Enterprise Risk
Governance Framework

The objectives of an ERM framework include:

• Aggregate and assess risk across the organization.
• Comply with laws, rules, and regulations.
• Protect and enhance an organization’s reputation.
• Facilitate an organization’s mission by integrating risk considerations into strategic and operational planning decisions, and by managing risk to the organization’s earning, capital, operational strength, and reputation in a manner that promotes prudent, effective decision-making, optimizes risk-reward, and instills accountability for risk in fulfilling the organization’s strategy and mission.
• Promote a strong risk culture that includes a thorough understanding of risk appetite along with clear roles, responsibilities, and accountabilities for the ownership and management of risks.
• Ensure that a strong risk infrastructure supports the effective management of risks and consistency in the management of risks.
• Maintain a risk governance structure at the board and management level that ensures identification, measurement, analysis, management, monitoring, and reporting of all material risks along with effective risk response strategies and escalation protocols.
• Ensure effective, proactive management for each of the organization’s risk categories along with anticipation and management of material risk interdependencies.

 

The board serves in a governance capacity ensuring that a framework exists to ensure risks are managed in a manner that is effective. The board understands and promotes the organization’s risk philosophy and desired risk and compliance culture, approves the risk appetite, inquires about risk practices, reviews the portfolio of risks, compares the actual risks to the risk appetite and is apprised of significant risks, both actual and emerging, and determines whether management is responding appropriately to risk events. The board challenges management and ensures accountability.

The board reviews and formally approves the ERM framework. Through this approval, the board confirms their expectation that first line of defense own and are responsible and accountable for identifying and managing their risks. This approval also confirms the role of risk and compliance as the second line of defense with both the authority and independence to oversee the management of risk levels consistent with established risk appetite.

A policy is a formal statement of an organization’s strategy and position. It addresses certain subject matter and any material inherent risks, including legal and regulatory requirements and expectations, and includes who the policy applies to, when the policy applies, when the policy requires actions, and any relevant restrictions. The purpose of a policy is to (i) establish the parameters in which the business should operate based upon the organization’s risk appetite, (ii) support adherence to laws or regulations, (iii) address fundamental strategic guiding principles or long-term goals and values, and (iv) address more tactical operating principles that support long-term goals.

Policies related to risk management (i.e., risk policies) are used to define and communicate risk management requirements, expectations, roles, and responsibilities.

Practically, there are two levels of policies—

• Level 1 Policies are those policies required by a law or regulation or are associated with a material inherent risk or are of a strategic nature that requires the approval of the board, or a committee of the board.
• Level II Policies consist of content largely applicable to a specific line of business or business practice and only requires the approval of a management level committee (e.g., Asset/Liability Committee, Compliance and Operational Risk Committee).

Management-level risk governance committees such as Compliance and Operational Risk Committee are formed and managed for the purpose of risk governance and decision-making. In some cases, there are regulatory requirements for committee activities, functions, and/or format reporting. While strong communication and awareness are important to effective overall governance, management-level risk governance committees should not be used solely for general and broad information sharing. Risk governance activities, such as program oversight, risk level and control adequacy monitoring decision making and policy approval, should comprise the majority of their meeting agenda items.

The Three Lines of Defense clarify the general roles and responsibilities and accountabilities of an organization’s business operations and management, independent risk management, and internal audit relative to the management of risk and provide a framework that supports the integrity of information escalated to risk governance committees and the board.

First Lines of Defense: Business Operations and Management

The responsibilities of business operations and management may include, but are not limited to:

• Own, identify, assess, manage, monitor, control, and mitigate risks aligned to the organization’s risk taxonomy.
• Incorporate established risk standards and parameters into business unit operating policies and procedures.
• Communicate risk appetite statement, tolerances, and limits throughout the business unit.
• Set clear expectations and accountability for risk management and compliance associated with business activities.
• Develop and execute action plans in the event of a risk trigger or appetite breach.
• Establish clear, well-defined protocols for evaluating, and where appropriate, and authorize exceptions to business level standard operating procedures.
• Conduct periodic evaluation of the types and levels of risk within the business, the effectiveness of the control environment, and the residual risk.
• Identify and monitor internal and external emerging risks, potential threats, and industry best practices.
• Aggregate risks, including by business activities or products.
• Use the risk identification and risk assessment for operational and strategic planning.
• Conduct continuous monitoring of a broad range of business performance data to ensure that established controls are working, and the business is complying with policies, standards, and procedures.
• Provide accurate, concise, and timely risk reports to executive management, the chief risk officer, internal audit, and board and management committees.

Second Line of Defense: Independent Risk Management

The responsibilities of independent risk management function (led by the Chief Risk Executive) may include, but are not limited to::

• Develop risk appetite limits by risk category in consultation with the risk-taking business units.
• Recommend risk appetite statement, limits, and metrics for board approval.
• Establish and maintain an enterprise risk management and control framework, including enterprise compliance risk management program that is aligned with the board’s risk appetite statement, the company’s business and strategic objectives, and regulatory expectations.
• Aggregate and report risk information against risk appetite, including exceedances and metrics to the board.
• Assess risk mitigation strategies, including the effectiveness of such mitigation in a range of circumstances, and recommend alternatives if concerns arise.
• Provide independent oversight, credible challenge, and monitoring of an organization’s overall control environment.
• For policies owned by independent risk management, adhere to first line of defense responsibilities.
• Identify and monitor top risks, internal and external emerging risks, thematic risks, potential threats, and industry best practices.
• Monitor business activities and reporting to identify risks, compliance deficiencies, and weaknesses in controls and provide information for periodic board and management committee updates and for adjusting testing activities.
• Develop test plan and conduct risk-based quality control and quality assurance testing of business unit activities.
• Establish a clearly defined escalation process to enable prompt escalation and remediation of material problems, including disputes between compliance and first line of defense management regarding compliance matters are resolved objectively.
• Ensure that management information systems have:
  • A level of sophistication consistent with the complexity and diversity of the organization’s operations, and
  • Support the responsibilities of the Board to oversee the organization’s core business lines, critical operations, and other core areas of supervisory focus.

Third Line of Defense: Internal Audit

The responsibilities of internal audit may include, but are not limited to::

• Evaluate the processes used by the organization to design and govern the risk appetite and related framework, standards, and procedures.
• Evaluate the operating effectiveness of the risk appetite framework and process, and report results to management and the board.
• Pose credible challenge to management when policies and procedures are not followed, or control weaknesses are identified.
• Provide independent assurance on the adequacy and effectiveness of the the organization’s overall control environment.
• At least annually, conduct independent risk assessments of auditable entities to determine the related risk profiles.

Risk appetites are expressed through risk appetite limits and triggers (most of which are based on key risk indicators (KRIs)) that align with the RAS and balance business objectives and should be approved by the board. Limits, triggers, and other key risk indicators (KRIs) are designed to be operationalized at various levels in the organization and are used to guide and control underlying business activity. Management should manage business consistent with established risk appetite and within defined limits and triggers.

Establishing and refining risk appetite limits, triggers, and KRIs is an evolutionary process. These risk appetite metrics are formulated and evolved through a combination of “top down” and “bottom up” approaches. Through a bottom up approach, limits and triggers ranges are identified by lines of business and independent risk oversight.

Additionally, through a top down approach, management analyzes risk-taking at the business unit level to formulate KRIs, limits, and triggers. These two approaches are supplemented by qualitative and quantitative evaluations considering strategy, stress testing, scenario analysis, and direction of risk and rate of change. From these activities, management formulates risk appetite metrics that are further reviewed, refined, and escalated through the risk governance process for approval.

An organization should strive to develop and use forward looking KRIs and other risk metrics wherever possible.

Once established, risk appetite limits, triggers, and KRIs are subject to regular reporting for conformance with established limits, and exceptions are highlighted. Reporting begins with a management monitoring process and is escalated to the appropriate risk governance committee and the board.

The governance committees are responsible for ensuring that appropriate policy enhancements and approvals, reporting, accountabilities, and escalation procedures are defined and communicated for the approved limits, triggers, and KRIs for the individual risk categories.

Performance relative to RAS, limits, triggers, and KRIs for each major risk category, along with the underlying limits, triggers, and KRIs that help ensure performance within the enterprise appetite should be regularly reviewed and discussed by the appropriate risk governance committee. The limits, triggers, and KRIs should be subject to analysis, reporting, and escalation as appropriate and warranted. Material issues, trends, and risk appetite metric breaches should be reported to risk governance committees and the board.

Risk appetite, when expressed as limits and triggers, defines the maximum amount of risk acceptable for a specific risk measure (“Limit”) and a level below the maximum requiring escalation and action (“Trigger”). When appetites are expressed as ranges, they define the acceptable variation around the desired level of risk for a specific risk measure.

The following illustrates one method to report performance against limits and triggers:

When performance within a trigger or limit is approaching the trigger or limit, an action plan should be considered. The action plan should be formulated and implemented to manage the activity to remain below the trigger or limit. If the trigger or limit is breached, a remediation plan should be formulated and implemented. The remediation plan should focus on risk reduction. Action items and remediation plans should be reported to, and approved by, the appropriate governance committee based on (a) the risk category and (b) the level (e.g., enterprise, line of business, function).

Where ranges are used, a consistent approach should be used for reporting. If the upper or lower limit of the range is breached, a remediation plan should be formulated and implemented. Depending on which limit is breached, the remediation plan should focus either on risk reduction or maintaining existing risk capacity.

Performance relative to risk appetite and enterprise-level limits, triggers, and KRIs should be reported and regularly discussed by enterprise-level risk governance committee. Similar reporting should be produced at least quarterly and reported to the board and board risk committee.

Activities in the strategic planning process include environmental assessments (internal and external), testing assumptions (at both enterprise and line of business level), developing new strategies, managing the performance of existing strategies, and communicating strategy.

A comprehensive risk assessment of the strategic planning process is important to gauge:

• Top and/or emerging risks that may be obstacles to the achievement of objectives.
• Current risk levels, direction of risks, and effectiveness of controls.
• Estimates of projected risk levels based on proposed business strategies.

Risk executives should participate with business executives in testing assumptions, identifying opportunities and alternatives, and providing effective challenge to new strategic direction. Risk assessment standards should be designed and implemented to provide structure and guidance on risk assessment activities. Elements of the strategic plans and risk assessments should be shared with relevant support functions to ensure that risk impacts are considered across processes and activities for the enterprise. Additionally, information such as anticipated new product volumes should be shared with decision support functions for planning purposes.

Outputs of the strategic planning process include the enterprise strategy, business level strategies, projected risk levels, and direct influence on operating plans, business performance objectives, and capital plans.

The strategic plan and scenario modeling should include impacts on the organization’s capital position.

An Integrated Strategic and Operational Plan (“Integrated Plan”) ensures operational commitments support strategic goals. It is developed by the organization’s leadership with board oversight and should cover a 3-year period.

The Integrated Plan is developed consistent with the Board’s risk appetite, including risk appetite under varying stressed conditions, as well as liquidity, and capital requirements. Monitoring systems should be established to report actual outcomes, KRIs, and make certain the organization’s objectives and risks remain aligned with the risk appetite.

Risk management is integrated into strategic planning and performance management. To ensure strategic and operational outcomes are aligned, senior executives should translate strategic direction into performance objectives for executives and cascade them into business unit objectives. These objectives are then further decomposed to individual performance objectives for all employees. Finance monitors progress for the

major business units, finalizes capital allocation, ensures disciplined reporting for these groups, identifies performance trends, and recommends adjustments where appropriate.

Performance objectives are expected to include financial and market performance, risk levels (leveraging dashboard information, appetite metrics reports, etc.), and other objective measures. Additionally, incentive compensation plans would be expected to include risk measurements in determining incentive award amounts, whether formulaic or discretionary.

Risk assessments are completed, reviewed, challenged, and aggregated for a holistic view of risk. The Chief Risk Executive, through participation in various activities in the strategic planning process, provides validation that if proposed activities are executed, risk levels should either (a) remain acceptable, or (b) move toward the desired risk level as remediation plans are completed.

Capital serves many purposes and enterprise capital adequacy is an important indication of an organization’s overall financial health. An organization should maintain capital at sufficient levels to absorb unexpected losses, promote public confidence, maintain access to funding, meet obligations to creditors and counterparties, and enable continued operations in an adverse environment. An organization should define, monitor, and manage to internal capital requirements sufficient to support its strategic and business plans, and appropriate for the actual and forecasted risk profiles of those plans, including potential growth.

Capital adequacy assessment, planning, and management processes should be integrated with strategic planning, performance management, and risk management, including stress testing activities. Capital adequacy assessment processes must account for a company’s array of businesses, regardless of whether the businesses are subject to different reporting, accounting, and regulatory capital regimes (e.g., GAAP, Economic, and Statutory).

Stress testing is conducted to support management’s assessment of the ability to absorb the consequences of unexpected events financially or operationally. Stress testing programs include multiple conceptually sound stress tests with various levels of complexity including scenario analysis, sensitivity analysis, entity-wide stress testing, and reverse stress testing. The process includes integration of risk identification and controls, risk appetite measures, and should be aligned with an organization’s operational planning and strategic focus.

A risk governance committee (e.g., new products approval committee) should evaluate and approve new, modified, and expanded products and services. Such

committee ensures that (a) new products and services are consistent with approved strategy and risk appetite, (b) risks are appropriately anticipated, evaluated and managed, and (c) approval conditions are met in a timely manner. After a new product or service is implemented, post-launch monitoring should be established and implemented to ensure the new product or service remains within established risk appetite through key risk indicators and control monitoring

Key initiatives / projects, not subject to a new product risk governance committee, are activities or decisions at an organization that could have risks associated with the organization’s risk taxonomy. These may include, but are not limited to, implementation of new systems, implementation of new regulatory changes, launch of new applications, and key outsourcing decisions. Using risk assessment methodology, key initiative’s impact on existing controls should be documented using risk assessment methodology and new controls develops, where applicable, that mitigate risk to an acceptable level within the organization’s established risk appetite.

Risk assessments measure the inherent risk that may materially impact an organization as well as the quality of risk management activities and the controls in place to mitigate risk to desired levels. Risk assessments help determine where efforts and resources need to be allocated to manage risks as well as identify opportunities to improve business decision marking and performance. Information is proactively gathered and discussed to identify, measure, monitor, and manage risks that can affect the organization’s ability to achieve its objectives. Risk assessments by the business and functional areas should be executed against an assessment entity within a defined risk assessment universe. An assessment entity is a product or key business unit within a line of business or key functional area for which a risk assessment will be performed.

Risk assessments and risk profiles take underlying RCSAs into consideration. RCSAs identify and measure operational and compliance risks related to business processes.

The risk assessment process should be governed by standards and guidance to facilitate consistency in assessing risk throughout and across the enterprise and allow for aggregation of information from all assessment units. The consistency within this approach allows the organization to effectively compare and prioritize risks by effectively identifying and assessing risks according to a standard set of process steps, terminology, and rating standards.

Risk Assessment Scope and Process

Various methods and techniques may be used in completing a risk assessment, such as interviews, forums, models, and facilitated workshops. Techniques used to measure the significance of risks can be quantitative and/or qualitative.

Various quantitative and qualitative techniques can be leveraged in the evaluation of risks.

• Quantitative – Use facts and data to quantify the risk of discrete and specific events and stress testing to assess discrete scenarios’ impact in the organization’s key performance measures.
• Qualitative – Some organization-specific risks do not lend themselves to quantification and must be qualitatively assessed. While data may not be sufficient to model or otherwise quantify these risks, facts and projections can be used to provide a description of the key risk exposures. Risk documentation should also include any assumptions being made regarding the potential risk event that may drive either the likelihood or impact (severity) of the risk event.

Regardless of method or technique, risk assessments should be documented and retained.

Remediation plans should be required when insufficient and weak management and control practices are identified and/or when risks exceed risk appetite metrics or trending in that direction. Minimum standards for remediation plans should include:

• Brief description of underlying risk issue including identification of root cause
• Specific action steps needed to manage within established risk appetite limits
• Accountable parties for action steps
• Target date (specific date, not a range) to restore to “green” status and, if resolution will take longer than one quarter, quarterly target milestones
• Assumptions and interdependencies
• Other corrective actions being taken
• Identification of risk governance committee and risk executive who will oversee and monitor progress

Risk reporting is accomplished through management reporting to the various risk governance committees and ultimately the board. Risk reporting should be comprehensive, useful, accurate, and timely. It should cover current and emerging risks and adherence to risk limits and risk concentrations. To ensure effective management of risk and oversight by the board and management level risk committees, routine risk management-related reporting practices should be produced.

Risk reports should include the following:

• Aggregated overall enterprise risk profile and aggregated risks by risk category
• Aggregated overall risk profile for each business unit and aggregated business unit risks by risk category
• Calendar of all required risk assessments for the next calendar year
• Recommended changes to the risk governance framework and other risk management-related documents
• Top and emerging Risks
• Material risk issues, trends, escalated issues, and the status of corrective actions
• Audit and regulatory examination findings or regulatory concerns related to the organization’s ERM framework, or the execution thereof
• Progress against approved annual risk management plan

Risk dashboards, in conjunction with the execution of risk assessments, help to ensure that material risks are identified, measured, assessed, monitored, controlled, and reported in a timely manner. Dashboards provide synthesized and actionable summaries to executive management and the board. Risk dashboards should provide a holistic view of major risks and should include, by risk category, the following: inherent risk level, trend of risk, volatility of risk, management effectiveness, and residual risk as well as insights into any plans to improve risk management and controls. Information derived from risk assessment activities should aggregated to inform the risk dashboard.

A strong risk management information system supports the identification, evaluation, remediation, and tracking of any potential or actual control deficiencies.

A control deficiency is defined as a condition, either a serious risk issue or material process breakdown that poses a perceived, potential, or real threat, exposing the organization to material loss or serious reputation impact. The three lines of defense each have a responsibility to identify and escalate any control deficiencies in a timely manner. The first two lines of defense are responsible to remediate any control deficiencies with a sense of urgency. The third line of defense has an obligation to provide assurance over remediation and is responsible for escalating remediation that is not timely or sufficiently comprehensive or sustainable.

Escalation processes include:

• Collection and analysis of exceptions and prioritization of issues, concerns, and trends warranting escalation
• Identification and notification to relevant stakeholders on critical issues or areas of concern
• Timely and accurate periodic and ad-hoc status reporting (if an issue remains open)
• Action items and/or remediation plans, including timing and accountabilities
• Aggregation of issue themes along with identification of systemic issues and an analysis of root causes

Issues represent inconsistencies with the organization’s risk appetite that arise across the enterprise and its risk taxonomy. While some issues like operational losses can be quantified, many do not lend themselves to measurement by quantitative appetite metrics. Such issues can range from instances of non-compliance with policies and procedures, control deficiencies, unacceptable residual risk levels, compliance weaknesses, adverse publicity, environmental impacts, audit and regulatory findings, and other such occurrences.

Risk considered insignificant on its own has the potential, as it interacts with other events and conditions, to cause great damage or significant opportunity. The risk assessment process evaluates risks individually, considers their interdependencies and correlation with other risk(s), and identifies themes. Risk assessment and aggregation prompt consideration of correlations which can be across risk categories (such as operational risk affecting compliance risk or market risk affecting liquidity risk) and within a risk category (e.g., trends in one credit portfolio affecting another credit portfolio within the same business).

Risk mitigation plans and controls are developed and implemented to reduce and mitigate risk exposures within an acceptable level. Determining the appropriate mitigation strategies, controls, and triggers is the primary responsibility of the risk owner or business area, as they are usually the subject matter experts for a given risk. Risk responses integrate the identification of mitigation plans and related controls needed to help ensure the risk responses are carried out properly and in a timely manner.

Policies, standards, and procedures should describe the control activities that help ensure that the organization’s responses are carried out. Control activities occur throughout an organization, at all levels and in all functions and consider interrelationships between people, processes, and technology.

Mitigation plans document how the chosen response options are implemented. Information provided in these plans include:

• Reasons for selecting risk response options (including expected benefits to be gained)
• Individuals that are accountable for approving and implementing the plan, proposed actions, resource requirements and contingencies, performance measures and constraints, reporting and monitoring requirements, and the timing and schedule of the plan

Processes should be in place to test the design and operational effectiveness of mitigating plans and controls. Testing helps validate management’s initial residual assessment of risks and identifies changes in the overall residual risk profile. Testing may also help optimize risk responses and mitigation actions by identifying exceptions and deficiencies requiring immediate attention and additional resources.

Risk acceptance process is intended to cover risk across the entire risk Taxonomy. The process begins when an issue is identified, and the issue owner makes an informed decision that the risk is acceptable or that the costs of risk mitigation outweighs the benefit.

Once a decision has been made to accept the risk, the issue owner should provide risk acceptance documentation and supporting information to the risk owners potentially impacted by risk acceptance to allow them to opine on the issue/risk. The issue owner should then obtain proper approvals from relevant stakeholders. The severity rating of the issue/risk should guide the level of authority of the relevant stakeholder(s) accepting the risk and the governance and oversight forum that must review or be informed of a risk acceptance decision. Further, all accepted issues should be reviewed on at least an annual basis to ensure appropriateness of continued acceptance.

To support the ERM Program, a RMIS strategy should be established, implemented, and periodically refreshed to meet the risk information needs of relevant stakeholders. The RMIS strategy should focus on efficiently producing information from a common, integrat

• Regular, synthesized, actionable, and timely reports for relevant stakeholders
• Effective and efficient analytics, measurement, and models, as appropriate, based on anticipated and actual risk trends and events
• Risk-reward decision making process that is integrated within each line of business

Core educational programs should be available for all relevant personnel and should be aimed at developing an enterprise-wide risk management culture and maintaining a level of risk management knowledge within the organization. All individuals should receive the appropriate training and development for their specific risk management related roles and responsibilities.

The board should receive ongoing training intended to improve directors’ understanding of roles and responsibilities and deepen their knowledge of the organization’s business, operations, risks, and management.

Today, many businesses and organizations choose to outsource aspects of their risk management effort. As a trusted advisory and managed service provider, Compliance Core delivers risk management and regulatory compliance excellence. Our services are designed to simplify compliance risk management while retaining efficiency and effectiveness.

Compliance Core has seen first-hand how organizations run operational and compliance programs. Over the years, we have helped industry-leading businesses and organizations to streamline and transform regulatory compliance management processes. Our approach drives a more efficient, strategic, and proactive process that supports organizations’ efforts to respond to evolving regulations and comply with regulatory obligations.

This new approach to compliance risk management has helped industry-leading businesses and organizations to gain a differentiated and competitive advantage. Here’s how it works:

1. Identify Scope of Risk: Develop a register of key risks across business lines, products, services, processes, and systems from which we can benchmark and orient.
2. Develop a Risk Assessment Framework: Quantify risk across business sectors and divisions.
3. Create Risk Treatment Strategies and Roadmap: Address risk proactively, efficiently, and effectively with reduced spend and labor.

To quickly assess your risk management and compliance program, we’ve developed a short quiz. Use this as an opportunity to identify risk management and compliance gaps. After the quiz, you’ll be given an opportunity to connect with us and discuss next steps towards your risk management and compliance goals.