The Relationship between Risk Governance and Risk Management

Having been working in the ‘risk space’ a lot for the last few years I was asked recently to put together some ideas on the relationship between Risk Governance and Risk Management and how they are linked.

Here are those ideas… I would love to get your feedback (please comment below).

  • One key element in any governance framework is the governance of risk;
  • Risk governance is not the same as risk management – it precedes it and is a necessary first steps, a risk governance framework must be put in place before the risks are managed in a risk management plan. Without the risk governance framework the management of risk happens in a vacuum – the space for it is not clearly defined;
  • The primary governance tool in organisations is the organisations policy framework – policies create the “space” for people to act – without a policy the “space” is undefined and people don’t know how to act;
  • Governance can be seen as the expression of the organisational philosophy (what drives its behaviour, including values, strategy, reputation) in a set of cohesive policies (the governance framework) put together at board level that management uses to as a guide as it determines processes and procedures aimed at achieving the organisational goal in a sustainable way. Policies are therefore the primary governance tool in determining organisational behaviour – at both group and individual level;
  • Risk governance policies in an organisation include;
    • Risk Appetite – the level of risk an organisation is prepared to accept, risk appetite must be identified for each and every area within the organisation, or even better still at the specific risk level. Risk appetite is determined to an organisations objective/goal/strategy – i.e. the things the organisation wants to do determine the kinds of risks it will face, the governance of risk sets limits in place to indicate when systems need to be put in place and managed to ensure that the organisation stays within these limits. Some of the main categories of risk appetite include;
      • Financial
      • Health and safety (wellness)
      • Ethical
      • Conduct
      • Social Impact
      • Information
      • Technology
      • Recreational
    • Risk Tolerance – the degree of variance in the risks (around the targeted/expected risk appetite) and where the line is drawn between acceptable and unacceptable variances;
    • The relationship between risk appetite and risk tolerance is as follows;
      • Strategy is determined (formulated)
      • Risk areas are identified
      • Risk Appetite is established for each area
      • Risk Tolerances are identified around the risk appetite for each risk area
      • Some areas may have very narrow risk tolerances, other very wide – the profile of the organisation, its strategy and its resources determine this.
  • One of the main reasons governance of risk is required before risk can be managed is that management is a behavioural function – sure it uses tools of policy, process and procedure but organisations are ‘alive” due to the people within them, and people act or behave in certain ways dependent on what the organisation allows or disallows. The governance framework of the organisation – including its governance of risk – determines what people are allowed and not allowed to do in the pursuit of the organisations strategy;
  • As such an organisations governance structure – the policy framework that gives life to the behaviour of the people in the organisation – determines the culture of the organisation. Culture is the composite expression of the organisation – it is what both insiders and outsiders “know” the organisation to be. People decide what the organisation is to be “known” for based on the composite behaviour they experience – either from the inside as an employee, or from the outside as a consumer, a supplier or the members of the community within which the organisation operates.
  •  Risk is also a function of behaviour – including both decision making and implementing decisions. If an organisations governance framework is inadequate people in the organisation will lack guidance in how to act in certain situations. Any action they take could involve unanticipated risks – even if they do not act (due to fear or indifference) unanticipated risks could emerge.
  • In conclusion;
    • People do things in the name of organisations every single day;
    • It is the responsibility of the board to construct an appropriate governance framework for the organisation that governs the actions of people;
    • One of the key elements in any governance framework is how risk is addressed;
    • The governance of risk involves determining the risk appetite of the organisation in all the areas its objectives determine, and then identifying the acceptable and unacceptable variances around this appetite (risk tolerance);
    • The risk governance policy framework should enable management to identify specific tools that can be used to manage the risks as they are encountered in the operation of the organisation;
    • Management should provide feedback on the effectiveness of the risk governance framework to the board;
    • Gaps in the policy framework should continually be addressed at board level so that the behaviour of all people within the organisation falls within acceptable levels of risk.

Too many organisations simply jump into managing the risks they face – this is certainly better than nothing but a robust Risk Governance framework is necessary for risk management to be sustainable and effective in the long run.

Your thoughts would be valued.

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: