FSB Thematic Review on Risk Governance: Key Findings

TLDR

  • The FSB's 2013 peer review examined risk governance across 36 financial institutions and 24 jurisdictions—exposing structural gaps that persist in governance frameworks today.
  • Firms often outpaced their supervisors' formal requirements, yet CRO independence and risk appetite embedding remained consistent weak points.
  • At weaker firms, risk appetite frameworks existed on paper but had no connection to decisions, incentives, or board monitoring.
  • Boards—not just management—are accountable for these gaps, and supervisors are increasingly assessing board effectiveness directly.
  • The principles extend beyond financial services: any board overseeing material operational, cyber, or strategic risk faces the same structural vulnerabilities.

What Is the FSB Thematic Review on Risk Governance?

The Financial Stability Board published its Thematic Review on Risk Governance: Peer Review Report in February 2013. The review examined how major financial institutions and their national supervisors implement risk governance—covering 36 banks and broker-dealers across 24 FSB member jurisdictions, including 17 parent G-SIFIs.

Four Areas the Review Evaluated

Review Area                         What It Examined
Board and committee oversight       How boards set and monitor risk governance
Firm-wide risk management function  CRO authority, independence, and stature
Independent assessment              Internal audit and third-party review of risk frameworks
Supervisory practices               Whether national regulators were assessing governance effectively


The FSB's methodology combined questionnaire responses from both jurisdictions and firms, direct discussions with risk committee directors and CROs, and cross-jurisdictional benchmarking. The result is a multi-regulator view with genuine cross-jurisdictional depth—not a finding any single country's supervisor could produce alone.


Key Finding: Persistent Gaps in the Risk Management Function

The FSB found that while "good progress has been made toward elevating the CRO's stature, authority, and independence," significant gaps remained across many institutions.

CRO Independence and Board Access

The risk management function needs "stature, authority and independence to challenge decisions on risk made by management and business lines." Where that stature was absent, the CRO's access to the board was often filtered through the CEO or CFO—meaning boards received a risk picture shaped by management rather than an independent one.

Direct board access is the structural mechanism that makes independent challenge possible. When that channel is filtered, boards lose the ability to detect when business-line pressure is distorting the risk picture.

In practice, distinguishing genuine CRO independence from structural presence requires asking specific questions:

  • What decisions can this person make without approval?
  • Who do they report to, and can they escalate directly to the board?
  • Do board meeting minutes reflect direct CRO input, or does the risk narrative always arrive pre-packaged from the CEO?

Three Lines of Defense in Practice vs. on Paper

The FSB observed that first-line business units had become "much more accountable for the risks created by their activities"—but inconsistency persisted. Common failure modes:

  • First line: unclear risk ownership, with accountability defaulting to the CISO or risk function rather than the business unit creating the exposure
  • Second line: risk functions that existed structurally but lacked authority to challenge or escalate effectively
  • Third line: the FSB found that "no jurisdiction had specific expectations for internal audit to periodically provide a firm-wide assessment of risk management or risk governance processes", so audit wasn't evaluating governance quality itself


These upstream failures don't stay contained. When ownership is blurred at the first line and audit has no mandate to assess governance, the board's information ultimately reflects those same gaps.

Risk Reporting Quality

The FSB described board information as "voluminous and not easily understood," and noted that boards should be satisfied that information is "comprehensive, accurate, complete and timely." Boards receiving fragmented, lagging, or activity-heavy reporting face a structural problem: they can't make defensible risk decisions from data that obscures rather than illuminates material exposures.

A useful diagnostic test: if every metric in the board pack is green while the organization is navigating a known risk event, the reporting infrastructure is broken—not the risk environment.


Key Finding: Risk Appetite Frameworks Are Underdeveloped

The FSB defined a Risk Appetite Framework (RAF) as the "framework of policies and processes that establish and monitor adherence to the firm's risk appetite." Most large institutions had one. The problem was implementation.

What Weak RAFs Actually Look Like

For firms with underdeveloped frameworks, the FSB found that "numerous gaps exist"—with coverage that didn't extend to subsidiaries and risk appetite not clearly articulated at the business level. The report notes that "all firms surveyed considered risk limits to be the vehicle for operationalising the RAF at the business line level"—but limits that weren't cascaded to real decisions were just numbers on a page.

Common signs that a RAF has become a compliance artifact rather than a governance instrument:

  • Appetite statements use terms like "low" or "moderate" with no measurable thresholds
  • No connection between risk limits and budget allocation or capital decisions
  • Exceptions are approved informally and persist indefinitely without named owners or expiry dates
  • The board receives RAF updates but hasn't defined what "out of appetite" actually triggers
  • The dashboard shows all green even when threat conditions are worsening


What Active Board Ownership of Risk Appetite Requires

The FSB is direct: "A key responsibility of the board is to approve the firm's overall business strategy and RAF." That's not the same as endorsing what management proposes.

Active ownership means boards define appetite in measurable terms—hours of acceptable downtime, dollar thresholds for loss, coverage percentages—rather than approving adjectives. Escalation triggers should be pre-agreed, so board engagement happens before a limit is breached, not after the fact.

Compensation structures matter here too. The FSB specifically noted that linking "risk objectives with either compensation or career advancement prospects" is a key driver of better risk culture—meaning incentive design is a governance question, not just an HR one.

Mature RAFs, per the FSB's findings, are integrated into strategy, budgeting, M&A evaluation, new product approval, and stress testing. Without that integration, the RAF answers every governance question on paper while influencing almost nothing in practice.


Key Finding: Firms Outpace Supervisors—But Governance Gaps Persist

One of the review's more notable findings: "Many of the best risk governance practices at surveyed firms are now more advanced than national guidance." The FSB attributed this partly to market pressure—firms most affected by the financial crisis advanced fastest, "perhaps necessitated by a need to re-gain market confidence rather than regulatory requirements."

That gap between regulatory minimums and genuine best practice is exactly where governance failures hide.

The Supervisory Gap

National authorities were not engaging "on a sufficiently regular and frequent basis with the board, risk committee and audit committee." Some supervisors lacked the tools or integrated assessment capabilities to evaluate board-level governance quality effectively. A few had limited powers to scale sanctions based on severity.

The consequence: boards at weaker institutions faced less external pressure to improve. Supervisory minimums became the de facto ceiling.

What This Means for Boards Using Compliance as a Proxy

Compliance with regulatory minimums and genuine governance effectiveness are not the same thing. The FSB's findings make that explicit. Organizations that define "well-governed" as "compliant" are relying on an incomplete test—particularly in jurisdictions where supervisory capacity to assess board effectiveness is still developing.

The practical response is for boards to set their own governance standard above the regulatory floor. Three behaviors mark that shift:

  • Require decision-grade reporting rather than accepting activity updates
  • Hold executive sessions with the risk function independently of the CEO
  • Test whether escalation pathways actually work before an incident forces the question

The FSB also found significant variation in board risk committee effectiveness. Some committees were active, challenged assumptions, and operated with clear mandates. Others had no independent standing—risk oversight existed structurally but not functionally.

Committees that add genuine governance value share three distinguishing behaviors:

  • Ask for decisions on the top one or two risks rather than receiving status updates on ten projects
  • Tie every risk to a named business owner
  • Insist on independent validation rather than management-produced evidence

Translating FSB Findings Into Governance Action

The FSB's findings point toward specific structural improvements—most of which don't require regulatory pressure to implement.

A Practical Governance Gap Assessment

A useful starting framework examines four dimensions:

  1. CRO/CISO independence: Does the risk function have direct board access, or does it flow through management? Can it escalate without permission?
  2. RAF implementation quality: Are appetite statements written in measurable terms? Are limits cascaded to business units? Do escalation triggers exist and have they been tested?
  3. Board risk committee effectiveness: Does the committee receive decision-ready reporting? Are risks tied to named owners? Is there independent validation?
  4. Reporting adequacy: Does the board receive trend-based information in plain language, or activity-heavy data that requires interpretation?


The FSB's observation that many frameworks "looked complete on paper but had not been stress-tested operationally" is the critical diagnostic question. A tabletop exercise that forces executives to make real decisions under pressure—who declares the incident, who can shut systems down, who speaks externally—reveals whether decision rights and escalation thresholds hold in practice or only in documentation.

When the Gap Widens

For organizations in transition—new leadership, post-incident, pre-regulatory examination, or during strategic change—the distance between documented governance and functional governance expands quickly. Decision rights that worked informally under previous leadership become unclear. Risk reporting that served one board may not serve another. Escalation pathways that existed on paper get tested for the first time under pressure.

When that gap opens, an outside perspective that can assess governance posture and stabilize oversight infrastructure before scrutiny arrives matters far more than a reactive update. Tyson Martin's board advisory and interim CISO engagements are built specifically for that window, conducting structured governance assessments in 10 to 15 business days. Each engagement produces:

  • A decision-rights map with clear escalation thresholds
  • Top risks with named owners
  • A control maturity snapshot
  • A 90-day plan with measurable outcomes

The FSB's findings remain a credible benchmark. The boards and risk committees that take them seriously—before a regulator or incident makes them unavoidable—are the ones with the fewest unpleasant surprises.


Frequently Asked Questions

What exactly did the FSB's thematic peer review on risk governance examine?

The FSB reviewed how 36 major financial institutions and their supervisors across 24 jurisdictions implement risk governance. The review covered four areas: board and committee oversight, the firm-wide risk management function including the CRO, independent assessment by internal audit or third parties, and supervisory assessment of governance frameworks.

What were the most significant gaps the FSB identified?

Two gaps stood out: insufficient independence and authority for the risk management function—particularly around CRO access to the board—and risk appetite frameworks that existed as documented policies but weren't embedded in actual business decisions, incentive structures, or board-level monitoring.

What is a risk appetite framework and why does the FSB consider it critical?

A RAF sets the boundaries within which an organization is willing to operate. The FSB found that without active board ownership and integration into budgeting, compensation, and business decisions, RAFs function as compliance documents rather than governance tools.

What does the FSB expect boards—not just management—to do differently?

The FSB expects boards to actively set and monitor risk appetite, ensure the CRO has direct and unfiltered board access, and critically evaluate the quality of risk reporting rather than passively receiving it. Board accountability for the RAF is explicit in the report's findings.

Why did the FSB note that some firms exceeded supervisory requirements—and why is that a concern?

It shows voluntary governance leadership, but it also reveals that regulatory minimums are insufficient proxies for sound governance. Boards relying solely on compliance standards may still carry significant unaddressed structural risk.

How should non-financial organizations apply the FSB risk governance findings?

The FSB's review was scoped to financial institutions. But the underlying principles—independent risk oversight, embedded risk appetite, and active board engagement—apply to any board accountable for material operational, cyber, or strategic risk. Boards outside financial services should treat the FSB's findings as a diagnostic: if your risk appetite framework isn't driving real decisions, the gap is structural, not sector-specific.