From the root of the word - Governance means to steer.
A cliché definition for governance is the manner in which an organization is directed and controlled. Governance and Risk Management do indeed overlap and are both important to achieving the To-Be state. While the board is the custodian for both, you cannot exercise the same control with risk management as with governance, and good governance does control the practice of good risk management, but not the other way around. More specifically, how would you define the relationship between governance and risk management?
1. Governance vs. Risk Management is Hand in Glove
Here are ten bullet points, like the ten fingers of a pair of hands in gloves:
- Governance is "Framework," Risk Management is "Mechanism": The difference between Governance and Risk Management is that Governance is the creation of Theory and Risk Management is Applied Theory. The two go hand in hand; they really cannot exist exclusive of each other. The business framework, the "rules of engagement," is set out by the members of the board, stakeholders and investors who drive business strategy, business value, corporate responsibility and managed risk, ensuring that risks are identified, minimized and controlled within an acceptable "risk appetite."
- Governance is a "Framework" of Policies and Processes: It enables the Board to "govern" and report to shareholders/stakeholders. Governance comes first and risk management follows, as delegation flows from the board down to the rest of the organization. This includes governance of the first line of defense (Operations), the second line of defense (Risk Management), and the third line of defense (Audit, internal and external); each of these defenses either creates value or protects against losing value, and each acts as an enabler for the company.
- Governance and risk management are completely inter-related: One introduces governance artifacts (strategic plan, policies, processes, etc.) to reduce risk. One identifies, quantifies, and evaluates risk in part to determine where more or less governance is appropriate. Governance is more about effectiveness, and risk management is more about efficiency.
- Governance is one of the Purposes of Enterprise Architecture: Governance is mainly about getting from an As-Is state to the desired To-Be state. This begins with defining goals and a target architecture to support them. Once this is done, governance provides a monitoring, measuring, and enforcement mechanism. Risk management is a major component of that effort.
- Governance and Risk Management are literally "hand in glove": Governance is the glue that holds Enterprise Risk Management together. Unless Governance is structured right, the risk function cannot operate effectively; Governance is at the "policy creation" level and Risk Management is at the "applied policy" level.
- Governance is all about conformance and performance: It means conforming to laws, regulations, etc., and performing well to achieve business goals. Risk is integral to both conformance and performance, so risk management is essential to managing it. Risk management and Governance are therefore interdependent; you cannot effectively achieve one without the other.
- It is an uneven partnership, with a natural tension: Risk management must strive to establish integrated tactics that produce consistent policies, procedures and measurements. Governance must ensure that this process is constantly looking for new approaches and topics, which is almost antithetical to preserving baseline data. Taken to the extreme, the governance function would be looking for two standard deviations of everything, creating a mission impossible; it would demand reverse stress tests for everything, which is just not practical. The most responsible leaders have to negotiate the difference.
- They mutually reinforce each other: Governance defines the controls that are required to manage the risks. Governance can exist without risk management being in place, but RM without governance is pointless; and although governance can exist without risk management, RM gives it strength. Weak governance is reflected in weak risk management. Without good Governance, Risk Management is working in a Blue Sky environment; without good Risk Management, Corporate Governance is in a Bootstrapping environment.
- Both forces would find a balance between one another: Governance is the guiding force behind risk management, ensuring boundaries are appropriately set and adhered to. Risk management is simply what it says on the tin. Silos at any level of an organization are counter to good governance and risk management. Governance and risk have to walk hand in hand for organizations to strategically manage exposures. This is not a big brother relationship.
- In the simplest terms, governance is who you are and how you do it: Risk is the uncertainty associated with doing business, and compliance is the process of protecting your business from that risk. The relationship between governance and risk management should be defined in a nutshell; it is no use developing long definitions that do not focus on the critical point.
2. Value Creation Is the Purpose Behind Governance & Risk Management
The fundamental reason to run any organization is value creation (economic value and socioeconomic value), not risk management. We create organizations to create value, not to manage risk. Risk is inherent in the value-creation process.
- The best practice of governance takes a value-creation approach: Value creation, or destruction for that matter, is embedded in the myriad day-to-day decisions and behaviors taking place at all levels of the entire organization, so governance is about guiding and regulating those decisions and behaviors to serve the fundamental purpose for which the organization was created in the first place.
- Effective governance enforces multi-dimensional, sustainable value creation: Accordingly, governance, which is overseen by the Board of Directors, is the act of guiding, influencing and regulating the decisions and behaviors of the entire workforce, management included, to drive multi-dimensional, sustainable value creation for shareholders and customers. Risk is inherent in everything an entity does; governance consists of the procedural steps taken in the value-creation process that are intended to mitigate the perceived level of risk. Strong governance actions contribute to reduced risk, and vice versa. Set up right, in my opinion, governance should not restrict the achievement of the vision and mission; it is embedded within the value structure of how the entity wants to conduct its business.
- Don't just see governance as a constraint, but rather as an opportunity: It helps manage collaborative results and best practices that view the organizational objectives holistically and through the correct strategy lens. Effective governance facilitates the successful functioning of an organization while ensuring there are adequate controls in place to operate responsibly in accordance with its values, but not to the extent of restricting the aspiration to achieve its vision through an ambitious mission. Governance takes a value-creation approach, managing risk at the decision and activity level, whether strategic or operational, and, through the "governance system," setting decision and behavior guidelines through policy making and providing oversight through audit.
- High-performance businesses have better governance discipline: Statistically, organizations with better governance usually achieve 20% better performance than their competitors, and they do better at embedding risk management seamlessly into key business processes. Governance is indeed about how well an organization is being run and, if set up right, it should effectively oversee the achievement of the vision, mission, and objectives. Needless to say, effective governance leads to effective risk management.
- Governance and Risk Management combine conceptually to ensure long-term sustainability: The enterprise's culture comes into play here, because people tend to do what they are rewarded for doing. In very large companies without effective leadership and a governance body, ignorance of the current environment can put the long-term sustainability of the organization at risk if not monitored, and not just in theory. The day-to-day detailed testing, challenging, questioning and monitoring should fit 21st-century reality.
- Governance and Risk need to be closely aligned with top-line corporate goals (financial, strategic, reputation), and above all seen as a "business enabler" rather than a cost center: An organization's success is, in large part, driven by how wisely it takes risks and how effectively it manages them, so find ways to create and leverage programs that facilitate revenue goals, such as easy-to-use digital tools for external communication, interaction, and collaboration; still, the human is the master.
- The Board oversees Governance: Risk oversight should not be viewed as a process unto itself; it is the foundation for everything the board and management do to properly govern the organization and make sound decisions. Many boards frame their activities for the oversight of risk into two areas: oversight of enterprise risk programs (risk management), and oversight of critical risks and risk decisions (risk governance). The latter includes setting risk appetite and risk tolerances and monitoring strategic risks and related trends.
3. Metaphorically, Governance is “Steer”, Risk Management is “Brake”
- Governance is "Steer": The word governance derives from the Greek verb κυβερνάω [kubernáo], which means to steer. As a process, a reasonable or rational purpose of governance might be to assure (sometimes on behalf of others) that an organization produces a worthwhile pattern of good results while avoiding an undesirable pattern of bad circumstances. Hence, one could say that in order to avoid unwanted outcomes one has to steer the organization so as to achieve good results.
- Risk Management is "Brake": Although this has nothing to do with the lexical root, the purpose of a brake is not just to stop the car, but to let it run at the proper speed safely. "Risk is the unwanted subset of a set of uncertain outcomes," and risk taking is an aspect of social behavior. Then governance kicks in with the internal rules that are put in place. Risk Management is the mechanism to mitigate the impact of unexpected events effectively.
Corporate Governance focuses on oversight by a company's Board of Directors and shareholders, while Operational Governance supports effective decision-making by the management team. At the same time, Enterprise Risk Management provides a control mechanism that supports an adequate governance arrangement by helping risk owners identify key risk areas and devise appropriate mitigation plans. It can be concluded that ERM is part of the overall governance arrangement.