Although many books discuss what enterprise risk management (ERM) is and how to implement it, our discussion reverses the usual order because we wish to focus on the independence of risk oversight and that takes us immediately to governance. Royal Bank of Canada's¹ risk-governance framework provides an interesting overall view of a structure to ensure independent oversight to improve profitability by limiting the downside while promoting the upside. Figure 4.1 presents the structure. We recognize that this may be overkill for less complex or smaller organizations. So, we would like to call attention to the following key features. The first is the need for independent oversight. The agent cannot be the overseer. Second, there is a need to ensure the quality of the data provided to the oversight function. In all organizations there are a number of oversight functions and these can be combined in various ways depending on the needs of the organization and the nature of its operations. In smaller organizations risk and finance oversight could be combined within the finance function while data assurance could be delegated to the accounting function or other function responsible for management information and reporting. The nature of the reporting will also vary among organizations with large, sophisticated firms requiring extensive data analytics and ongoing reporting. Smaller firms will still need to ...