Five Risk Reports. Five Formats. No Answers.

The board of a Caribbean financial services group met quarterly to discuss risk. At each meeting, the board received risk reporting from five separate sources. The credit risk department submitted a twelve-page report detailing portfolio concentration, non-performing loan ratios, provisioning adequacy, and the top twenty exposures. The operational risk function provided a six-page incident report listing the operational events that had occurred during the quarter, classified by type and severity. The compliance department submitted a regulatory risk update covering examination findings, remediation progress, and emerging regulatory requirements. The IT department provided a technology risk summary that described system availability, cybersecurity incidents, and the status of technology projects. And the treasury submitted a market risk report covering interest rate sensitivity, foreign exchange exposure, and liquidity ratios.

Each report was competently prepared. Each addressed real risks. And each was utterly disconnected from the others.

The credit risk report used a five-point severity scale. The operational risk report used a three-tier classification. The compliance report used traffic light indicators. The IT report used a heat map. The treasury report used numerical metrics with no severity classification at all. The board could not compare risks across domains, could not assess whether a credit risk rated “4” was more or less severe than an operational risk rated “high,” and could not determine whether the enterprise’s aggregate risk exposure was within acceptable limits because no aggregate view existed.

The board chair, a recently appointed independent director with risk management experience from an international banking group, asked four questions that exposed the framework’s deficiency.

First: “What is our risk appetite? What level of risk has this board formally agreed it is willing to accept in pursuit of the group’s strategic objectives?” The answer: the group had no documented risk appetite statement. Risk tolerance was implicit — understood informally by management but never formally articulated, approved by the board, or communicated across the organisation.

Second: “What are the top ten risks facing this group, ranked by the combination of likelihood and impact, across all risk categories?” The answer: no aggregated risk ranking existed. Each department ranked risks within its own domain, but nobody had ranked risks across domains. The board could not determine whether credit concentration in the loan portfolio was a greater threat than a cybersecurity breach, or whether regulatory non-compliance was a more urgent concern than the aging core banking system.

Third: “Who is accountable for each of our material risks? Who owns the risk, who is responsible for the controls that mitigate it, and who reports on its status?” The answer: risk ownership was assumed but not formally assigned. The credit risk department assumed it owned credit risk. The IT department assumed it owned technology risk. But risks that crossed departmental boundaries — fraud risk, which involves credit, operations, compliance, and IT; or third-party risk, which involves procurement, legal, IT, and operations — had no clear owner.

Fourth: “How do we know our risk management is effective? What assurance do we have that the controls we rely on to mitigate our material risks are actually operating as intended?” The answer: internal audit performed some testing of controls, but the audit plan was not aligned with the risk register because there was no enterprise risk register to align it with. The connection between risk identification, control design, control testing, and board reporting was broken.

The board chair’s assessment was measured but consequential: “We have risk reporting. We do not have risk management. Reporting tells us what has happened. Management tells us what could happen and what we are doing about it. We need to build the framework that connects every risk into a single, governed, actionable view.”

This fictional scenario, while not attributable to any specific Caribbean financial services group, reflects the fragmented approach to risk management that Dawgen Global encounters in enterprises across the Caribbean — including enterprises that believe they have a risk management framework because they have risk reports.

What Enterprise Risk Management Actually Is

Enterprise risk management is not a department. It is not a report. It is not a register. It is a framework — a structured, integrated, enterprise-wide approach to identifying, assessing, managing, monitoring, and reporting the risks that affect the enterprise’s ability to achieve its strategic objectives.

The two most widely recognised ERM frameworks provide the foundation for building this capability.

COSO ERM Framework: The Committee of Sponsoring Organizations’ Enterprise Risk Management — Integrating with Strategy and Performance framework defines ERM as the culture, capabilities, and practices that organisations integrate with strategy-setting and performance management to create, preserve, and realise value. The COSO framework emphasises the integration of risk management with strategy: the enterprise’s risk appetite should inform its strategic choices, and its risk management capability should enable it to pursue strategy with confidence. COSO identifies five interrelated components: governance and culture, strategy and objective-setting, performance, review and revision, and information, communication, and reporting.

ISO 31000: The International Organization for Standardization’s ISO 31000 Risk Management standard provides principles, a framework, and a process for managing risk. ISO 31000 is applicable to any organisation regardless of size, sector, or geography, and provides a practical, process-oriented approach to risk management. The ISO 31000 process includes establishing the context, risk identification, risk analysis, risk evaluation, risk treatment, monitoring and review, and communication and consultation. For Caribbean enterprises that are building risk management capability for the first time, ISO 31000 provides an accessible, practical starting point.

Both frameworks share common principles that define what effective ERM looks like in practice: risk management should be integrated into the enterprise’s governance and decision-making, should be systematic and structured, should be based on the best available information, should be tailored to the enterprise’s context, and should be continuously improved.

The Seven Building Blocks of Caribbean ERM

  1. Risk Governance: Effective ERM begins with governance: the board’s oversight of risk, the risk committee’s mandate, the chief risk officer’s or risk champion’s authority, and the policies that define how risk is managed across the enterprise. The governance structure determines who is accountable for risk management, how risk information flows to the board, and how risk decisions are made. For Caribbean enterprises, risk governance does not require a separate risk committee in every case — for mid-market enterprises, the audit committee or a combined audit and risk committee may fulfil the function — but it requires clear accountability, board-level oversight, and defined reporting lines.
  2. Risk Appetite and Tolerance: Risk appetite is the amount and type of risk the enterprise is willing to accept in pursuit of its strategic objectives. Risk tolerance is the acceptable variation from the risk appetite for specific risk categories. Without a documented, board-approved risk appetite statement, the enterprise cannot determine whether its current risk exposure is within acceptable limits or whether management’s risk-taking decisions are aligned with the board’s expectations. The financial services group’s inability to answer whether aggregate risk was within acceptable limits was a direct consequence of having no risk appetite statement.
  3. Risk Identification: The enterprise must systematically identify the risks that could affect its ability to achieve its objectives. Risk identification should be comprehensive — covering strategic, operational, financial, compliance, technology, reputational, and environmental risks — and should draw on multiple sources: management judgement, historical incident data, industry analysis, regulatory guidance, scenario analysis, and stakeholder input. The food manufacturer in Article 1 failed to identify risks that were plainly visible — supplier concentration, facility aging, and process gaps — because no systematic identification process existed.
  4. Risk Assessment: Each identified risk must be assessed for its likelihood of occurrence and its potential impact on the enterprise. The assessment should use a consistent methodology across all risk categories — the consistent scale that the financial services group’s five departments lacked. Risk assessment produces the prioritised view that enables the board and management to focus attention and resources on the risks that matter most. The assessment should consider both inherent risk (the risk before controls) and residual risk (the risk after the effect of existing controls), enabling the enterprise to evaluate the effectiveness of its control environment.
  5. Risk Mitigation and Controls: For each material risk, the enterprise must define the controls and mitigation strategies that reduce the risk to within the risk appetite. Controls may be preventive (designed to prevent the risk from materialising), detective (designed to identify the risk event when it occurs), or corrective (designed to limit the impact after the event). The enterprise should document the controls that mitigate each risk, assign ownership of each control, and establish processes for verifying that controls are operating effectively.
  6. Risk Monitoring and Reporting: The enterprise must monitor its risk profile continuously and report to the board and management on a regular basis. Risk monitoring includes tracking key risk indicators that provide early warning of changing risk levels, reviewing incidents and near-misses for lessons learned, and updating the risk assessment as the enterprise’s internal and external environment changes. Risk reporting to the board should provide the aggregated, cross-domain view that the financial services group’s board chair demanded: the top risks, their status, the effectiveness of controls, and any emerging risks that require attention.
  7. Risk Culture: The most sophisticated framework will fail if the enterprise’s culture does not support risk management. Risk culture means that employees at every level understand their role in managing risk, feel empowered to escalate risk concerns, and see risk management as an enabler of good decision-making rather than a bureaucratic obstacle. Building risk culture requires leadership commitment — the tone from the top that signals risk management is valued — and practical reinforcement through training, communication, performance management, and the visible consequences of both good and poor risk management decisions.

The Enterprise Risk Register: The Single View That Changes Everything

The enterprise risk register is the centrepiece of the ERM framework — the single document that captures every material risk facing the enterprise, its assessment, its owner, its controls, and its status. The risk register transforms risk management from a collection of departmental activities into an integrated, governed enterprise capability.

What the Risk Register Contains: For each identified risk: a clear description of the risk event and its potential consequences; the risk category (strategic, operational, financial, compliance, technology, reputational, environmental); the inherent risk assessment (likelihood and impact before controls); the existing controls and their assessed effectiveness; the residual risk assessment (likelihood and impact after controls); the risk owner (the individual accountable for managing the risk); the planned mitigation actions and their timelines; and the key risk indicators that will be monitored.

How the Risk Register Is Used: The risk register is not a static document prepared annually and filed. It is a dynamic management tool that is reviewed and updated regularly — quarterly at a minimum, and immediately when the risk environment changes. The risk committee reviews the register at each meeting. The board receives a summary of the top risks and their movement. Management uses the register to prioritise risk mitigation investment. Internal audit uses the register to align its audit plan with the enterprise’s most significant risks. And the register provides the basis for the aggregated risk reporting that enables the board to understand the enterprise’s total risk exposure.

What Changes When You Have One: The transformation from siloed risk reporting to an integrated risk register changes the quality of every risk conversation in the enterprise. The board can see, for the first time, the complete risk landscape. Management can compare risks across domains and allocate resources to the areas of greatest exposure. Risk owners have clear accountability. Internal audit can focus its limited resources on the risks that matter most. And the enterprise can make strategic decisions with a genuine understanding of the risks those decisions create or affect.
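The consistent assessment methodology from building blocks 2, 4 and 5 and the register contents listed above, as an added illustration that is not from the article or from Dawgen Global's own tooling: a small Python risk register that maps the five departments' incompatible scales onto one 1-5 scale, scores inherent and residual risk as likelihood x impact, tests residual risk against a board appetite, and ranks risks across domains. All department names, scale mappings, treasury bands, risk entries, owners and appetite limits are constructed assumptions.

```python
"""Added example (not the article's or Dawgen Global's): a minimal enterprise
risk register with one common 1-5 scale across departments."""
from dataclasses import dataclass

# Constructed translations of each department's native scale to a common 1-5 scale.
SCALE_MAPS = {
    "credit": {1: 1, 2: 2, 3: 3, 4: 4, 5: 5},                  # five-point scale
    "operational": {"low": 1, "medium": 3, "high": 5},          # three-tier classes
    "compliance": {"green": 1, "amber": 3, "red": 5},           # traffic lights
    "it": {"low": 1, "medium": 2, "high": 4, "critical": 5},    # heat-map bands
}
# Treasury reports bare numbers (here: % of an exposure limit used); bands are constructed.
TREASURY_BANDS = [(20, 1), (40, 2), (60, 3), (80, 4)]  # (upper bound, common score)

def normalise(department: str, rating) -> int:
    """Translate a department-native likelihood or impact rating to the 1-5 scale."""
    if department == "treasury":
        return next((s for bound, s in TREASURY_BANDS if rating <= bound), 5)
    mapping = SCALE_MAPS[department]
    key = rating.lower() if isinstance(rating, str) else rating
    if key not in mapping:
        raise ValueError(f"{department} has no rating {rating!r}")
    return mapping[key]

@dataclass
class Risk:
    risk_id: str
    description: str
    category: str        # strategic, operational, financial, compliance, technology, ...
    department: str      # the function that assessed it, using its own scale
    owner: str           # single accountable individual (constructed role name)
    inherent: tuple      # (likelihood, impact) before controls, native scale
    residual: tuple      # (likelihood, impact) after controls, native scale
    controls: tuple = ()

    def score(self, stage: str) -> int:
        """Likelihood x impact on the common scale (1..25) for 'inherent' or 'residual'."""
        lik, imp = getattr(self, stage)
        return normalise(self.department, lik) * normalise(self.department, imp)

# Constructed board risk appetite: maximum tolerated residual score per category.
APPETITE = {"compliance": 6, "technology": 9, "default": 12}

def breaches_appetite(risk: Risk) -> bool:
    limit = APPETITE.get(risk.category, APPETITE["default"])
    return risk.score("residual") > limit

def top_risks(register, n=3):
    """Cross-domain ranking by residual score, inherent score as tie-breaker."""
    key = lambda r: (r.score("residual"), r.score("inherent"))
    return sorted(register, key=key, reverse=True)[:n]

def unowned(register):
    """Risks with no named owner: the cross-departmental gap the board chair asked about."""
    return [r.risk_id for r in register if not r.owner]

# Constructed register entries, one per departmental scale.
REGISTER = [
    Risk("R1", "Loan book concentration in one sector", "financial", "credit",
         "Chief Credit Officer", (4, 5), (3, 4), ("sector limits", "quarterly review")),
    Risk("R2", "Payment processing outage", "operational", "operational",
         "Head of Operations", ("high", "high"), ("medium", "high"), ("failover site",)),
    Risk("R3", "Open regulatory examination finding", "compliance", "compliance",
         "Head of Compliance", ("red", "red"), ("amber", "red"), ("remediation plan",)),
    Risk("R4", "Unsupported core banking platform", "technology", "it",
         "CIO", ("critical", "critical"), ("high", "high"), ("vendor extended support",)),
    Risk("R5", "FX exposure vs limit (% used)", "financial", "treasury",
         "Treasurer", (85, 70), (45, 70), ("hedging programme",)),
    Risk("R6", "Cross-functional fraud", "operational", "operational",
         "", ("medium", "high"), ("medium", "high"), ()),
]
```

With these constructed entries, the top three residual risks are R4, R2 and R3, R6 surfaces as unowned, and R1 and R5 sit exactly at the default appetite limit without breaching it.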

From Silos to Integration: The Practical Path

Phase 1 — Foundation (Months 1–4): Establish the risk governance structure: designate the board committee responsible for risk oversight, appoint the risk champion or CRO, and define the risk management policy. Conduct an initial enterprise-wide risk identification workshop involving senior management from all functions. Develop the risk assessment methodology: the consistent scales, the scoring criteria, and the documentation templates. Produce the first version of the enterprise risk register.

Phase 2 — Development (Months 4–9): Develop the risk appetite statement for board approval. Map the existing controls against the risks in the register and assess their effectiveness. Identify the control gaps — risks that are above the risk appetite with insufficient controls — and develop mitigation plans. Establish key risk indicators for the top risks. Design the board risk reporting format: the dashboard that provides the aggregated, cross-domain view the board needs.

Phase 3 — Integration (Months 9–18): Integrate functional risk management activities into the enterprise framework: credit risk, operational risk, compliance risk, IT risk, and any other functional risk capabilities feed into the enterprise risk register and report through the enterprise risk governance structure. Align internal audit’s plan with the enterprise risk register. Conduct the first enterprise-wide scenario testing exercise. Begin embedding risk management into strategic planning and major decision-making processes.

Phase 4 — Maturity (Months 18–36): Develop the risk culture through training, communication, and leadership reinforcement. Implement technology-enabled risk monitoring and reporting. Conduct regular risk appetite reviews to ensure alignment with evolving strategy. Establish continuous improvement processes: annual framework effectiveness reviews, peer benchmarking, and emerging risk horizon scanning. The framework is now operational, governed, and continuously improving.

Dawgen Global’s Enterprise Risk Management Advisory

Dawgen Global’s Enterprise Risk Management Advisory provides Caribbean enterprises with the practical expertise to build ERM frameworks that are effective, proportionate, and sustainable.

ERM Framework Design: Dawgen Global designs enterprise risk management frameworks tailored to the enterprise’s size, complexity, industry, and regulatory environment. Our frameworks are built on COSO and ISO 31000 principles but designed for Caribbean operating realities — practical, implementable, and proportionate to the enterprise’s resources.

Risk Assessment and Register Development: Dawgen Global facilitates enterprise-wide risk identification and assessment, producing the comprehensive risk register that becomes the foundation of the ERM framework. Our facilitated workshops draw on management’s knowledge while applying the structured methodology that ensures completeness and consistency.

Risk Appetite Development: Dawgen Global works with boards and executive teams to develop risk appetite statements that are specific, measurable, and aligned with the enterprise’s strategy. Our risk appetite work includes the cascading of board-level appetite into operational risk tolerances that guide day-to-day decision-making.

Risk Governance and Reporting Design: Dawgen Global designs risk governance structures and board reporting frameworks that provide the integrated, actionable risk intelligence the board needs. Our reporting designs replace the fragmented departmental reports with aggregated dashboards that enable genuine risk oversight.

ERM Implementation Support: Dawgen Global provides ongoing advisory support throughout the ERM implementation journey — from initial framework design through integration and maturity — ensuring that the framework is embedded in the enterprise’s operations rather than existing only on paper.

From Five Reports to One Framework

The fictional financial services group whose board received five disconnected risk reports was not lacking in risk awareness. Every department was aware of the risks in its domain and was reporting them conscientiously. What the enterprise lacked was integration: the framework that connects every risk into a single, governed, actionable view that enables the board to understand the enterprise’s total risk exposure and to make decisions accordingly.

The board chair’s four questions — about risk appetite, aggregated risk ranking, risk ownership, and assurance over controls — are questions that every Caribbean board should be able to answer. They are questions that cannot be answered without an enterprise risk management framework. And they are questions whose answers determine whether the enterprise is genuinely managing risk or merely reporting on it after the fact.

The difference between risk reporting and risk management is the difference between knowing what happened and knowing what could happen. Enterprise risk management gives the board and management the forward-looking, integrated, governed view that transforms risk from a reactive burden into a strategic capability. The five reports become one framework. The fragments become a picture. And the enterprise moves from hoping that risks will not materialise to being prepared when they do.

Build Your ERM Framework

Dawgen Global invites Caribbean enterprises to move from fragmented risk reporting to integrated enterprise risk management.

Request a proposal for Dawgen Global’s Enterprise Risk Management Framework Design and Implementation Advisory. Email [email protected] or visit www.dawgen.global to begin the conversation.

DAWGEN GLOBAL | Big Firm Capabilities. Caribbean Understanding.


About Dawgen Global

“Embrace BIG FIRM capabilities without the big firm price at Dawgen Global, your committed partner in carving a pathway to continual progress in the vibrant Caribbean region. Our integrated, multidisciplinary approach is finely tuned to address the unique intricacies and lucrative prospects that the region has to offer. Offering a rich array of services, including audit, accounting, tax, IT, HR, risk management, and more, we facilitate smarter and more effective decisions that set the stage for unprecedented triumphs. Let’s collaborate and craft a future where every decision is a stepping stone to greater success. Reach out to explore a partnership that promises not just growth but a future beaming with opportunities and achievements.”

Email: [email protected]
Web: www.dawgen.global

WhatsApp Global Number: +1 555-795-9071

Caribbean Office: +1 876-665-5926 / 876-929-3670 / 876-926-5210

USA Office: 855-354-2447

Join hands with Dawgen Global. Together, let’s venture into a future brimming with opportunities and achievements

by Dr Dawkins Brown

Dr. Dawkins Brown is the Executive Chairman of Dawgen Global, an integrated multidisciplinary professional service firm. Dr. Brown earned his Doctor of Philosophy (Ph.D.) in the field of Accounting, Finance and Management from Rushmore University. He has over twenty-three (23) years’ experience in the fields of audit, accounting, taxation, finance and management. Starting his public accounting career in the audit department of a “big four” firm (Ernst & Young), and gaining experience in local and international audits, Dr. Brown rose quickly through the senior ranks and held the position of Senior Consultant prior to establishing Dawgen.


Dawgen Global is an integrated multidisciplinary professional service firm in the Caribbean Region. We are integrated as one regional firm and provide several professional services including: audit, accounting, tax, IT, risk, HR, performance, M&A, corporate recovery and other advisory services.


© 2023 Copyright Dawgen Global. All rights reserved.

© 2024 Copyright Dawgen Global. All rights reserved.