“In my opinion, the most important thing in governance is management control.” — Joko Widodo
When people hear “risk management,” they often think only of controls designed to reduce specific risks. What is often overlooked is the role governance plays in shaping how an organisation understands and responds to risk.
Governance structures influence an organisation’s overall risk profile. They determine how risk is identified, assessed and managed across the enterprise.

Governance is not responsible for day-to-day operations. Its role is to provide strategic oversight and direction.
Boards of directors, trustees and similar bodies set the tone from the top. They define the organisation’s mission, values and the boundaries within which management operates.
While management is tasked with execution, governance remains accountable for ensuring the organisation operates within the frameworks it has established. It provides oversight, demands accountability and ensures value is preserved.
Separating risk management from governance ignores the context in which risk exists. Risk evolves within strategy, culture and leadership, not in isolation.
Effective risk management begins with strategic clarity. ISO 31000 defines risk as “the effect of uncertainty on objectives.”
Without clearly defined objectives—set and reviewed by governance—risk assessments lose relevance. In such cases, risk management becomes a technical exercise rather than a strategic one.
Policy is one of the most important tools governance uses to maintain alignment. Governance bodies approve policies that guide management’s day-to-day decisions.
Yet many organisations treat policies as static and bureaucratic. When they are not updated to reflect strategic changes, policies quickly become ineffective.
Well-crafted policies play several critical roles. They prevent outdated controls from continuing after the strategic environment has shifted.
They also define performance measures used in reports and dashboards for governance oversight. In addition, they provide a consistent benchmark across assurance functions, including risk, compliance, internal and external audit, and regulators.
Although management often drafts policies, it does so on behalf of governance. Final approval must rest with governance to ensure legitimacy and strategic alignment.
Policies should not be viewed as compliance checklists. They are governance instruments that link strategic objectives with operational decisions.
When properly integrated, policies promote consistency, reduce inefficiencies and help build a risk-aware culture across the organisation.
Organisations should not create policies simply to satisfy auditors or regulators. Policies should align stakeholder expectations and clearly explain how risk is managed across the business.
They must be treated as living documents—purposefully designed, regularly reviewed and clearly communicated.
In conclusion, policies are governance documents, not administrative ones. They are owned by governance and are essential to aligning strategy, accountability and effective risk management.