Corporate Governance and Risk Management

The 20th century was the era of a preoccupation with management. There were a lot of management theories, management consultants and even management gurus. However, the primary focus for the 21st century will be corporate governance. Corporate governance is about the way power is exercised over corporate entities, all of which have to be governed. They all need a governing body. In the case of companies, the governing bodies are the boards of directors. Corporate governance covers the activities of the boards and their relationships with the shareholders or members, and also with the company’s managers, external auditors, regulators, and other legitimate stakeholders.

Corporate governance is not the same as management. Executive management is responsible for running the enterprise, but the governing body is responsible for ensuring that the company is run in the right direction and that it is being run well. Directors set the organization’s direction, formulate strategy, and make policies. The board supervises management, which means that it is responsible for the organization’s decisions and its performance.

The board of directors is also responsible for enterprise risk management and for assuring business continuity. Failure in some critical area of business can expose a company to strategic risk and threaten business continuity.

Companies add value in different ways to achieve their corporate goals. However, some studies have shown that some outside directors did not know where value is added in their company. Consequently, they did not know how and where the company was exposed to strategic risk. That means that the most significant risks for the company may be the least well understood by the boards.

Identification and assessment of critical risks must be crucial activities for the boards. Directors should understand how value is added within their business. They should know the company’s critical exposure to risks and also what policies are in place to manage those risks. Managers can handle managerial and operational risks, while the board of directors should ensure that the enterprise risk management policies and systems are working. Decisions about risks at the strategic level should not be delegated to managers, because they are an essential part of the board’s responsibility for formulating the company’s strategy. The conclusion is that corporate governance involves creating business value while managing enterprise risks.

Board-level commitment to enterprise risk assessment has been reinforced by the global financial crisis. In 2004, in the United States, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission provided an integrated framework for enterprise risk management, building on the 2002 Sarbanes-Oxley Act. It states that “an entity’s board of directors plays a critical role in overseeing an enterprise-wide approach to risk management.”

COSO’s Enterprise Risk Management Framework [1] highlights four areas that contribute to board oversight of enterprise risk management:

  • understanding the entity’s risk philosophy and concurring with the entity’s risk appetite
  • knowing the extent to which management has established effective enterprise risk management of the organization
  • reviewing the entity’s portfolio of risk and considering it against the entity’s risk appetite
  • being apprised of the most significant risks and of whether management is responding appropriately.

Every board has a duty to ensure that:

  • significant risks facing its company are recognized
  • risk assessment systems exist and are effective throughout the organization
  • risk evaluation procedures are developed and operational
  • risk monitoring systems are robust, efficient and effective
  • business continuity strategies and risk management policies exist, are regularly updated, and are applied in practice

Boards of directors have a responsibility to recognize, understand and accept the risk profile inherent in their corporate strategies.

In every organization, risks arise at various levels. There are:

  • corporate strategic risks – exposure to threats from outside the organization
  • management-level risks – exposure to risks arising from the organization’s activities
  • operational risks – exposure to hazards within the enterprise

Risks arising from the (mis)use of information systems and information technology may appear at all three levels, but are mostly recognized as operational risks. Information system malfunctions may severely endanger business continuity and information security. These risks must be taken seriously. The treatment of these specific risks will be described in more detail in another article.


[1] An executive summary of COSO's Enterprise Risk Management Integrated Framework provides an overview of the key principles for effective enterprise risk management and is available for free online at


Suzana Stojaković – Čelustka, PhD, is an expert in the field of information security. Some of her related duties were: CEO of CARNet CERT (Croatian Academic and Research Network Computer Emergency Response Team) in 1997, CEO of the CARNet Department for security of computer networks in 1998, assistant for information security related jobs in the Office for internetization of the Croatian Government from 2002 to 2004, senior advisor for information security in the Central State Office for e-Croatia, including development of the National program of information security in the Republic of Croatia, from 2004 to 2006, and CISO (Chief Information Security Officer) at the Croatian Bank for Reconstruction and Development (current position).

She is also a lecturer on information security topics on various occasions and an editor at the Croatian Information Security Portal ( She received her BSEE and M.Sc. at the Faculty of Electrotechnical Engineering, University of Zagreb, Croatia, and her Ph.D. at the Faculty of Electrical Engineering, Czech Technical University of Prague, Czech Republic. Her Ph.D. thesis, Building Secure Information Systems, can be found at Her other interests include research in computer architecture, distributed systems (networking), algorithmics, artificial intelligence and artificial life.

She is an active member of IFIP W.G. 9.6/11.7 (Working Group 9.6/11.7 – Information Technology Mis-Use and the Law, IFIP Technical Committee 9 – Relationship between Computers and Society) and IFIP W.G. 16.5 (Working Group 16.5 – Social and Ethical Issues in Entertainment Computing – IFIP Specialist Group on Entertainment Computing).

Comments (2)
  • Rubina - Management, Governance and ICT

    Assuming that the research focus is shifting from management to governance, what does this mean for ICT? Is there any impact?

    Thank you.

  • Rubina - directors did not know where value is added

    "...some studies have shown that some outside directors did not know where value is added in their company..."

    Could you please give us these references?

    Thank you.
