Book 1. Foundations of Risk Management

FRM Part 1

FRM 3. The Governance of Risk Management

Presented by: Sudhanshu

Module 1. Corporate Governance and Risk Management

Module 2. Risk Governance Implementation

Module 1. Corporate Governance and Risk Management

Topic 1. Introduction to Corporate Governance and SOX

Topic 2. Lessons From the 2007-2009 Financial Crisis

Topic 3. Sound Risk Management Practices

Topic 4. Basel Accords Timeline

Topic 5. BCBS 2015 Governance Guidelines

Topic 6. Dodd-Frank Act (2010)

Topic 7. Best Practices in Corporate Governance

Topic 8. Risk Management Duties of the Board

Topic 1. Introduction to Corporate Governance and SOX

  • Corporate governance refers to the system of rules and practices guiding company management.

  • Key stakeholders: Shareholders, senior management, board of directors.

  • Corporate scandals (Enron, WorldCom) led to the Sarbanes-Oxley Act (2002):

    • CEO/CFO must certify financial statements.

    • Enhanced internal controls.

    • Independent audit committees.

  • EU approach: “Comply-or-explain” rather than rigid legislation.

Topic 2. Lessons from the 2007–2009 Financial Crisis

  • 2007–09 financial crisis revealed:

    • Diverse stakeholders with competing interests.

    • Board independence and industry expertise had little impact on outcomes.

    • Weak board oversight.

    • Lack of clear risk appetite and communication.

    • Short-term incentives misaligned with long-term health.

  • Result: Emphasis on proactive risk governance and transparency.

Practice Questions: Q1

Q1. Which of the following statements was a lesson learned in the aftermath of the financial crisis of 2007–2009?

A. Firms need to prioritize stakeholder interests when diverse/competing stakeholder goals are present.

B. There should be independence on the board of directors, and the role of chief executive officer (CEO) and chairperson should be combined when possible.

C. It is the firm stakeholders who bear the responsibility to clearly articulate an enterprise-level risk appetite.

D. The chief risk officer should exercise control over management compensation regimes to not incentivize undesired risk-taking behavior.

Practice Questions: Q1 Answer

Explanation: A is correct.

When a firm has a diverse group of stakeholders with potentially competing interests, the board needs to decide which stakeholder goals take priority. The board should include independent members, but the role of CEO and chairperson should be separated if possible.

When they are combined, there is a potential governance issue because the chairperson cannot effectively supervise the CEO if they are the same person. The board of directors is responsible for articulating enterprise-level risk appetite. Its decision is usually informed by the work of the risk committee. The board should exercise control over management compensation regimes so that they do not incentivize undesired risk-taking behavior.

Topic 3. Sound Risk Management Practices

  • Shift focus to economic (not just accounting) performance.

  • Embed risk management into strategic planning.

  • Key board responsibilities:

    • Define and communicate enterprise risk appetite.

    • Oversee CRO and risk committee.

    • Continuously monitor risk exposures.

Topic 4. Basel Accords Timeline

  • Basel I (1988): 8% capital ratio for credit risk.

  • Basel II (2006): Covered credit, market, and operational risk.

  • Basel III (2010 onward):

    • Tightened Tier 1 capital definition.

    • Introduced LCR, NSFR, and leverage ratio.

    • Emphasized systemic risk reduction and stress testing.

Topic 5. BCBS 2015 Governance Guidelines

  • 12 principles including:

    1. Responsibility of the board of directors.

    2. Board composition.

    3. Policies of the board.

    4. Senior management.

    5. Governance for a conglomerate.

    6. Risk management function.

    7. Risk identification, monitoring, and control.

    8. Risk communication.

    9. Compliance.

    10. Internal audit.

    11. Compensation.

    12. Disclosure.

Topic 6. Dodd-Frank Act (2010)

  • Enacted in response to the 2008 crisis; focused on financial system stability.

  • Seven key elements:

    1. Oversight of systemically important financial institutions (SIFIs) by the Federal Reserve.

    2. Ended the “too big to fail” theory.

    3. “Living wills” and resolution plans.

    4. Transparency in derivatives markets.

    5. Volcker Rule: Ban on proprietary trading.

    6. Consumer Financial Protection Bureau (CFPB).

    7. Mandatory derivatives clearing and stress testing.

Topic 7. Best Practices in Corporate Governance

  • Board composition:

    • Independent majority.

    • Chairperson ≠ CEO.

  • Address agency risk via clawbacks, deferred bonuses.

  • Establish CRO and risk committee.

  • Focus on long-term stakeholder value over short-term gains.

Topic 8. Risk Management Duties of the Board

  • Set and communicate risk appetite.

  • Decide whether risks should be retained, transferred, or mitigated.

  • Ensure integration of risk goals with business objectives.

  • Oversee committee functions and ensure risk governance is implemented effectively.

Practice Questions: Q2

Q2. Which of the following statements is not a key responsibility of the board of directors relative to risk management?

A. Establish an enterprise-level risk appetite.

B. Establish an audit committee, which is chaired by the firm’s chief financial officer (CFO).

C. Establish a risk committee to inform the risk management process for the full board.

D. Establish and maintain a chief risk officer (CRO) role that reports to the chief executive officer (CEO) but retains full access to the board.

Practice Questions: Q2 Answer

Explanation: B is correct.

The board of directors does establish an enterprise-level risk appetite. They should establish an audit committee, but it must be independent from management. It would be a conflict of interest to have the CFO on the committee, much less acting as the committee chair.

The risk committee is a subset of the full board, and it informs the risk management process for the full board. Another responsibility is to create a CRO role that reports to the CEO but retains access to the full board if any issues arise.

Module 2. Risk Governance Implementation

Topic 1. Risk Advisory Director

Topic 2. Risk Management Committee

Topic 3. Compensation Committee

Topic 4. Risk Appetite vs. Business Strategy

Topic 5. Interdependence of Functional Units

Topic 6. Role of the Audit Committee

Topic 1. Risk Advisory Director

  • Appointed when board lacks specific industry risk knowledge.

  • Attends audit and risk committee meetings.

  • Liaison between board and senior management.

  • Educates board on governance and risk exposures.

  • Board's duties include reviewing and analyzing:

    • The firm’s risk management policies

    • The firm’s periodic risk management reports

    • The firm’s risk appetite and its impact on business strategy

    • The firm’s internal controls

    • The firm’s financial statements and disclosures

    • The firm’s related parties and related party transactions

    • Any audit reports from internal or external audits

    • Corporate governance best practices for the industry

    • Risk management practices of competitors and the industry

Practice Questions: Q3

Q3. The role of a risk advisory director is to:

A. lead the compensation committee.

B. assume responsibility for setting the enterprise-level risk appetite.

C. provide advice to the executive team of the company.

D. provide risk-oriented expertise to the board when it is primarily comprised of people from industries unrelated to the subject firm.

Practice Questions: Q3 Answer

Explanation: D is correct.

A risk advisory director is a board member who is brought in specifically to provide industry-specific risk expertise to board members who are from other industries. This individual is a member of the full board and may be placed on other committees such as the compensation committee, the risk committee, or the audit committee, without any requirement to lead them. This person’s role is to advise the board and not just the executive team.

Topic 2. Risk Management Committee

  • Subcommittee of the board.

  • Approves risk appetite and policy.

  • Engages with CRO and auditors to monitor exposure.

  • Oversees high-risk decisions like large credit approvals.

Topic 3. Compensation Committee

  • Independent of management.

  • Ensures alignment of pay with long-term risk and performance.

  • Tools: Clawbacks, deferred pay, bonus bonds.

  • Avoids incentives that promote short-term risk-taking.

Topic 4. Risk Appetite vs. Business Strategy

  • Risk appetite must reflect strategy:

    • Lending? → Credit risk controls.

    • Expansion? → Operational risk planning.

  • CRO oversees risk limit breaches and escalations.

  • Use of VaR and stress testing to align risk with strategy.

  • Introduction of bonus bonds by compensation committees.

Practice Questions: Q4

Q4. Which of the following statements regarding the firm’s risk appetite and/or its business strategy is most accurate?

A. The firm’s risk appetite does not consider its willingness to accept risk.

B. The board needs to work with management to develop the firm’s overall strategic plan.

C. Management will set the firm’s risk appetite and the board will provide its approval of the strategic plan.

D. Management should obtain the risk management team’s approval once the business planning process is finalized.

Practice Questions: Q4 Answer

Explanation: B is correct.

The board needs to develop/approve the firm’s risk appetite as well as assist management in developing the firm’s overall strategic plan. The firm’s risk appetite considers its willingness to accept risk.

Both management and the board will set the firm’s risk appetite. Management should involve the risk management team in the business planning process right from the outset to ensure consistency between risk appetite and business strategy.

Topic 5. Interdependence of Functional Units

  • Senior Management: Sets policy and evaluates outcomes.

  • Business Units: Execute policy and flag breaches.

  • Finance/Operations: Hedge risk, manage capital.

  • CRO: Coordinates, monitors, and reports on risk.

Practice Questions: Q5

Q5. The various functional units of a firm are highly interconnected. Which unit is responsible for executing risk mitigation and transfer?

A. Senior management.

B. Individual business units.

C. Finance and operations.

D. Risk management office.

Practice Questions: Q5 Answer

Explanation: C is correct.

Each functional unit has a role to play. Senior management sets risk policy. Business units implement risk policy. The finance and operations unit executes risk mitigation and transfer strategies, while the risk management office supervises and manages the overall risk management process.

Topic 6. Role of the Audit Committee

  • Ensures accuracy of financials and compliance.

  • Validates internal risk models (e.g., VaR).

  • Assesses control systems and disclosure quality.

  • Must be independent and financially literate.

Practice Questions: Q6

Q6. Which of the following statements regarding the role of the firm’s audit committee is most accurate?

A. At least one member of the audit committee must possess sufficient financial knowledge.

B. The audit committee has responsibilities related to the firm’s risk management process.

C. The audit committee is only responsible for the accuracy of the financial statements.

D. The audit committee is meant to work dependently with management.

Practice Questions: Q6 Answer

Explanation: B is correct.

The audit committee has responsibilities related to the firm’s risk management process. All members of the audit committee, not just one, must be financially literate. The audit committee is responsible for the accuracy of the financial statements, but that alone does not comprise its main responsibility.

Additionally, the audit committee monitors the underlying systems in place regarding financial reporting, regulatory compliance, internal controls, and risk management. The audit committee is largely meant to be independent of management, but it should work with management and communicate frequently to ensure that any issues arising are addressed and resolved.

By Prateek Yadav
