What is risk governance?
Risk governance is the system by which the board and senior management direct, authorize, and oversee how an enterprise confronts uncertainty. It defines who decides, on what basis, with which information, subject to which constraints, and accountable to whom.
In legal terms, risk governance expresses the duties of care, loyalty, and prudence through structures, mandates, and evidence. It determines the organization’s risk appetite and tolerance, approves the framework and resources for control, establishes the criteria for escalation and exception, and ensures independent assurance of effectiveness.
Risk management is the set of processes that operate within this system. It is the disciplined, repeatable, and continuously improving execution of policies, procedures, and controls for establishing context, identifying, assessing, evaluating, mitigating, monitoring, and reporting risks.
Risk governance allocates decision rights among the board, executive management, risk and compliance functions, business lines, and internal audit. It defines the independence and remit of second-line challenge, the scope of third-line assurance, and the conditions under which decisions must be escalated to a higher authority. Risk management then acts within those delegations to perform analyses, run scenarios, select and operate controls, and monitor indicators. When a tolerance threshold is breached, the governance design compels escalation and review. The management system provides the data, impact analysis, options, and recommendations.
Culture is principally a governance matter. The board and senior leadership shape incentives, tone, and consequences that determine whether issues surface early or are suppressed, and whether challenge is encouraged or penalized. Governance sets the conflict-of-interest policies and expectations for transparency and remediation. Risk management translates cultural intent into training, attestations, surveillance, disciplinary processes, and measurable indicators. When regulators or courts evaluate culture, they look for governance documentation that shows design, and for risk management evidence that shows operation.
Risk governance defines the perimeter of responsibility, including subsidiaries, joint ventures, and outsourced service providers. It designs audit rights, regulatory cooperation clauses, notification duties, data localization requirements, and termination strategies in contracts and intra-group service agreements. It also defines the oversight model for critical providers and shared services, including reporting obligations and consequences for breach. Risk management conducts due diligence, risk assessments, continuous monitoring, and testing in accordance with the risk governance requirements. If a vendor failure leads to a regulatory breach, the question is whether controls functioned, but also whether governance adequately designed the contractual and oversight environment.
In enforcement and litigation, authorities and courts ask who owned the risk, what information was presented to decision-makers, and how the organization responded to warning indicators. Risk governance provides the policies, procedures, minutes, and decision memoranda that demonstrate prudence, proportionality, and timeliness. Risk management provides the records of what has happened. An organization that can show both layers, sound governance directing sound management, has a defense grounded in process and execution.
Risk governance makes the trade-off decisions between growth and safety, speed and control, innovation and compliance. It sets the policy for model risk, data ethics, and the responsible use of artificial intelligence, determining which uses require heightened scrutiny, human-in-the-loop oversight, or outright prohibition. Risk management operationalizes the policy by cataloguing models, implementing monitoring for drift and bias, and enforcing change control.
The Three Lines Model is useful in understanding how risk governance and risk management interact in practice. Governance is the architecture of these lines and their interfaces, defining authority, responsibility, and assurance that connects operational execution to strategic oversight. It is through this architecture that an organization demonstrates the integrity of its control environment and the transparency of its accountability chain. The board of directors, as the ultimate governing body, establishes and maintains this structure, ensuring that each line operates with clarity of purpose, independence of function, and coherence of reporting.
The first line of defense includes those who own and manage risk as part of their day-to-day responsibilities. In this line are the business units, operational functions, and service providers who make decisions, design and deliver products or services, and operate the systems and processes that expose the organization to risk. Their primary duty is to identify, assess, and control risks within their activities, to adhere to approved policies and risk tolerances, and to report exposures and incidents accurately and promptly.
The second line of defense provides the standards, policies, and methodologies that ensure the first line performs its responsibilities in a controlled and consistent manner. This line includes the risk management and compliance functions. They establish the framework for risk assessment, monitor adherence to limits, evaluate the effectiveness of controls, and provide thematic reviews and expert interpretation of legal and regulatory requirements.
The independence of the second line is both a governance and a legal necessity. It must be sufficiently separate from the business it oversees to challenge it objectively, but also sufficiently integrated to understand its context.
The third line of defense, internal audit, provides independent and objective assurance to the board and senior management regarding the adequacy and effectiveness of both the first and second lines. It evaluates whether policies and procedures are followed, but also whether they are designed appropriately to achieve lawful and effective risk control.
The third line operates under a direct reporting line to the audit committee or the board, ensuring functional independence from executive management. Its work provides evidence of accountability, documenting whether the control environment functions as intended, and whether the risk governance system remains fit for purpose. In regulatory and legal terms, internal audit answers the question of verification, the ability of the organization to demonstrate that its risk management system is not only well designed, but also verified by an independent function.
Effective risk governance ensures that the interfaces between these lines are neither blurred nor fragmented. It defines where one line’s responsibility ends and another’s begins, avoiding both duplication and gaps.
Risk governance is the whole design, the architecture of authority, accountability, and assurance that defines how an organization exercises control under uncertainty. Within this design, the Three Lines Model provides a practical expression of structure. Risk management is located primarily within the second line of defense, functioning as the central oversight and coordination mechanism.
However, while risk management resides institutionally within the second line, it interacts continuously with all others. The first line executes the organization’s core activities and carries direct responsibility for adhering to the risk policies and tolerances set by the second line. The second line defines the methodologies, metrics, and escalation thresholds that keep operational conduct within appetite and compliant with law. The third line independently evaluates the effectiveness of both, reporting to the board whether the governance system functions as designed.
In simple words, risk governance is the entire design, including board oversight, organizational structure, policies, culture, reporting lines, and assurance mechanisms. Risk management represents a critical component within that design. Governance gives the system legitimacy and authority, and risk management gives it operational coherence.
Case Study: Risk Governance in the Corporate Sustainability Due Diligence Directive (CSDDD) of the EU
The CSDDD is a good example of risk governance in action. It extends beyond traditional risk management by requiring companies to integrate sustainability-related risks, ethical considerations, and stakeholder engagement into their governance structures.
Accountability in Risk Governance under the CSDDD
The Board of Directors and senior executives are now explicitly accountable for overseeing human rights and environmental due diligence. Companies must ensure compliance with sustainability obligations, not just operational risk management.
Directors' duties include considering the long-term sustainability impact when making decisions. For example, a multinational brand can no longer just outsource due diligence to suppliers. Instead, its Board is accountable for ensuring fair labor practices and environmental protection across its entire supply chain.
Decision-Making in Risk Governance under the CSDDD
The CSDDD formalizes risk governance structures, including mandatory risk due diligence processes for sustainability, decision-making mechanisms that integrate sustainability risks into corporate strategy, and a remediation framework for addressing human rights and environmental violations.
For example, a multinational mining company cannot simply react to environmental violations. It must implement a formal risk governance framework, including regular risk assessments, Board-level reviews of sustainability risks, and a clear escalation mechanism for handling supplier violations.
Stakeholders in Risk Governance under the CSDDD
The CSDDD asks companies to engage with stakeholders, such as local communities, workers and trade unions, NGOs, and regulators. Transparency obligations include public reporting on sustainability risks.
As an example, a car manufacturer sourcing cobalt for electric vehicle batteries must consult local communities in mining regions to assess and mitigate risks related to human rights violations and environmental harm.
Ethical Considerations in Risk Governance under the CSDDD
Companies must evaluate ethical risks related to forced labor, child exploitation, and environmental degradation. Failure to act on these risks can lead to legal liability, reputational damage, and financial penalties.
As an example, a global food company cannot ignore deforestation risks in its supply chain. It must ensure ethical sourcing policies and take action against suppliers contributing to illegal deforestation.
For some of our clients, the Corporate Sustainability Due Diligence Directive (CSDDD) feels less like risk management and more like fiction, full of unexpected obligations, mysterious due diligence quests, and the ever-present villain: compliance deadlines. If this sounds like a joke, it is not. You can find more below:
Corporate Sustainability Due Diligence Directive (CSDDD): https://www.corporate-sustainability-due-diligence-directive.com
This website (above) is owned and updated by Cyber Risk GmbH (Dammstrasse 16, 8810 Horgen, Switzerland, Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341), a strategic partner of the IARCP.
Case Study: Risk Governance in the U.S. Uyghur Forced Labor Prevention Act (UFLPA)
The U.S. Uyghur Forced Labor Prevention Act (UFLPA), enacted in 2021, is a prime example of how risk governance extends beyond traditional risk management. Like the Corporate Sustainability Due Diligence Directive (CSDDD) in the EU, the UFLPA requires companies to integrate human rights due diligence, supply chain transparency, and ethical considerations into corporate governance.
Both the UFLPA and the CSDDD require corporate Boards and senior executives to take accountability for supply chain risks and actively manage and disclose these risks. Both laws mandate supply chain transparency and require companies to investigate, mitigate, and report risks related to human rights violations. Firms must engage with regulators, investors, NGOs, and consumers and publicly disclose their actions. Failure to comply in both cases can lead to fines, trade restrictions, legal action, and reputational damage.
New job descriptions
Job Description: Supply Chain Due Diligence & Ethical Sourcing Risk Manager
Job Summary (example): We are seeking a Supply Chain Due Diligence and Ethical Sourcing Risk Manager to lead and enhance our supply chain risk governance, regulatory compliance, and ethical sourcing strategies. This role ensures that our global supply chains comply with human rights, sustainability, and trade regulations, such as:
- Corporate Sustainability Due Diligence Directive (CSDDD) (EU)
- Uyghur Forced Labor Prevention Act (UFLPA) (U.S.)
- German Supply Chain Due Diligence Act (LkSG)
- UK Modern Slavery Act
The ideal candidate will understand supply chain transparency, ethical sourcing policies, and risk mitigation strategies while engaging with suppliers, auditors, regulators, and internal stakeholders.
Key Responsibilities. The ideal candidate must:
1. Develop and implement due diligence processes to assess human rights, environmental, and labor risks in global supply chains.
2. Conduct risk mapping of suppliers across multiple tiers to identify vulnerabilities.
3. Collaborate with internal teams, auditors, and third-party verification bodies to ensure compliance.
4. Oversee supplier audits and on-site assessments to validate ethical sourcing.
5. Ensure corporate compliance with CSDDD, UFLPA, LkSG, and other international supply chain laws.
6. Lead reporting and documentation efforts for regulatory bodies, investors, and customers.
7. Establish frameworks for legal liability protection related to supply chain risks.
8. Engage with government agencies, trade organizations, and NGOs on regulatory developments.
9. Build and maintain strong relationships with suppliers, manufacturers, and logistics partners to promote compliance and ethical standards.
10. Develop supplier training programs on due diligence, human rights, and sustainable sourcing.
11. Work with procurement teams to integrate ethical sourcing into supplier selection and contracts. Act as a liaison between internal risk, legal, sustainability, and procurement teams.
12. Establish real-time monitoring systems to track supply chain risks.
13. Manage internal and external ESG (Environmental, Social, Governance) reporting, including sustainability disclosures.
14. Create supply chain risk dashboards and Key Risk Indicators (KRIs) for senior leadership.
15. Prepare annual due diligence reports for stakeholders and regulatory bodies.
16. Develop strategies for remediating supplier non-compliance while maintaining business continuity.
17. Collaborate with legal teams on supplier contract enforcement and risk mitigation.
18. Recommend alternative sourcing solutions for high-risk regions and industries.
Career Growth Opportunities: This role provides a path to Director of Supply Chain Risk Governance, Chief Sustainability Officer (CSO), or Head of Corporate Compliance.
Is this fiction? No. In March 2025, a visit to indeed.com turned up over 1,300 job listings related to supply chain due diligence. On LinkedIn there were more than 400 job openings in the United States for ethical sourcing positions. On ZipRecruiter, there were 9,600 job listings for supply chain due diligence roles, highlighting the demand for expertise in this area. McKinsey & Company was hiring a Sourcing Specialist focused on environmental sustainability.
Membership and certification
In the Reading Room (RR) of the association you can find our newsletter.