Firm governance starts with a definition of the roles and responsibilities of the different stakeholders in the firm. Similarly, proper risk governance must ensure that the roles and responsibilities of those involved in the firm's risk management – arguably, everybody – are clearly defined, understood and executed accordingly.
Effective governance can be described as clearly defined roles and responsibilities across the organization with an executable decision-making process and enforceable discipline.
Worldwide, corporate governance codes use similar terms to express that the board is responsible for determining the nature and extent of the significant risks it is willing to take to achieve its strategic objectives and to maintain sound risk management and internal control systems. In other words, the board is responsible for setting the risk appetite of the firm and for making sure that it operates within the limits of its risk appetite.
Following the development of non-financial risk management and the recommendations of regulators and large consultancy firms, most banks and insurance companies have now articulated their risk governance according to the three lines of defense model (3 LoD). Originally derived from risk management organization in the military, the 3 LoD model is now commonplace in the financial industry.
Although straightforward in theory, risk governance and the 3 LoD model are ...