Governance and the Three Lines Model in Operational Risk

Learn how boards, first line, second line and internal audit work together to build a practical three lines model for operational risk.

Governance is where operational risk management either becomes real or remains theoretical. Firms can have good templates, detailed registers and polished reports, but if accountability is unclear, oversight is weak and challenge is not independent, the framework will not hold when pressure increases. That is why governance and the three lines model remain central to modern operational-risk practice. [1]

Board ownership begins the framework

The board does not manage day-to-day operational risk, but it does define the environment in which risk is managed. It approves strategy, sets appetite, reviews key reporting and ensures the firm has adequate resources and challenge mechanisms. That “tone at the top” matters because it signals whether risk ownership is an embedded management expectation or a periodic compliance exercise. [2]

How the three lines model works in practice

First Line

The first line owns risk in the flow of work. Business and process owners understand where failures can happen, what controls exist and where trade-offs arise between efficiency and assurance. First-line ownership is not optional; it is the operating centre of the framework. [3]

Second Line

The second line provides independent oversight, challenge and framework design. It reviews assessments, monitors emerging issues, proposes indicators and checks consistency across the organisation. In smaller firms, this line may be lean, but it still needs enough independence to challenge the business credibly. [4]

Third Line

Internal audit provides independent assurance over the effectiveness of the first and second lines. That does not mean it repeats their work. It tests whether the overall system is designed and operating as intended, and it reports its findings to governing bodies in a way that drives improvement. [5]

What smaller firms should scale, not skip

Smaller firms frequently combine roles, use external audit partners or run flatter structures. That is workable if it is deliberate and documented. The mistake is not having fewer people. The mistake is leaving responsibilities ambiguous. Boards should document charters, reporting lines, committee mandates and escalation routes so independence is preserved as far as the organisation’s size allows.

Governance documents worth creating first

Start with five documents: a governance map, committee terms of reference, role-accountability matrix, reporting calendar and board-approved risk policy. Those documents create structure around decisions, remove duplication and make it easier to demonstrate governance maturity to auditors and supervisors. [6]

Conclusion

Good governance is not bureaucracy added on top of operational risk. It is the mechanism that makes ownership, challenge and assurance visible. If a board wants better operational resilience, the first question is not “what tool do we need?” It is “who owns what, who challenges what, and who assures the whole system?” [7]

Next Steps