Enterprise Risk Management in Practice

Why the discipline matters more than the framework, and what that looks like inside a bank.

Note. This article is general commentary, not legal or regulatory advice. The Basel framework remains in transition across major jurisdictions, and implementation timelines continue to move. Readers should check current guidance from their own regulator.

Risk management is not a compliance exercise that sits alongside banking. It is central to banking. Every loan, every market position, every system and every product carries risk. The question is never whether to accept it, but how to understand it, price it and manage it within boundaries the organisation can sustain. Enterprise risk management is the framework that makes that possible across the institution, rather than one silo at a time.

That part is straightforward. What is harder, and what most ERM programmes get wrong, is the distance between having a framework and actually managing risk well. The frameworks themselves are well documented. COSO, ISO 31000, the three lines model, Basel, none of this is secret knowledge. What separates banks that manage risk effectively from banks that produce excellent risk documentation is something else.

What the framework is for

Most ERM programmes are designed as if the point is the framework. A risk taxonomy is produced. A risk appetite statement is drafted. Risk registers are populated. Committees are stood up. Reporting is scheduled. All of this is necessary, and a regulator inspecting the institution will want to see it all in place.

But the framework is not the point. The point is that when a credit officer is reviewing a marginal loan, a trader is considering a position close to a limit, a technology team is deciding whether to release a change on a Friday afternoon, or a product team is designing a new offering, the framework actually shapes what they decide. If those decisions happen the same way they would have without the framework, the framework is not doing anything. It is a decoration.

The test of an ERM programme is not the thickness of the policy manual. It is whether the people making day-to-day risk decisions are visibly constrained by something other than commercial pressure. That sounds obvious. In practice, it is the hardest thing to achieve in risk management.

Where the discipline gets lost

The failure modes are predictable, and most large institutions have seen at least one of them.

The first is the risk appetite statement that does not constrain anything. Statements of the form “we have a moderate appetite for credit risk and a low appetite for reputational risk” are common, board-approved, and entirely useless. They cannot be breached because they cannot be operationalised. The test of a real risk appetite framework is whether business decisions actually get stopped by it. Most do not.

The second is the second line that has been absorbed into the first. The risk function exists, on paper, to provide independent oversight. In practice, in many institutions, it reports to people with commercial incentives, sits inside business units, and is staffed by people whose careers depend on not being difficult. Independence is structural, not aspirational. Where the structure does not support it, no amount of stated independence makes it real.

The third is the risk register that exists for audit. It is updated annually, populated by people who do not own the risks, and signed off by committees that do not read it. The document that captures the institution’s actual exposures and is argued over is different from the one used for compliance. In well-run institutions, they are the same. In most institutions, they are not.

The fourth is the stress test that informs nothing. Regulators require it; the modelling team runs it; the output goes into a deck; the deck goes to a committee; and capital planning continues as it was going to anyway. Stress testing that does not change decisions is a regulatory submission, not a risk management tool.

Where the supervisory pressure is increasing

The supervisory environment is still shifting. In the UK, the PRA has confirmed the implementation of Basel 3.1 on 1 January 2027, with the FRTB internal model approach deferred to 2028. In the EU, most of the package has been applied since January 2025, with the remaining market risk elements now aligned to January 2027. The US position remains in development. For internationally active banks, divergence across jurisdictions is itself a risk management problem, and one that is unlikely to resolve neatly.

Climate-related risk is now being supervised more explicitly as a mainstream prudential risk. The PRA replaced SS3/19 with SS5/25 in December 2025 and required firms to complete an internal review within six months. The supervisory expectation is clear: firms should be able to show traceable board oversight, use scenario analysis as a governance tool rather than a one-off exercise, and maintain a documented gap analysis against the updated expectations. Firms that treated climate risk as a disclosure obligation rather than a risk management one are now exposed.

Operational resilience has moved past programme design and into ongoing supervisory scrutiny. Frameworks for identifying key business services, setting impact tolerances, and testing dependencies should now operate as part of business-as-usual risk management. Third-party concentration risk, particularly in cloud and core technology, is increasingly a supervisory concern at the system level, not just the firm level.

What firms most often miss

None of this is fundamentally about models, dashboards, or policy documents. It is about culture and accountability. Institutions that manage risk well are the ones where bad news travels up the organisation as fast as good news, where the second line can challenge the first without career consequences, where controls are followed even when they are inconvenient, and where the people making risk decisions own the consequences.

That is not the kind of thing a programme builds. It is built by what senior management actually does when commercial interest and risk discipline come into tension. The framework documents the answer the institution wants to give. The decisions document the answer it actually gives. When those two diverge for long enough, the framework stops mattering.

A practical lens

If you work inside a regulated institution and want a quick, honest reading of how well ERM is working, four questions usually surface the truth faster than any framework review.

When was the last time a commercial decision was changed because of a risk appetite limit? If the answer is “I cannot remember,” the framework is not constraining anything.

When was the last time the second line escalated something the first line did not want escalated? If the answer is “rarely” or “never,” independence is structural in name only.

When was the last time the risk register was argued over rather than signed off? Live documents get challenged. Dead documents get approved.

When was the last time the output of a stress test changed a capital, lending, or strategic decision? Stress testing that has never changed a decision is a reporting exercise.

None of these questions appears in any ERM framework. They are the questions a thoughtful regulator asks, and the questions a senior risk professional learns to ask. The framework matters. The discipline matters more. The point of ERM is not to produce a defensible artefact. It is to make the institution more resilient than it would be without it. The test is whether it does.

Go deeper

Enterprise Risk Management in Banking

The companion resource guide covers the framework end to end: regulatory context, the three lines model, risk appetite, mitigation, governance, monitoring, emerging risks, and a full implementation checklist.