Board Governance and Accountability: Strengthening Oversight and Leadership Responsibilities
- Julien Haye
- Nov 16, 2020
- 13 min read
Updated: May 22

Could RBS, Lehman Brothers, and other failed financial institutions have survived—if not for the collapse of board oversight?
The Financial Services Authority provided excellent insights on the RBS bankruptcy and its subsequent £45bn UK Government bailout, outlining the importance of adequate Board governance and accountability. Whilst recognising the context in which certain decisions were made, the report also pointed to the lack of understanding of the risks involved and issues with skills and experience, as well as poor risk culture, especially in the context of the ABN AMRO acquisition.
Though the RBS case dates back more than 15 years, it remains a key reference point in understanding how systemic failures in governance can lead to large-scale institutional collapse. It also triggered a wave of regulatory reforms that continue to shape today’s expectations of Board and Senior Management accountability, including the UK’s Senior Managers and Certification Regime (SMCR).
Following the 2007–08 financial crisis, many regulators increased their requirements on Boards of Directors and Senior Management, and specifically targeted individual roles and responsibilities. Though many enforcement actions and fines were directed at financial firms, far fewer individuals were held to account. This was primarily due to the lack of linkage between control or process failures and individuals’ responsibilities, which enabled senior managers to claim that someone else was responsible. To quote Martin Wheatley, the former Chief Executive of the UK Financial Conduct Authority:
“Industries characterised by weak accountability, or by individuals seeking to protect themselves on a ‘Murder on the Orient Express’ defence (it wasn’t me, it could have been anyone), are almost invariably less financially stable and more prone to misconduct.”
This change in regulatory focus forced many financial institutions to enhance and align both governance and integrated risk management capabilities to support these new responsibilities. As a result, Board governance requirements have been overhauled, including upgrading membership, enhancing risk decision-making accountabilities, and ensuring that governance information is challenged to enable effective oversight of the risks within their organisation.
This article will first explore both Board and Senior Management risk oversight responsibilities for regulated and non-regulated firms. Then, it will look at good practices in terms of Board composition and supporting governance structure. Finally, practical guidance will be provided on developing relevant risk management frameworks and systems, aligned to Board governance and accountability expectations and designed to protect the firm and its key stakeholders.
Board Governance and Senior Management Accountability
The Board of Directors is ultimately accountable to the shareholders of the firm. It is appointed to define and oversee the strategy and structure and capabilities of the firm, and to ensure, through effective delegation to senior management, the day-to-day management of the firm. Directors look after the affairs of the company and are in a position of trust. Local legislators impose many duties, responsibilities, and burdens upon directors to enforce their fiduciary obligations.
For more on how leadership behaviours influence risk oversight, read Risk Oversight? The Billion Dollar Question.
The National Association of Corporate Directors (NACD) identified ten principles to underpin effective board governance and accountability. These are applicable to all types of firms and provide useful guidance for designing both risk management systems and governance structures. These include:
- Understanding the company’s key drivers of success
- Assessing the risks in the company strategy
- Defining the role of the full Board, and its standing committees, in relation to risk oversight
- Considering whether the company’s risk management system, including people and processes, is appropriate and sufficiently resourced
- Working with management to agree on the type and format of risk information the Board requires
- Encouraging dynamic and constructive risk dialogue between management and the Board, including a willingness to challenge assumptions
- Monitoring potential risks to the company’s culture and its incentive structures
- Ensuring critical alignment across strategy, risk, controls, compliance, incentives, and people
- Considering emerging and interrelated risks
- Periodically assessing the Board’s own risk oversight processes to determine whether they meet their objectives
Financially regulated firms have additional requirements they must comply with. The Board of Directors must ensure that appropriate mechanisms and frameworks are in place to monitor adherence to the granted licences. Being a registered firm may also require regular Internal Capital or Liquidity Adequacy Assessment Processes. Without going into the details of these regulated processes, the Board should, at a minimum, ensure the firm has a documented business strategy and financial plan, appropriate corporate governance arrangements, and risk and treasury frameworks to identify, assess, manage, and monitor its risk and capital or liquidity position.
To enable effective governance and oversight, delegated duties and responsibilities to Senior Management should be clearly defined and regularly monitored. These delegated duties underpin Senior Management’s oversight role, including the day-to-day management of risk. Senior managers are accountable for the risks arising from the activities within their remit, from running the business and managing processes to oversight of employees, contractors, or vendors. They are expected to have tools in place to monitor their risks, implement mitigation activities, and escalate any risk falling outside of appetite or tolerance. In the UK, the Senior Managers and Certification Regime (SMCR) has significantly increased transparency around accountability structures. It introduced the Responsibility Map, a Statement of Responsibilities, and a statutory Duty of Responsibility. These mechanisms require senior management to take reasonable steps to prevent regulatory breaches and support a sound organisational culture. In combination, they create a strong incentive for senior managers to clarify their responsibilities and identify the mechanisms used to manage them.
Boards of Directors and Senior Managers face a structural challenge when implementing effective oversight. Directors are typically accountable for risks from a legal entity standpoint, while senior managers often assess risk through a functional lens. These perspectives frequently do not align. The challenge is often amplified by the operating model and legal entity structure that financial firms adopt, creating complex relationships between parent and subsidiary entities, or between functional lines and legal entity governance. Boards of financial subsidiaries can be particularly exposed when decisions made by a parent company or senior manager affect their entity without prior consultation. Their resources may also be limited or insufficient to support independent oversight. This highlights the need for clarity in the roles of Boards and Executive Committees, and these relationships should be formalised through Board or Committee Terms of Reference, defining who decides what. Boards should also consider appointing representatives of key functions as directors to ensure better alignment of resources and accountability.
Table 1: Who owns what? (An illustration)

| Responsibility Area | Board of Directors | Senior Management | Risk Function | Internal Audit |
|---|---|---|---|---|
| Define strategy and risk appetite | Accountable | Consulted | Consulted | Informed |
| Day-to-day risk management | Informed | Accountable | Consulted | Informed |
| Regulatory compliance | Accountable | Accountable | Consulted | Independent |
| Governance structures and committees | Accountable | Informed | Consulted | Informed |
| Oversight of functional vs legal entity risk | Accountable (Legal entity) | Accountable (Functional) | Consulted | Informed |
| Risk culture and tone from the top | Accountable | Accountable | Consulted | Informed |
Board Composition and Supporting Structure
“The board and its committees should consist of directors with the appropriate balance of skills, experience, independence and knowledge of the company to enable it to discharge its duties and responsibilities effectively” (Source: UK Corporate Governance Code).
The Board of Directors is typically composed of executive directors and non-executive directors, though its exact structure varies by country. For example, in the UK, the expectation is to have a unitary Board. In contrast, Germany operates a two-tier system, where Independent Non-Executive Directors (iNEDs) sit on a separate Supervisory Board overseeing the Management Board, which is made up of executive directors. Regardless of structure, the Board should be balanced to ensure that no individual or small group can dominate decision-making.
Independent Non-Executive Directors play a critical role in providing oversight of senior managers and executive directors. They may chair key committees such as Audit, Risk, Remuneration, or Nomination. Since they are not involved in the day-to-day management of the organisation, iNEDs rely primarily on governance structures and bilateral engagement to access the information required to fulfil their responsibilities. This must be considered when designing governance arrangements and reporting structures, particularly in relation to risk information.
Explore how governance dynamics can impact board performance in Mastering Risk and Corporate Governance.
The Board should also ensure that its composition reflects a diverse and appropriate mix of knowledge, background, and professional experience. A formal skills matrix can help assess the collective capabilities of directors and ensure they are equipped to oversee evolving business and risk areas, such as cybersecurity, technology transformation, financial crime, or environmental and social responsibility. Boards should also consider succession planning and periodic refreshment to support long-term continuity and introduce new perspectives. This helps avoid stagnation and ensures that strategic oversight remains effective as the business and external environment evolve.
The Board must ensure that all matters within its remit are covered through appropriate governance structures. It should also define how governance should operate to ensure efficient coverage and eliminate duplication. One effective approach is to identify key themes and associated sub-activities, such as the employee life cycle, financial matters, client life cycle, and risk and regulatory oversight, and allocate them clearly across the governance framework. For example, a Risk Committee may be established to oversee the firm’s risk profile and regulatory compliance. It could be composed of representatives from the risk and control functions and chaired by an iNED. Separately, a Client Forum may monitor the full client life cycle from sales and Know Your Customer checks to onboarding, contract execution, and offboarding. This forum would include sales, operations, and compliance functions.
This approach provides two key benefits. First, it ensures that each theme is overseen by a dedicated governance body with membership aligned to relevant functions. Second, it supports systematic and efficient coverage of operational, financial, risk, compliance, and reporting matters relied upon by the Board, particularly by iNEDs. The governance structure should also align with Directors' and Senior Managers’ defined roles and responsibilities and provide a clear basis for demonstrating compliance with accountability expectations such as the UK’s SMCR or Hong Kong’s Manager-in-Charge regime.
Effective governance is not only structural but also cultural. The Board must promote a culture of openness and constructive challenge, ensuring that all directors feel able to question assumptions and raise concerns. This is particularly important for non-executives who depend on robust information flows and boardroom transparency to carry out their oversight role.
Psychological safety, clarity of expectations, and a willingness to engage with dissenting views are essential to strong board dynamics and decision-making.
Governance also plays a vital role in evidencing how decisions are made and how actions and issues are tracked. The Board must ensure that decisions are clearly documented. This includes recording deliberations, supporting materials such as risk assessments and recommendations, and key challenges raised during review, along with how those challenges were addressed. A Board may make a poor decision, but there is no justification for making one without performing and documenting proper due diligence. Under SMCR, the same expectation applies to Senior Management. Given the regulatory emphasis on assigning personal responsibility, similar expectations are increasingly being adopted in other jurisdictions.
📘 The Risk Within provides a roadmap for embedding psychological safety into risk management. It identifies critical touch points across the risk lifecycle and offers clear actions to align leadership, culture, and governance. It is designed to help risk functions integrate more deeply into the business and strengthen decision-making at every level.
Rethinking Models from First Principles
To support continuous improvement, the Board should regularly evaluate the effectiveness of its governance structure and processes. Regular board evaluations, including periodic external reviews, help identify opportunities to improve committee composition, information flow, and strategic alignment. These assessments are an important part of maintaining strong board governance and accountability in a dynamic and complex environment.
The Risk function plays a key role in providing the Board with the information necessary to support its oversight and decision-making responsibilities. It also provides an important source of independent challenge. The positioning of the Risk function within the corporate governance structure remains a topic of debate. Should the Risk function have a seat at the table? Should the Chief Risk Officer be appointed as a Board member? Should they have veto power over strategic or operational decisions? Whatever the governance model, the Risk function must be able to present its analysis and opinions directly and unfiltered to the Board or a relevant committee. Its recommendations must be given proper consideration. This relationship is fundamental to the integrity of governance, the quality of risk management, and the organisation’s broader risk culture.
Risk Management Framework & Systems
The Risk Management function provides the structured frameworks and governance needed to support the identification, assessment, mitigation, and monitoring of risks arising from the firm’s activities. Building on the previous sections, it is clear that risk information must accommodate a multi-dimensional view of ownership and oversight, including legal entity, country, and business or functional levels.
A fundamental starting point is the definition and implementation of a risk appetite and tolerance framework. This provides both the Board and Senior Management with clarity on how much risk the firm is willing and able to take, as well as the risk levels necessary to support its business strategy. The framework should include both qualitative statements and quantitative metrics. For example, a firm might state that it has a very low tolerance for business disruption, and measure this through the number and quality of its business continuity plans. All frameworks should include capital and liquidity thresholds and define escalation points where corrective action is required. In some cases, excessive risk-taking may lead to failure, as in the case of Lehman Brothers, while in others, excessive caution may hinder strategic delivery. The granularity of the risk appetite framework should reflect the regulatory and operational context—for example, regulated subsidiaries may require their own thresholds, while further breakdown by function may not always be necessary.
Learn why aligning controls with strategy matters in Risk vs. Control – A Paradigm Shift Required.
Clarity around risk ownership is essential. For example, operational risk includes risks related to people, processes, external events, business applications, and outsourced activities. Each area of the business should be assigned a responsible owner with a defined inventory of key processes, controls, systems, and third-party dependencies. Owners must have adequate authority and resources to manage risks effectively.
The Risk function supports these owners with tools and frameworks that allow for consistent identification and assessment of risk. This includes, but is not limited to, Risk and Control Self-Assessments (RCSAs), vendor and technology risk assessments, market risk modelling (e.g. Value at Risk), and credit risk monitoring. The set of tools used should be proportionate to the complexity of the business. For example, an asset manager may focus primarily on operational risk, while a bank would require deeper monitoring of credit and market risk. These frameworks must also support reporting across all key oversight dimensions—legal entity, geography, and function—and be designed with this in mind from the outset.
When risks fall outside of tolerance, mitigation must be initiated. The form this takes will depend on the type of risk. A bank may need to reduce lending to manage credit risk exposure, while an asset manager may implement new controls to meet fiduciary requirements. A custodian might address systemic processing risks by automating manual tasks. Whatever the response, mitigation actions must be tracked and verified through appropriate governance and assurance mechanisms.
A common challenge many organisations face is the fragmentation of risk, audit, and compliance frameworks. This often results in duplicated efforts and conflicting remediation plans. For example, the same issue may be raised by Audit, Risk, and Compliance functions independently, each triggering separate remediation processes. This not only wastes resources but also obscures the true risk profile. Organisations can streamline this by implementing a single incident management process that integrates risk events, compliance breaches, and technology incidents, and by using a common repository and taxonomy for issues and actions.
For an in-depth look at how digitalisation can enable integrated frameworks, see Digitalisation: Rethinking Risk Management.
The tools and frameworks described above generate the data points that feed risk monitoring and reporting. Monitoring should cover policy compliance, inherent and residual risk levels, and the status of mitigation efforts. While some aspects, such as control effectiveness, may be overseen by internal audit or other second-line functions, all outputs must be integrated into reporting for the Board and Senior Management. This requires consistent standards for risk data and clear reporting formats. In some firms, risk reporting is generated by business units with input from the Risk function; in others, it is owned centrally. Regardless of the model, reporting must align with the firm’s governance structure and support the information needs of both the Board and its committees.

Conclusion
The regulatory shift toward assigning individual accountability is prompting many organisations to revisit their risk oversight models, governance structures, and risk management infrastructure. Traditionally, risk frameworks were designed to support oversight by function or business line. Today, firms are increasingly required to support more granular oversight, including at the legal entity level.
Improving transparency around risk ownership, controls, and emerging issues enhances the quality of oversight and enables more effective decision-making at both executive and board levels. As firms continue to refine their governance and accountability frameworks, they will be better positioned to prioritise resources, meet regulatory expectations, and manage risks in a structured and strategic way.
Explore how integrated governance can drive better outcomes in Integrated Risk Management: From Operational Efficiency to Strategic Excellence.
Frequently Asked Questions (FAQs)
1. What is the primary responsibility of the Board in relation to risk management?
The responsibility of the Board includes setting the organisation’s risk appetite, overseeing key risks, and ensuring that appropriate frameworks are in place to identify, assess, and manage risk. The Board must also ensure that actions and decisions taken by the executive team align with the long-term interests of shareholders and other stakeholders.
2. How does the Audit Committee contribute to board governance and accountability?
The Audit Committee plays a crucial role by reviewing the effectiveness of internal controls, risk management systems, and financial reporting. It supports the Board in monitoring emerging risk areas, overseeing audit findings, and ensuring transparent communication with stakeholders including regulators and shareholders.
3. How should Boards track and oversee key risks across the organisation?
Boards should rely on structured risk reporting that covers legal entities, functions, and geographies. Reports should highlight inherent and residual exposures, control effectiveness, and alignment with the firm’s risk appetite. Effective oversight requires clear delegation of ownership across the executive team and integration of risk insights into strategic actions and decisions.
4. What is the difference between executive management and Board oversight roles?
The executive team is responsible for the day-to-day management of risks, including implementing controls and executing strategy. The Board, in contrast, provides independent oversight, sets the strategic direction, and challenges the executive team on risk exposures, resource allocation, and the interests of shareholders and other stakeholders.
5. How should the Board engage with stakeholders including regulators, investors, and staff?
Boards must ensure regular, transparent communication with all relevant stakeholders including shareholders, employees, and regulators. This includes disclosing material risks, governance structures, and how emerging risk factors are being addressed. Stakeholder engagement should reflect both accountability and trust.
Sources
- FSA Royal Bank of Scotland Report - https://www.fca.org.uk/publication/corporate/fsa-rbs.pdf
- Governance Operating Model: A Tool for More Effective Board Oversight by Deloitte
- Best Practices for Board Composition by Diligent
- UK Board Index 2017
- 10 Principles for Effective Board Risk Oversight https://www.corporatecomplianceinsights.com/10-principles-for-effective-board-risk-oversight/
- Senior Managers Regime Individual accountability and reasonable steps
- Senior Management Regime: top tier enforcement risks
- Composition and structure of the board – the UK Corporate Governance Code
Notes
The Financial Services Authority, the former UK financial services regulator, was replaced on 1st April 2013 by the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA).
e.g. the Senior Managers and Certification Regime (SMCR) in the UK, the Securities and Exchange Commission’s enhanced proxy disclosure rules, or the Manager-in-Charge (MIC) regime in Hong Kong.
Speech by Martin Wheatley, Chief Executive of the FCA, delivered at Bloomberg, March 2015
The National Association of Corporate Directors (NACD) is the recognised authority on corporate governance, delivering the information and insights that corporate board members need to confidently confront complex business challenges and enhance shareholder value.
This includes the identification of required functions such as Chief Risk Officer depending on the type of licence granted to the firm.
Each new Senior Manager must prepare a Statement of Responsibilities describing the scope of the individual’s responsibilities. The firm must keep this statement up to date at all times, including when the individual departs (e.g. on replacement). It must also cover the prescribed responsibilities identified by the regulator, which must be allocated across Senior Managers.
In case of a breach, the Senior Manager responsible for that area could be held accountable by the regulator if they did not take reasonable steps to prevent or stop the breach from occurring. Penalties against individuals include prohibition or withdrawal of approval, fines, and other disciplinary sanctions and warnings.
The Monetary Authority of Singapore recently issued a consultation paper: “Guidelines on Individual Accountability and Conduct”
In most firms, risk information is structured to support a managerial view, which typically aligns to a functional structure. This can create a real challenge in supporting ongoing regulatory and legal oversight, which is typically performed by legal entity.
Risk Appetite provides an estimate of the amount of risk the organisation is prepared to accept and can be exposed to at any one point in time.
For example, risk owners should identify and escalate risk issues within a certain time frame.