skip to navigation
skip to content

Financial Outsourcing Solutions

Bank key

FOS Blog

14 Dec

Risk ID Framework Practices

Risk ID Framework Practices

The Banking industry develops and executes strategic plans in an uncertain and risky environment. The purpose of an enterprise risk management framework is to ensure that those risks and areas of uncertainty are identified, analyzed, and monitored. The Federal Reserve recently formalized expectations for the risk ID framework to be comprehensive, dynamic, and inclusive. To ensure these expectations are met, companies have begun employing two different strategies – top-down and bottom-up.



The top-down risk identification process identifies significant enterprise-level risks that are strategic, systemic, and/or emerging in nature, including company-specific risks that could span multiple lines of business. This method of identification can be performed through a management risk survey conducted every quarter. This risk survey should be a formal, systematic, and repeatable process to ensure consistent identification and evaluation of significant risks by senior management. A company can leverage its risk categories to segment risks identified through the survey process. At least once every quarter, the top current and emerging risks should be reviewed by the senior management risk committee and, subsequently, the board risk committee. Meanwhile, mitigation plans ensure that the company’s view of key risks is transparent.


Identifies granular risk exposures from positions on and off balance sheet, including risk concentrations. With this method it is easier to segment the collection of bottom-up risk identification data using the risk categories from the company’s risk profile. For example, functional subject matter experts in the areas of consumer credit, commercial credit, market risk, liquidity risk, operational risk, compliance risk, and strategic risk coordinate with their functional counterparts in the first line of defense to compile the risk inventory for their particular risk stripes. For operational risk, bottom-up exposures are identified and captured through the risk and control self-assessment process, incident capture, fraud events, and scenario development.

Risk exposures identified through top-down and bottom-up processes can then be consolidated to create a comprehensive risk inventory, providing a view of the firm’s vulnerabilities and risks relevant to the business units.


Strong governance is critical to achieve satisfactory assessments for regulators and internal auditors. The Risk ID Framework should be documented in the Bank’s Enterprise Risk Management Policy, including any responsibilities. The bottom-up risk inventories along with the risk identified in the top-down survey create a risk inventory for the company. Once approved by a senior management risk committee and/or Board of Directors, the risk inventory is adopted for use by the key business processes in the Bank.


Guidance requires that Banks have a process in place to identify the materiality of risks, such as, when should a risk be included on the Bank’s risk inventory. Most firms use likelihood of an event occurring to gauge materiality, along with possible impacts. Likelihood and impact can be assessed using numeric values (ex: 1-low, 5-high).  Risks can then be ranked by chances of likelihood hood and severity of potential negative impact.


All in all, in order for a Bank to properly identify key risks within its business areas, the Bank must use two methods to determine financial, strategic, etc. risks. Risks can then be ranked on severity and likelihood to determine the Bank’s overall risk identification framework.

Article compiled by Jason Kline, for additional information please visit our contact us page.