In response to withering criticism by shareholders and investor watchdogs following the London Whale incident, JPMorgan Chase (JPM) has finally made additions to its board risk committee. At best, the move amounts to a half-measure intended to put this issue behind the company.

JPMorgan missed an opportunity to begin reestablishing the company's image as a risk leader in the industry. More important, the change underscores one of the more fundamental issues that put the industry at risk for another crisis, namely weak risk governance processes and controls.

The essence of a financial institution is taking prudent risks. The risk appetite and culture of the firm should emanate from the board, with strong oversight by those members charged with assessing management's adherence to the company's risk tolerance. By that yardstick, banks should embrace rather than recoil from adding board members who have direct risk expertise. Current practice is that banks required to comply with Dodd-Frank provisions for risk governance typically go through the motions of minimally meeting the standards for establishing a risk committee and for its composition, to the detriment of shareholders, employees and customers.

For the largest institutions, Dodd-Frank requires that at least one member of a board's risk committee be a "risk expert." JPMorgan satisfied that requirement by selecting a former associate of JPMorgan's CEO and chairman. However, the reconstitution of the risk committee should have gone further by overhauling the whole risk governance process, including how management organizes and communicates risks across the company. For a firm as large and complex as JPMorgan, it should have replaced all four risk committee members with independent members who each specialized in one of the following areas: credit risk; market, interest rate and liquidity risk; operational risk; and compliance/regulatory risk.

Having a single risk expert certainly is better than none, but it is a bit like having a general physician in an operating room when a heart surgeon, oncologist or anesthesiologist is really needed. Each risk is unique in its own way, including how risk is measured, the type of data available to measure exposures and risk mitigation strategies. Understanding the effects of trading asset price movements on the bank's value-at-risk, after all, is a completely different exercise than assessing the risk of denial-of-service attacks.

Bank products and hedge strategies have far outstripped the industry's efforts to strengthen its risk governance practices. Couple that with increasing concentration for the largest firms and this should send shudders down the back of any investor in large banks.

The Whale trading losses at JPMorgan pointed out just how complex risk management has become. The use of arcane derivative instruments ostensibly for risk mitigation rather than risk-taking is front and center in the seemingly age-old issue of whether banks should be allowed to engage in proprietary trading. Who on the risk committee is in any kind of position to challenge the strategy and risk assessment of management if they themselves do not possess some skills and expertise in understanding these risks? Loading up risk committees with senior executives from other companies or nonprofits might be helpful in forming business strategy, but is limiting in keeping management on their toes with regard to communicating risk exposures and mitigation activities.

Risk committees, if composed properly, could very well provide a company a competitive advantage depending on the quality of the members selected. Organizations that establish strong processes and controls are in the best position to take greater risks and be compensated for them. Having risk committee directors who are experts in their fields could be a game changer for bank strategy. One of the more difficult questions in a crowded field of players is where the firm should focus in order to grow. Banks with a risk committee stacked with risk experts could add enormous value to management in picking their way through potentially disastrous outcomes. That next option adjustable-rate or stated-income mortgage program might very well be avoided given the right set of risk committee members.

Five years from the collapse of Lehman Brothers and a near-meltdown of global financial markets – brought on by a systemic breakdown in risk controls and processes at institutions large and small, banks and nonbanks – it is surprising that risk governance and risk management are not priority No. 1 for the industry. Some will take issue with that view, for there has been a great expenditure of resources and time over the last few years in strengthening risk management. However, dollars and intentions do not always translate well into a sustainable solution to a problem. Risk is alive and well in our banking system and the relatively poor state of risk governance at the board and company level leaves the industry exposed to unexpected risk events.

Clifford Rossi is the Professor-of-the-Practice at the Robert H. Smith School of Business at the University of Maryland.