Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Template Guide ERM Framework Template Guide

Enterprise Risk Management Framework Guide

How to build an Enterprise Risk Management Framework: program charter, governance bodies, risk appetite, three lines of defense, a 10-dimension maturity assessment, and the quarterly board risk report.

Built for financial services risk teams Practitioner methodology

◆ Quick answer

An Enterprise Risk Management Framework template should include a program charter (scope, governance bodies, reporting lines, meeting cadence), a board-approved risk appetite statement, risk categories in scope, three lines of defense assignments, a risk taxonomy, KRI thresholds with escalation, a 10-dimension maturity self-assessment scored 1-5, and a quarterly board risk report tracking KRI status, open issues, RCSA completion, and risk appetite breaches.

Guide vs. template

This guide explains what belongs in the template. The paid template gives you the editable working files so you're not rebuilding from a blank page.

Paid template includes

  • Risk appetite statement template
  • 3 Lines of Defense model
  • Risk committee charter
  • Board risk reporting dashboard

What is this template for?

An Enterprise Risk Management Framework (ERMF) is the documented structure that connects everything else in your risk program: who governs risk decisions, what the board has approved as acceptable risk, which categories are in scope, and how risk information flows from business lines up to the board. The useful version is not a policy binder — it is a program charter with named governance bodies and reporting cadences, a board-approved risk appetite statement, three lines of defense assignments that match your actual headcount, a maturity self-assessment that shows where the gaps are, and a quarterly board risk report that proves the framework operates. Most fintechs have risk floating in someone's head; regulators and bank partners want a framework they can review.

◆ Audience

Who needs this.

  • Your bank partner or regulator has asked to see your ERM framework and you don't have a documented governance structure.
  • You have risk management activities happening — a risk register, some policies, maybe a committee — but no coherent framework connecting them.
  • Your board needs a formal risk committee charter and risk appetite statement they can adopt.
  • You're a CRO or head of risk building your first enterprise risk program and need the complete documentation structure.
  • You're upgrading from "we have a risk register" to "we have an actual documented risk management program."

◆ Required fields

What every row needs.

The fields that make this template defensible to an auditor, bank partner, or examiner — and what goes in each.

Field Why it matters Example
Program charter with owner, approval, and review cadence Establishes that the program is board-sanctioned, not a side project. Charter owner: Chief Risk Officer / Head of Risk; approved by Board of Directors; annual review frequency
Governance bodies with responsibilities, reporting lines, and meeting cadence Regulators and bank partners want to see who decides what and how often. Board of Directors — ultimate ERM oversight, approves Risk Appetite Statement annually, quarterly; CRO — owns the ERM program, reports to CEO with direct board access, ongoing; Management Risk Committee — reviews KRI dashboard, open issues, RCSA results, emerging risks, quarterly or monthly
Risk categories in scope Defines the taxonomy everything else — register, RCSA, KRIs — maps to. Compliance, Regulatory, Operational, Technology/Cyber, Fraud, Credit — covering the company and all subsidiaries, business lines, and functional areas
Board-approved risk appetite statement Without an approved appetite, "exceeds appetite" and "within appetite" mean nothing on the board report. Sample board-approvable language across 7 dimensions: financial loss, regulatory penalty, reputational impact, operational disruption, data privacy incident, third-party failure, and strategic risk tolerance
Three lines of defense assignments Shows who owns risks, who challenges, and who assures — even when one person wears two hats. Business line leaders (1st line) own risks within their domains, complete RCSAs, monitor KRI data, escalate material events
Maturity self-assessment scored 1-5 across 10 dimensions Baselines the program and shows examiners you know where your gaps are before they find them. Risk Appetite dimension: Level 2 = generic statement exists but not board-approved or operationalized; Level 3 = board-approved with qualitative and quantitative tolerances, mapped to KRI thresholds
KRI status and escalation tracking Turns the framework from a document into a monitoring program. Board report tracks KRIs at Green (within appetite), Amber (watch), and Red (exceeds appetite) with quarter-over-quarter movement
Quarterly board risk report with posture metrics The report is the recurring evidence the framework actually operates. KRIs at each RAG status, open high/critical issues, RCSA functions complete this cycle, vendor critical assessments current, new risks identified, risk appetite breaches this quarter

◆ Worked example

Example board risk report row (top 10 risks)

Top risk Fraud — account takeover. Residual rating High, movement stable quarter over quarter.
Vs. appetite Within appetite; KRI status Amber. Key controls: multi-factor authentication, device fingerprinting.
Remediation / owner Enhanced monitoring deployed Q3. Owner: CISO / Head of Fraud.

◆ Implementation roadmap

How to roll this out.

01

Adopt the ERM program charter

Owner · CRO or Head of Risk, approved by the Board

Output · Charter documenting purpose, scope, risk categories, governance bodies with reporting lines and meeting cadence, and annual review date

02

Write and board-approve the risk appetite statement

Owner · CRO with CEO sponsorship; Board approves

Output · Appetite statement with qualitative and quantitative tolerances per risk category, approved by board resolution and mapped to KRI thresholds

03

Assign the three lines of defense to real people

Owner · CRO with business line leaders

Output · Documented 1st/2nd/3rd line responsibilities matched to actual headcount — including how the model works when the same person wears 1st and 2nd line hats

04

Baseline maturity with the 10-dimension self-assessment

Owner · CRO or Head of Risk

Output · Scores of 1-5 (Initial through Optimized) per dimension with current-state notes and a priority action per gap

05

Stand up the quarterly board risk report

Owner · CRO; received by Board or Board Risk Committee

Output · Recurring report with executive summary, risk posture metrics, top 10 risks with movement and appetite status, and remediation owners

◆ Ready to use it?

Download the Enterprise Risk Management Framework (ERMF).

Use the guide to understand the structure, or buy the editable template to move faster.

◆ FAQ

Frequently asked questions.

What are the components of an Enterprise Risk Management Framework?

A program charter (purpose, scope, governance bodies, reporting lines, cadence), a board-approved risk appetite statement, a risk taxonomy with categories in scope, three lines of defense assignments, a risk register and RCSA process feeding the framework, KRI monitoring with thresholds, a maturity assessment, and a quarterly board risk report. The framework is the connective layer — the register, RCSA, and KRIs are the operational programs that hang off it.

What is an ERM maturity assessment and how is it scored?

A self-assessment across 10 dimensions — governance, risk appetite, risk identification, risk assessment, risk monitoring, risk reporting, and others — each scored 1 to 5: Initial (ad hoc, no formal process), Developing (inconsistent, owned by individuals), Defined (formal, documented, consistently applied), Managed (measured, monitored, continuously improved), and Optimized (proactive, predictive, integrated with strategy). Each dimension gets current-state notes and a priority action to advance.

Does a small fintech need a full three lines of defense?

Not a fully separated one. Under roughly 50 employees, the same person often wears 1st-line and 2nd-line hats; between 50 and 200, dedicated risk and compliance staff emerge; at 200+, full separation becomes practical. What matters is documenting the model honestly — including where separation doesn't exist yet — rather than pretending to a structure you don't have.

What goes in a quarterly board risk report?

An executive summary of overall risk posture, a metrics table (KRIs at Green/Amber/Red status with quarter-over-quarter movement, open high/critical issues, RCSA functions completed this cycle, vendor critical assessments current, new risks identified, risk appetite breaches), and a top 10 risks table showing residual rating, movement, status versus appetite, KRI status, key controls, remediation status, and owner.

What is the difference between an ERM framework and a risk register?

A risk register is one artifact: a list of risks with ratings and owners. The ERM framework is the program around it — who governs risk decisions, what appetite the board approved, how risks get identified and escalated, and how everything reports upward. A register without a framework is a spreadsheet nobody is accountable for; the framework is what makes it defensible to a regulator or bank partner.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.