Chapter 2 — Governance, Risk Management and Organizational Structure

Governance frameworks, board oversight, ERM integration, risk appetite, and risk governance

1. Describe how an organization should select, adapt, and integrate a governance framework (e.g., COSO ERM, ISO 31000) to ensure consistent board oversight across multiple business lines and jurisdictions.
2. Critically evaluate the roles and limits of the board of directors in establishing and monitoring enterprise risk appetite for a multinational financial institution.
3. Explain how ERM can be embedded into strategic planning such that risk considerations materially change strategy selection and resource allocation.
4. Discuss the mechanisms by which internal audit should provide independent assurance on both the design and operating effectiveness of an organization’s risk governance structure.
5. Propose a method to cascade a single enterprise risk appetite statement into meaningful unit-level tolerances while preserving aggregation integrity.
6. Analyze the tension between short-term performance targets and long-term risk appetite, and recommend governance changes to mitigate misalignment.
7. Develop a governance maturity model for risk governance; include the criteria to move from reactive to anticipatory risk management.
8. Explain how the board’s composition, skills matrix, and committee structure should change when an organization transitions from domestic to global operations.
9. Describe the steps and governance controls to integrate third-party and supply-chain risks into enterprise-level risk assessment and reporting.
10. Assess how a board should oversee emerging technology risks (AI, machine learning models) including model risk, bias, and explainability concerns.
11. Construct an assurance map that shows how different assurance providers (internal audit, risk management, compliance, external audit) coordinate to cover major enterprise risks without duplication.
12. Explain the governance implications of delegating significant risk-taking authority to a Chief Risk Officer who also has profit-and-loss responsibilities.
13. Critically discuss principles and trade-offs when defining quantitative versus qualitative risk appetite measures for reputational and strategic risks.
14. Describe how stress testing and scenario analysis should be governed to validate whether the current risk appetite remains fit for purpose under plausible extreme events.
15. Propose a governance approach for reconciling regulator-imposed constraints with management’s stated risk appetite in a highly regulated industry.
16. Examine how internal audit should evaluate the effectiveness of risk appetite communication and reinforcement throughout the organization.
17. Design a board-level reporting package that provides actionable oversight of aggregate risk exposure, concentrations, and risk trend drivers.
18. Explain how risk governance should change during mergers and acquisitions, from due diligence through post-merger integration.
19. Analyze how incentive systems (compensation, promotions, bonus structures) should be governed to align behaviors with stated risk appetite.
20. Discuss the board’s role in establishing and approving a risk taxonomy and the governance practices required to keep it current.
21. Describe governance practices that ensure reliable risk data and analytics (risk data architecture, lineage, quality) for ERM decision-making.
22. Explain how the board should monitor the organization’s residual risk profile and require remediation where residual risk exceeds approved thresholds.
23. Critically evaluate the independence and reporting lines of risk management versus internal audit and their governance implications.
24. Propose governance steps to integrate ESG-related risks into the enterprise risk appetite and reporting cycles.
25. Describe an escalation framework for critical risks, including triggers, timelines, and the board’s intervention thresholds.
26. Discuss how to govern concentration risk (clients, products, geographies) to prevent systemic exposures that breach appetite limits.
27. Explain how a board should verify that management has appropriately modelled, quantified, and aggregated risks for capital allocation decisions.
28. Design a governance mechanism for ensuring consistent risk definitions and measurement across decentralized business units.
29. Analyze the governance implications of allowing line managers discretionary exceptions to the enterprise risk policies.
30. Explain how risk culture should be assessed and governed, including leading indicators the board can use to sense cultural drift.
31. Propose a governance framework that integrates business continuity planning (BCP) and ERM to preserve critical operations during crises.
32. Discuss how the audit committee and risk committee should coordinate oversight while avoiding gaps or overlaps.
33. Describe governance controls for validating the scenario selection process used in enterprise stress testing.
34. Explain how to govern reputational risk when reputational impacts are non-linear and subject to social media amplification.
35. Evaluate the governance challenges in aggregating cyber risk across the enterprise and propose reporting remedies for the board.
36. Construct a governance checklist for board review when the organization seeks to change its overall risk appetite.
37. Discuss how to incorporate qualitative expert judgment into quantitative enterprise risk models while preserving governance rigor.
38. Propose governance standards for third-party risk transfer such as insurance, hedging, and contractual indemnities.
39. Explain the governance responsibilities for ensuring consistent risk ownership and accountability across matrix structures.
40. Analyze how boards should oversee the use of risk-adjusted performance metrics in budget-setting and capital allocation.
41. Describe how the board should ensure that management’s strategic risk acceptance does not create conflicts with legal or regulatory obligations.
42. Propose governance metrics (KRIs) that a board could require to monitor the adequacy of risk controls in a high-growth company.
43. Explain how to govern model risk for pricing and valuation models that materially influence financial results.
44. Discuss governance approaches to manage and approve the organization’s risk taxonomy changes when new business models emerge.
45. Describe how leading versus lagging indicators should be governed and balanced in board reporting to provide early warning signals.
46. Propose a governance process to validate remediation effectiveness when significant risk-control failures have occurred.
47. Analyze the governance trade-offs between centralized ERM versus line-owned risk management in a federated organization.
48. Explain how the board should oversee the integrity and independence of whistleblowing channels as part of risk governance.
49. Describe governance safeguards for risk data aggregation systems to prevent manipulation and misreporting.
50. Discuss how to design a board workshop to recalibrate enterprise risk appetite following a strategic pivot.
51. Propose governance protocols for cross-border data privacy and security risk management in a multinational enterprise.
52. Explain how boards should oversee reputational risk stress tests and incorporate outcomes into appetite settings.
53. Analyze governance issues when regulators and investors have differing expectations about acceptable risk levels.
54. Describe the governance responsibilities related to ethical risk and conduct risk in financial services organizations.
55. Propose a governance approach to manage accumulation risk arising from correlated exposures across business lines.
56. Explain how internal audit can evaluate the sufficiency of risk governance for outsourcing and cloud service usage.
57. Discuss how the board should govern the trade-off between speed-to-market and compliance with risk controls in digital transformations.
58. Describe governance practices for aligning enterprise risk appetite with enterprise sustainability commitments.
59. Propose governance guidance for determining which emerging risks should be promoted from “watchlist” to “active” in the risk register.
60. Explain how scenario plausibility should be governed and who should approve the extreme-event scenarios used for policymaking.
61. Analyze the governance implications of using risk transfer mechanisms that shift risk without reducing underlying exposures.
62. Describe how boards should assess management’s capacity to respond to a simultaneous multi-risk event (cyber + supply chain + reputational shock).
63. Propose a governance structure for ensuring conflicts of interest are identified and managed in strategic risk-taking.
64. Explain the role of the board in overseeing the alignment between the organization’s mission/values and its risk-taking behaviours.
65. Discuss governance practices for dynamic risk appetite that changes with macroeconomic cycles and business phases.
66. Describe how the board should evaluate the credibility of management’s risk mitigations when approving new strategic initiatives.
67. Propose governance indicators that reflect the effectiveness of the three lines of defense in practice, not just on paper.
68. Explain governance measures to ensure risk appetite is understood by external stakeholders such as investors and regulators.
69. Analyze how the board should...