The risk governance model depends on the management and shareholders’ expectations, the regulatory requirements as well as on the risk manager’s competencies and on the resources available for risk management implementation.

The risk governance can be structured using the classical three lines of defence concept:

• 
  
• The 1st line of defence - Business units: executives, business department management as well as employees. As part of their daily duties, those listed above are responsible for timely identification, assessment, management, monitoring and reporting on risks. Senior management and the Board of Directors determine the strategy for risk management, approve risk appetite and monitor how major risks are managed.
  
• The 2nd line of defence - Functions of risk management and other support functions (such as safety and quality, finance, insurance, etc. are business consultants and are responsible for developing the methodology for managing risks, awareness and training, and methodological support. Sometimes the risk management team also performs a quality control function and aggregates information about the risks.
  
• The 3rd line of defence - Internal audit: Independent bodies, such as internal audit, provide independent monitoring that the risk management is carried out as in line with internal policies and procedures, and that the management of key corporate risks is performed.
  

While commonly accepted and simple in theory, the three lines of defence model is overly idealistic and doesn’t work well in non-financial services. Risk managers may want to consider an alternative and better risk governance structure where:

• 
  
• The risk management function is the centre of competence for all risk analysis and is responsible for an independent, timely and quantitative risk analysis for the decisions proposed by management. This approach is different from the traditional three lines of defence, as risk managers take greater responsibility and ownership over some of the risk analysis and maybe even some risks. This allows the risk manager to be directly involved in the process of decision making and to assume the responsibility for the outcomes on par with other executives.
  
• In certain cases, the risk manager may have the mandate to block excessively risky transactions or projects that do not meet the strategic goals of the company.
  

Based on the experience of the authors the second option is much more effective. CEOs rarely are prepared to pay good salaries for facilitators and methodology experts that have nothing valuable to contribute to a specific decision. Nassim Taleb calls it ‘having the skin in the game’. To him, this is the only way to manage risks. We agree.

Another interesting analogy for the risk manager is the Advocatus Diaboli (Latin for Devil's Advocate) was formerly an official position within the Catholic Church: one who "argued against the canonization (sainthood) of a candidate in order to uncover any character flaws or misrepresentation of the evidence favouring canonization".[1] Supplements to this chapter a five short recording on how a risk manager can play a devils advocate role and what is required.