Who’s responsible for risk governance at global banks?
Boards and senior management, at the urging of regulators, are taking a fresh and far more rigorous approach to defining and institutionalizing a robust risk appetite. As they move through the process, they are discovering that risk appetite is a powerful management tool.
A bank’s statement of risk appetite should complement the firm’s vision and strategy and set the rules of the road for the entire organization, clarifying the board and senior management’s overarching views on what constitutes acceptable risk at all levels within the business.
So who’s responsible?
Risk appetite governance responsibilities
Ownership of risk appetite starts at the very top of the organization and systematically cascades downward to the front line business managers. The key players in the risk appetite development and implementation process include:
- Board of directors. The role of the board in risk management has evolved significantly post-crisis, from pure oversight to active participation in defining risk appetite and approving the broad risk parameters for the enterprise.
- Risk committee. More and more banks are adding or strengthening the mandate of board risk committees to focus and enhance their risk oversight responsibilities, including active monitoring of the level of risk exposure for the institution versus the parameters set in the risk appetite.
- CEO. Ultimately the CEO is responsible for managing risk throughout the organization. The CEO, together with the board, is responsible for creating the risk framework and articulating and enforcing the appropriate risk appetite.
- CRO. The chief risk officer plays a central role in the risk appetite development and monitoring process — driving the discussions between the board, business management and independent control groups. The CRO is concerned with identifying disconnects between strategy and operations. This role owns the internal assessment of tolerances, limits and indicators to support measurement against the risk appetite, as well as plan development, execution and management.
- Business unit leaders. Business unit leaders must communicate their business and competitive imperatives and related inherent risks to achieving those objectives during the risk appetite development phase. Once the risk parameters are formulated and communicated, business unit leaders are accountable for ensuring that limits, escalation triggers and other provisions are aligned with the risk appetite and meticulously observed in the execution of strategy.
- Independent risk management and control groups. Control and oversight groups must have sufficient knowledge of the business activities of the organization and have the clout to force a review or escalation when risk parameters have been breached.
Read the full 2010 annual global bank risk survey report for complete findings.