School of Information Systems


Definition of Risk Governance

Risk is an uncertain event that, if it occurs, causes losses. It arises as a consequence of ongoing processes and future events.

Risk governance is concerned with the processes and mechanisms by which decisions about these risks are taken and implemented. It also provides guidelines for making every decision on the basis of the best available information. The scope of risk governance includes work safety, environment, security, finance, all old and new technology, and other areas. Its aim is to minimize every form of negative consequence arising from previously identified risks.

Enterprise Risk Governance (ERG) is a systematic approach by which the leaders of an organization make decisions about all risks that may occur in the organization. The principles for implementing ERG in an organization are cooperation, participation, mitigation and sustainability. These principles must be applied throughout the organization in order to achieve its main objective, namely better and more effective risk management. The objective of Enterprise Risk Governance is to reduce risk exposure and vulnerability by closing the gaps in risk management policies, and to avoid or reduce the human and economic costs caused by risks that can have a systemic impact.

Risk Governance Lines of Defense

According to ISACA, there are three lines of defense in a company’s risk governance, namely:

  1. Risk Management Committee

This committee has responsibility and accountability for planning, establishing, implementing, and monitoring risk management activities. It also provides advice and direction on responses to risks that the company can no longer tolerate.

  2. Fulfillment and monitoring function of risk management within the company

This function assists the organization in monitoring all risk management activities carried out by risk management personnel, in order to ascertain whether those activities are running well or not.

  3. Internal and external auditors

Internal and external auditors participate in monitoring the risks that the organization may face. They also oversee the risk management activities of the risk management committee and of the fulfillment and monitoring function, and report the results of their supervision to the company’s board of directors.

Success factors and the ERG framework

The success of implementing ERG in an organization depends on the human resources involved, who must be of high quality and act with integrity. The critical success factors for implementing ERG in an organization are therefore as follows.

  1. A control policy, system and process are in place, supported by a risk culture, that is, a shared awareness of the risks that will be faced.
  2. Communication is good.
  3. Learning and training are carried out well.
  4. Every staff member involved takes responsibility.
  5. There is commitment from the Board of Directors, Board of Commissioners, and senior management; the Board of Directors’ commitment in particular is an important factor in achieving successful ERG implementation.


Miftha Ningrum Saristika