CHAPTER 5
Risk Governance
The basic premise in this book is that risk‐taking is necessary and desirable to fulfil the overarching goal of creating long‐term value, and that risks arise as a natural consequence of doing business. Risk‐taking can become excessive, however, or there may be negligence and a lack of oversight with respect to important risks. Risk culture attempts to fix these problems by instilling values and behaviours that promote proactive risk management. Risk governance, in contrast, aspires to do so through formal processes and protocols. It sets out to establish who does what in the risk management process.
When practitioners speak of risk governance, they usually have in mind the clarification of roles and responsibilities as they relate to the risk management process. The general idea is that for a risk to be managed properly, somebody has to take responsibility for it. It has been observed that accidents and failures often happen simply due to a lack of attention, when managers do not feel personally responsible or just assume somebody else is going to deal with it. Shared responsibility is no responsibility, as the adage goes.
On a theoretical level, risk governance can be viewed as a set of mechanisms that counteract the agency problem of risk management, which we met earlier in this book. To recap, it refers to the fact that the managers, at various levels in a decentralized organization, may have incentives and behavioural biases that cause risk management ...