Authors
Rain dennise Lumucso | Research Specialist, S&P Global Sustainable1

According to the World Economic Forum, the world faces several risks that stakeholders perceive as potential triggers for an immediate global crisis, including state-based armed conflict, geoeconomic confrontation, extreme weather events, misinformation and disinformation, and societal polarization. To address these risks, companies, governments and civil societies might pursue diplomatic efforts, economic diversification, climate action, media literacy, fact-checking, community engagement and inclusive policies to promote stability and resilience. 

Effective risk management is crucial for a business’s success as it helps identify, assess and mitigate potential threats. It enables informed decision-making, ensures financial stability and builds trust with stakeholders, fostering long-term success. A structured approach, such as a risk governance framework, is essential for effective risk management. This framework helps organizations systematically identify, assess, manage and monitor risks. 

Central to this framework is the involvement of a dedicated role or committee at the board level, tasked with overseeing risk management. The framework typically incorporates the three lines of defense model: operational risk ownership (first line), risk management and compliance oversight (second line) and an independent audit unit (third line). The first and second lines execute and monitor risk management activities, while the third line operates independently to assess the effectiveness of these processes. To ensure success, collaboration between the board and senior management is vital. While the board holds ultimate responsibility for risk management, senior management must translate the board’s strategic direction into suitable policies and ensure their implementation and monitoring.

Within our ESG Scores and data, underpinned by the S&P Global Corporate Sustainability Assessment (CSA), we assess whether companies are adopting risk governance frameworks and the extent to which these frameworks include board-level risk oversight or dedicated operational risk management functions — the first, second and third lines of defense.

The CSA is an annual evaluation of sustainability practices covering about 14,000 companies from around the world. In this review, we analyze the risk governance frameworks of 12,269 public companies.

According to Figure 1, on average, 75% of companies have a risk governance framework in place. The financial sector leads the way by a notable margin, with 90% of companies reporting on their risk governance frameworks. This high prevalence may be linked to the stringent legal and regulatory requirements that financial institutions face, necessitating robust risk management. Utilities also have a high percentage of publicly reported risk governance frameworks. Utility infrastructure is fundamental to the functioning of governments and societies as a whole; therefore, their capacity to deal with regulatory, market and environmental risks — fluctuations in energy prices, competition, extreme weather events and climate change — is crucial. In contrast, the healthcare sector, which emphasizes innovation, especially in the initial development stage of a company, has a significantly lower implementation of risk governance frameworks.

While most companies publicly report having a risk governance framework, not all frameworks are equally developed in terms of oversight and dedicated functions. Figure 2 shows that 49% of companies have established dedicated board-level risk oversight, demonstrating a clear line of accountability for risk management at the highest level of the organization. In contrast, only 30% of companies have established a first line of defense responsible for executing risk management activities. Additionally, 45% have a second line, focused on monitoring and supporting these activities, while 40% have implemented a third line, which operates independently to evaluate the effectiveness of risk management processes. This gap highlights that, although companies emphasize high-level risk oversight, there is a significant opportunity to enhance their operational risk management practices.

Having a dedicated role or committee at the board level for risk oversight, along with a specific operational risk management function, enables companies to navigate an increasingly complex risk landscape. This instills confidence among stakeholders, including investors and customers. The data indicates room for improvement, as less than half of the assessed companies have designated operational processes for risk management in terms of the first, second and third lines of defense. By addressing these gaps, companies can better navigate today’s risks and strengthen their resilience while enhancing their capacity to achieve sustainability-related goals. Ultimately, prioritizing risk governance will be crucial for organizations aiming to thrive in uncertainty. 

Corporate Sustainability Assessment

The S&P Global Corporate Sustainability Assessment (CSA) leads the field in helping companies make the link between sustainability and their business strategies.