A Framework For Risk Governance

Risk Governance

By Pedro B. Agua

When it comes to approaching risk, compliance is a necessary condition but not a sufficient one. Risk has progressively become a significant part of governing boards’ agendas. But what do we mean by risk, and what types of risk do corporate boards face? Approaches to risk governance have been particularly influenced by regulation focused on financial risks, a consequence of past governance crises. There are, however, many other types of risk, potentially more damaging for organisations. The role of the board of directors has undergone a long evolution in its recent history, and today boards, without replacing executive management, are expected to be more interventionist, especially in the context of risk governance.

Organisations are living systems that act across multiple dimensions on a day-to-day basis. Beyond compliance with codes of good practice and standards, the mission of boards of directors is centred on making the chosen future a reality. This implies going beyond mere compliance, not least because achieving that future is a matter of initiative, not of optimisation or compromise. Therefore, the relevant governing bodies must use the best of their skills and knowledge to achieve their organisations’ objectives while being constrained by the need for proper governance of the many risks, some of them strategic, that have the power to collapse organisations.

The etymological origin of the word “risk” suggests semantics associated with “running into danger”. The word “governance”, of older origin, was originally related to the art of steering or setting the course of a ship: from the Latin gubernare, to set a course or guide, or from the Greek kybernan, to steer or command a ship. Risk governance can therefore be defined as the art and science of steering an organisation towards the intended direction while keeping it away from potential dangers, however diverse they may be. There are risks, perhaps more dangerous than the strictly financial ones, which require special attention from those responsible for corporate governance in order to avoid blind spots. It is also clear that in recent decades Force Majeure and Acts of God events have been occurring more frequently and with increasing impact. Even so, when compared with the financial costs of catastrophes caused by human behaviour, they often fall short.

The current corporate risk context with the increased threats of disruptive technologies, such as artificial intelligence, conflicts, inflation, and geopolitical issues that threaten to affect major economies, places increasing demands on board directors, which may lead to a growing tendency for many to decline such roles, making it more difficult to recruit them.

There have been considerable efforts to better understand and govern risk, from the development of the ISO 31000 standard to spending hundreds of millions on Enterprise Risk Management (ERM) systems, in some cases with results that fell short of initial expectations. ERM systems tend to cover every single identifiable risk in an organisation, generating an overwhelming amount of data that distracts those responsible for risk governance. Moreover, the mere existence of an ERM has brought with it a “false” sense of safety. Most of these systems treat risks as independent, when this is not necessarily true, producing amplified and catastrophic effects when risks materialise [4]. This is associated with the complexity that is so much talked about but so little understood. Such complexity is rooted in the non-linear dynamics and behaviour of systems, organisations included. Decisions within an organisation affect some parameters that are, in turn, interconnected with other parameters, and these interconnections and non-linear behaviour often result in amplified side effects that no one anticipated. For example, underestimating the potential disruptive effects of a new technology being introduced by an obvious (or sometimes non-obvious) competitor could produce such impacts. It is worth pondering the Kodak board’s decision-making when it concluded that the digital camera was not going to have a significant impact on the film market. The dynamics that unfolded across the photographic industry not only changed the technology but fostered the massification of photography and filming to unprecedented levels.

It is within this paradigm of balancing risk and reward that risk governance develops, demanding increasing involvement and accountability from directors worldwide. This new context of attention to risk may make boards of directors “too” risk averse, which is a risk in itself, as such an attitude could slow down the flow of initiatives in a company; initiatives that are the engine of innovation and the guarantee of the future sustainability of organisations.

The current risk environment and the increasing responsibility of directors


Governance implies legitimacy and overall supervision – typical of ownership. Management, on the other hand, involves a great deal of technical knowledge of how things are done and supervision of execution details. To manage is to execute something decided by someone else who “directs”, within defined aims and means. Thus, those who govern define and choose organisational objectives and the people responsible for their achievement, but then limit themselves to supervision and control. One could therefore say that corporate “governing” is exercised in practice by top management together with the board of directors.

Senior management is made up of a small number of executives, in some cases only one, who hold the highest executive power within the organisation. The board of directors, as a governing body entrusted by the shareholders, is one of the control mechanisms within corporate governance, constituting one of the main figures for the proper functioning of the company and occupying a key position for the fulfilment of the interests of the different stakeholders. Among its main tasks, therefore, one finds the supervision of the management team, the approval and monitoring of the chosen strategy, and the governance of risks that may jeopardise business continuity.

In this context, partial approaches, whether by way of law, management or engineering, among other areas of knowledge, are insufficient on their own because they are incomplete, which is a risk in itself. Hence, the first useful step is always to classify and analyse the problem at hand.

Risks and their types – A considerable diversity of risks


Although in recent decades risk management has focused on the financial industry, because of the well-known problems of the recent past involving that industry, attention should be drawn to a wider multitude of risks, many of them non-financial per se. One example is the issue of trust. Trust is not, stricto sensu, a financial issue, but it can dictate the fate of financial institutions because it can trigger chains of cause and effect which in turn negatively affect purely financial variables. In this sense, it is important to bear in mind circular (feedback) causation and not to confuse effects with causes, or vice versa. Confidence, a related issue, can be the determining factor in a run on the bank, in which depositors rush to withdraw funds, which in turn further aggravates the situation in a vicious and catastrophic cycle originating from a lack of confidence.


The question then arises as to which risks shall be taken into account. Let us not forget that it took until the 17th century for probability to be applied in a systematic way. Most organisations’ approach to risk is still superficial and unrelated to cause and effect [1]. This is related to our inability to estimate quantities that are distant in time and space, which may in turn be related to systems thinking not being as developed and widespread a discipline as would be desirable.

Organisations are systems; systems that need to be governed. Natural systems have evolved over very long time spans and, as such, are in relatively stable conditions. Human systems, including businesses and other organisations, are relatively young, and their governance rules (policies) are often difficult to design and establish. In any case, the first step shall be the identification of the relevant variables, i.e. the typologies of risk to pay attention to.

A short definition of risk would be a situation or endeavour that may lead to adverse outcomes, caused by decisions we have made or a situation we are facing. Typically, the magnitude of a risk is measured in terms of two main parameters: the probability of occurrence and the impact it would cause. The risks faced by organisations must be managed, which means eliminating them, mitigating them or consciously accepting them, but in no case should they be ignored. These risks can be classified into three broad types, avoidable, strategic and external, each of which requires a different risk management approach [2].

Avoidable risks. These are the risks to which an organisation is exposed by doing things wrongly; they are usually caused by mistakes, lack of professionalism or inappropriate behaviour. The objective when considering these risks shall be to eliminate them (there is no strategic benefit in assuming them). The control approach for these risks is normally based on establishing adequate process procedures and internal control and audit systems, which verify whether the controls put in place are sufficient and functioning. The board’s role in addressing such risks is overseeing the control model and following up on the resulting action plans. If the board has an audit committee, this should be one of its main tasks.

External risks. This category includes all those variables that can negatively affect a company and over which it has no influence. The objective, therefore, shall be to mitigate their impact. A global economic crisis, a natural disaster or an epidemic are clear examples of this type of risk, which is one of the main causes of serious crises affecting companies. But if it is not possible to influence the variables that cause them or to foresee when and how they will occur, does the board have any role in their management? If so, what should this role be and how should it be carried out?

We know for sure that any company, sooner or later, will be impacted and step into crisis mode as a consequence of external risks. What is important for companies and their boards is not to try to predict the cause, but to concentrate on reducing the company’s fragility. Boards have some procedures for managing such risks, but what really matters upstream is to accept that the management of external risks, and not just of avoidable or strategic risks, should be part of the board’s agenda.

Strategic risks. The company is exposed to these when a business opportunity is pursued with the expectation of making a profit, since such an opportunity involves uncertainties that may lead to failure. In these cases, the expectation of profit outweighs the risk of failure; in general, the greater the profit expectation, the greater the willingness to assume risk. The assumption of such risks is what gives life to capitalism, as it enables improbable initiatives and projects to be carried out, through which our world progresses. A historical example of risk-taking on an improbable project relevant for progress was the first circumnavigation of the globe (1519-1522) carried out by Magellan and Elcano, whose financing was effectively “public-private” (23% was paid for by merchants from Burgos and the rest by the crown).

The objective when managing these risks is to minimise them, i.e. to take the appropriate precautions to reduce, in a cost-efficient manner, their probability of occurrence, to mitigate their impact in the event that they do occur, and to learn from what has happened. In this case, the control of the risks assumed is based on analysis and discussion using procedures and tools such as scenario planning, probability and impact maps of the identified risks, and key risk indicator scorecards. The role of the board of directors, supervision and control, is crucial for the proper management of this type of risk, but how can this be done? Certain practices are effective within the dynamics of the board, such as:

  • Asking timely questions and challenging the answers.
  • Defining the company’s acceptable level of strategic risk.

Ask appropriate questions and challenge the answers received:

This is one of the most important qualities of a good director. Monitoring risks involves:

  1. Knowing the main strategic risks the company faces, their interrelationships, the probability and impact of their occurrence, and the measures to be taken should they occur.
  2. Identifying how the organisation’s main interest groups or stakeholders would be affected.
  3. Ensuring that management remuneration systems, especially for top executives, do not incentivise undesirable risk-taking behaviour. There are many examples of this, in many cases with devastating outcomes.
  4. Gathering relevant information from external sources (auditors, legal advisors, regulators, etc.) and, above all, from internal sources. However, the ability of directors to obtain good internal information (sufficient, relevant, reliable and timely) is often weak [3]. It is clear that the chief executive can control both the information provided to directors and their access to the company’s management.
  5. Spending time and effort preparing for board meetings and actively participating in the sessions.

Define the company’s strategic risk level:

The board of directors must assess, clearly define and approve the level of risk appetite the company is willing to assume. To this end, directors need to be well aware of the pros and cons of establishing a lower or higher risk appetite, so that there is no room for the all too frequent and surprising ex-post justifications (“we were not aware of…”, “in our industry it was common practice…”, “management never warned us of…”, etc.). The accepted risk tolerance need not be static and should be revisited as often as necessary, depending on the moment, the context, the sector and the company.

The Business Policy Model and Risk Governance

The board’s job is to act in such a way that the future situation of the company is better than the current one, in relative terms. This requires, firstly, addressing the organisation holistically to ensure that undesirable side effects are minimised. Among the various possible approaches, António Valero and José Luís Lucas [5] proposed the Business Policy Model, a conceptual framework that seeks to assist senior managers in their task of managing a company. They identified four areas of action on which the “governance action” of senior management is applied: (i) the Business; (ii) the Management Structure; (iii) Professional Commitment; and (iv) Institutional Configuration. Distinguishing these four aspects is useful in order to maintain a comprehensive perspective (Figure 1).

Figure 1: The four areas of the Business Policy Model: the Business, the Management Structure, Professional Commitment and Institutional Configuration.

Choosing the business means deciding to carry out particular activities or operations which, when harmoniously related, allow for an optimal evolution of the organisation’s results. Bringing people together and putting them to work is one of the basic pillars of management; creating a management structure therefore means entrusting people with certain parts of what needs to be done to move the organisation forward. Through Professional Commitment, management seeks procedures that help people do their work, ensuring that the incentives and motivation of the entire organisation are aligned with the chosen strategy. After all, getting the people who make up the organisation to work professionally, proposing new ideas through creativity and knowledge, and promoting innovation, are some of the key tasks of a manager. Finally, the Institutional Configuration, which is key to the organisation’s sustainability over time, requires agreements between shareholders and stakeholders at large regarding the levels of Initiative, Financing and Power needed to carry out the strategy. Each of these four areas can be affected by risks in multiple ways. Since organisations are systems, it is useful to keep this concept in mind for good corporate governance.


As regards board directors and management, each type of actor must work in harmony while being conscious of their different roles. Board members must keep up to date with the company but not interfere with the work of management (nose in, fingers out). In this sense, the Business Policy Model is a useful framework for framing the issue of risk governance, approaching the organisation as the system it really is. The model also facilitates the classification and framing of the multitude of potential risks that may face a company or organisation.

Risk governance and the Business Policy Model

The board’s focus should be on the management of strategic risks rather than on trying to cover every risk that an enterprise risk management (ERM) system may suggest (at the risk of “not being able to see the forest for the trees”). In this sense, it is useful to relate risks to each of the four governance areas of the Business Policy Model, as suggested below:

How does risk X affect the business, and how does it relate to the management structure of the organisation?

What is the relationship between professional commitment in the company, the incentive systems and risk? Remember the cases of incentive systems that induced less ethical behaviour in employees in order to raise their scores or even short-term performance bonuses. How is the professional culture of the organisation affected by risk?

How does a given institutional set-up aggravate corporate risks when facing certain typologies of risk? Does a given financial structure of the organisation increase risk? How does the level of initiative and innovation affect future sustainability and competitiveness? And how does power affect, or how is it affected by, risks in their various typologies?

To generate similar questions, it is useful to have a holistic model of organisations – a framework that facilitates the identification of risks, their mitigation, or even their transfer to third parties more qualified to deal with them.

For each of the four governance areas of the Business Policy Model, it is necessary to analyse how the three types of risk – avoidable, external and strategic – affect them (Table 1).

Table 1: The three types of risk (avoidable, external and strategic) mapped against the four governance areas of the Business Policy Model.

The above table is useful for the board for at least two reasons: (1) it allows the board to classify risks by company governance area, and (2) it allows the board to seek the most appropriate solutions for managing the identified risks.

The tasks to be addressed by the board of directors are essentially those that determine the prosperity and sustainability of their organisations. The board of directors may delegate its authority to the managing director or CEO, but it cannot delegate its responsibility for the actions of the company’s management, including accountability for the governance of the risks the company may face. In this sense, it is necessary to go beyond the focus on financial risks and pay more attention to any kind of risk that may be considered strategic, i.e. the kind of risk that can seriously damage the company or cause its collapse. In other words, compliance is a necessary but not a sufficient condition for excellence in risk governance, and a comprehensive framework for risk governance is of great help.

About the Author

Pedro B. Agua is a Senior Manager and currently a Professor of General Management at the Portuguese Naval Academy and Senior Teaching Fellow at AESE Business School, Lisbon. Professor Agua has authored many articles and book chapters on systems, governance and business policy subjects. Currently Deputy Director of the Navy Research Centre and a NED at AFCEA Portugal, he combines his teaching profile with an extensive business background of more than 28 years in cutting-edge fields such as defence, telecommunications and the subsea industry. Agua holds an MBA from AESE and IESE Business School and a Ph.D. in Engineering and Management awarded by the University of Lisbon.


  1. Hubbard, D. W. (2009). The Failure of Risk Management: Why It’s Broken and How to Fix It. Hoboken, NJ: John Wiley & Sons.
  2. Kaplan, R. S. and Mikes, A. (2012). Managing Risks: A New Framework. Harvard Business Review, June.
  3. Água, P. B. (2021). Covering Blind Spots. The European Business Review, September.
  4. Bromiley, P. and Rau, D. (2016). Strategic Risk Management: A Better Way of Managing Major Risks. IESE Insight, Issue 28, 1st Quarter.
  5. Valero, A. and Lucas, J. L. (2018). Business Policy. Seville, Spain: San Telmo Ed.
