Since the crisis, the flood of new regulations — the most expansive since the Great Depression — has largely led to suboptimal economic outcomes. Indeed, policymakers seem to be operating in accordance with the "public choice" model. Among the precepts of this academic theory, which James M. Buchanan and Gordon Tullock wrote about in the '60s, is that politicians will seek policy changes to maximize their utility.

Such behavior misses the root cause of the crisis: namely a pervasive lack of effective risk governance among key financial market participants. Had such firms embraced a culture of risk management marked by strong corporate governance practices at the highest corporate levels, executive compensation plans aligned with shareholder interests, a long-term view of risk-taking and balanced risk-return management, it is very likely the housing and mortgage market bubble would have been a nonevent.

Regulation of bank risk governance practices in the form of the "heightened expectations" and "three lines of defense" standards has attempted to address this concern principally for large banks (technically, those with assets at or above $50 billion). However, mandating good risk governance is not an effective or efficient policy response to the issue.

Rather, financial incentives that lead firms to strengthen their risk governance practices would be far more effective in the long term in influencing attitudes and preferences toward risk management. Mandating risk governance standards potentially undercuts the risk management function within an organization, as it may be viewed as a regulatory "tax" by virtue of its direct linkage to these regulations and not as a valued business decision. No set of regulations can bring about a truly genuine change in a bank's risk management culture. If risk management DNA does not already exist at a firm, financial incentives to inculcate the right attitudes and norms toward investing in good risk governance put management in a better position to lead such change than if that governance is forced from the outside.

Even with "heightened expectations" and "three lines of defense," critical components of risk governance remain incomplete. As highlighted in a recent American Banker article, interest appears to have waned over separating chairman and CEO duties. Such separation is a well-established corporate governance practice that is aimed at strengthening the checks and balances between management and the board.

In another example, even though poor executive compensation structures were a well-known contributor to abnormal risk-taking at many firms embroiled in the crisis, momentum to better align executive compensation plans with the long-term interests of shareholders has slowed. A study by Meridian Compensation Partners found significant variation in the adoption of executive compensation plans, suggesting that some do not incorporate long-term strategic goals as part of the incentive structure. Of greater concern is that compensation plans remain heavily weighted toward plans focused on financial metrics rather than ones that are risk-focused.

Regarding the specific implementation of "heightened expectations," while it focuses on the largest banking institutions, it does not affect nonbank institutions and so leaves a gap in the quality of risk governance among competitor institutions. That could erode risk governance universally over the long term. Moreover, while the largest banks have at least one member of their boards with some level of risk experience, there remains a clear imbalance at the board level overall in terms of directors with experience weighing trade-offs between risk and market outcomes. Those trade-offs lie at the heart of virtually every bank decision.

These examples provide clear evidence that regulation so far has had a limited effect on ensuring that the most critical aspects of effective risk governance — strong corporate governance practices, risk-focused executive compensation plans and balanced risk and return management — are in place.

While it is ideal for institutions to come to the conclusion organically that stronger risk governance is in their financial interest, regulators can still nudge banks in that direction, without explicitly mandating that banks adopt risk governance frameworks, by providing their own set of financial incentives. For example, the Federal Deposit Insurance Corp.'s pricing model for deposit insurance can incorporate factors that reward strong risk governance. Private-market providers of directors and officers insurance can provide similar incentives by conducting greater on-site due diligence to examine risk governance practices and in turn establish more rigorous risk-based pricing. Risk-based capital requirements could also be more closely tied to defined measures of risk governance.

The FDIC's current risk-based pricing system is simply unable to accurately gauge a bank's level of risk governance. And, likewise, the "Camels" ratings process currently used by regulators to assess bank risk is antiquated for a 21st-century banking system. Alternatively, a financial oversight authority such as the Financial Industry Regulatory Authority could develop and maintain a risk governance rating system that is adopted by all parties to provide consistency, transparency and alignment of investor interests in evaluating risk management practices.

Regulation cannot achieve the worthwhile objective of establishing effective risk governance. Rather than forced compliance with risk governance standards, strong risk practices are more likely achieved through measures that create an environment for bank managers to shape their own risk governance destiny.

Clifford Rossi is Professor-of-the-Practice and Executive-in-Residence at the Robert H. Smith School of Business at the University of Maryland.