A Risk Management Framework (RMF) melds together the strategic, foundational and tactical elements of risk to describe the role of Enterprise Risk Management (ERM) in helping a company maintain its franchise value and meet both its strategic business objectives and corporate stakeholder obligations. Here are ten (10) key elements every RMF should have.

Part A – Strategic Risk Context

Key Element 1:  Describe Business Profile and Brand

• What does your company do, per the information in the “Core Business” category of your Risk Register?
• What are your unique business characteristics and drivers of success?
• Where does your reputational risk emanate from?

Key Element 2:  List High-Level Business Goals (examples shown below)

• Achieve Targeted Performance
• Preserve Capital Adequacy
• Maintain Liquidity
• Protect Franchise Value/Reputation

Key Element 3:  Customize an Enterprise Risk Management (ERM) Mission Statement

Example: “ERM is the process to identify, assess, mitigate and monitor enterprise-wide risks that might impact the company’s ability to achieve its strategic business objectives.”

Key Element 4:  Develop, and Live By, an Overall Company Cultural Model

• Who We Are (e.g. high-performing, inclusive and equitable)
• What We Recognize and Reward (e.g. transparent meritocracy)
• Behaviors We Expect (e.g. mandatory ethics and Code of Conduct)

Part B – Risk Foundation

Key Element 5:  Establish Risk Governance Structure

• Roles and responsibilities portrayed either vertically (top-down and bottom-up) or horizontally (three lines of defense)

Key Element 6:  Set and Maintain Risk Appetite(s) and Tolerance(s)

• Risk appetite represents general willingness (high, medium, low) to assume risk and expose capital to risk of loss
• Risk tolerance reflects the specific pre-defined threshold(s) at which appetite might be exceeded, triggering management notification, assessment and/or corrective action

Part C – Tactical Risk Execution (4-step process)

Key Element 7:  Identify Risk on an Iterative Basis

• Universe of risks, in an enterprise-wide risk register, within four categories (Financial, Operational, Strategic and Core Business)
• One risk owner per risk, to establish accountability
• Causes and consequences listed for each risk, to set context

Key Element 8:  Assess Risk in Consistent and Transparent Manner

• Severity and likelihood, both before controls (inherent) and after controls (residual)
• Risk direction and velocity, as well
• Rating scales utilized must be consistent and easily-understood

Key Element 9:  Mitigate Risk Severity and Likelihood to an Acceptable Residual Level

• List controls individually
• Insist upon the greatest degree of specificity possible in control description (e.g. performed quarterly, escalation provision etc.)

Key Element 10:  Monitor Risk on an Ongoing Basis

• Execution of wide variety of processes by risk-related bodies (e.g. Risk Committee)
• Pinpoint prominent metrics, such as key risk indicators (KRIs)
• Prepare applicable risk reports prepared for internal and external dissemination

About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.