Risk Governance is not a combination, but a discipline in itself.

1. Establish a board-level risk committee that supports the board's role in approving the firm's risk appetite and that oversees the risk professionals and infrastructure. The risk committee's core mission should be to shape the firm's risk appetite within the context of the firm's chosen strategy and then to present it to the full board for approval. It must ensure the risk culture supports the desired risk profile and must ensure risk leaders and professionals are capable, empowered, and independent. It must also ensure the firm has the necessary risk infrastructure in place.
2. Ensure the presence of a CRO who is independent, has stature within the management structure and unfettered access to the board risk committee, and has the authority to find the appropriate balance between constraint and support of risk taking. The CRO must have the independence, skills, and stature to influence the firm's risk-taking activities. The board should approve the appointment of the CRO, and the risk committee should annually review the CRO's compensation.
3. Determine a risk appetite that is clearly articulated, properly linked to the firm's strategy, embedded across the firm, and which enables risk taking. The risk appetite framework should frame the choices regarding risks in terms of the type of institution the board and management are trying to build and sustain, and it should clearly link risks and returns. To be fully effective, the risk appetite framework must be embedded deep within the firm and linked to key management processes, such as capital allocation decisions, new product and businesses approvals, and compensation arrangements.
4. Actively assess and manage the risk culture so that it supports the firm's risk appetite. The risk committee and full board play a critical role, with management, in ensuring that the risk culture is consistent with the firm's risk profile aspirations. The tone set at the top of an organization is important, but non-executive directors also need to be attuned to the culture deep in the organization and how the messages at the top are communicated and interpreted by employees. They should seek out the views of supervisors and the external auditor.
5. Ensure directors have access to the right level of risk information so as to see and fully comprehend the major risks. Management must strike a balance between being thorough and concise in reporting to the board. They must avoid overwhelming directors with details, while still providing sufficient and unbiased risk information.
6. Maintain robust risk information technology (IT) systems that can generate timely, comprehensive, cross-geography, cross-product information on exposures. Ultimately, the quality of risk information that boards and management teams receive depends largely on the quality of the organization's IT systems. Ideally, organizations need risk IT systems that can gather risk information quickly and comprehensively, producing estimates of their exposures within hours.
7. Maintain an ongoing focus on emerging risks by having a holistic, vigilant view of all major risks, strategic and product creep, excess complexity, and areas of over performance. Boards should take a broad perspective when overseeing risk, including operational and reputational risks that are difficult to measure and mitigate. They should look for early warning signs of emerging risks arising from increasingly complex organizational structures and products or businesses with unexpected over performance.
8. Strengthen the firm's ability to withstand exogenous shocks, recognizing that it is impossible to avoid financial stresses when they come. No Organization is resistant to all possible crises, but judicious advance planning and testing increases institutional robustness. Boards and management teams should also examine how their firms have reacted to actual unanticipated events in the past, since historic reactions can be very informative about the firm's resiliency.