Andrew Sheen January 27, 2021

How to Set Up a Robust Risk Governance Framework

When I first became a bank supervisor, I was surprised by the number of firms that had failed to establish effective and robust risk governance. Now, over 20 years later, I continue to meet and read of firms that exhibit the same deficiencies. This often manifests itself as poor decision taking, ineffective directors and non-executive directors, a failure to actively challenge senior management and ignorance of regulatory, stakeholder and societal expectations. In other words, a recipe for disaster.

These deficiencies can usually be laid at the feet of the Board of Directors, who are responsible for the governance of their companies. The failure of many executive directors to understand the components of an effective and robust governance framework is further compounded by the failure of many non-executive directors to challenge the existing governance framework. This is often a consequence of their own inability to understand the requirements and components of a clear governance framework.

In an era when many regulators have introduced measures to strengthen individual accountability, including the Senior Managers and Certification Regime in the UK, this seems particularly astonishing. These deficiencies could lead to the regulator requiring a capital add-on, a skilled persons review (section 166) and individual censure of members of the Board and senior management, all of which carry significant cost and reputational damage implications.

Reference sources for effective governance

Firms looking to create a risk governance Target Operating Model, either as a benchmark for their existing framework or as a direct replacement, have a number of reference sources available to them. It is an ongoing concern that many Board members are not aware of the existence and/or content of these sources. The starting point must be the Corporate Governance Principles for Banks published by the Basel Committee on Banking Supervision in July 2015. The first 12 of these 13 principles (the final principle applies to bank supervisors) provide a governance foundation for UK banks that can also be applied to other firms. However, firms should also take into account the Financial Reporting Council’s Corporate Governance Code published in July 2018.

The risk governance framework should include a clear organisational structure with well-defined, transparent and consistent lines of responsibility. Many firms use the three lines of defence for this purpose, although their understanding and implementation of this methodology is often deficient. Firms using the three lines of defence should take account of the updated Three Lines Model published by the Chartered Institute of Internal Auditors last year. The Target Operating Model should also evolve as a firm grows, products become more complex and markets become more disrupted. Risk governance arrangements considered acceptable in the early years of a firm will not be appropriate as the customer base grows and the degree of complexity increases.

Validating risk governance

The importance and role of the non-executive directors in implementing robust and effective risk governance cannot be overstated. It is difficult to envisage a situation where there is no need for the Board to contain NEDs with demonstrable and industry-recognised recent and relevant financial and risk experience.

Caution should be exercised by firms seeking to self-validate their risk governance framework, including when this process is led by the Board Chair and NEDs. Firms seeking to self-validate risk governance effectiveness and suitability often lack the knowledge, independence (to ensure appropriate challenge) and rigour needed for this process. As a result, they fail to identify weaknesses. The Financial Reporting Council’s July 2018 Guidance on Board Effectiveness is a useful starting point that is often ignored.

As we have seen, these weaknesses can subsequently be the focus of regulatory attention and perhaps reputational damage, to both the firm and individual members of the Board and senior management.

The value of independent review

Only through seeking independent advice can the Board and senior management demonstrate that they have effectively discharged their governance responsibilities. This extends both to the review of existing risk governance and to the establishment of new frameworks. This independent perspective should help overcome internal politics or an individual’s sensibilities as committee structures and reporting lines change.

For further information, or to discuss this paper, please contact us.