Last week's theatrical Senate hearing and intriguingly detailed report on the JPMorgan Chase synthetic credit portfolio missed the mark by ignoring perhaps the biggest contributing factor to the bank's losses: the breakdown in risk governance.

The Senate Permanent Subcommittee on Investigations' surprising omission of risk governance from the recommendations outlined in its report on JPMorgan's trading losses underscores why these are recurring issues in banking. When risk disasters arise it is easy to jump on the bandwagon for tighter regulation, such as bans on proprietary trading. However, addressing the governance structure of risk management could significantly reduce if not eliminate many banking missteps. A number of the subcommittee's recommendations, such as requiring contemporaneous hedge documentation and enhancing reporting and analytics in valuing derivatives, are certainly useful. But they pale in comparison to having a culture that actively embraces risk management rather than paying lip service to it.

In the years leading up to the financial crisis, many firms touted their risk management prowess to regulators and investors while at the same time finding ways to circumvent or even marginalize their risk management organizations. If the subcommittee's facts regarding JPMorgan's chief investment office are correct, it serves as a stark reminder that if these kinds of breakdowns in risk management can occur at ostensibly one of the more risk-aware organizations, it is likely that this is just a minor infraction compared to what we would find across the industry.

To be sure, after the crisis banks found religion by embracing risk management practices, even if out of necessity. However, a lasting risk management foundation is built first on the quality of the governance infusing risk processes and controls, and only second on the infrastructure needed to identify, measure and manage risks. The subcommittee's report sheds light on problems in risk model management and reporting, risk communications and other deficiencies, yet many of these problems could have been flagged and addressed with a strong risk oversight function independent from the business, with deep trading experience and air cover provided by senior management.

At the hearing and in the report, JPMorgan's safety and soundness regulator, the Office of the Comptroller of the Currency, was widely criticized for its reaction to the bank's response to regulatory inquiries for information. While strengthening the ability of the OCC to actively engage banks on emerging risk issues should improve the oversight process, it is simply impractical to expect examiners to be in a position to ferret out risks the size and complexity of the credit derivative transactions given the scale and scope of institutions the size of JPMorgan. While there was no excuse for such breakdowns in risk management to occur, at the same time we need to keep the perspective that the losses sustained were small when compared with JPMorgan's total risk exposure.

That implies that the first line of defense in guarding bank risk lies with the risk management teams at these companies. Until executive compensation packages are structured to reward bank leaders for risk management skill as well as risk-taking, the business is unlikely to be in the best position to objectively balance risk and return. The financial crisis was born out of a systemic failure of the industry to provide strong risk governance. Attempts to force such structure on banks, such as the Fed's risk management prudential standards, are well-intended but in the end even the best regulation cannot completely rein in bad behavior.

But if tougher regulations, stricter regulatory oversight and enhanced risk reporting and analytics cannot sufficiently prevent future risk disasters, what is the answer? A bank CEO can no longer afford to be myopic about building short-term profits if it ultimately leads to the destruction of shareholder value brought about by episodic unexpected risk disasters. In an age of nearly constant information flows and the immediacy of social media, preserving brand quality and firm reputation is essential. Executives who do not factor in these intangibles directly when contemplating that next business initiative expose their firms to unnecessary risk. Boards and shareholders bear responsibility in selecting CEOs who are aware of the risk environment and are willing to sacrifice market share in order to maintain risk discipline.

Clifford V. Rossi is the Executive-in-Residence and Tyser Teaching Fellow at the Robert H. Smith School of Business at the University of Maryland.