Risk governance

Risk governance is the structured approach through which organizations, governments, and societies identify, assess, manage, and communicate risks. It goes beyond traditional risk management by enhancing accountability, strengthening decision-making frameworks, increasing stakeholder involvement, and integrating ethical considerations.

Accountability in Risk Governance

Traditional risk management in a company typically focuses on risk mitigation at an operational level. Risk governance ensures responsibility and accountability at all levels, including the Board of Directors and executive management. It also ensures that risks are managed in a way that aligns with an entity’s strategic objectives, regulatory requirements, and societal expectations.

As an example, imagine an international bank that handles millions of customer transactions daily. Cybersecurity is a critical risk for the bank, and risk governance ensures that accountability is clearly defined at different levels.

The Board of Directors is accountable for ensuring that the bank has a robust cybersecurity risk governance framework. It must decide the cybersecurity risk appetite, ensure compliance with regulations such as the EU's Digital Operational Resilience Act (DORA) if the bank has EU operations, and oversee risk management and reporting.

The Chief Risk Officer (CRO) is accountable for overseeing cybersecurity risks within the enterprise risk management framework. The Chief Information Security Officer (CISO) ensures that cybersecurity controls align with the risk governance framework. Front-line teams (IT security, business operations, and employees) are responsible for implementing security measures and following policies.

Decision-Making in Risk Governance

Risk governance establishes formal decision-making structures such as Board-level risk committees, and integrates risk considerations into strategic planning. It ensures that decisions about risks are made in collaboration with senior leadership and the Board.

Stakeholders in Risk Governance

Risk governance involves internal and external stakeholders, such as regulators, investors, and business partners.

Example: A manufacturing company managing supply chain risks may traditionally focus on contract terms. Under risk governance, the company engages suppliers, regulators, and investors to ensure ethical sourcing and compliance with environmental regulations.


Case Study: Risk Governance in the Corporate Sustainability Due Diligence Directive (CSDDD) of the EU

The CSDDD is a good example of risk governance in action. It extends beyond traditional risk management by requiring companies to integrate sustainability-related risks, ethical considerations, and stakeholder engagement into their governance structures.

Accountability in Risk Governance under the CSDDD

The Board of Directors and senior executives are now explicitly accountable for overseeing human rights and environmental due diligence. Companies must ensure compliance with sustainability obligations, not just operational risk management.

Directors' duties include considering the long-term sustainability impact when making decisions. For example, a multinational brand can no longer just outsource due diligence to suppliers. Instead, its Board is accountable for ensuring fair labor practices and environmental protection across its entire supply chain.

Decision-Making in Risk Governance under the CSDDD

The CSDDD formalizes risk governance structures, including mandatory risk due diligence processes for sustainability, decision-making mechanisms that integrate sustainability risks into corporate strategy, and a remediation framework for addressing human rights and environmental violations.

For example, a multinational mining company cannot simply react to environmental violations. It must implement a formal risk governance framework, including regular risk assessments, Board-level reviews of sustainability risks, and a clear escalation mechanism for handling supplier violations.

Stakeholders in Risk Governance under the CSDDD

The CSDDD asks companies to engage with stakeholders, such as local communities, workers and trade unions, NGOs, and regulators. Transparency obligations include public reporting on sustainability risks.

As an example, a car manufacturer sourcing cobalt for electric vehicle batteries must consult local communities in mining regions to assess and mitigate risks related to human rights violations and environmental harm.

Ethical Considerations in Risk Governance under the CSDDD

Companies must evaluate ethical risks related to forced labor, child exploitation, and environmental degradation. Failure to act on these risks can lead to legal liability, reputational damage, and financial penalties.

As an example, a global food company cannot ignore deforestation risks in its supply chain. It must ensure ethical sourcing policies and take action against suppliers contributing to illegal deforestation.

For some of our clients, the Corporate Sustainability Due Diligence Directive (CSDDD) feels less like risk management and more like fiction, full of unexpected obligations, mysterious due diligence quests, and the ever-present villain: compliance deadlines. This is not a joke, if you thought it was. You can find more below:

Corporate Sustainability Due Diligence Directive (CSDDD): https://www.corporate-sustainability-due-diligence-directive.com

This website (above) is owned and updated by Cyber Risk GmbH (Dammstrasse 16, 8810 Horgen, Switzerland, Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341), a strategic partner of the IARCP.


Case Study: Risk Governance in the U.S. Uyghur Forced Labor Prevention Act (UFLPA)

The U.S. Uyghur Forced Labor Prevention Act (UFLPA), enacted in 2021, is a prime example of how risk governance extends beyond traditional risk management. Like the Corporate Sustainability Due Diligence Directive (CSDDD) in the EU, the UFLPA requires companies to integrate human rights due diligence, supply chain transparency, and ethical considerations into corporate governance.

Both the UFLPA and the CSDDD require corporate Boards and senior executives to take accountability for supply chain risks and actively manage and disclose these risks. Both laws mandate supply chain transparency and require companies to investigate, mitigate, and report risks related to human rights violations. Firms must engage with regulators, investors, NGOs, and consumers and publicly disclose their actions. Failure to comply in both cases can lead to fines, trade restrictions, legal action, and reputational damage.


New job descriptions

Job Description: Supply Chain Due Diligence & Ethical Sourcing Risk Manager

Job Summary (example): We are seeking a Supply Chain Due Diligence and Ethical Sourcing Risk Manager to lead and enhance our supply chain risk governance, regulatory compliance, and ethical sourcing strategies. This role ensures that our global supply chains comply with human rights, sustainability, and trade regulations, such as:

- Corporate Sustainability Due Diligence Directive (CSDDD) (EU)

- Uyghur Forced Labor Prevention Act (UFLPA) (U.S.)

- German Supply Chain Due Diligence Act (LkSG)

- UK Modern Slavery Act

The ideal candidate will understand supply chain transparency, ethical sourcing policies, and risk mitigation strategies while engaging with suppliers, auditors, regulators, and internal stakeholders.

Key Responsibilities (the ideal candidate must):

1. Develop and implement due diligence processes to assess human rights, environmental and labor risks in global supply chains.

2. Conduct risk mapping of suppliers across multiple tiers to identify vulnerabilities.

3. Collaborate with internal teams, auditors, and third-party verification bodies to ensure compliance.

4. Oversee supplier audits and on-site assessments to validate ethical sourcing.

5. Ensure corporate compliance with CSDDD, UFLPA, LkSG, and other international supply chain laws.

6. Lead reporting and documentation efforts for regulatory bodies, investors, and customers.

7. Establish frameworks for legal liability protection related to supply chain risks.

8. Engage with government agencies, trade organizations, and NGOs on regulatory developments.

9. Build and maintain strong relationships with suppliers, manufacturers, and logistics partners to promote compliance and ethical standards.

10. Develop supplier training programs on due diligence, human rights, and sustainable sourcing.

11. Work with procurement teams to integrate ethical sourcing into supplier selection and contracts. Act as a liaison between internal risk, legal, sustainability, and procurement teams.

12. Establish real-time monitoring systems to track supply chain risks.

13. Manage internal and external ESG (Environmental, Social, Governance) reporting, including sustainability disclosures.

14. Create supply chain risk dashboards and Key Risk Indicators (KRIs) for senior leadership.

15. Prepare annual due diligence reports for stakeholders and regulatory bodies.

16. Develop strategies for remediating supplier non-compliance while maintaining business continuity.

17. Collaborate with legal teams on supplier contract enforcement and risk mitigation.

18. Recommend alternative sourcing solutions for high-risk regions and industries.

Career Growth Opportunities: This role provides a path to Director of Supply Chain Risk Governance, Chief Sustainability Officer (CSO), or Head of Corporate Compliance.

Is this fiction? No. In March 2025, visiting indeed.com you could find over 1,300 job listings related to supply chain due diligence. On LinkedIn there were more than 400 job openings in the United States for ethical sourcing positions. On ZipRecruiter, there were 9,600 job listings for supply chain due diligence roles, highlighting the demand for expertise in this area. McKinsey & Company was hiring a Sourcing Specialist focused on environmental sustainability.



Contact IARCP

Lyn Spooner

Email: lyn@risk-compliance-association.com

George Lekatis

President of the International Association of Risk and Compliance Professionals (IARCP)

1200 G Street NW Suite 800, Washington DC 20005, USA - Tel: (202) 449-9750

Email: lekatis@risk-compliance-association.com
