The roles of the board and chief risk officer in risk governance

Risk governance spotlight: Five ways to reimagine risk management

Boards and chief risk officers (CROs) may need to transform their risk management practices to address new challenges, according to our 2018 global survey of 94 leading financial institutions. Drawing on those findings, we highlight five takeaways regarding the governance of nonfinancial risks in a rapidly evolving environment.

Clarifying the mandate of the board of directors

Since 2008, boards of directors have become much more active in providing oversight of the risk management programs at their institutions. Yet the lines have often blurred between the oversight responsibilities of the board of directors and the operational responsibilities more appropriate for the province of management. Financial institutions and regulatory authorities are now recalibrating the role of the board of directors to have it focus more clearly on providing oversight.

Core oversight responsibilities

More than 90 percent of institutions reported that their board has several core risk management oversight responsibilities, such as:

  • Review and approve the organization’s formal risk governance framework (93 percent)
  • Review and approve the overall risk management policy and/or enterprise risk management (ERM) framework (91 percent)
  • Review regular risk management reports on the range of risks facing the organization (91 percent)
  • Approve the enterprise-level risk appetite statement (91 percent)

Although business strategy often drives an institution’s risk profile, it is far from universal for the board to consider that link. Only 70 percent of respondents said that it is the board’s responsibility to review corporate strategy for alignment with the organization’s risk profile.

Monitoring conduct risk

Even though conduct and culture risk are an increasing focus of regulatory authorities, only 50 percent of respondents said monitoring conduct risk was a board responsibility. This may reflect the fact that many institutions see it as more of a management responsibility. In contrast, 67 percent said the board is responsible for helping to establish and embed the enterprise’s risk culture and for promoting open discussion of risk.

Seventy-seven percent of respondents said their board of directors is responsible for monitoring risk appetite utilization, including both financial and nonfinancial risk, down from 89 percent two years ago. This is consistent with the trend of boards concentrating on oversight rather than on activities traditionally the province of management.

Placing oversight responsibility for risk management in a board risk committee is a regulatory expectation and has become a widely accepted practice.

  • Sixty-three percent of respondents reported that the primary responsibility for risk oversight lies with a risk committee of the board of directors
  • Twenty-one percent of respondents said that oversight responsibility is placed with other committees, such as a combined risk and audit committee (7 percent)
  • Only 14 percent of institutions said that the full board of directors has risk management oversight responsibility

Independent directors

There has also been a trend among regulators to expect risk committees to include independent directors who have risk management expertise and skills—and these expectations have had an impact.

  • Seventy percent of respondents said their board’s risk committee is composed entirely or mostly of independent directors
  • Six percent said it doesn’t contain any independent directors
  • Eighty-four percent of respondents said their institution has one or more risk management experts on its board risk committee, up from 67 percent in Deloitte’s survey two years ago

Overall, the move toward independent directors is most pronounced in the United States and Canada, where 87 percent of respondents reported that their board risk committee was composed entirely or mostly of independent directors, compared with 67 percent in Europe and 58 percent in Asia-Pacific.


Establishing an effective chief risk officer position

Over the course of Deloitte’s global risk management survey series there has been progress in meeting the regulatory expectation that financial institutions have an independent risk management function. Ninety-five percent of respondents in the most recent survey reported that their institution has a chief risk officer position or equivalent.

Institutions can benefit from having the CRO report both to the chief executive officer (CEO) and to the board of directors, but this is not always the case.

  • Seventy-five percent of respondents said their CRO reports to the CEO. This means that in one quarter of institutions the CRO doesn’t report to the most senior management executive
  • Only 52 percent of respondents said that their CRO reports to the board of directors or a board committee
  • But 97 percent of respondents said that their independent risk management group headed by the CRO meets regularly with the board of directors or with the board committees responsible for risk management oversight

Still, there remains room for improvement. The percentage of institutions reporting that their board of directors is responsible for conducting executive sessions with the chief risk officer increased to 66 percent, from 53 percent in the previous survey two years ago, but more institutions should consider having their boards adopt this practice. Having the board meet with the CRO, ideally sometimes without the CEO or other members of senior management present, allows the board to receive an unvarnished assessment of the institution’s risk management program.



“The strategic planning process is a joint exercise between the business and risk management. Dedicated senior risk leaders are also responsible for providing advice and oversight pertaining to a business risk.”

– Senior risk executive of a large diversified financial services company

Assigning accountability for managing nonfinancial risks

An important governance decision is how to assign responsibility for each risk type: in particular, whether a single individual should be responsible for oversight of the risk across the organization, or whether that responsibility should be decentralized across business units or geographies. Having a single accountable individual has become common for financial risks, such as:

  • Market (86 percent)
  • Liquidity (85 percent)
  • Credit (79 percent)

When it comes to nonfinancial risks, there is much less consistency. With some nonfinancial risks, most institutions reported that a single executive is responsible, such as:

  • Regulatory/compliance (80 percent)
  • Information security (85 percent)
  • Cybersecurity (82 percent)

In contrast, it is much less common to centralize responsibility for other risks, such as:

  • Third party (54 percent)
  • Strategic (43 percent)
  • Reputational (38 percent)
  • Conduct and culture (33 percent)

Institutions may want to consider centralizing accountability for some of these nonfinancial risks to raise their profile in the organization and clarify responsibility.


Meeting challenges in defining risk appetite

A written risk appetite statement approved by the board of directors provides guidance to senior management. It is especially useful when setting business strategy and when lines of business make business decisions, and it should be revisited periodically. Establishing risk appetite statements has received greater attention in recent years from regulatory authorities such as the Financial Stability Board and the Basel Committee. Ninety percent of respondents said their institutions either have a risk appetite statement that has been approved by the board of directors (84 percent) or are developing a statement for approval (6 percent).

Yet institutions face a variety of challenges in defining and implementing an enterprise-level risk appetite statement, especially with respect to defining risk appetite for hard-to-quantify nonfinancial risks. The risk types that were cited most often as being extremely or very challenging in defining risk appetite were:

  • Strategic (51 percent)
  • Cybersecurity (44 percent)
  • Reputational (39 percent)
  • Operational (36 percent)
  • Conduct (33 percent)

Reassessing the three lines of defense risk governance model

Virtually all institutions (97 percent) reported employing the three lines of defense risk governance model, but many said they face significant challenges in deploying it. The issues most often cited as significant challenges typically involved the role of line one (business units), including:

  • Defining the roles and responsibilities between line one and line two (risk management) (50 percent)
  • Getting buy-in from line one (44 percent)
  • Eliminating overlap in the roles of the three lines of defense (38 percent)
  • Having sufficient skilled personnel in line one (33 percent)
  • Executing line one responsibilities (33 percent)

To address these challenges, 43 percent of institutions said they have revised their three lines of defense model, have reassessed it, or plan to reassess it.

Many institutions have been focusing on the role of the first line of defense but have found it difficult to get their business units to consistently assume full responsibility for actively managing the risks they take on. Some business units may resist accepting responsibility for risk management, seeing it as outside their core mission of generating revenues and profits. Beyond securing buy-in, many business units will find they need to hire or develop a sufficient number of professionals who bring both risk management expertise and experience in the specific business.


Looking ahead

To successfully confront the array of economic threats and growing nonfinancial risks in today’s shifting business environment, financial institutions will need to reengineer their risk management programs and adopt fundamentally new approaches.

As they introduce new methods, institutions must make parallel enhancements to the governance of their risk management programs. The three lines of defense risk governance model will need to be reassessed to clarify the roles and responsibilities of each line of defense, especially the business units comprising the first line. The second line of defense should have a reporting connection to the board’s risk committee and, in many cases, a “dotted line” connection to the CEO. Accountability for managing nonfinancial risks, such as conduct and culture risk and third-party risk, will need to be reexamined. Institutions must develop more robust methodologies and gain access to relevant data to allow them to quantify their risk appetite for nonfinancial risks.

Boards of directors should play a key role in fostering new approaches to risk oversight. At many institutions, boards will need to:

  • Expand their focus to encompass oversight of the nonfinancial risks, while confirming that they truly concentrate on oversight rather than duplicate management responsibilities.
  • Assess if management has sufficiently tied risk to strategy and incorporated hard-to-quantify nonfinancial risks into the organization’s risk appetite statement.
  • Make sure they understand and are comfortable with those changes as their oversight role continues to evolve.
