Risk Governance and Enterprise Risk Management
What Is Risk Governance?
Risk governance is the organizational architecture that determines who makes risk decisions, how risk is monitored, and what happens when risk limits are breached. It is the structural foundation that every other risk management activity depends on.
At its core, risk governance answers three questions:
- Authority: Who has the authority to take risk, and up to what level?
- Oversight: Who watches the risk-takers, and how often do they report?
- Accountability: When something goes wrong, who is responsible?
Without clear governance, even sophisticated quantitative models are useless. The 2008 financial crisis demonstrated that many institutions had advanced risk models but lacked the governance structures to act on them.
Key Governance Components
- Risk Committee: A board-level committee that sets risk policy, reviews major exposures, and approves the risk appetite statement.
- Chief Risk Officer (CRO): The senior executive responsible for firmwide risk management. The CRO should have direct access to the board and independence from business line heads.
- Risk Policies: Documentation that specifies acceptable risk types, limits, escalation procedures, and reporting frequencies.
Exam Tip: GARP frequently tests the distinction between the risk committee (board-level) and the risk management function (operational level). The committee sets policy; the function implements it.
The Board's Role in Risk Management
The board of directors holds ultimate responsibility for the organization's risk profile. This does not mean the board manages day-to-day risk; it means the board is responsible for ensuring that a competent risk management framework exists.
Board Responsibilities
| Responsibility | Description |
|---|---|
| Approve risk appetite | Define how much risk the organization is willing to accept in pursuit of its objectives |
| Oversee risk culture | Ensure that risk awareness is embedded throughout the organization |
| Review major exposures | Regularly examine the largest risk concentrations and potential tail events |
| Ensure independence | The CRO and risk management function must be independent of business lines |
| Stress test oversight | Review stress testing scenarios and their implications for capital adequacy |
Common Exam Pitfall
Students often confuse the board's oversight role with an operational role. The board does not approve individual trades or set position limits for specific desks. They approve the framework within which those limits are set.
Enterprise Risk Management (ERM)
Enterprise Risk Management is a firmwide, integrated approach to managing all material risks. ERM is the opposite of "silo" risk management, where market risk, credit risk, and operational risk are managed independently without considering their interactions.
Why ERM Matters
Traditional risk management treats each risk type independently:
- The market risk team monitors VaR
- The credit risk team monitors default probabilities
- Operational risk tracks loss events separately
The problem: risks interact. A market crash (market risk) can cause counterparties to default (credit risk), which overwhelms back-office systems (operational risk), which triggers a liquidity crisis. ERM recognizes these cascading effects.
COSO ERM Framework
The Committee of Sponsoring Organizations (COSO) published the most widely referenced ERM framework. Its key components:
- Governance and Culture: Tone at the top, risk appetite, organizational structure
- Strategy and Objective-Setting: Aligning risk appetite with strategy
- Performance: Identifying, assessing, and prioritizing risks
- Review and Revision: Monitoring performance and reviewing changes
- Information, Communication, and Reporting: Leveraging data for risk decisions
ERM Benefits for the FRM Exam
- Diversification recognition: ERM allows firms to recognize that not all risks hit simultaneously. A combined view may require less capital than the sum of standalone risk capitals.
- Risk aggregation: Combines risks across business units using correlation assumptions.
- Better strategic decisions: When risk is measured at the enterprise level, capital allocation decisions improve.
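The following is an added illustration of the aggregation and diversification points above; it is not part of the original reading. It uses the variance-covariance approach, one common way to aggregate standalone risk capitals under a correlation assumption: the enterprise figure is the square root of the correlation-weighted sum of products of the standalone figures, which equals the simple sum only when every pairwise correlation is 1. The capital amounts, correlations, appetite and capacity values are constructed for the example and have no source in the text; the final function shows how the aggregated figure would be compared against the appetite and capacity limits discussed later on this page.

```python
import math

# Constructed standalone risk capital per risk type (illustrative only).
STANDALONE = {"market": 400.0, "credit": 600.0, "operational": 200.0}

# Constructed pairwise correlation assumptions (symmetric; diagonal is 1).
CORRELATIONS = {
    ("market", "credit"): 0.6,
    ("market", "operational"): 0.2,
    ("credit", "operational"): 0.3,
}


def correlation(a: str, b: str) -> float:
    """Look up the assumed correlation between two risk types."""
    if a == b:
        return 1.0
    rho = CORRELATIONS.get((a, b), CORRELATIONS.get((b, a)))
    if rho is None:
        raise KeyError(f"no correlation assumption for {a}/{b}")
    if not -1.0 <= rho <= 1.0:
        raise ValueError(f"correlation {rho} for {a}/{b} is out of range")
    return rho


def silo_capital(standalone: dict) -> float:
    """'Silo' view: each risk type is capitalised separately and the figures are summed."""
    return sum(standalone.values())


def aggregated_capital(standalone: dict, corr=correlation) -> float:
    """Enterprise view: sqrt(sum_i sum_j rho_ij * c_i * c_j).

    With rho_ij = 1 everywhere this collapses to the silo sum, so the
    aggregated figure can never exceed the sum of standalone capitals
    when correlations are at most 1.
    """
    names = list(standalone)
    total = 0.0
    for a in names:
        for b in names:
            total += corr(a, b) * standalone[a] * standalone[b]
    return math.sqrt(total)


def diversification_benefit(standalone: dict, corr=correlation) -> float:
    """Capital saved by aggregating instead of summing standalone figures."""
    return silo_capital(standalone) - aggregated_capital(standalone, corr)


def check_limits(aggregated: float, appetite: float, capacity: float) -> dict:
    """Relate the aggregated figure to the appetite and capacity limits.

    Appetite must not exceed capacity; the aggregated exposure is then
    tested against appetite.  Both checks are reported so that a breach of
    the governance rule (appetite > capacity) is visible even when the
    current exposure itself is within appetite.
    """
    return {
        "appetite_within_capacity": appetite <= capacity,
        "exposure_within_appetite": aggregated <= appetite,
        "headroom_to_appetite": appetite - aggregated,
    }


if __name__ == "__main__":
    agg = aggregated_capital(STANDALONE)
    print(f"silo capital:        {silo_capital(STANDALONE):10.2f}")
    print(f"aggregated capital:  {agg:10.2f}")
    print(f"diversification:     {diversification_benefit(STANDALONE):10.2f}")
    # Constructed appetite and capacity figures for the limit check.
    print(check_limits(agg, appetite=1000.0, capacity=1500.0))
```

Running the script with the constructed inputs gives a silo figure of 1200 against an aggregated figure of roughly 976, a diversification benefit of about 224. Swapping in a correlation function that returns 1.0 for every pair reproduces the silo total exactly, which is the quickest way to sanity-check an aggregation implementation before trusting its diversification numbers.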
Three Lines of Defense Model
This model is heavily tested on the FRM exam. It describes how risk management responsibilities are distributed:
First Line: Business Units
- The people who take risk (traders, loan officers, sales teams)
- They own the risk and are the first checkpoint
- They must follow risk policies and limits set by the second and third lines
Second Line: Risk Management & Compliance
- The CRO, risk management function, and compliance teams
- They design policies, set limits, and monitor the first line
- They report to senior management and the board
- They are independent of the business units
Third Line: Internal Audit
- Provides independent assurance that both the first and second lines are working
- Reports directly to the board or audit committee
- Does not manage risk; it audits the risk management process itself
Critical Exam Point: The third line (audit) must be independent of both the first and second lines. If internal audit reports to the CRO, that independence is compromised.
Risk Appetite and Risk Tolerance
These terms are often confused by candidates but have distinct meanings:
Risk Appetite = The total amount of risk an organization is willing to accept in pursuit of its strategic objectives. This is a broad, strategic statement.
Example: "We are willing to accept annual trading losses of up to $500 million in pursuit of a 15% return on equity."
Risk Tolerance = The specific, measurable limits set for individual risk categories, business units, or positions. Tolerance is the operational translation of appetite.
Example: "The fixed-income trading desk has a daily VaR limit of $10 million at the 99% confidence level."
Risk Capacity = The maximum amount of risk the firm can absorb before it becomes insolvent or violates regulatory requirements. Capacity is determined by capital, liquidity, and regulatory constraints.
The relationship: Appetite ≤ Capacity. A firm should never set its appetite above its capacity.
Exam Tips for This Reading
- Three Lines of Defense: Know which activities belong to each line. A common question format presents a scenario and asks which line is responsible.
- Board vs. Management: The board sets strategy and policy; management implements it. Don't confuse the two.
- ERM vs. Silo: Be prepared to explain why ERM is superior to siloed risk management, especially regarding risk aggregation and diversification.
- Risk Appetite Statement: Know the components: types of risk accepted, quantitative limits, qualitative boundaries, and link to strategic objectives.
- CRO Independence: The CRO must have direct board access and cannot be overruled by business line heads on risk matters.