A Risk Management Framework (RMF) melds together the strategic, foundational and tactical elements of risk to describe the role of Enterprise Risk Management (ERM) in helping a company maintain its franchise value and meet both its strategic business objectives and corporate stakeholder obligations. Here are ten (10) key elements every RMF should have.
Part A – Strategic Risk Context
Key Element 1: Describe Business Profile and Brand
- What does your company do, per the information in the “Core Business” category of your Risk Register?
- What are your unique business characteristics and drivers of success?
- Where does your reputational risk emanate from?
Key Element 2: List High-Level Business Goals (examples shown below)
- Achieve Targeted Performance
- Preserve Capital Adequacy
- Maintain Liquidity
- Protect Franchise Value/Reputation
Key Element 3: Customize an Enterprise Risk Management (ERM) Mission Statement
Example: “ERM is the process to identify, assess, mitigate and monitor enterprise-wide risks that might impact the company’s ability to achieve its strategic business objectives.”
Key Element 4: Develop, and Live By, an Overall Company Cultural Model
- Who We Are (e.g. high-performing, inclusive and equitable)
- What We Recognize and Reward (e.g. transparent meritocracy)
- Behaviors We Expect (e.g. mandatory ethics and Code of Conduct)
Part B – Risk Foundation
Key Element 5: Establish Risk Governance Structure
- Roles and responsibilities portrayed either vertically (top-down and bottom-up) or horizontally (three lines of defense)
Key Element 6: Set and Maintain Risk Appetite(s) and Tolerance(s)
- Risk appetite represents the general willingness (high, medium or low) to assume risk and expose capital to the risk of loss
- Risk tolerance reflects the specific, pre-defined threshold(s) beyond which appetite is exceeded, triggering management notification, assessment and/or corrective action
Part C – Tactical Risk Execution (4-step process)
Key Element 7: Identify Risk on an Iterative Basis
- Universe of risks, in an enterprise-wide risk register, within four categories (Financial, Operational, Strategic and Core Business)
- One risk owner per risk, to establish accountability
- Causes and consequences listed for each risk, to set context
Key Element 8: Assess Risk in Consistent and Transparent Manner
- Severity and likelihood, both before controls (inherent) and after controls (residual)
- Risk direction (increasing, stable or decreasing) and velocity (how quickly the risk could materialize), as well
- Rating scales utilized must be consistent and easily-understood
Key Element 9: Mitigate Risk Severity and Likelihood to an Acceptable Residual Level
- List controls individually
- Insist upon the greatest degree of specificity possible in each control description (e.g. frequency such as “performed quarterly”, the person responsible, any escalation provision)
Key Element 10: Monitor Risk on an Ongoing Basis
- Execution of a wide variety of monitoring processes by risk-related bodies (e.g. the Risk Committee)
- Pinpoint prominent metrics, such as key risk indicators (KRIs)
- Prepare applicable risk reports for internal and external dissemination
About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.