Directors’ Duties and Risk Governance

  • Sergio Beretta
Conference paper
Part of the Springer Proceedings in Business and Economics book series (SPBE)


In recent years, growing expectations from financial markets, increasing requirements by regulators and dedicated guidelines on risk governance have raised the bar for board involvement in the management of risks. Board risk oversight refers to the practices used by directors to define the appropriate level of risk for their companies, to communicate appetite for risk, and to oversee the institution and functioning of controls aimed at keeping the company operating within established boundaries. Managerial literature offers anecdotal evidence that board risk oversight is mainly driven by the search for compliance with regulatory requirements, thus turning a value creation mechanism into an ineffective bureaucratic exercise. The inadequate risk culture of most boards is often reported as the main determinant of the gap between the expected and the actual effectiveness of board risk oversight. We provide an additional explanation based on a review of the leading guidance on corporate governance. We contend that the image of board risk oversight marketed through most of the governance literature is a simplified, unrealistic representation of a complex set of activities whose effectiveness depends on the solution of theoretical as well as practical problems. In our view, leading risk management frameworks and guidance do not address most of those critical issues but merely provide one-size-fits-all solutions that are frequently derived from concepts and practices developed in highly regulated industries and later transferred to different and distant industries without adequate contextualization. We argue that this practice has led to some significant biases that make the implementation of risk oversight in different contexts less effective than in the original context. We also re-examine board risk oversight in the light of directors’ fiduciary duties.
We contend that the well-established jurisprudential orientation of courts, inspired by the business judgment rule, may even encourage boards to be uninformed of aggressive risk-taking by officers and management. Nonetheless, recent jurisprudence seems to reconsider directors’ responsibility (and liability) for risk oversight, apparently recognising the conflict between the weak fiduciary standards set by previous jurisprudence and the increasing requests from investors for boards to play a more active role.


Keywords: Risk governance; Board risk oversight; Risk appetite



The Author acknowledges the financial support of the Accounting Department of Bocconi University. The Author thanks Marco Ventoruzzo (Department of Legal Studies, Bocconi University) for sharing his views on the topic and for providing useful comments.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Accounting Department, Bocconi University, Milan, Italy
