Over the last two decades, risk management has evolved from a responsibility shared by all employees of an institution to a profession in and of itself, with risk functions separate from business functions. Ensuring that the risk functions have an adequate and appropriate voice in corporate decision making is the goal of effective risk governance.
Risk governance is the framework that ensures that risks are appropriately reported and considered by senior management and boards of directors. It sets forth roles and responsibilities for the risk management function, including reporting lines and escalation points. Effective risk governance ensures that the organization is aligned with the risk appetite of the institution and that effective enforcement mechanisms are in place.
Companies have hired Promontory to conduct in-depth reviews to assess the effectiveness of their risk governance structures, identify gaps, and make recommendations for improvement. To gauge the effectiveness of risk governance, we evaluate how organizations are structured and operate. We interview a broad cross section of stakeholders, including board members, senior risk officers, the head of internal audit, and the chief compliance officer; we talk to members of the management and risk committees; and we review risk management reports and supporting materials. Our thorough reviews answer critical questions:
- Are risk reporting functions sufficiently separate from the profit-and-loss reporting functions of the business?
- Are the boundaries clear?
- What is the scope of the risk function?
- How does compensation of the chief risk officer affect his or her stature and ability to effectively manage risk?
- How does compensation for junior risk officers align incentives for performance with independence and effective risk management?
- Is there an effective risk committee in place? Are there gaps in risk coverage among various committees reporting to the board, such as audit, risk and credit?
- What is the impact and effect of risk-related reporting on executive management and the board?
Following the review, we provide recommendations to address any identified gaps and ensure that the institution’s risk governance structure is appropriate for the institution, is in line with the risk governance structures of competitors and is informed by leading practices.