
Governance, Policy, Assurance: The Pillars of Risk Management


In my series of enterprise risk management (ERM) posts to date, we’ve covered the regulatory pressures and industry trends that have led to an increased focus on risk preparedness and board involvement.

I last left you with a note that board members who recognize the importance and benefits of ERM planning can build a strong foundation for risk oversight through three key pillars – governance, policy and assurance. Today we’re going to take a look at what each of those three areas cover.

Governance

Since the board’s role is to support and oversee effective risk management rather than to manage risk directly, it’s critical to clearly outline what authority and accountability lie with management and with the board, respectively. Determining reporting lines, decision structures and information flow at the outset makes it easier for your risk committee to be effective, instead of getting caught up in bureaucracy or personal disagreements.

There are also a number of considerations to be made within the board itself. First, you need to determine whether the board as a whole will provide risk oversight, or whether a separate audit / risk committee will be formed. A mandate also needs to be set to determine what kinds of risk the board will oversee. In the past, risk oversight was limited to financial concerns; these days, however, businesses tend to see their fiscal performance as part of a bigger picture that also considers risk in strategic, operational and environmental settings.

Once you’ve determined your risk committee’s structure and focus, it’s time to appoint the appropriate people to it. Members of the committee should ideally have deep risk management expertise. If your board has a shortfall in this arena, consider bringing in outside advisors to help guide your team, especially in the early stages of development.

Policy

One of the board’s greatest tools in risk governance is the creation of an ERM policy. This document outlines the board’s position on risk, and can be used as a benchmark in monitoring acceptable levels of exposure. It’s also the place to cement and document your governance structure.

Ideally your board will recognize that risk is a necessary – and in many ways, healthy – aspect of business. The ERM policy should establish the organization’s overall approach to risk management, including what level of risk appetite and tolerance is acceptable in pursuit of your strategic goals. Your policy must also contain a framework for how your organization will work together in managing risk, and ensure alignment with the risk policy’s standards.

Assurance

While the board is responsible for setting and monitoring risk standards, it’s management’s job to adequately review and report on the effectiveness and soundness of your risk management strategy. Executives and managers must regularly provide a summary of organizational and risk performance, and bring key discussion and decision points to the board for feedback and approval.

Regular reporting is just one part of effective risk management assurance – your team also needs to know what to report on. Board members are looking for an integrated perspective on the risks faced by the organization, insight which only management can provide. They’re also expecting analyses that are future-oriented rather than historically focused, and that take performance and risk indicators into consideration in relation to specified targets or limits.

That’s not to say management bears all the responsibility when it comes to assurance. The board should also commission an independent review of your ERM system every couple of years to ensure it remains current and competent as your organization, and the market as a whole, changes.

Although an external analysis of your ERM is essential, you must also learn to measure the effectiveness of your risk strategy internally. I’ll be reviewing some benchmarks for successful risk management in my final post in this series on ERM in today’s markets.