and quantitative, and is often more art than science.

Risk governance, moreover, is a system that allows employees to acknowledge and take the right risks, make decisions about new activities and escalate when things go wrong. It offers clarity about the past, present and future, including who is authorized to take risks, and what, why, when and how they are taken.

Organizational strategy is the context for risk governance - the high-growth innovative company will have a different risk governance approach than the mature organization seeking stable earnings. The purpose of this article is to demonstrate that risk governance is not ephemeral, but, rather, a system that must be built over time on concrete and objective actions.

Understanding Risk Governance: Integral Mechanisms

What are the mechanisms of risk governance, and what happens if they don't exist? This question can only be answered through a quick risk governance overview:

Risk Appetite

The risk appetite statement must clarify the types and levels of risk the organization is willing to accept. Quantitative risk appetite statements can be articulated as some combination of acceptable aggregate operational losses, levels of residual risk and risk metric thresholds. Qualitative risk appetite statements reflect a desired organizational norm - for example, zero tolerance for compliance failures or employee drug use.

An organization that does not have a risk appetite statement chooses to operate without guardrails and without clear authority for taking risks.

Risk Reporting

Reporting lines enhance the visibility of expertise. For example, not all companies need a chief safety officer reporting to the CEO. But the large energy company that faces regulatory scrutiny after a mishap may decide this is important.

Risk reporting provides needed analytics for decision-making, while risk communication explains the risk culture and provides disclosures. When evaluating risk reporting, consider the following question: Does the management team agree on the top opportunities and risks facing the organization, and are these views clearly communicated? If the answer is “no,” the organization chooses to operate in silos, leaving employees in the dark.

Policies and Procedures

Policies and procedures describe an organization's control environment. These include risk management policies, a code of conduct and data privacy notices. All establish acceptable levels of residual risk. The lack of a policy for a specific risk is an indicator that the risk is viewed as either acceptable or irrelevant.

Risk Committees

Risk committees of the board and management, as well as thematic committees, have charters that outline accountabilities, approval authorities and hard and soft risk escalation criteria. If these are not in place, it means the organization has decided to make authority figures opaque.


Accountability can be tracked through issue and action management, incident management, case management and corrective actions. This allows employees, customers and suppliers to report a problem or concern. If this tracking does not exist, it signals that accountability does not matter to the organization.

Roles and Responsibilities: Who Executes Risk Governance?

The full board is responsible for risk oversight, and will delegate oversight to specific board committees. It should (1) foster a safe zone for challenging decisions; (2) reward management team members who manage and mitigate risks; (3) understand and approve risk appetite; and (4) understand how current, emerging and strategic risks create either upside or downside to the organization's strategy. What's more, the board must understand any risk management competency gaps.

Agile, Risk-Based Decision-Making: Five Illustrative Questions

The CEO has overall accountability for risk management, and overtly or tacitly delegates risk-taking authorities to the management team. The CRO, meanwhile, typically designs and administers the risk governance framework.

Management team members should manage risks through well-understood processes and strong internal controls; use the key risks in their business to define their staff meeting agendas at all levels in the organization; co-chair “risk” governance committees; and understand business continuity plans.

Employees must understand the organization's risk culture. Moreover, they should be trained in relevant policies and procedures, recognize when business activities are outside risk appetite, and “raise their hand” to report any issue. Customers and other third parties should understand the company strategy and its associated level of risk.

A Roadmap to Strong Risk Governance

How do you put the mechanisms in place and empower the right employees to run the system? The mechanisms create the pathways; the people apply analytics and corporate culture to make the right decisions.

The first step is the tone from the top and a leader's desire to empower the organization to make decisions. The second step is ensuring accountability for risk governance execution. Under the direction of the CEO and CRO, the mechanisms for risk governance can be put in place and socialized.

Without proper risk governance, employees, customers and investors can easily become disengaged.

Resilient organizations are nimble and adapt to changing risks and regulations through their risk governance approach. Risk governance ensures there is transparency about risks and that people have the right information to make decisions.

Brenda Boultwood is an independent risk management consultant. She is the former senior vice president and chief risk officer at Constellation Energy, and has served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP. Previously, she was a senior vice president of industry solutions at MetricStream, where she was responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies, strategic banking and financial services. Before that, she worked in a number of risk management and business roles, including as the global head of strategy, Alternative Investment Services, at JPMorgan Chase, where she developed the strategy for the company's hedge fund services, private equity fund services, leveraged loan services and global derivative services. She currently serves on the board of directors at the Anne Arundel Workforce Development Corporation.

