Agility, and therefore change, is beneficial to all organisations; being able to change products, services and internal processes allows a firm to stay ahead of competitors. But with change comes risk, and that risk must be managed correctly in order to maximise the benefit of the change by minimising the risks associated with it. Technology undoubtedly plays an important role in the modern regulated firm’s approach to risk management.

What does good risk governance look like?

Imagine a scenario. Your risk management team meets with each department quarterly to hold a risk review. Risks are identified and logged on your brand new risk management system; mitigation is proposed by the risk owner and, again, recorded on the system. At the monthly risk committee the risks and proposed mitigating actions are debated and actions are agreed. The committee also ensures that previous mitigating actions are updated, with any amendments re-debated.

Everything sounds great with the above scenario, but what is missing?

That’s right, your senior managers are not gaining a “bird’s-eye view” of the risks affecting the business and the development of mitigating actions to control those risks.

Risk Governance

Governance is the process by which senior individuals administer the organisation, and it always relies on being able to achieve a “bird’s-eye view”.

Risk governance, therefore, applies governance to the conventions, processes and mechanisms by which decisions about risks are taken and implemented.

Your risk governance must address the following questions:

  1. Do people within your firm understand the consequences of the risk?
  2. Do they have the capacity to mitigate and manage the risk?
  3. Does the firm have the resilience to deal with unavoidable consequences of the risk?
  4. What process do we have in place to address elements of the risk or its mitigation we are uncertain about? To what extent should these be used?

What does good risk governance look like?

Carrying on with our ideal scenario, you might be used to the risk committee pulling together reports for senior managers to discuss at certain governance or board meetings, but there is a better way.

A fluid third line, reporting directly to senior managers, prevents the risk team from presenting inaccurate information, or from presenting only the issues they want to display. Imagine a third line of defence which has access to the risk management system, reviewing its usage each week to benchmark that use against the company’s agreed risk management process and industry best practice. Truly independent reports can then be produced for senior managers alongside the usual risk updates.

Robert Bell, Compliance Consultant at RB Compliance Consultancy Limited

If you are interested in a discussion then call  07849774401 or email:


RB Compliance specialise in providing apprenticeships for non-levy-paying firms within the regulated sector and have created compliance officer and collector pathways to serve this. We also have superb courses outside of the apprenticeship standards, such as our Level 4 Compliance and Audit distance learning course. If you would like to explore any of our learning and development offerings then make contact.
