What are the core components of an Enterprise Risk Management (ERM) framework, and how does it differ from siloed risk management?

This is a foundational topic that sets the stage for everything else in the FRM curriculum. Let me break down ERM both conceptually and practically. **Why ERM Replaced Siloed Risk Management** Before the 2008 crisis, many financial institutions managed risks in silos — the credit team tracked credit exposure, the market risk desk ran VaR models, and operational risk was handled by compliance. The problem? **Interconnected risks fell through the cracks.** Consider Pinnacle Financial Group, a hypothetical mid-size bank. Their mortgage trading desk had massive subprime exposure (credit risk), which was hedged with CDS from a single counterparty (counterparty risk), funded with overnight repo (liquidity risk). Each silo showed green — but the aggregate exposure was catastrophic. ERM exists to prevent exactly this kind of blind spot. **Core Components of an ERM Framework:** **1. Risk Governance Structure** - A dedicated **Chief Risk Officer (CRO)** who reports directly to the board, independent from business lines. - A **Board Risk Committee** that sets the institution's risk appetite and reviews risk exposures at least quarterly. - Clear **three lines of defense**: (i) business units own their risks, (ii) risk management provides oversight and frameworks, (iii) internal audit provides independent assurance. **2. Risk Appetite Statement** - A formal document that defines how much risk the firm is willing to take in pursuit of its strategic objectives. - Expressed in both qualitative terms ("We will not take concentrated single-name credit positions exceeding 5% of Tier 1 capital") and quantitative limits. **3. Risk Identification and Assessment** - A comprehensive **risk taxonomy** covering market, credit, operational, liquidity, strategic, and reputational risks. - Regular **risk assessment workshops** and scenario analysis that cut across silos. **4. Risk Measurement and Aggregation** - Consistent metrics across risk types — economic capital models that aggregate credit VaR, market VaR, and operational risk capital into a single firm-wide measure. - **Correlation and diversification effects** between risk types are explicitly modeled. **5. Risk Monitoring and Reporting** - Real-time dashboards that show enterprise-wide exposure against limits. - Escalation protocols when limits are breached. **6. Risk Culture** - Compensation structures aligned with risk-adjusted performance (not just revenue). - A culture where risk managers can challenge traders without retaliation. **ERM vs. Siloed Approach:** | Dimension | Siloed | ERM | |---|---|---| | Reporting | Each risk type to its own head | Integrated reporting to CRO and board | | Aggregation | None — risks measured independently | Firm-wide economic capital | | Correlations | Ignored | Explicitly modeled | | Strategic alignment | Risk limits set by traders | Risk appetite set by board | **Exam Tip:** GARP frequently tests whether you can identify weaknesses in a governance structure — e.g., a CRO who reports to the CFO instead of the board, or risk limits set by business heads rather than independent risk management. For a structured walkthrough of the entire Foundations module, check out AcadiFi's FRM Part I course — we cover governance, ERM, and risk culture with exam-style case studies.