Before embarking on a detailed description of each core risk framework (risk identification, underwriting and controlling), it is worthwhile to make a few general comments on risk governance and organization.
This chapter begins by describing the “textbook” answer to the question, “What defines ‘good’ risk governance?” We start with general principles and continue with the definition of the three-lines-of-defense model. We then answer some common questions with regard to the organization of the risk function.
Risk Governance Principles
There are a few high-level principles which define good risk governance:1
- senior management and Board “ownership” of both risk and returns;
- an explicit articulation of the firm's risk appetite and its strategy for creating value by taking risk;
- clear accountability and incentives to take the right risk/reward decisions;
- an effective risk culture promoting transparency as well as personal integrity and ethical behavior;
- the design, implementation and testing of a comprehensive system of controls, periodically validated by independent, external personnel;
- as part of the control framework, independent checks and balances including independent risk management and audit, separation of duties and definition of the first, second and third lines of defense;
- sufficient skilled and experienced personnel in the front line as well as the risk and control functions.
Because these are principles and not detailed ...