Resource guide · Transformation and Risk
Enterprise Risk Management in Banking
An overview of ERM frameworks, models, and control environments as they apply to financial services organisations. Covers the regulatory context, governance structures, risk identification, and practical implementation.
Introduction
Risk management is not a compliance exercise that sits alongside banking. It is the central discipline of banking. Every loan a bank makes, every market position it holds, every system it runs, every product it sells carries risk. The question is never whether to accept risk, but how to understand it, price it correctly, and manage it within boundaries the organisation can sustain.
Enterprise Risk Management is the framework through which banks approach that challenge holistically. Rather than managing credit risk in one team, operational risk in another, and market risk somewhere else, ERM brings these disciplines together under a unified framework — one that allows risk to be viewed across the whole organisation, connected to strategy, and governed from the top.
This guide explains what ERM is, why it matters, how it is structured, what the main regulatory frameworks require, and what good implementation looks like in practice. It is written for risk professionals, senior managers, board members, and anyone who needs to understand how enterprise risk management actually works inside a regulated institution.
The regulatory context is international in scope, with reference to the Basel Accords as the primary global framework. Implementation timelines and specific requirements vary by jurisdiction and are currently in transition across many markets. The guide reflects the position as of May 2026.
What enterprise risk management is
The shift from siloed to integrated risk management
For most of banking history, risk was managed in functional silos. Credit teams assessed lending risk. Treasury managed market and liquidity risk. Operations teams handled process failures. Compliance managed regulatory risk. Each function had its own tools, its own reporting, and its own view of the world.
The problem with this approach became clear in the 2008 financial crisis. Risks that looked manageable in isolation turned out to be deeply interconnected. Mortgage credit risk became market risk. Market risk became liquidity risk. Liquidity risk became systemic risk. Institutions that believed they had adequate controls in each silo found that the silos themselves were the problem.
ERM emerged from that experience as a deliberate response. It does not replace functional risk management — credit teams still manage credit risk, and market risk teams still manage market risk. What ERM does is connect those functions within a common framework, give the board and senior management a consolidated view of risk across the organisation, and ensure that risk appetite is set and monitored at the enterprise level.
A working definition
ERM in banking can be defined as an integrated, organisation-wide approach to identifying, assessing, managing, monitoring, and reporting on the risks that could affect the achievement of the organisation's objectives.
Three elements of that definition are worth emphasising.
Integrated means that risks are not assessed in isolation from each other or from the organisation's strategy. A bank's credit risk profile is connected to its funding strategy. Its operational risk profile is connected to its technology investment decisions. Its reputational risk is connected to how it manages financial crime. ERM requires those connections to be visible and managed.
Organisation-wide means that ERM covers all material risks, across all business lines, all geographies, and all functions. It cannot be confined to the risk department.
Objectives means that risk management is connected to what the organisation is trying to achieve. Risk is not managed for its own sake. It is managed so the organisation can pursue its strategy, serve its customers, and meet its obligations — including to shareholders, regulators, and the broader financial system.
The core risk categories in banking
Banks face a wide range of risks, but they are typically grouped into several core categories that form the basis of any ERM framework.
Credit risk
The risk that a borrower or counterparty will fail to meet their obligations. This is the most fundamental risk in banking and the one that historically has caused the largest losses. Credit risk includes lending risk, counterparty risk in derivatives and capital markets activities, and concentration risk where exposures are too heavily weighted towards particular sectors, geographies, or counterparties.
Market risk
The risk of losses arising from movements in market prices, including interest rates, exchange rates, equity prices, and commodity prices. Market risk is most significant for banks with trading books, but it affects all banks through interest rate risk in the banking book, which arises from the mismatch between the repricing of assets and liabilities.
Liquidity risk
The risk that a bank cannot meet its financial obligations as they fall due without incurring unacceptable losses. Liquidity risk has two dimensions: funding liquidity risk, which is the risk of being unable to raise funds to meet obligations, and market liquidity risk, which is the risk of being unable to sell assets without significantly moving their price. The 2008 crisis demonstrated how quickly liquidity risk can become existential.
Operational risk
The risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. This is a broad category that includes technology failures, fraud, human error, process breakdowns, cyber incidents, and external events such as natural disasters. The Basel framework defines operational risk to include legal risk but excludes strategic and reputational risk.
Compliance and regulatory risk
The risk of financial loss, regulatory sanction, or reputational damage arising from failure to comply with laws, regulations, rules, and standards. In banking this covers a vast range of obligations, from capital adequacy and conduct of business rules to anti-money laundering requirements and consumer protection obligations.
Strategic risk
The risk that the bank's business strategy proves incorrect, or that the organisation fails to execute its strategy effectively. Strategic risk includes the risk of entering new markets or products that prove unprofitable, the risk of technological disruption, and the risk of making acquisitions that destroy rather than create value.
Reputational risk
The risk of damage to the bank's standing with customers, investors, regulators, and the public. Reputational risk is often a consequence of other risks — a large fraud, a significant operational failure, or a regulatory sanction can all damage reputation — but it can also arise independently from how the bank is perceived to behave.
Climate and environmental risk
An increasingly significant category, climate risk encompasses both physical risk (the risk of losses from extreme weather events and longer-term environmental changes) and transition risk (the risk of losses arising from the move to a lower-carbon economy, including stranded assets and regulatory change). Regulators globally are increasingly incorporating climate risk into their supervisory frameworks.
The regulatory framework
Banking is one of the most heavily regulated industries in the world. The regulatory framework shapes almost every aspect of how banks approach risk management, from how much capital they must hold to how they must govern their risk-taking activities.
The Basel Accords
The Basel Accords are the international banking standards produced by the Basel Committee on Banking Supervision (BCBS), hosted at the Bank for International Settlements in Basel, Switzerland. They set the global baseline for how banks must manage and capitalise their risks, and they underpin domestic banking regulation across the world's major financial markets.
Implementation timelines vary significantly by jurisdiction. The EU implemented the core framework from January 2025, with market risk elements deferred to January 2026. The UK has confirmed implementation from 1 January 2027, with the FRTB internal model approach deferred to 1 January 2028, and final rules published by the PRA in PS1/26 in January 2026. In the US, the Basel III Endgame proposals remain in development. These divergent timelines and approaches create genuine complexity for internationally active banks.
Framework in transition
The Basel framework is in active transition. Banks should monitor regulatory developments in their specific jurisdictions closely, as implementation timelines and specific requirements continue to evolve. The PRA has confirmed it does not intend further delays from 1 January 2027 in the UK.
Other key regulatory requirements
Stress testing
Regulators across major jurisdictions require banks to conduct regular stress tests, assessing their resilience under adverse scenarios. Stress tests serve two purposes: they give supervisors a view of how the banking system as a whole would fare under severe but plausible shocks, and they require banks to understand their own vulnerabilities. The results of regulatory stress tests have become an important driver of capital planning decisions.
Recovery and resolution planning
Post-2008, regulators introduced requirements for banks to maintain credible plans for recovering from serious financial stress (recovery plans) and for how they could be resolved if they failed without requiring a taxpayer bailout (resolution plans). These requirements have had a significant impact on how large banks structure themselves and their risk management frameworks.
Operational resilience
Regulators, particularly in the UK and EU, have developed specific frameworks for operational resilience, requiring banks to identify their most important business services, set impact tolerances for disruption to those services, and demonstrate that they can remain within those tolerances even under severe operational stress. This goes beyond traditional business continuity planning and has driven significant investment in technology resilience and third-party risk management.
Climate risk
Central banks and prudential regulators globally are increasingly incorporating climate risk into their supervisory frameworks. Banks are being required to assess their exposures to physical and transition climate risks, incorporate climate scenarios into their stress testing, and disclose their climate risk exposures. The pace and approach vary by jurisdiction, but the direction of travel is consistent.
ERM frameworks
A risk management framework provides the structure within which all risk management activity takes place. It defines the principles, the governance, the processes, and the responsibilities that together constitute the organisation's approach to risk. Several well-established frameworks exist, and most banks draw on more than one.
COSO
The Committee of Sponsoring Organisations of the Treadway Commission has produced two widely used frameworks: the Internal Controls Integrated Framework and the Enterprise Risk Management Integrated Framework.
The COSO ERM framework identifies five interrelated components that must work together for effective enterprise risk management: governance and culture; strategy and objective-setting; performance; review and revision; and information, communication, and reporting. The framework is built on 20 principles covering areas including board risk oversight, defining risk appetite, identifying risks across the organisation, assessing the severity of risks, selecting risk responses, and developing a portfolio view of risk.
COSO is widely used as a reference framework in financial services, though it is comprehensive and demanding to implement in full. Many organisations use it as a reference point rather than a strict implementation guide, adapting its principles to their own context and size.
ISO 31000
ISO 31000 is the international standard for risk management, produced by the International Organization for Standardization. It provides principles and guidelines for risk management that apply across any organisation and any type of risk.
ISO 31000 defines risk management as a set of coordinated activities to direct and control an organisation with regard to risk. It emphasises that effective risk management is integrated into all organisational activities, is structured, comprehensive, and customised, and is based on the best available information.
The standard provides a framework and a process, but it is deliberately non-prescriptive about how those should be implemented. This makes it flexible and applicable across very different types of organisation, but it also means that two organisations that both claim to follow ISO 31000 may have quite different approaches in practice.
The Three Lines Model
The Three Lines Model is not a full ERM framework but rather a governance model that describes how risk management responsibilities should be distributed across an organisation. It is widely used in banking and is referenced in regulatory guidance.
First line: business management
The first line comprises the business units and functions that own and create risk. They are responsible for identifying, assessing, and managing the risks within their area of activity, and for implementing the controls designed to keep those risks within agreed limits. First-line ownership of risk is a foundational principle: the people best placed to manage a risk are usually the people closest to the activity that creates it.
Second line: risk and compliance functions
The second line provides the frameworks, policies, tools, and oversight that support first-line risk management. This includes the risk management function, the compliance function, and specialist functions such as financial crime, model risk, and information security. The second line sets the standards and monitors whether the first line is operating within them. Critically, the second line does not own the risks — it supports and oversees those who do.
Third line: internal audit
The third line provides independent assurance that the first and second lines are functioning as intended. Internal audit reports directly to the board or audit committee, giving the board confidence that the risk management framework is effective. The independence of internal audit from management is essential to its value. An audit function that reports into the business it is auditing cannot provide genuine assurance.
External assurance
Beyond the three lines, external auditors and regulators provide additional layers of assurance. External audit provides assurance on financial reporting. Regulators assess whether the bank is meeting its prudential and conduct obligations. These external checks are an important complement to the internal framework.
Risk appetite
One of the most important concepts in ERM, and one of the most commonly misunderstood in practice, is risk appetite. Risk appetite is the amount and type of risk an organisation is willing to accept in pursuit of its objectives.
A well-developed risk appetite framework does several things. It defines the types of risk the organisation is willing to accept and those it is not. It sets quantitative limits for key risk categories, such as maximum credit loss scenarios, maximum market risk exposures, or maximum operational loss events. And it connects those limits to the organisation's strategy and capital position.
Risk appetite statements that consist of vague aspirations — "we have a moderate appetite for risk" — are not useful. The test of a good risk appetite framework is whether it actually constrains decisions. When a new business proposal is rejected because it exceeds the credit risk appetite, or a trading strategy is modified because it approaches market risk limits, the framework is doing its job.
The board is responsible for setting risk appetite. Management is responsible for operating within it. The risk function is responsible for monitoring whether the organisation is doing so, and for escalating promptly when limits are approached or breached.
Risk identification and assessment
Knowing what risks you face is the starting point for managing them. This sounds straightforward, but in practice risk identification is one of the most challenging elements of ERM. Risks that are well understood and easily quantified are generally well managed. The risks that cause the most damage are usually those that were not adequately anticipated.
Risk identification approaches
Banks use a range of techniques to identify risks, and effective ERM draws on multiple sources rather than relying on any single method.
Historical analysis
Reviewing past losses, near misses, market disruptions, and industry incidents provides a grounding in what has actually gone wrong. Historical data is most useful for risks that occur with some frequency, such as credit defaults or operational incidents. It is less useful for tail risks and novel threats that have not yet materialised.
Scenario analysis
Scenario analysis involves constructing plausible adverse scenarios and assessing their potential impact. This is particularly valuable for low-frequency, high-impact risks where historical data is sparse. Regulatory stress tests are a form of mandated scenario analysis, but effective ERM uses internal scenario analysis that reflects the organisation's specific risk profile, not just the standardised scenarios regulators require.
Forward-looking risk assessment
Monitoring the external environment for emerging threats is an important complement to historical analysis. This includes tracking macroeconomic trends, geopolitical developments, regulatory changes, technological developments, and competitive dynamics. Climate risk is a prominent current example of a risk category where forward-looking assessment is essential because the most significant impacts lie in the future.
Business and process reviews
Understanding the risks embedded in specific products, processes, and business models requires direct engagement with the people who run them. Risk identification workshops, process walkthroughs, and new product approval processes are all mechanisms for surfacing risks that might not appear in historical data or external analysis.
Risk assessment
Once risks are identified, they need to be assessed. The standard approach involves assessing two dimensions: likelihood (how probable is the risk?) and impact (how severe would the consequences be?). Multiplying these dimensions gives a rough sense of priority, though in practice the relationship is more complex than a simple multiplication.
For quantifiable risks, banks use statistical models and historical data to estimate probability and impact. Value at Risk is a widely used market risk measure that estimates the maximum loss that might be expected over a given time horizon at a given confidence level. Credit risk models estimate default probabilities and loss given default for lending portfolios.
These quantitative tools are valuable but have important limitations. They tend to perform well in normal market conditions and less well in the tail events that matter most. The 2008 crisis exposed the limitations of models that were calibrated on recent historical data that did not capture extreme scenarios. ERM frameworks should include explicit recognition of model limitations and complement quantitative measures with qualitative judgement.
For risks that cannot be readily quantified — reputational risk, strategic risk, some aspects of operational risk — assessment relies more heavily on expert judgement, structured debate at risk committees, and scenario analysis. The fact that a risk cannot be precisely measured does not mean it should be less carefully managed.
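The following is an added illustration, not code from this guide, of the Value at Risk measure and its limitation described above. It computes one-day historical-simulation VaR and expected shortfall from a P&L series, then backtests the calm-window VaR against a period that includes a stress episode. Both series are constructed for the example (a quiet 100-day window plus five crisis days), and the confidence levels are the usual 99% and 95% rather than anything the guide specifies.

```python
"""Historical-simulation VaR, expected shortfall and a simple breach count.

Added illustration, not code from the guide. The P&L series below are
constructed, not market data: CALM_PNL is a bounded, quiet window and
STRESS_PNL a short crisis episode appended to it. Amounts are in thousands
of a currency unit; a negative value is a loss.
"""
import math
from statistics import mean

# Constructed 100-day "quiet" window: values cycle through -10 .. +10.
CALM_PNL = [((day * 37) % 21) - 10 for day in range(100)]
# Constructed five-day stress episode, far outside anything in the calm window.
STRESS_PNL = [-35, -60, -48, -22, -75]


def _tail_size(n, confidence):
    """Number of worst days that make up the (1 - confidence) tail.

    Derived from the integer count of 'good' days so that floating-point
    noise in 1 - confidence cannot change the answer; always at least one.
    """
    if not 0 < confidence < 1:
        raise ValueError("confidence must lie strictly between 0 and 1")
    return max(1, n - math.floor(n * confidence + 1e-9))


def historical_var(pnl, confidence=0.99):
    """One-day VaR: the loss on the boundary day of the tail, as a positive number."""
    if not pnl:
        raise ValueError("need at least one P&L observation")
    ordered = sorted(pnl)
    k = _tail_size(len(ordered), confidence)
    return -ordered[k - 1]


def expected_shortfall(pnl, confidence=0.99):
    """Average loss across the whole tail, so it reacts to how bad the tail is,
    which a VaR quantile on its own does not."""
    if not pnl:
        raise ValueError("need at least one P&L observation")
    ordered = sorted(pnl)
    k = _tail_size(len(ordered), confidence)
    return -mean(ordered[:k])


def count_breaches(pnl, var):
    """Backtest: number of days on which the realised loss exceeded the VaR estimate."""
    return sum(1 for x in pnl if -x > var)


if __name__ == "__main__":
    combined = CALM_PNL + STRESS_PNL
    calm_var = historical_var(CALM_PNL, 0.99)
    print("99% VaR, calm window only:", calm_var)
    print("99% VaR, window including stress:", historical_var(combined, 0.99))
    print("95% VaR / ES, calm:",
          historical_var(CALM_PNL, 0.95), expected_shortfall(CALM_PNL, 0.95))
    print("95% VaR / ES, with stress:",
          historical_var(combined, 0.95), expected_shortfall(combined, 0.95))
    print("days the calm-window VaR was breached over the full period:",
          count_breaches(combined, calm_var))
```

Two things the numbers show. A VaR calibrated on the calm window is exceeded on every one of the stress days, far more often than a 99% measure should be, which is the calibration problem the 2008 experience exposed. And at 95% the VaR figure does not move at all when the stress days are added, because the quantile sits just outside them, while expected shortfall rises sharply; a framework that reports only the quantile would not see the change.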
Risk registers
Most organisations maintain risk registers as a tool for documenting identified risks, their assessed severity, the controls in place to manage them, and the residual risk after those controls are applied. Risk registers exist at multiple levels — enterprise-wide, business unit, and function-specific — with the enterprise register capturing the organisation's most significant risks.
A risk register is only as useful as the process behind it. Registers that are updated annually as a compliance exercise, without genuine engagement from the people who own the risks, quickly become stale and inaccurate. The most effective risk registers are live documents, reviewed regularly, challenged actively, and connected to the decisions that determine how the organisation manages its exposures.
Risk mitigation and controls
Identifying and assessing risks is necessary but not sufficient. The point is to manage them. Risk mitigation involves selecting and implementing responses to bring risks within the organisation's risk appetite.
Risk response options
For any given risk, an organisation has four basic response options.
Accept. Some risks are accepted because the cost of mitigating them exceeds the benefit, or because they are inherent in the business the organisation has chosen to pursue. Accepting a risk is a legitimate decision, but it should be a conscious and documented one, not a default.
Mitigate. Most risks are managed through controls designed to reduce either their likelihood or their impact. Internal controls, credit limits, diversification requirements, and operational procedures are all mitigation measures.
Transfer. Some risks can be transferred to third parties through insurance, derivatives, or contractual arrangements. Banks use hedging instruments extensively to manage market risk, and insurance to manage certain operational risks. Transfer reduces the bank's exposure but does not eliminate it — basis risk, counterparty risk, and gaps in coverage all remain.
Avoid. Some risks can be avoided by choosing not to engage in certain activities or markets. A bank might decide not to enter a particular geographic market or not to offer a particular product because the risk profile is outside its appetite. Risk avoidance has an opportunity cost, but it is a legitimate strategic choice.
Internal controls
Internal controls are the mechanisms through which risks are managed in the normal course of business. They include policies and procedures that set out how activities should be conducted, segregation of duties that prevents any single individual from both initiating and approving a transaction, authorisation frameworks that require higher-level sign-off for significant decisions, reconciliation processes that detect errors and discrepancies, and monitoring systems that track activity against expected patterns.
The control environment — the culture, values, and tone set by senior management — underpins everything else. Controls that exist on paper but are routinely bypassed in practice, or that are ignored when they are inconvenient, are not effective controls. A strong control environment is one where following controls is the norm, where breaches are taken seriously, and where the people responsible for controls have sufficient standing to enforce them.
Hedging and risk transfer
Banks use financial instruments extensively to manage market and credit risks. Interest rate swaps are used to manage the interest rate risk arising from the mismatch between fixed-rate loans and variable-rate funding. Foreign exchange hedges manage currency risk in international operations. Credit derivatives transfer credit risk to other parties.
These instruments are powerful tools, but they introduce their own risks. Basis risk arises when a hedge does not perfectly offset the underlying exposure. Counterparty risk arises when the provider of a hedge may themselves default. The complexity of hedging programmes requires specialist expertise and robust risk monitoring.
Concentration risk management
One of the most important but easily overlooked aspects of credit and market risk management is concentration risk: the risk that exposures are too heavily weighted in a particular direction, whether by borrower, sector, geography, or instrument type. A well-diversified portfolio is more resilient to shocks than a concentrated one.
Banks manage concentration risk through limits on individual exposures, sector limits, geographic limits, and regular portfolio analysis to identify where concentrations may be developing. Stress testing of concentrated portfolios is particularly important, as the scenarios that matter most are often those that affect an entire sector or geography simultaneously.
Governance and culture
Risk management frameworks and control systems are necessary but not sufficient for effective ERM. The governance structures through which risk decisions are made, and the culture within which people operate, determine whether those frameworks actually work.
Board responsibilities
The board of directors bears ultimate responsibility for risk governance in a bank. This responsibility cannot be delegated, though it can be discharged through appropriate committee structures and management reporting.
The board's risk responsibilities include setting the organisation's risk appetite, ensuring that the risk management framework is adequate and properly resourced, receiving regular reporting on the organisation's risk profile, challenging management's risk assessments and decisions, and overseeing the independence and effectiveness of the internal audit function.
Most large banks have a dedicated board risk committee alongside the audit committee. The risk committee provides more focused oversight of risk management, including reviewing the risk appetite framework, major risk exposures, and significant risk management policies. Board members on the risk committee need sufficient understanding of the bank's risk profile to provide meaningful challenge — non-executive board members with relevant experience are a genuine asset.
Senior management responsibilities
Senior management is responsible for implementing the board's risk appetite and for the day-to-day operation of the risk management framework. This includes the Chief Risk Officer, who leads the risk function and is responsible for the overall ERM framework, and business heads, who own the risks in their areas.
The CRO must have sufficient independence and authority to raise risk concerns at the highest level. A CRO who is unable to challenge business heads effectively, or who faces pressure not to escalate concerns to the board, cannot perform the role. In many jurisdictions, the independence and effectiveness of the CRO are subject to specific supervisory scrutiny.
Management risk committees — the executive risk committee, the credit committee, the asset and liability committee (ALCO), the operational risk committee — provide the forums where risk issues are discussed and decisions made. The quality of these committees, including the quality of information they receive and the rigour of their challenge, is a strong indicator of the overall health of an ERM framework.
Risk culture
Culture is where most ERM programmes ultimately succeed or fail. An organisation can have excellent policies, sophisticated models, and clear governance structures, and still experience significant risk failures if the culture does not support honest risk assessment and open escalation of concerns.
A healthy risk culture is one where people feel empowered to raise concerns without fear of negative consequences, where bad news travels up the organisation as fast as good news, where risk considerations are genuinely integrated into business decisions rather than treated as a box to be ticked after the decision has effectively been made, and where there is genuine accountability for risk management failures.
Building and maintaining a healthy risk culture requires active effort from senior management and the board. It requires demonstrated behaviour from leaders — not just statements about risk culture, but actual decisions that show risk management is taken seriously. It requires appropriate incentives, so that people are not rewarded for taking risks that exceed the organisation's appetite. And it requires honest assessment of where the culture falls short.
Risk reporting
Effective ERM depends on timely, accurate, and relevant risk information reaching the people who need it. Risk reporting should give the board and senior management a clear picture of the organisation's risk profile, how it has changed, where it approaches or exceeds risk appetite limits, and what actions are being taken.
Good risk reporting is not simply comprehensive. A report that contains every available risk metric is not necessarily useful. Effective reporting is focused on what matters, highlights emerging trends and concerns, and provides enough context for decision-makers to understand what they are seeing. Risk dashboards that show key indicators alongside their trends and limits, with clear escalation triggers, are a more useful tool than dense technical reports that few people read.
The quality of risk data underpins everything. Banks that cannot aggregate risk data quickly and accurately across their portfolios and business lines are poorly placed to manage risk effectively. Post-2008, regulators introduced specific requirements for risk data aggregation and reporting, recognising that many institutions had data infrastructure that was not fit for purpose.
Risk monitoring and the ERM cycle
Risk management is not a one-time assessment. It is a continuous cycle of identifying, assessing, managing, monitoring, and reviewing risks as the business and its environment evolve.
Continuous monitoring
Banks operate real-time and near-real-time monitoring systems that track key risk metrics continuously. Market risk systems monitor trading positions against limits throughout the trading day. Credit monitoring systems track the performance of lending portfolios and flag deteriorating exposures. Liquidity systems track funding positions and available liquidity buffers in real time. Automated alerts notify risk managers when positions approach or breach limits.
Transaction monitoring, which plays a central role in financial crime compliance, is another form of continuous monitoring, applying rules and models to transaction data to identify patterns that may indicate suspicious activity.
Continuous monitoring requires investment in data infrastructure and systems. Institutions with fragmented legacy technology are at a disadvantage, often unable to produce consolidated risk views quickly enough to be useful. This is one reason why technology transformation has become such a significant component of risk management investment.
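The block below is an added example, not code from this guide, of the automated limit alerting described in this section and of the escalation rule set out under risk appetite: positions are compared with their limits, an amber alert is raised when a limit is approached and a red alert when it is breached, and each alert names who is told. The limits, positions, the 85% early-warning level and the notification routing are all hypothetical. It also covers two cases a monitoring feed has to handle: a floor limit such as a minimum liquidity buffer, where utilisation rises as the buffer shrinks, and a limit for which no observation arrived at all.

```python
"""Limit monitoring with 'approaching' and 'breached' alerts.

Added illustration, not code from the guide. Limits, positions, the 85%
early-warning level and the routing of alerts are constructed, hypothetical
settings of the kind a risk appetite framework would define.
"""
from dataclasses import dataclass
from typing import Optional

WARN_UTILISATION = 0.85  # hypothetical early-warning level (amber)


@dataclass(frozen=True)
class Limit:
    metric: str
    value: float
    kind: str    # "max": breached when observed > value; "min": breached when observed < value
    owner: str   # who is notified when the limit is breached


@dataclass(frozen=True)
class Alert:
    metric: str
    level: str                    # "red", "amber" or "no_data"
    utilisation: Optional[float]  # None when there was nothing to measure
    notify: str


# Constructed limit structure (currency amounts; DV01 is a rate-sensitivity measure).
LIMITS = [
    Limit("rates_desk_dv01", 1_500_000, "max", "Head of Market Risk"),
    Limit("fx_desk_var_99", 8_000_000, "max", "Head of Market Risk"),
    Limit("equity_desk_var_99", 5_000_000, "max", "Head of Market Risk"),
    Limit("cre_sector_exposure", 280_000_000, "max", "Credit Committee"),
    Limit("liquidity_buffer", 500_000_000, "min", "ALCO"),
]

# Constructed end-of-day feed; equity_desk_var_99 is deliberately missing.
OBSERVATIONS = {
    "rates_desk_dv01": 1_320_000,
    "fx_desk_var_99": 8_400_000,
    "cre_sector_exposure": 200_000_000,
    "liquidity_buffer": 520_000_000,
}

_SEVERITY = {"red": 0, "no_data": 1, "amber": 2}


def utilisation(observed, limit):
    """Fraction of the limit in use. Above 1.0 means breached.

    For a floor ("min") limit the ratio is inverted so that a shrinking
    buffer still reads as rising utilisation: exactly at the floor is 1.0.
    """
    if limit.value <= 0:
        raise ValueError(f"{limit.metric}: limit must be positive")
    if limit.kind == "max":
        return observed / limit.value
    if limit.kind == "min":
        return float("inf") if observed <= 0 else limit.value / observed
    raise ValueError(f"{limit.metric}: unknown limit kind {limit.kind!r}")


def evaluate(observations, limits, warn=WARN_UTILISATION):
    """Produce alerts for every limit that is breached, approached, or unmeasured,
    most severe first."""
    alerts = []
    for limit in limits:
        if limit.metric not in observations:
            # A limit nobody is feeding cannot be monitored; that is itself a finding.
            alerts.append(Alert(limit.metric, "no_data", None, limit.owner))
            continue
        used = utilisation(observations[limit.metric], limit)
        if used > 1.0:
            alerts.append(Alert(limit.metric, "red", round(used, 3), limit.owner))
        elif used >= warn:
            # Approaching a limit goes to the first line first; the breach owner is copied only on red.
            alerts.append(Alert(limit.metric, "amber", round(used, 3), "first-line business owner"))
    return sorted(alerts, key=lambda a: (_SEVERITY[a.level], a.metric))


if __name__ == "__main__":
    for alert in evaluate(OBSERVATIONS, LIMITS):
        print(f"{alert.level:7s} {alert.metric:22s} utilisation={alert.utilisation} -> {alert.notify}")
```

The missing equity feed is reported rather than silently skipped: a dashboard that shows green for a metric it has not received is exactly the stale, misleading picture the reporting section warns against.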
Periodic review and reporting
Alongside continuous monitoring, ERM requires regular structured reviews at different levels of the organisation. Risk committees review management information on a scheduled basis, typically monthly or quarterly, assessing the organisation's risk profile against appetite and discussing significant exposures and emerging concerns.
Annual reviews of the risk appetite framework and the overall ERM approach ensure that the framework remains appropriate as the business evolves. New products, new markets, acquisitions, and changes in the regulatory environment may all require adjustments to the framework.
Stress testing
Stress testing is a critical component of the ERM cycle, providing a forward-looking view of how the organisation would perform under adverse scenarios. Banks conduct stress testing for regulatory purposes, typically annually, but effective ERM uses stress testing more broadly as a management tool.
Internal stress tests should cover scenarios specific to the organisation's risk profile, not just the standardised regulatory scenarios. A bank with a concentrated commercial real estate portfolio needs stress scenarios that reflect severe commercial property market downturns. A bank with significant emerging market exposures needs scenarios that reflect currency crises and sovereign stress in those markets.
The results of stress testing should inform capital planning, limit setting, and strategic decisions. Stress testing that is conducted only to satisfy regulatory requirements, without the results being used to inform management decisions, is a missed opportunity.
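To show how an internal stress scenario feeds back into capital planning and limit setting, here is an added worked example that is not part of the guide and does not reproduce any regulator's scenario. It applies segment-specific loss rates from three constructed scenarios to a constructed loan book, checks the post-stress capital ratio against a minimum, and then solves for the largest commercial real estate exposure that would still pass the severe CRE scenario. Risk-weighted assets are held constant through the stress, a simplifying assumption; all portfolio figures, loss rates, capital and ratio values are constructed.

```python
"""Internal stress test linking scenario losses to capital headroom and a
concentration limit (illustrative; all data constructed)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Exposure:
    segment: str
    ead: float  # exposure at default, in millions of a currency unit (constructed)


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_rates: Dict[str, float]   # segment -> stressed loss rate over the horizon
    default_loss_rate: float = 0.01  # applied to segments the scenario does not name


@dataclass(frozen=True)
class StressResult:
    scenario: str
    loss: float
    post_stress_ratio: float
    passes: bool


def stressed_loss(portfolio: List[Exposure], scenario: Scenario) -> float:
    """Total loss under the scenario: each exposure times its segment's stressed loss rate."""
    return sum(
        e.ead * scenario.loss_rates.get(e.segment, scenario.default_loss_rate)
        for e in portfolio
    )


def run_stress(portfolio: List[Exposure], scenarios: List[Scenario],
               capital: float, rwa: float, min_ratio: float) -> List[StressResult]:
    """Post-stress capital ratio per scenario, with RWA held constant (simplification)."""
    results = []
    for sc in scenarios:
        loss = stressed_loss(portfolio, sc)
        ratio = (capital - loss) / rwa
        results.append(StressResult(sc.name, loss, ratio, ratio >= min_ratio))
    return results


def max_exposure_for(segment: str, portfolio: List[Exposure], scenario: Scenario,
                     capital: float, rwa: float, min_ratio: float) -> float:
    """Largest EAD in `segment` for which capital after this scenario's losses still
    meets min_ratio, holding every other exposure fixed. This is the limit-setting
    use of a stress result: the answer is a candidate concentration limit."""
    others = [e for e in portfolio if e.segment != segment]
    other_loss = stressed_loss(others, scenario)
    rate = scenario.loss_rates.get(segment, scenario.default_loss_rate)
    headroom = capital - min_ratio * rwa - other_loss
    if rate <= 0:
        return float("inf")  # the scenario does not stress this segment at all
    return max(0.0, headroom / rate)


# Constructed loan book, capital position and minimum ratio.
PORTFOLIO = [
    Exposure("cre", 400.0),
    Exposure("mortgages", 1200.0),
    Exposure("corporate", 600.0),
    Exposure("sovereign_em", 300.0),
]
CAPITAL = 250.0
RWA = 1600.0
MIN_RATIO = 0.105  # minimum plus buffers the bank chooses to respect under stress

# Constructed scenarios: a generic baseline stress plus two bank-specific ones
# reflecting the guide's point that scenarios should match the risk profile.
SCENARIOS = [
    Scenario("regulatory_baseline", {"cre": 0.08, "mortgages": 0.01,
                                     "corporate": 0.03, "sovereign_em": 0.02}),
    Scenario("severe_cre_downturn", {"cre": 0.20, "mortgages": 0.02,
                                     "corporate": 0.04, "sovereign_em": 0.02}),
    Scenario("em_sovereign_crisis", {"cre": 0.05, "mortgages": 0.01,
                                     "corporate": 0.05, "sovereign_em": 0.35}),
]


def cre_limit_under_severe_downturn() -> float:
    return max_exposure_for("cre", PORTFOLIO, SCENARIOS[1], CAPITAL, RWA, MIN_RATIO)


if __name__ == "__main__":
    for r in run_stress(PORTFOLIO, SCENARIOS, CAPITAL, RWA, MIN_RATIO):
        print(f"{r.scenario:22} loss={r.loss:7.1f} ratio={r.post_stress_ratio:.4f} "
              f"{'pass' if r.passes else 'FAIL'}")
    print(f"CRE exposure consistent with the severe CRE scenario: "
          f"{cre_limit_under_severe_downturn():.1f}")
```

In the constructed case the bank passes the generic scenario comfortably but fails both bank-specific ones, and the severe CRE scenario implies a CRE exposure ceiling well below the current book. That gap between a limit the scenario supports and the exposure actually held is precisely the management information the paragraph above says stress testing should produce.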
The ICAAP and ILAAP
Banks subject to Pillar 2 of the Basel framework are required to conduct an Internal Capital Adequacy Assessment Process (ICAAP) and, in many jurisdictions, an Internal Liquidity Adequacy Assessment Process (ILAAP). These are annual self-assessments of whether the bank holds sufficient capital and liquidity given its risk profile and strategy.
The ICAAP and ILAAP are reviewed by supervisors as part of the Supervisory Review and Evaluation Process (SREP). Supervisors may require banks to hold capital or liquidity above the regulatory minimum where their assessment suggests the bank's own assessment is insufficient.
The ICAAP as a test of ERM
The ICAAP in particular is one of the most comprehensive expressions of a bank's ERM framework. A well-developed ICAAP demonstrates that the board and management genuinely understand the bank's risk profile, that stress testing is rigorous, and that capital planning is connected to strategy. A weak ICAAP — one that is clearly a compliance exercise rather than a genuine management tool — is a significant regulatory concern.
Emerging risks
The risk landscape facing banks is not static. New risks emerge, established risks take new forms, and the relative importance of different risk categories shifts over time. Effective ERM requires forward-looking awareness of where risks are developing.
Cyber and technology risk
Technology risk has become one of the most significant operational risks facing banks. Cyber attacks, including ransomware, data theft, and attacks on critical infrastructure, represent a genuine and growing threat. The increasing reliance of banks on digital channels, cloud infrastructure, and third-party technology providers has expanded the attack surface significantly.
Regulators have responded with specific operational resilience frameworks and increasingly detailed expectations around cyber risk management. Banks are required to identify their most critical systems and services, invest in detection and response capability, and demonstrate that they can recover from significant technology failures within acceptable timeframes.
Third-party and concentration risk in technology
Banks rely increasingly on a small number of large technology providers for critical functions including cloud infrastructure, core banking systems, and payment processing. This creates concentration risk at a systemic level: if a major cloud provider experiences a significant outage, the impact could extend across a large proportion of the banking system simultaneously.
Regulators are paying increasing attention to this risk, and banks are being required to map their critical third-party dependencies, assess the risks they create, and develop contingency plans for significant failures. Third-party risk management has become a significant component of operational risk frameworks.
Climate risk
Physical and transition climate risks are increasingly material for banks. Physical risks include direct damage to assets and disruption to business from extreme weather events, as well as longer-term changes to the value of assets in affected geographies. Transition risks include the impact on borrowers in carbon-intensive industries as the economy moves towards lower emissions.
Integrating climate risk into ERM requires new data, new modelling approaches, and longer time horizons than traditional risk management. Most banks are at an early stage of this journey, and regulatory expectations are increasing.
Digital assets and fintech
The rapid growth of digital assets, decentralised finance, and fintech competition presents both opportunity and risk for banks. Regulatory frameworks for digital assets are developing at pace, with significant jurisdictional variation. Banks with exposure to digital asset markets face novel risks around custody, counterparty credit quality, and operational resilience. The regulatory environment is in flux, requiring close monitoring.
Geopolitical risk
Geopolitical tensions, trade disputes, and sanctions regimes create significant risk management challenges for internationally active banks. Sanctions compliance has become increasingly complex as the number and scope of sanctions regimes has expanded. Geopolitical disruption can rapidly change the risk profile of entire markets and create concentrated losses in ways that traditional risk models do not capture.
Implementation checklist
The following summarises the key elements of an effective ERM framework for a banking institution. It is not exhaustive but covers the core components that regulators and best practice would expect to see in place.
Governance
- Approved appetite framework. Has the board approved a risk appetite framework that sets clear limits for all material risk categories?
- Focused board reporting. Does the board receive regular, focused risk reporting that enables meaningful oversight?
- Board risk committee. Is there a board risk committee with appropriate membership and clear terms of reference?
- CRO independence. Does the Chief Risk Officer have sufficient independence and authority to escalate concerns to the board?
- Functioning management committees. Are management risk committees functioning with appropriate frequency, information, and challenge?
Risk appetite
- Qualitative and quantitative. Does the risk appetite framework include both qualitative statements and quantitative limits?
- Connected to strategy. Are risk appetite limits connected to the organisation's capital and strategy?
- Monitoring and escalation. Is there a clear process for monitoring adherence to risk appetite limits and escalating breaches?
- Annual review. Is the risk appetite framework reviewed and updated at least annually?
Risk identification and assessment
- Documented process. Is there a documented process for identifying risks across all material risk categories and business lines?
- Live risk registers. Are risk registers maintained at the enterprise and business unit level, and kept current?
- Multiple sources. Does risk identification draw on multiple sources including historical data, scenario analysis, and forward-looking assessment?
- Emerging risks. Are emerging risks, including climate, cyber, and geopolitical risks, incorporated into the risk assessment process?
The Three Lines Model
- First-line ownership. Are first-line risk responsibilities clearly defined and understood by business management?
- Second-line independence. Does the second-line risk function have adequate independence, resources, and access to information?
- Internal audit reporting line. Does internal audit have a direct reporting line to the board or audit committee, independent of management?
- Ownership vs oversight. Is there a clear distinction between risk ownership (first line) and risk oversight (second line)?
Controls
- Documented coverage. Are material risks covered by documented controls with clear ownership?
- Periodic testing. Are controls tested periodically to verify that they are operating effectively?
- Remediation process. Is there a process for identifying and remediating control weaknesses?
- Tone from the top. Does the control environment reflect appropriate tone from the top?
Regulatory compliance
- Capital adequacy. Is the organisation meeting its capital adequacy requirements under the applicable Basel framework?
- Liquidity. Are liquidity requirements, including the LCR and NSFR, being met and monitored?
- ICAAP and ILAAP. Is the ICAAP (and ILAAP where applicable) a genuine management tool, not just a regulatory submission?
- Stress testing. Are stress testing programmes sufficiently rigorous and connected to management decision-making?
- Basel transition. Is the organisation monitoring Basel IV/3.1 implementation requirements applicable to its jurisdiction?
Risk culture
- Influence on decisions. Is there evidence that risk considerations genuinely influence business decisions, not just validate them after the fact?
- Risk-adjusted incentives. Do incentive structures reward risk-adjusted performance rather than raw revenue or growth?
- Escalation culture. Is there a clear escalation culture where concerns are raised and heard?
- Learning from failure. Are risk management failures taken seriously and used as learning opportunities?
Monitoring and reporting
- Continuous monitoring. Are key risk metrics monitored continuously with automated alerts for limit approaches or breaches?
- Risk data quality. Is risk data of sufficient quality to support consolidated risk views across business lines?
- Actionable reporting. Does risk reporting focus on what matters and provide actionable insight, rather than simply being comprehensive?
- Stress test use. Are stress test results used to inform capital planning and strategic decisions?
A final note
Enterprise risk management in banking is not a technical exercise for specialists. It is a fundamental management discipline that determines whether a bank can pursue its strategy, serve its customers, and meet its obligations sustainably over time.
The banks that manage risk well are not those with the most sophisticated models or the thickest policy manuals. They are the ones where risk is genuinely understood at every level, where the governance structures create real accountability, where controls are taken seriously rather than worked around, and where the culture supports honest assessment and open escalation of concerns.
Getting there requires sustained commitment from boards and senior management, not just investment in systems and frameworks. The tone is set at the top, and it shows in how organisations actually behave when risk and short-term commercial interest come into tension.
Key takeaways
- ERM is the central discipline of banking, not a compliance overlay. The question is never whether to accept risk, but how to understand it, price it, and manage it within boundaries the organisation can sustain.
- The shift from siloed to integrated risk management was a deliberate response to the 2008 crisis. Functional risk teams still own their domains; ERM connects them, gives the board a consolidated view, and ensures appetite is set at the enterprise level.
- The Basel framework is in active transition. The UK has confirmed Basel 3.1 implementation from 1 January 2027, the EU implemented core elements from January 2025, and US Basel III Endgame proposals remain in development. Internationally active banks face genuine timeline complexity.
- Risk appetite is the test of whether the framework actually constrains decisions. A statement that does not lead to proposals being rejected, strategies modified, or limits enforced is not doing its job.
- The Three Lines Model only works if the distinction between risk ownership (first line) and risk oversight (second line) is genuinely maintained, and if internal audit reports independently of the management it audits.
- Quantitative risk models perform well in normal conditions and less well in the tail events that matter most. Effective ERM combines quantitative measures with structured qualitative judgement and explicit recognition of model limitations.
- The ICAAP is one of the most comprehensive expressions of a bank's ERM framework. Treated as a genuine management tool it demonstrates that risk, capital, and strategy are connected. Treated as a compliance submission it signals deeper problems.
- Culture is where most ERM programmes ultimately succeed or fail. Excellent policies and sophisticated models cannot compensate for a culture that does not support honest assessment and open escalation.