Basic Components of an Enterprise Risk Management Framework

Each entry below gives the ERM component, a description of it, and one or more positive examples of what it looks like in practice.

Established Risk Culture
Description: This is the tone at the top that sets the basis for how risk is viewed and addressed by an organization's stakeholders at all levels. The organization defines an enterprise-wide philosophy for risk management and a risk appetite that is grounded in integrity, ethics, and a good grasp of how various stakeholders are affected by the organization's decisions.
Positive example(s):
  • Consistent support for the ERM framework throughout the organization, from the board of directors to staff members on the front lines.

Clear Objectives
Description: An ERM program encourages the leadership team to set clear strategic, operations, reporting, and compliance objectives that support and align with the organization's mission and are consistent with its risk appetite.
Positive example(s):
  • Objectives can reasonably be achieved without exceeding a predetermined, stated risk tolerance.

Risk Register
Description: The organization documents all identified material risks.
Positive example(s):
  • For each material risk, the risk register provides a description of the risk, the source(s) of the risk, the parties responsible for managing and overseeing the risk, and the approved risk mitigants.

Event Identification
Description: The organization identifies internal and external events affecting achievement of its objectives and distinguishes its risks from its opportunities.
Positive example(s):
  • For each uncertainty or potential event, a leading indicator is defined along with the parameters that would trigger a risk management response.

Risk Assessment
Description: The organization continuously analyzes risk, considering the likelihood and impact of various scenarios, and uses the results of the analysis as a basis for determining how to manage those risks.
Positive example(s):
  • Leadership surveys its managers to develop a risk heat map and prioritizes the identified risks.

Risk Response
Description: Leadership evaluates possible responses to risks, selects a response (avoid, accept, reduce, or share the risk), and develops a set of actions that align risks with the organization's risk tolerance.
Positive example(s):
  • Leadership identifies the costs and benefits of accepting each type of risk.
  • The most relevant risk information is centralized and reported in a consistent form, and to the right people, so that timely and effective decisions about risk can be made.

Control Activities
Description: Leadership establishes and implements a set of policies and procedures that enable the organization to respond to risks effectively.
Positive example(s):
  • Staff understand the differences between risk avoidance, risk reduction, risk sharing, and risk acceptance.
  • The senior manager responsible for ERM oversight reports directly to the board of directors or to a board-established committee that enforces proper oversight and independence.
  • The ERM program is independent of the risk-taking and operational functions.

Information and Communication
Description: The organization identifies, captures, and communicates relevant information in a form and timeframe that enables stakeholders to carry out their responsibilities. It communicates key information about strategy and decision-making clearly and broadly throughout the organization.
Positive example(s):
  • All personnel receive a clear message from leadership that ERM responsibilities are taken seriously.
  • A robust and reliable reporting regimen is in place.

Monitoring
Description: Through ongoing management activities and/or separate evaluations, the organization monitors the entirety of its risk management and makes modifications as necessary.
Positive example(s):
  • Management reports performance as compared to established risk limits.

Last updated on August 23, 2022.