Businesses execute their strategic plans in an environment
of risk and uncertainty. Accordingly, firms design an enterprise risk
management framework to ensure that risk or uncertainty is identified,
measured, monitored, controlled, and reported properly. This framework helps
management pursue its strategy and decision making confidently and sustainably.
The core of the enterprise risk management framework is a
risk identification framework. Once a firm sets its strategy and identifies the
associated risks, only then can it begin the work of incorporating the risks
and uncertainties into its capital and liquidity planning processes and putting
in place the risk appetite on which it will base its strategy.
A robust risk identification framework ensures that the
firm’s risk inventory is comprehensive, inclusive, and dynamic.
The risk inventory’s comprehensiveness is evidenced by the
degree to which:
- It spans all risk categories and lines of business.
- It covers on- and off-balance-sheet risks.
- It identifies risks appearing in business under usual environments as well as stress
The risk inventory’s inclusiveness is evidenced by:
- Multiple layers of review.
- Input from subject-matter experts in the first and second lines of defense.
- Integration of input from senior
The dynamic nature of the risk inventory is evidenced by:
- Responsiveness and ability to reflect changes in the business environment over the course of the
- Timeliness ensured by conducting top-down risk surveys at least quarterly (surveys include both current and emerging risks).
- Scoring and ranking risks in order to monitor trends and developments in the risk inventory.
Strong risk identification frameworks have strong governance
processes documented in policy and applied through multiple levels of
oversight, including subcommittee approval of bottom-up risk inventories and
the senior management risk committee’s approval of the complete risk inventory.
Finally, evidence of the risk inventory’s use in other key
business processes, including risk appetite setting, risk monitoring, control
design, risk reporting, and capital planning, is the true litmus test of an
effective and meaningful risk identification framework.
The above is based on an excerpt from The RMA Journal, December 2016 – January 2017
article “Sound Practices in the Development of Risk Identification Frameworks” by
Jim Lentino, director of corporate risk management for Discover Financial Services,
and Arindam Majumdar, senior ERM program manager for Bank of the Ozarks in
Little Rock, Arkansas. You can read the article in its entirety here.