What is risk governance and how does it differ from enterprise risk management?

Risk governance sets the framework for how risk is managed across the organization. It involves oversight by boards and senior management, defining roles and responsibilities, establishing risk policies and appetite, and ensuring accountability and escalation mechanisms for risk issues. ERM, by contrast, is the integrated, ongoing process that identifies, assesses, prioritizes, and treats risk across the enterprise, coordinating responses and monitoring outcomes to support strategic objectives. Together, governance provides the structure and authority, while ERM delivers the practical management of risk across all functions. Focusing only on metrics, or limiting governance to compliance, misses the broader oversight and policy role, and describing governance as day-to-day risk management confuses operational work (ERM) with the governing framework.