AcadiFi
RiskMgmt_Jess · 2026-04-06
FRM Part I: Foundations of Risk Management

What are the core components of an Enterprise Risk Management (ERM) framework, and how does it differ from siloed risk management?

I'm starting the Foundations of Risk Management section for FRM Part I. The material keeps emphasizing 'enterprise-wide' risk management over traditional siloed approaches. But I'm not clear on what ERM actually looks like in practice at a real bank. What are the key building blocks, and why did the industry shift toward ERM after the financial crisis?

112 upvotes

AcadiFi Team (Verified Expert, AcadiFi Certified Professional)

This is a foundational topic that sets the stage for everything else in the FRM curriculum. Let me break down ERM both conceptually and practically.

Why ERM Replaced Siloed Risk Management

Before the 2008 crisis, many financial institutions managed risks in silos — the credit team tracked credit exposure, the market risk desk ran VaR models, and operational risk was handled by compliance. The problem? Interconnected risks fell through the cracks.

Consider Pinnacle Financial Group, a hypothetical mid-size bank. Their mortgage trading desk had massive subprime exposure (credit risk), which was hedged with CDS from a single counterparty (counterparty risk), funded with overnight repo (liquidity risk). Each silo showed green — but the aggregate exposure was catastrophic. ERM exists to prevent exactly this kind of blind spot.

Core Components of an ERM Framework:

1. Risk Governance Structure

  • A dedicated Chief Risk Officer (CRO) who reports directly to the board, independent from business lines.
  • A Board Risk Committee that sets the institution's risk appetite and reviews risk exposures at least quarterly.
  • Clear three lines of defense: (i) business units own their risks, (ii) risk management provides oversight and frameworks, (iii) internal audit provides independent assurance.

2. Risk Appetite Statement

  • A formal document that defines how much risk the firm is willing to take in pursuit of its strategic objectives.
  • Expressed in both qualitative terms ("We will not take concentrated single-name credit positions exceeding 5% of Tier 1 capital") and quantitative limits.

3. Risk Identification and Assessment

  • A comprehensive risk taxonomy covering market, credit, operational, liquidity, strategic, and reputational risks.
  • Regular risk assessment workshops and scenario analysis that cut across silos.

4. Risk Measurement and Aggregation

  • Consistent metrics across risk types — economic capital models that aggregate credit VaR, market VaR, and operational risk capital into a single firm-wide measure.
  • Correlation and diversification effects between risk types are explicitly modeled.

5. Risk Monitoring and Reporting

  • Real-time dashboards that show enterprise-wide exposure against limits.
  • Escalation protocols when limits are breached.

6. Risk Culture

  • Compensation structures aligned with risk-adjusted performance (not just revenue).
  • A culture where risk managers can challenge traders without retaliation.

ERM vs. Siloed Approach:

Dimension            | Siloed                                | ERM
Reporting            | Each risk type to its own head        | Integrated reporting to CRO and board
Aggregation          | None — risks measured independently   | Firm-wide economic capital
Correlations         | Ignored                               | Explicitly modeled
Strategic alignment  | Risk limits set by traders            | Risk appetite set by board

Exam Tip: GARP frequently tests whether you can identify weaknesses in a governance structure — e.g., a CRO who reports to the CFO instead of the board, or risk limits set by business heads rather than independent risk management.

For a structured walkthrough of the entire Foundations module, check out AcadiFi's FRM Part I course — we cover governance, ERM, and risk culture with exam-style case studies.
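A worked illustration of component 4 (aggregation) and the Pinnacle blind spot, added here as example code that is not from the original answer or from AcadiFi: each silo checks its own number against its own limit, then the same numbers are aggregated with an assumed correlation matrix and checked against a firm-wide appetite limit, once under normal correlations and once under a stressed scenario. The capital figures, silo limits, firm-wide limit and correlations are constructed values, and the aggregation uses the standard variance-covariance combination of stand-alone figures, which the post does not prescribe.

```python
from math import sqrt

# Constructed sample figures (in $m), not from the original post: each silo's
# stand-alone capital number and the limit that silo monitors itself against.
STANDALONE = {"credit": 120.0, "market": 80.0, "operational": 40.0}
SILO_LIMITS = {"credit": 150.0, "market": 100.0, "operational": 50.0}
# Assumed firm-wide economic capital limit from the risk appetite statement.
FIRM_WIDE_LIMIT = 180.0

# Assumed inter-risk correlations for normal conditions, and a stressed scenario
# in which the risk types move together (hypothetical values for illustration).
NORMAL_CORR = {("credit", "market"): 0.6, ("credit", "operational"): 0.2,
               ("market", "operational"): 0.2}
STRESSED_CORR = {pair: 1.0 for pair in NORMAL_CORR}


def rho(corr, a, b):
    """Symmetric correlation lookup; a risk type is fully correlated with itself."""
    if a == b:
        return 1.0
    return corr.get((a, b), corr.get((b, a)))


def siloed_view(standalone, limits):
    """Each silo checks only its own number: True means that silo shows green."""
    return {risk: standalone[risk] <= limits[risk] for risk in standalone}


def aggregate_capital(standalone, corr):
    """Variance-covariance aggregation: sqrt(sum_i sum_j v_i * v_j * rho_ij).

    With every correlation at 1.0 this collapses to the simple sum; lower
    correlations yield a diversification benefit below that sum."""
    risks = list(standalone)
    total = 0.0
    for a in risks:
        for b in risks:
            total += standalone[a] * standalone[b] * rho(corr, a, b)
    return sqrt(total)


def erm_view(standalone, corr, firm_limit):
    """Firm-wide check: aggregate across risk types, then compare to appetite."""
    agg = aggregate_capital(standalone, corr)
    return {"aggregate": agg,
            "diversification_benefit": sum(standalone.values()) - agg,
            "breach": agg > firm_limit}


if __name__ == "__main__":
    print("siloed:", siloed_view(STANDALONE, SILO_LIMITS))
    for name, corr in (("normal", NORMAL_CORR), ("stressed", STRESSED_CORR)):
        print(name, erm_view(STANDALONE, corr, FIRM_WIDE_LIMIT))
```

With these inputs every silo reports green while the aggregated figure already exceeds the firm-wide limit, and under the stressed correlations the diversification benefit disappears entirely.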


#enterprise-risk-management #risk-governance #three-lines-of-defense #risk-appetite #cro-reporting