This paper examines how governance and risk management affect risk-taking in banks. It distinguishes between good risks, which are risks that have an ex ante private reward for the bank on a stand-alone basis, and bad risks, which do not have such a reward. A well-governed bank takes the amount of risk that maximizes shareholder wealth subject to constraints imposed by laws and regulators. In general, this involves eliminating or mitigating all bad risks to the extent that it is cost effective to do so. The role of risk management in such a bank is not to reduce the bank's total risk per se. It is to identify and measure the risks the bank is taking, aggregate these risks in a measure of the bank's total risk, enable the bank to eliminate, mitigate and avoid bad risks, and ensure that its risk level is consistent with its risk appetite. Organizing the risk management function so that it plays that role is challenging because there are limitations in measuring risk and because, while more detailed rules can prevent destructive risk-taking, they also limit the flexibility of an institution in taking advantage of opportunities that increase firm value. Limitations of risk measurement and the decentralized nature of risk-taking imply that setting appropriate incentives for risk-takers and promoting an appropriate risk culture are essential to the success of risk management in performing its function.