Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
JOIN. ENGAGE. LEAD.
HOW TO BUILD AN ENTERPRISE RISK MANAGEMENT FRAMEWORK
ERM strategies from the Risk Management Association’s ERM Council
THE RMA ERM COUNCIL DEFINES ERM
ERM is the management capability to manage all business risks in pursuit of acceptable returns.
STRATEGIC STEPS
• Risk appetite
• Business strategy and risk coverage
• Governance and policies
• Risk data and infrastructure
• Measurement and evaluation
• Control environment
• Response
• Stress testing
ERM CULTURE
At the center of the ERM framework is culture.
If an institution lacks the right culture and strong leadership at the top, none of the other elements will matter.
Organizations that comprehend and adopt ERM as a “way of thinking” typically outperform those that do not.
ERM CAN ANSWER 3 BASIC BUSINESS QUESTIONS
• Should we do it? Aligned with business strategy, risk appetite, culture, values, and ethics?
• Can we do it? People, processes, structure, and technology capabilities?
• Did we do it? Assessment of expected results, continuous learning, and a robust system of checks and balances?
THE ERM FRAMEWORK
What is ERM? It is the capability to effectively answer these questions.
THE ERM FRAMEWORK (CONT.)
The framework applies regardless of the size of the institution or how it categorizes risks.
The individual components are a dynamic flow in both directions.
Culture is at the heart—without the right culture, the other components are somewhat irrelevant.
THE ERM FRAMEWORK HELPS ANSWER BUSINESS QUESTIONS
• Coverage: What are all the risks to our business strategy and operations?
• Risk appetite: How much risk are we willing to take?
• Culture, governance, and policies: How do we govern risk taking?
• Risk data and infrastructure: How do we capture the information we need to manage these risks?
THE ERM FRAMEWORK HELPS ANSWER BUSINESS QUESTIONS (CONT.)
• Control environment: How do we control the risks?
• Measurement and evaluation: How do we know the size of the various risks?
• Response: What are we doing about these risks?
• Stress testing: What possible scenarios could hurt us? How are various risks interrelated?
DETERMINE GOALS AND OBJECTIVES
Before an institution can articulate its risk appetite, it must first determine its goals and objectives, i.e., its business strategy.
DETERMINE GOALS AND OBJECTIVES (CONT.)
The institution must define what it wants to achieve in terms of markets, geographies, segments, products, earnings, etc.
DETERMINE GOALS AND OBJECTIVES (CONT.)
From there, the institution assesses the risk implied in that strategy and determines the level of risk it is willing to assume in executing that strategy.
ERM COMPETENCIES
• Risk exposures
• Risk appetite
• Culture, governance, and policies
• Control environment
• Measurement and evaluation
• Scenario planning and stress testing
ERM COMPETENCIES: RISK EXPOSURES
Regardless of a specific business strategy, an institution is exposed to the following risks:
• Credit
• Liquidity
• Strategic/Business/Reputation
• Market
• Operational
• Compliance/Legal/Regulatory
• Financial
• Capital Adequacy
ERM COMPETENCIES: RISK APPETITE
RMA has defined risk appetite as “the amount of risk (volatility of expected results) an organization is willing to accept in pursuit of a desired financial performance (returns).”
ERM COMPETENCIES: RISK APPETITE (CONT.)
The concepts of risk appetite and risk tolerance are often used interchangeably, but they have distinct differences in meaning.
Risk appetite represents the acceptance of volatility an institution is willing to assume in executing its business strategy.
Risk tolerance refers to day-to-day operational limits developed within the context of an organization’s stated risk appetite (for example, concentration limits).
ERM COMPETENCIES: RISK APPETITE (CONT.)
Management and the board of directors must understand the critical links among strategy, business plans, and risk.
• A risk appetite statement is one tool that facilitates this linkage.
• In this context, the risk management function is an integral part of the institution’s overall strategies and specific business objectives—an essential part of the institution’s success, returns, and value creation.
ERM COMPETENCIES: CULTURE, GOVERNANCE, AND POLICIES
Culture can be described as “what people do when they are not being watched.”
Culture is the most important aspect of any good ERM competency.
ERM COMPETENCIES: CULTURE, GOVERNANCE, AND POLICIES (CONT.)
Policies express the risk appetite of the company to the masses.
Policies describe to all stakeholders what the company is willing to do and not to do.
The statement of risk appetite is executed through policies (what to do?) and procedures (how to do them?).
Culture, governance, and policies collectively help an institution manage its risk-taking activities.
ERM COMPETENCIES: CONTROL ENVIRONMENT (CONT.)
The internal control environment is one of the most important tools in the management toolbox for management of risks.
Internal controls help reduce the level of inherent risk to a level acceptable to management.
ERM COMPETENCIES: CONTROL ENVIRONMENT (CONT.)
The system of internal controls includes:
• Culture
• Governance
• Policies
• Preventive and detective controls
• Scenario planning
ERM COMPETENCIES: CONTROL ENVIRONMENT (CONT.)
Management relies on internal controls to manage residual risk to an acceptable level.
Residual risk is defined as the level of inherent risks reduced by internal controls.
Building an effective internal control environment allows management to control what can be controlled.
ERM COMPETENCIES: MEASUREMENT AND EVALUATION
The science and art of measurement in ERM is about concluding which risks are significant and which ones are not, and where to invest time, energy, and effort.
At any given time, boards of directors and management must manage a portfolio of risks.
ERM COMPETENCIES: MEASUREMENT AND EVALUATION (CONT.)
In order to accomplish the goal of measurement and evaluation, an institution may adopt:
• A simple model of color rating (green, yellow, and red).
• A middle-of-the-road failure mode and effect analysis (FMEA) model.
• Or a highly sophisticated risk-adjusted return on capital (RAROC).
ERM COMPETENCIES: MEASUREMENT AND EVALUATION (CONT.)
Measurement and evaluation help boards and management answer the question, “so what?”
The process of measurement and evaluation must include the system of internal controls and determine how well the risks can be managed.
ERM COMPETENCIES: SCENARIO PLANNING AND STRESS TESTING
The art of ERM is the ability to answer the question, “what can go wrong and, hence, create deviation from expected outcomes?”
Management must address known, knowable, and unknowable risks.
ERM COMPETENCIES: SCENARIO PLANNING AND STRESS TESTING (CONT.)
Scenario planning and stress testing are tools that focus on the knowable and, perhaps, some unknowable risks.
A robust scenario planning and stress testing discipline is a must from a capital planning perspective.
ENTERPRISE RISK MANAGEMENT WORKBOOKS
To help you develop your ERM framework, RMA offers a series of highly practical workbooks:
1. Risk Appetite Workbook, November 2010.
2. Scenario Analysis and Stress Testing for Community Banks, February 2012.
3. Governance and Policies Workbook (includes “Response”), November 2013.
4. Risk Measurement and Evaluation (in development).
5. Risk Data and Infrastructure (to be developed).
RMA members may download the workbooks for $0 (free!). Not a member? Join today.
SHARE THIS PRESENTATION
Visit http://www.rmahq.org for information on risk management
Visit our blog at http://rmablog.rmahq.org/
RMA is a member-driven professional association whose sole purpose is to advance sound risk principles in the financial services industry.
RMA helps its members use sound risk principles to improve institutional performance and financial stability, and enhance the risk competency of individuals through information, education, peer sharing, and networking.
Become a member today.
