Article
May 13, 2026

Modern enterprise risk management in financial services


Managing risk and compliance across financial institutions continues to challenge leadership teams, particularly as organizations grow and adopt new technologies. Annual reviews of internal controls often surface recurring execution issues and gaps between stated risk priorities and day-to-day behavior. Those lessons, however, are only truly valuable when they inform how risk is identified and governed across the entire institution.

This article builds on those annual insights and examines how Enterprise Risk Management (ERM) is evolving. Increasingly, organizations are moving away from siloed risk activities and toward a more integrated, enterprise-wide approach that connects strategy, governance, internal controls, and audit into a shared framework.

What Is Enterprise Risk Management?

Enterprise Risk Management is a structured, ongoing process used in financial institutions and other industries to identify, assess, manage, and monitor risks that could affect the achievement of business objectives. Where function-specific risk activities operate in isolation, ERM takes an enterprise-wide view and connects oversight directly to strategy, governance, and decision-making.

A well-designed ERM assessment draws on internal and external inputs such as stakeholder interviews, regulatory and market changes, current policies, incident history, financial and operational performance indicators, and leadership-defined risk appetite. In practice, ERM helps leadership understand:

  • What risks exist across the enterprise
  • How severe those risks are
  • Whether current processes and controls are sufficient
  • When risks are approaching or exceeding the organization’s tolerance

ERM spans the organizational risk universe, including strategic, operational, financial reporting, regulatory, technology, cybersecurity, third-party, fraud, and reputational risk. The value of ERM lies in providing a consistent way to evaluate and prioritize what matters most, leading to better decision making and improved governance.

Moving Toward an Integrated Risk Framework

Historically, ERM, internal audit, and internal controls over financial reporting (ICFR) have operated with limited coordination. Each function assessed risk through its own lens, often using different language, definitions, and prioritization criteria. Over time, this separation has created duplication, blind spots, and inconsistent reporting to leadership and boards.

Leading financial institutions are now recognizing the interdependencies between these functions and moving toward integrated risk management frameworks. Under this approach, IT, strategy, internal controls, audit, and ERM work from a unified risk structure and shared terminology. While risk can never be fully eliminated, coordinated controls and monitoring reduce both the likelihood and the impact of adverse events.

When ICFR considerations are embedded into enterprise risk and audit planning, discussions become more complete and resource allocation more disciplined. Financial reporting risks are no longer treated as a standalone compliance exercise, but as part of a broader enterprise profile.

The Role of a Common Risk Taxonomy

A foundational element of integration is a shared approach to defining risk across Internal Audit, ICFR, and ERM, using consistent language rather than department-specific definitions.

Most organizations adopt core risk categories that work for ERM risk registers, audit planning, and ICFR scoping:

  • Strategic risk
  • Operational risk
  • Financial reporting risk
  • Compliance, legal, and regulatory risk
  • Technology and IT risk
  • Fraud risk
  • Reputational risk

Best practice increasingly favors using a single risk and control matrix with a shared taxonomy, rather than parallel frameworks maintained by separate teams.

While the underlying risk language remains consistent, each function applies it differently:

  • ERM uses it to identify, aggregate, and prioritize enterprise risks, define risk appetite, and report to leadership and the board.
  • Internal Audit uses the same categories to scope audits, assess risk severity, and prioritize coverage based on control performance.
  • ICFR maps financial reporting risks and control activities to enterprise risks, allowing ICFR insights to roll up into broader discussions.

Standard supporting attributes, such as inherent risk, control effectiveness, residual risk, ownership, and key risk indicators, help keep assessments comparable, operationally meaningful, and strategically relevant across all three functions.

Clarifying Accountability Through the Three Lines of Defense

An integrated risk view also reinforces accountability through the Three Lines of Defense model:

  • First Line – Business Operations: Owns day-to-day activities and manages risk within processes.
  • Second Line – Enterprise Risk Management: Establishes policies, frameworks, and monitoring.
  • Third Line – Internal Audit: Provides independent assurance over the effectiveness of risk management and operating controls.

External audit sits outside the Three Lines of Defense, but it plays a complementary role. While external auditors maintain independence, effective coordination with management, ERM, and internal audit helps align views on the organization’s risk profile, control environment, and areas of heightened focus. In a mature risk environment, this interaction includes a shared understanding of key risks, timely communication about emerging issues, and thoughtful use of internal audit and control insights, without blurring accountability or independence.

Clear reporting relationships and escalation paths within and across the three lines, along with disciplined coordination with external audit, support a more connected risk environment. When accountability is well defined, risk information flows more effectively across the organization, and issues are surfaced before they become audit findings or external events.

Risk Appetite in the Next Era of ERM

Risk appetite has long existed as a governance concept, yet in many organizations it has failed to influence behavior. Traditional risk appetite statements are often written at too high a level, disconnected from operational decisions, and treated as documentation rather than guidance.

The risk appetite statement is becoming an active decision-making tool. Instead of static language, appetite statements are translated into practical boundaries that inform strategy, resource allocation, and performance expectations. Increasingly, financial institutions are integrating ICFR considerations into these discussions to better focus effort on the most consequential risk areas.

This enables risk appetite to influence:

  1. Strategic prioritization by clarifying where uncertainty is acceptable and where it is not.
  2. Operational alignment by matching controls and audit coverage to enterprise-level tolerance.
  3. Performance monitoring by linking appetite thresholds to observable indicators and escalation triggers.
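
As an added example (not material from the original article), the following Python sketches a single risk-and-control register built on the shared taxonomy described earlier. It carries the supporting attributes named in the taxonomy section (inherent risk, control effectiveness, residual risk, ownership, key risk indicators), exposes the same register to ERM, Internal Audit, and ICFR as three different views, and turns appetite thresholds on each indicator into "within", "approaching", and "exceeding" escalation states. The 1-to-5 inherent rating, the residual-risk formula, the owners, the KRI names, and the thresholds are assumptions chosen for illustration, not values from the article or from any standard.

```python
"""Single risk-and-control matrix on a shared taxonomy.

Added example; not code from the original article. Scales, formula,
owners, KRIs and thresholds are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class RiskCategory(Enum):
    """Shared taxonomy used by ERM, Internal Audit and ICFR alike."""
    STRATEGIC = "strategic"
    OPERATIONAL = "operational"
    FINANCIAL_REPORTING = "financial_reporting"
    COMPLIANCE = "compliance_legal_regulatory"
    TECHNOLOGY = "technology_it"
    FRAUD = "fraud"
    REPUTATIONAL = "reputational"


# Ordering used to pick the worst KRI status for a risk.
_SEVERITY = {"within": 0, "approaching": 1, "exceeding": 2}


@dataclass
class KeyRiskIndicator:
    name: str
    value: float
    warning: float  # assumed: at/above this the risk is approaching tolerance
    limit: float    # assumed: at/above this the appetite limit is exceeded

    def status(self) -> str:
        if self.value >= self.limit:
            return "exceeding"
        if self.value >= self.warning:
            return "approaching"
        return "within"


@dataclass
class RiskEntry:
    risk_id: str
    category: RiskCategory
    owner: str
    inherent: int                 # assumed 1 (low) .. 5 (high) rating
    control_effectiveness: float  # assumed 0.0 (none) .. 1.0 (fully effective)
    kris: list[KeyRiskIndicator] = field(default_factory=list)

    def residual(self) -> float:
        """Assumed model: effective controls scale down the inherent rating."""
        return round(self.inherent * (1.0 - self.control_effectiveness), 2)

    def worst_kri_status(self) -> str:
        return max((k.status() for k in self.kris), key=_SEVERITY.get, default="within")


def validate_register(register: list[RiskEntry]) -> list[str]:
    """Reject entries that break the shared attributes (id, taxonomy, ownership)."""
    problems, seen = [], set()
    for e in register:
        if e.risk_id in seen:
            problems.append(f"{e.risk_id}: duplicate id")
        seen.add(e.risk_id)
        if not isinstance(e.category, RiskCategory):
            problems.append(f"{e.risk_id}: category outside shared taxonomy")
        if not e.owner:
            problems.append(f"{e.risk_id}: no accountable owner")
        if not 1 <= e.inherent <= 5 or not 0.0 <= e.control_effectiveness <= 1.0:
            problems.append(f"{e.risk_id}: rating out of range")
    return problems


def erm_heatmap(register: list[RiskEntry]) -> dict[str, float]:
    """ERM view: highest residual risk per taxonomy category."""
    out: dict[str, float] = {}
    for e in register:
        out[e.category.value] = max(out.get(e.category.value, 0.0), e.residual())
    return out


def audit_priorities(register: list[RiskEntry], top: int) -> list[str]:
    """Internal Audit view: highest residual and weakest controls first."""
    ranked = sorted(register, key=lambda e: (-e.residual(), e.control_effectiveness))
    return [e.risk_id for e in ranked[:top]]


def icfr_scope(register: list[RiskEntry]) -> list[str]:
    """ICFR view: the financial reporting slice of the enterprise register."""
    return [e.risk_id for e in register if e.category is RiskCategory.FINANCIAL_REPORTING]


def escalations(register: list[RiskEntry]) -> list[tuple[str, str, str]]:
    """Appetite monitoring: every KRI approaching or exceeding its limit."""
    return [(e.risk_id, k.name, k.status())
            for e in register for k in e.kris if k.status() != "within"]


# Constructed sample register (illustrative values, not real data).
REGISTER = [
    RiskEntry("R-001", RiskCategory.TECHNOLOGY, "CIO", 5, 0.60,
              [KeyRiskIndicator("patch_sla_breaches_pct", 12, warning=10, limit=15)]),
    RiskEntry("R-002", RiskCategory.FINANCIAL_REPORTING, "Controller", 4, 0.75,
              [KeyRiskIndicator("late_close_days", 1, warning=2, limit=4)]),
    RiskEntry("R-003", RiskCategory.FRAUD, "COO", 4, 0.25,
              [KeyRiskIndicator("unreviewed_high_value_wires", 9, warning=5, limit=8)]),
    RiskEntry("R-004", RiskCategory.OPERATIONAL, "COO", 3, 0.50),
]

if __name__ == "__main__":
    assert not validate_register(REGISTER)
    print("ERM heatmap:", erm_heatmap(REGISTER))
    print("Audit top 2:", audit_priorities(REGISTER, 2))
    print("ICFR scope:", icfr_scope(REGISTER))
    print("Escalations:", escalations(REGISTER))
```

The point of keeping one register rather than three is visible in the view functions: ERM, audit, and ICFR each ask a different question of the same entries, so a residual-risk rating or a KRI breach recorded once is seen identically by all three, and the validation step enforces the shared attributes (unique id, taxonomy category, named owner, rating ranges) before any view is produced.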

Culture and Leadership as Risk Drivers

A defining feature of ERM is its emphasis on leadership behavior and risk culture. Risk outcomes are shaped by tone at the top, clarity of ownership, and how leaders discuss performance.

Organizations with strong risk cultures reinforce sound judgment, encourage open communication, and help employees understand why controls exist and what risks they mitigate. When individuals see how their actions contribute to the broader enterprise, the first line of defense becomes more effective, and execution becomes more consistent.

We Can Help

As annual control reviews continue to surface gaps and misaligned effort, financial institutions are recognizing that many issues stem from fragmented risk oversight. A more integrated approach to ERM helps address these challenges by unifying risk language, aligning controls to strategy, and treating risk appetite as an operational guide.

Our Financial Services Group helps institutions:

  • Evaluate the current ICFR framework
  • Perform an Enterprise Risk Management assessment
  • Identify gaps in risk assessment, control activities, and monitoring
  • Enhance reporting processes and reduce manual effort
  • Align oversight mechanisms with business goals and regulatory expectations
  • Support leadership with actionable insights and practical solutions

Contact us today to get started.

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.
