Foundation Series: A Modern Enterprise Risk Management (ERM) Function
How Financial Services Organizations can design ERM as an enterprise decision, oversight, and resilience capability.
Introduction
Enterprise Risk Management (ERM) has grown significantly in importance over the last few decades. What began as a response to fragmented risk ownership, inconsistent oversight, and limited enterprise-wide visibility has become a core governance and management discipline within financial services (and other sectors).
Today, however, ERM is at an inflection point. Its purpose and value remain highly relevant, but the function must continue to evolve, as it has done before, to remain modern, proportionate, and fit for purpose. The risk landscape is becoming more interconnected, technology-enabled, data-dependent, and fast-moving. At the same time, organizations are under pressure to simplify, prioritize, and demonstrate that risk management is not only well controlled, but also useful to decision-making.
In my previous two articles I explored the forces re-shaping the ERM function. For ease of navigation, I have included the links below:
In that environment, ERM should not be understood only as risk infrastructure, a function, or process. All three descriptions are partly true, but incomplete. In a modern Financial Services Organization (FSO), ERM should be understood more broadly: as the enterprise capability that helps senior management and the Board of Directors (“the Board”) understand, govern, challenge, and respond to risk across the full organization.
A mature ERM function is not simply a policy shop, a reporting team, or a horizontal coordination layer that routes questions to other risk specialists. Nor should it operate as a “risk police” function that tries to own every risk and control across the organization. At its best, ERM provides common standards through which risks are identified, measured, monitored, responded to, and reported on consistently across the enterprise.
Core Purpose
ERM should fundamentally enable FSOs to answer a deceptively simple question:
What risks are we talking about, are they within appetite, and are we managing them in a way that supports the organization’s strategy, resilience, and obligations?
For large and complex FSOs, the best target state is usually a model that aligns with the Three Lines of Defense Model: a strong central ERM function under a Chief Risk Officer (CRO) or equivalent senior risk executive in the Second Line of Defense (2LOD), paired with clear First Line of Defense (1LOD) risk ownership in the business and specialist functional teams. The central ERM function should own the common framework, taxonomy, appetite architecture, risk programs, enterprise reporting, risk oversight, and independent view of risk. The business and functional areas should own the risks, controls, decisions, remediation, and day-to-day execution - see figure 1 below.
That model reflects a practical reality. Risk is created in the business, but risk insight needs to be aggregated across the enterprise.

Why ERM Exists
ERM did not emerge because organizations suddenly became fond of frameworks. It emerged because siloed risk management repeatedly failed to provide a complete view of risk.
Traditional risk disciplines such as credit risk, market risk, liquidity risk, insurance, operational risk, compliance, and internal control developed at different speeds and often with different methods, languages, and governance structures. Each discipline could be effective in its own domain, while still leaving the enterprise exposed to gaps, overlaps, correlations, and concentrations that were only visible at the enterprise-wide level.
This is the original problem ERM was designed to solve.
A business unit may understand its own operating risks. Treasury may understand liquidity risk. Compliance may understand regulatory obligations. Cybersecurity may understand vulnerabilities in the technology environment. Internal Audit may provide independent assurance over selected areas. But the enterprise still needs a way to connect these perspectives into a coherent view of risk.
That need becomes especially important when risks do not remain neatly inside their categories. In practice, major risk events usually cut across several domains at once. A technology outage may become an operational resilience matter, a customer harm matter, a regulatory matter, a reputational matter, and a strategic matter. A third-party failure may affect cyber, data, compliance, operations, financial performance, and customer trust. A poorly governed Artificial Intelligence (AI) use case may introduce model risk, conduct risk, data risk, privacy risk, legal risk, and reputational risk at the same time.
This is where ERM has a distinct value proposition. It is one of the few functions designed to look horizontally across risk categories, business lines, legal entities, geographies, and governance routines.
The Original Purpose Still Matters (and a Brief History)

The historical development of ERM can be viewed as a convergence of several streams - see Figure 2 above.
One stream came from portfolio thinking: the idea that risk should not be viewed only in isolation, but also through diversification, correlation, concentration, and aggregate exposure. Another came from internal control and governance reform, particularly the recognition that organizations needed clearer accountability, documentation, controls, and oversight. A third came from the growth of the CRO role and the need for senior executives who could provide an integrated view of risk. A fourth came from post-crisis supervisory expectations around risk appetite, risk culture, risk-data aggregation, and Board-level oversight.
Frameworks such as COSO ERM, ISO 31000, the Financial Stability Board’s (FSB’s) risk appetite principles, the Basel Committee’s risk-data aggregation principles, and the Institute of Internal Auditors’ (IIA’s) Three Lines Model all point toward a similar conclusion: risk management should be integrated, structured, accountable, and connected to strategy and decision-making. The FSB’s risk appetite principles, for example, emphasize the need for an effective risk appetite framework, risk appetite statement, risk limits, and clear roles for the Board and senior management. The IIA’s Three Lines Model similarly clarifies the respective roles of governing bodies, management, risk/compliance functions, and internal audit in supporting governance and risk management.
The original ERM purpose remains valid: organizations need a disciplined way to understand risk across the enterprise. What has changed is the scope of the “enterprise”.
Today, the enterprise risk profile is broader, more granular, and more dynamic than earlier ERM models were originally designed to capture. Risk taxonomies continue to expand, with increasingly detailed sub-categories and thematic risks emerging across business activities, technology, data, third parties, regulation, strategy, and operations.
This does not mean ERM should own every risk category. That would be neither practical nor consistent with clear risk ownership. The objective of ERM is to ensure that these risks sit within a common enterprise risk infrastructure: a shared taxonomy, consistent assessment methodology, defined appetite and escalation standards, connected governance routines, and reliable reporting mechanisms.
In other words, ERM’s role is not to become the owner of an ever-expanding risk universe. Its role is to connect that universe. It provides the architecture through which different risk categories can be understood consistently, aggregated meaningfully, challenged effectively, and reported coherently to senior management and the Board.
ERM as an Enterprise Risk Intelligence Capability
A modern ERM function should be designed as an enterprise risk intelligence capability, not as a documentation factory. This is an important distinction.
A documentation factory produces policies, templates, inventories, committee packs, meeting minutes, and dashboards. These artifacts matter. They provide structure, accountability, traceability, and evidence. However, artifacts are not the same as risk management.
A risk intelligence capability uses those artifacts to improve judgment. It helps the organization understand where risk is building, where assumptions may be weak, where controls are under pressure, where exposures are concentrated, and where management needs to act.
In that sense, ERM should help the organization do six things well:
Set a common language for risk.
This includes the risk taxonomy, risk category definitions, materiality standards, severity scales, escalation thresholds, and common methodology.
Establish the Enterprise Risk Management Framework (ERMF).
This includes the risk management lifecycle, the lines of defense model, governance expectations, risk culture expectations, policy architecture, and linkage to laws, rules, regulations, and supervisory expectations.
Run or oversee core enterprise risk programs.
This includes risk identification and assessment, risk appetite, risk governance, policy governance, scenario analysis, issue aggregation, escalation, risk acceptance, exception management, and enterprise reporting (see “The Core ERM Programs” further below).
Provide risk oversight, credible review, and effective challenge.
ERM should assess whether risk programs are being implemented consistently, whether management’s risk assessments are supportable, whether Issues and Risk Events are being escalated appropriately, and whether risk responses are proportionate to the underlying exposure. Effective challenge should be constructive, evidence-based, and focused on improving the quality of risk decisions.
Develop an independent view of risk.
ERM should not simply aggregate what the first line provides. It should scan the internal and external environments, challenge assumptions, identify blind spots, and form its own view of the enterprise risk profile.
Provide senior management and Board-level insight.
ERM should translate complex risk information into concise, decision-useful reporting that helps senior leaders understand what is changing, what matters, and what requires action.
This is where ERM moves from process to insight.
The Hybrid Operating Model
For most large and diversified FSOs, the strongest ERM model is neither fully centralized nor fully decentralized. It is hybrid.
In a fully centralized model, the central risk function may become too detached from where risk is actually created. It may over-standardize, over-document, and slow down business decision-making. In a fully decentralized model, business units and specialist functions may develop their own taxonomies, thresholds, dashboards, escalation practices, and definitions of materiality. This can create fragmentation and competing versions of the truth.
A hybrid model attempts to solve both problems.
The central ERM function owns the enterprise reference architecture. The business and functional areas own the risks, controls, and actions. Federated risk leads or embedded risk teams connect the two.
In practical terms, this means:
The Board approves risk appetite and receives a concise view of the enterprise risk profile.
The CRO or equivalent senior risk executive has direct access to the CEO, senior management, and the Board or Board Risk Committee.
ERM owns the common framework, taxonomy, appetite architecture, risk programs, and enterprise reporting.
The first line owns day-to-day risk decisions, control execution, issue remediation, and data quality.
Specialist risk domains such as cyber, model risk, third-party risk, data risk, and AI governance connect into the ERM framework through common taxonomy, issue management, risk appetite, scenario design, and reporting.
Internal Audit remains independent as the third line and provides assurance over governance, risk management, and controls.
This aligns with the Three Lines of Defense Model and preserves accountability while improving enterprise coherence.
ERM Is More Than a Horizontal Traffic Cop
One common misconception is that ERM is simply a thin horizontal layer that helps route questions across the risk organization.
Under this view, if a business has a compliance question, ERM points them to Compliance. If the question relates to operational risk, ERM points them to Operational Risk Management, and so on. That version of ERM is too limited.
ERM should not simply redirect risk questions across the organization. A mature ERM function helps design and maintain the enterprise risk infrastructure that allows risk management to operate coherently at scale.
That infrastructure includes the framework, policies, standards, taxonomy, risk and control libraries, issue inventories, risk appetite architecture, escalation protocols, data definitions, workflow tools, reporting logic, and governance routines that sit underneath the visible outputs of risk management. Dashboards are only the surface layer. The more important question is whether the underlying risk data, ownership model, taxonomies, inventories, and technology stack are clean, connected, and governed well enough to support reliable enterprise insight - and ultimately informed decision-making.
This is where many FSOs struggle. Significant resources may be spent on reporting, tooling, and visualizations, but the organization may still lack a consistent risk taxonomy, a trusted control inventory, clear data lineage, common definitions of materiality, reliable issue linkage, or integrated workflow across risk programs. In those cases, technology can make risk information look more sophisticated without making it more accurate, comparable, or decision-useful.
A modern ERM function should therefore focus not only on the design of frameworks and policies, but also on the enabling architecture beneath them. It should help ensure that risk categories, controls, issues, risk events, appetite metrics, scenarios, policies, third parties, models, and remediation actions can be connected through common data structures and governance standards. This does not require ERM to own every system or dataset. But it does require ERM to define the enterprise logic by which risk information is organized, interpreted, aggregated, challenged, and reported. This requires orchestration, but also judgment. ERM must be able to ask whether the organization’s risk infrastructure is producing a coherent view of risk or simply producing more activity.
That is a fundamentally different role than simple coordination. ERM is not just moving information across the organization. It is helping build the architecture that makes enterprise-wide risk information usable, comparable, and fit for senior management and Board decision-making.
The Risk Management Lifecycle
A well-designed ERM function should anchor the organization around a common risk management lifecycle. While specific programs may apply the lifecycle differently, the basic logic should be consistent across the enterprise.
A practical lifecycle includes:
Risk Identification.
Risk Measurement.
Risk Monitoring.
Risk Response.
Risk Reporting.
More detail (and examples) on the risk management life cycle here:
The lifecycle sounds simple, but it is difficult to execute well because each step often sits in a different process, system, team, or governance forum. Risk identification may be conducted through an annual assessment. Risk appetite may be maintained in a separate metric inventory. Issues may sit in a Governance, Risk, and Compliance (GRC) tool. Controls may be owned by the first line. Risk events may be captured through operational risk processes. Reporting may be produced by a central team that is several steps removed from the source data. When these components are not connected, the organization may have risk activity without risk intelligence.
This is the practical challenge ERM is meant to solve. The value is not in running each routine as a standalone process. The value is in connecting the routines so that risk information can move from identification, to assessment, to monitoring, to response, to escalation and reporting in a coherent way.
A modern ERM function should therefore ensure that risk routines are not just performed, but integrated. The question is not whether the organization has a risk assessment, a risk appetite statement, issue management, committees, and dashboards. The more important question is whether those components produce a clear, evidence-based view of the enterprise risk profile and support better decisions by senior management and the Board.
Developing an Independent View of Risk
One of the most important responsibilities of a 2LOD ERM function is developing an independent view of risk.
This does not mean ERM should ignore the first line. Quite the opposite. ERM should actively engage business leaders, product owners, control owners, technology teams, finance, legal, compliance, operations, and other subject matter experts. The first line often has the deepest understanding of how risks are created and managed in practice.
However, ERM should not rely only on what the 1LOD escalates. The 2LOD should be able to form its own view based on internal and external signals. This includes Risk Events, Issues, control testing, audit findings, complaints, regulatory developments, macroeconomic conditions, peer events, third-party incidents, cyber threats, business performance, strategic changes, and emerging technology trends.
The value of this independent view is threefold.
First, it improves review and challenge. ERM enters the conversation with a prepared perspective rather than simply reacting to information provided by the first line.
Second, it helps identify blind spots. Business units may understate risks because they are close to execution, focused on delivery, or unaware of enterprise-level concentrations.
Third, it strengthens enterprise aggregation. ERM can compare bottom-up information from the first line against top-down risk sensing and ask whether anything is missing, understated, duplicated, or misclassified.
This is where ERM’s horizontal view becomes especially valuable. A risk that appears manageable in one business unit may become material when aggregated across several businesses, legal entities, vendors, systems, or products.
Risk Appetite as a Decision Tool
Risk appetite is one of the most important ERM programs because it connects risk-taking to strategy.
Too often, risk appetite is treated as an annual document approved by the Board and then revisited only for reporting purposes. That approach weakens its value.
A mature risk appetite framework should help the organization make decisions. It should define how much risk the organization is willing to accept in pursuit of its objectives, how that appetite is translated into measures and thresholds, and what happens when the organization approaches or breaches those thresholds.
The FSB’s principles for an effective risk appetite framework emphasize the role of the Board and senior management in establishing, communicating, and monitoring risk appetite, as well as the importance of risk thresholds and clear responsibilities. In practice, this means risk appetite should be linked to business strategy, capital, liquidity, and other material dimensions of the enterprise risk profile.
A useful risk appetite program should answer:
What risks are we willing to take?
What risks are we not willing to take?
What are the quantitative and qualitative boundaries?
Which indicators tell us that risk is increasing?
What escalation is required when thresholds are breached?
What management actions are expected?
How does risk appetite influence business planning, product decisions, investments, and strategic choices?
Risk appetite should not sit apart from management decision-making. It should be embedded into it.
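The threshold-and-escalation logic the questions above describe can be made concrete. The following is an added example, not code from the article or from any particular FSO’s appetite framework: each key risk indicator (KRI) carries an early-warning (amber) threshold and an appetite limit (red), plus a direction flag, because some metrics are worse when high (open critical issues) and others worse when low (a liquidity ratio). It also flags a metric that is still inside appetite but has moved toward its threshold on three consecutive readings, so the owner is asked to explain the trend before a breach. The metric names, thresholds, readings and escalation routes are all constructed for the illustration.

```python
"""Risk appetite threshold monitoring: an added illustration, not code from the
article or any FSO's framework. Metric names, thresholds, readings and the
escalation routes are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

SEVERITY_ORDER = ["GREEN", "WATCH", "AMBER", "RED"]

# Escalation route per status; an assumed example, not a regulatory standard.
ESCALATION = {
    "GREEN": "none; routine monitoring",
    "WATCH": "owner explains the trend at the next risk committee",
    "AMBER": "escalate to CRO; owner submits an action plan",
    "RED": "escalate to Board Risk Committee; breach record and remediation plan",
}


@dataclass
class AppetiteMetric:
    name: str
    higher_is_worse: bool
    amber: float                 # early-warning threshold
    red: float                   # appetite limit
    history: List[float] = field(default_factory=list)  # oldest -> newest

    def _at_or_beyond(self, value: float, threshold: float) -> bool:
        """True when value is on the wrong side of (or exactly at) threshold."""
        return value >= threshold if self.higher_is_worse else value <= threshold

    def _trending_worse(self, readings: int = 3) -> bool:
        """True when each of the last `readings` observations moved toward the limit."""
        if len(self.history) < readings:
            return False
        recent = self.history[-readings:]
        return all(
            (b > a) if self.higher_is_worse else (b < a)
            for a, b in zip(recent, recent[1:])
        )

    def status(self) -> str:
        latest = self.history[-1]
        if self._at_or_beyond(latest, self.red):
            return "RED"
        if self._at_or_beyond(latest, self.amber):
            return "AMBER"
        if self._trending_worse():
            return "WATCH"
        return "GREEN"


def evaluate(metrics: List[AppetiteMetric]) -> Dict[str, Dict[str, str]]:
    """Map each metric to its status and the escalation that status requires."""
    result = {}
    for m in metrics:
        if not m.history:
            raise ValueError(f"{m.name}: no readings")
        s = m.status()
        result[m.name] = {"status": s, "escalation": ESCALATION[s]}
    return result


def needs_attention(metrics: List[AppetiteMetric]) -> List[str]:
    """Names of metrics that are not GREEN, worst first."""
    scored = [(SEVERITY_ORDER.index(m.status()), m.name)
              for m in metrics if m.status() != "GREEN"]
    return [name for _, name in sorted(scored, key=lambda t: (-t[0], t[1]))]


# Constructed sample readings (four quarters, oldest first).
SAMPLE_METRICS = [
    AppetiteMetric("critical_issues_open_over_90_days", True, amber=5, red=10,
                   history=[1, 2, 3, 4]),
    AppetiteMetric("liquidity_coverage_ratio_pct", False, amber=115, red=105,
                   history=[130, 128, 125, 112]),
    AppetiteMetric("unplanned_outage_hours_quarter", True, amber=8, red=16,
                   history=[3, 2, 4, 20]),
    AppetiteMetric("third_parties_without_current_assessment", True, amber=10, red=20,
                   history=[4, 3, 5, 4]),
]

if __name__ == "__main__":
    for name, r in evaluate(SAMPLE_METRICS).items():
        print(f"{name:42s} {r['status']:6s} {r['escalation']}")
    print("Needs attention:", needs_attention(SAMPLE_METRICS))
```

With the constructed readings, the outage metric breaches its limit (RED), the liquidity ratio has crossed its early-warning level (AMBER), and the open-issues count is still within appetite but rising on three consecutive readings (WATCH). The WATCH state is the point of the example: an appetite framework that only reacts to breaches gives management no lead time.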
The Core ERM Programs
The exact scope of ERM will vary by organization. Larger and more complex FSOs will usually require more formal programs, more specialized teams, and more detailed governance. Smaller institutions may apply the same principles in a more streamlined way.
However, most mature ERM functions will have responsibility for, or strong connectivity to, several core programs - see figure 3 below:
Not all of these programs need to sit entirely within ERM. In many organizations, several will be owned by specialist risk functions. The important point is that ERM should ensure they connect into a coherent enterprise risk architecture.
The Importance of Risk Data and Technology
Modern ERM cannot operate effectively without credible infrastructure and data.
The Basel Committee’s principles for effective risk data aggregation and risk reporting were developed to strengthen FSOs’ ability to aggregate risk data and produce complete, accurate, timely, consistent, and insightful risk reports. This remains highly relevant. Weak data aggregation is one of the recurring reasons risk management functions struggle to provide a reliable enterprise view.
An ERM function does not need an exotic technology stack. But it does need connected infrastructure.
At a minimum, a modern ERM technology environment should include:
A canonical risk taxonomy.
A process, risk, and control inventory.
A risk appetite and threshold library.
Issue tracking.
Risk Event capture.
A policy document repository.
Model (including AI) inventory.
Key performance and risk indicators (KPIs and KRIs).
Data lineage and reference data.
Governance workflows.
Dashboards with drill-down evidence.
Audit trails for key decisions, approvals, and changes.
Most Governance, Risk, and Compliance (GRC) tools include these or similar modules.
The differentiator is not the number of tools or modules. It is whether these connect to provide comprehensive coverage that is accurate and actionable. If different risk programs use disparate systems and tools with siloed repositories, the organization will struggle to understand risk in a timely way. AI may accelerate some tasks, but it will not fix fragmentation. In fact, without strong data architecture and governance, AI may simply produce faster inconsistency.
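Two earlier points, that a risk which looks manageable inside one business unit can be material once aggregated across businesses and vendors, and that Issues, Risk Events and third parties need to be linked through a common taxonomy before aggregation is trustworthy, can be shown in a small data model. The following is an added example, not code from the article or from any GRC product. It assumes a canonical taxonomy held as code-to-parent pairs, and risk records that carry a taxonomy code, a business unit and an optional third party. Exposure rolls up the taxonomy hierarchy, records whose codes are outside the taxonomy are surfaced as data-quality failures rather than silently dropped, and third-party exposure is checked for concentrations that only cross the materiality threshold once the business units are summed. The taxonomy, record values and threshold are constructed.

```python
"""Enterprise aggregation over a canonical taxonomy: an added illustration, not
code from the article or any GRC tool. Taxonomy, records and the materiality
threshold are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Canonical taxonomy: code -> (name, parent code). Assumed structure.
TAXONOMY: Dict[str, Tuple[str, Optional[str]]] = {
    "OP": ("Operational Risk", None),
    "OP.TECH": ("Technology Risk", "OP"),
    "OP.TECH.CYBER": ("Cyber Risk", "OP.TECH"),
    "OP.TECH.RESIL": ("Operational Resilience", "OP.TECH"),
    "OP.TPRM": ("Third-Party Risk", "OP"),
    "COMP": ("Compliance Risk", None),
}


@dataclass(frozen=True)
class RiskRecord:
    record_id: str
    kind: str                  # "issue" or "risk_event"
    taxonomy_code: str
    business_unit: str
    third_party: Optional[str]
    exposure_usd: float        # assumed estimate of financial exposure


def invalid_taxonomy(records: List[RiskRecord]) -> List[str]:
    """IDs of records whose taxonomy code is not in the canonical taxonomy."""
    return [r.record_id for r in records if r.taxonomy_code not in TAXONOMY]


def lineage(code: Optional[str]) -> Iterator[str]:
    """Yield the code and each ancestor up to the root."""
    while code is not None:
        yield code
        code = TAXONOMY[code][1]


def rollup_by_taxonomy(records: List[RiskRecord]) -> Dict[str, float]:
    """Sum exposure at each taxonomy node, including everything beneath it."""
    totals: Dict[str, float] = defaultdict(float)
    for r in records:
        if r.taxonomy_code not in TAXONOMY:
            continue  # reported separately by invalid_taxonomy(), never summed
        for node in lineage(r.taxonomy_code):
            totals[node] += r.exposure_usd
    return dict(totals)


def hidden_third_party_concentrations(records: List[RiskRecord],
                                      materiality_usd: float) -> Dict[str, float]:
    """Third parties whose enterprise-wide exposure meets materiality although no
    single business unit's share does: invisible in any one BU's own reporting."""
    by_vendor_bu: Dict[str, Dict[str, float]] = defaultdict(lambda: defaultdict(float))
    for r in records:
        if r.third_party:
            by_vendor_bu[r.third_party][r.business_unit] += r.exposure_usd
    hidden = {}
    for vendor, per_bu in by_vendor_bu.items():
        total = sum(per_bu.values())
        if total >= materiality_usd and max(per_bu.values()) < materiality_usd:
            hidden[vendor] = total
    return hidden


# Constructed sample records; I-006 carries a mistyped taxonomy code on purpose.
SAMPLE_RECORDS = [
    RiskRecord("I-001", "issue", "OP.TECH.CYBER", "Retail", "VendorX", 300_000),
    RiskRecord("I-002", "issue", "OP.TECH.CYBER", "Wealth", "VendorX", 350_000),
    RiskRecord("E-003", "risk_event", "OP.TECH.CYBER", "Cards", "VendorX", 400_000),
    RiskRecord("E-004", "risk_event", "OP.TECH.RESIL", "Retail", None, 100_000),
    RiskRecord("I-005", "issue", "OP.TPRM", "Retail", "VendorY", 1_200_000),
    RiskRecord("I-006", "issue", "OP.TECH.CYBR", "Cards", None, 50_000),
    RiskRecord("I-007", "issue", "COMP", "Wealth", None, 200_000),
]
MATERIALITY_USD = 1_000_000

if __name__ == "__main__":
    print("Unmapped records:", invalid_taxonomy(SAMPLE_RECORDS))
    for code, total in sorted(rollup_by_taxonomy(SAMPLE_RECORDS).items()):
        print(f"{code:15s} {TAXONOMY[code][0]:24s} {total:>12,.0f}")
    print("Hidden concentrations:",
          hidden_third_party_concentrations(SAMPLE_RECORDS, MATERIALITY_USD))
```

In the sample, VendorX is below materiality in each of Retail, Wealth and Cards but above it at enterprise level, which is exactly the concentration a siloed dashboard would miss; VendorY is material in one business unit alone and so already visible there. The mistyped code on I-006 is reported rather than dropped, because an aggregation that quietly excludes unmapped records understates exposure without anyone noticing.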
This is especially important as cyber, data, third-party, and AI risks become more deeply embedded in business processes. NIST’s Cybersecurity Framework 2.0 explicitly places cybersecurity governance within the broader context of enterprise risk management, including organizational context, roles and responsibilities, policy, oversight, and supply chain risk management. The Securities and Exchange Commission also requires public companies to disclose material information about cybersecurity risk management, strategy, governance, and incidents, including Board oversight and management’s role in assessing and managing material cybersecurity risks.
This reinforces a broader point: modern ERM needs to connect traditional risk governance with digital, technology, and resilience risks.
Skills Needed in a Modern ERM Function
The skillset required for ERM is changing. Historically, many ERM functions relied heavily on policy knowledge, governance routines, committee management, risk assessment facilitation, and reporting. These skills remain important. However, they are no longer sufficient on their own.
A modern ERM team needs a broader and more technical skillset.
First, ERM professionals need strong business understanding. Because ERM looks across the enterprise, its staff need to understand the FSO’s strategy, products, customers, revenue model, operating environment, legal entity structure, and risk profile. Without business understanding, review and challenge becomes generic.
Second, ERM teams need digital fluency. This includes familiarity with AI, data analytics, cybersecurity, Information Technology (IT) risk, third-party risk, data governance, model risk, and operational resilience. ERM professionals do not all need to be deep technical specialists, but they need enough literacy to ask better questions and connect risk themes across the enterprise.
Third, ERM staff need to understand how risk programs generate intelligence. Risk identification, risk assessment, issue management, risk appetite, scenario analysis, and reporting should not be treated as separate administrative routines. They should be viewed as connected sources of risk insight.
Fourth, ERM requires strong stakeholder management. The function often defines requirements that the first line must implement and then challenges how those requirements are applied. This requires judgment, diplomacy, credibility, and executive presence. Effective review and challenge is not about being adversarial. It is about improving decision quality.
Finally, ERM needs intellectual capital. The function should be able to produce points of view, advisory perspectives, risk intelligence, and practical guidance. This requires curiosity, analytical judgment, and the ability to connect disparate signals into a coherent story.
In short, the modern ERM professional needs to be part risk practitioner, part strategist, part analyst, part facilitator, and part advisor.
Agility, Judgment, and Proportionate Oversight
The risk landscape is becoming more dynamic, more interconnected, and less uniform. Regulatory expectations differ across jurisdictions. Supervisory emphasis can shift over time. Technology is changing faster than governance routines. Business models are becoming more dependent on third parties, data, platforms, automation, and AI.
In that environment, ERM functions cannot rely only on fixed quarterly or annual routines. They need agility.
A modern ERM function should be able to scale oversight up or down based on where pressure is building across the enterprise risk profile. Some risks may require deeper scrutiny because their velocity, complexity, or strategic impact is increasing. Other areas may require less intensity because controls, governance, and outcomes are stable.
The objective is not to cover every risk with equal weight. That is not risk management. That is process uniformity. The objective is to exercise sound judgment about which risks require sharper attention, stronger governance, further escalation, or more senior-level discussion.
This places a premium on:
Risk sensing.
External scanning.
Scenario thinking.
Data quality.
Effective review and challenge.
Enterprise aggregation.
Clear escalation thresholds.
Disciplined prioritization.
Board-quality reporting.
ERM’s value increasingly depends on its ability to identify material risk themes early, test management assumptions, connect signals across the enterprise, and mobilize proportionate oversight before risks crystallize into larger exposures or, worse, Risk Events.
A Word on Degree of Maturity
Not every FSO needs the same ERM model. A Global Systemically Important Bank (G-SIB) will require a more formal, specialized, and heavily governed ERM function than a smaller FSO, fintech, asset manager, or trust bank. Size, complexity, regulatory status, business model, geographic reach, product mix, legal entity structure, and risk profile all matter.
The goal is not to copy the structure of a large bank into every organization. The goal is to apply the principles in a way that fits the institution.
For a smaller or less complex FSO, the ERM function may be leaner. Certain responsibilities may be combined. Some risk routines may be less formal. The Board reporting pack may be simpler. The taxonomy may be shorter. The risk appetite framework may have fewer metrics. However, the core questions still apply:
Is there a common language for risk?
Is risk ownership clear?
Is the Board receiving a coherent view of the risk profile?
Are material and emerging risks identified and monitored?
Is risk appetite connected to decision-making?
Are Issues identified and gaps remediated appropriately?
A smaller organization can operate with a lighter framework. It should not operate with no framework.
Conclusion
A modern ERM function should be smaller in clerical activity, stronger in risk intelligence and insight, and broader in connective tissue.
Its role is not to own every risk. Its role is to create the enterprise architecture through which risks can be understood, challenged, aggregated, escalated, and governed.
That architecture includes the framework, taxonomy, risk appetite, governance routines, reporting, data infrastructure, and an independent 2LOD view of risk. It also includes the judgment to know where to focus, when to challenge, and how to connect signals that may appear separate when viewed from within individual silos. ERM is most valuable when it helps the organization see the whole picture.
In financial services, that enterprise view is not optional. It is central to resilience, accountability, and sound decision-making. A strong ERM function helps senior management and the Board understand not only what risks exist, but how those risks interact, where they are moving, and what choices the organization needs to make in response. That is the real purpose of modern ERM.