Ten (10) Key Elements in a Robust Risk Management Framework (RMF)

A Risk Management Framework (RMF) melds together the strategic, foundational and tactical elements of risk to describe the role of Enterprise Risk Management (ERM) in helping a company maintain its franchise value and meet both its strategic business objectives and corporate stakeholder obligations. Here are ten (10) key elements every RMF should have.

Part A – Strategic Risk Context

Key Element 1:  Describe Business Profile and Brand

  • What does your company do, per the information in the “Core Business” category of your Risk Register?
  • What are your unique business characteristics and drivers of success?
  • Where does your reputational risk emanate from?

Key Element 2:  List High-Level Business Goals (examples shown below)

  • Achieve Targeted Performance
  • Preserve Capital Adequacy
  • Maintain Liquidity
  • Protect Franchise Value/Reputation

Key Element 3:  Customize an Enterprise Risk Management (ERM) Mission Statement

Example: “ERM is the process to identify, assess, mitigate and monitor enterprise-wide risks that might impact the company’s ability to achieve its strategic business objectives.”

Key Element 4:  Develop, and Live By, an Overall Company Cultural Model

  • Who We Are (e.g. high-performing, inclusive and equitable)
  • What We Recognize and Reward (e.g. transparent meritocracy)
  • Behaviors We Expect (e.g. mandatory ethics and Code of Conduct)

Part B – Risk Foundation

Key Element 5:  Establish Risk Governance Structure

  • Roles and responsibilities portrayed either vertically (top-down and bottom-up) or horizontally (three lines of defense)

Key Element 6:  Set and Maintain Risk Appetite(s) and Tolerance(s)

  • Risk appetite represents general willingness (high, medium, low) to assume risk and expose capital to risk of loss
  • Risk tolerance reflects the specific pre-defined threshold(s) at which appetite might be exceeded, triggering management notification, assessment and/or corrective action

Part C – Tactical Risk Execution (4-step process)

Key Element 7:  Identify Risk on an Iterative Basis

  • Universe of risks, in an enterprise-wide risk register, within four categories (Financial, Operational, Strategic and Core Business)
  • One risk owner per risk, to establish accountability
  • Causes and consequences listed for each risk, to set context

Key Element 8:  Assess Risk in Consistent and Transparent Manner

  • Severity and likelihood, both before controls (inherent) and after controls (residual)
  • Risk direction and velocity, as well
  • Rating scales used must be consistent and easily understood

Key Element 9:  Mitigate Risk Severity and Likelihood to an Acceptable Residual Level

  • List controls individually
  • Insist upon the greatest degree of specificity possible in control description (e.g. performed quarterly, escalation provision etc.)

Key Element 10:  Monitor Risk on an Ongoing Basis

  • Execution of a wide variety of processes by risk-related bodies (e.g. Risk Committee)
  • Pinpoint prominent metrics, such as key risk indicators (KRIs)
  • Prepare applicable risk reports for internal and external dissemination

About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.
