Gold by MangoMagic

CEO · Framework · Advanced · Saves 70+ hours

Enterprise Risk Framework

A comprehensive framework for enterprise risk management.

What's included

  • Risk Identification
    • Risk categories
    • Risk inventory
    • Emerging risk scanning
  • Risk Assessment
    • Likelihood evaluation
    • Impact assessment
    • Risk scoring and prioritization
  • Risk Mitigation
    • Mitigation strategies
    • Control implementation
    • Residual risk acceptance
  • Risk Monitoring
    • Key risk indicators
    • Reporting cadence
    • Board communication

Best used when

  • Building a risk management program
  • Preparing for a board risk committee
  • Conducting annual risk assessment
  • Post-incident improvement

Why this is Gold

Risk management is often ad-hoc. This framework creates systematic risk oversight.

The template

ENTERPRISE RISK PHILOSOPHY

Understanding Enterprise Risk Management

ENTERPRISE RISK MANAGEMENT FUNDAMENTALS

WHY ENTERPRISE RISK MANAGEMENT MATTERS:
☐ Risks can destroy value overnight
☐ Proactive management beats reactive
☐ Boards expect risk oversight
☐ Investors evaluate risk practices
☐ Insurance requires risk documentation

CEO'S ROLE IN RISK MANAGEMENT:
☐ Set risk appetite and culture
☐ Ensure risk oversight structure
☐ Review top risks regularly
☐ Make risk-informed decisions
☐ Communicate to board effectively

THE RISK MANAGEMENT REALITY:
"You cannot eliminate risk. You can only
understand it, plan for it, and make
conscious decisions about what risks to
accept, mitigate, or avoid. The CEO who
ignores risk isn't bold - they're reckless."

RISK MANAGEMENT PRINCIPLES:
1. Risk is inherent in business
2. Not all risks are equal
3. Some risk must be accepted
4. Controls have costs
5. Residual risk must be tolerated

RISK CATEGORIES:
STRATEGIC: Risks to business model, market, competition
OPERATIONAL: Risks to processes, systems, execution
FINANCIAL: Risks to cash, revenue, cost structure
COMPLIANCE: Risks from regulation, legal, contracts
REPUTATIONAL: Risks to brand, trust, relationships

COMMON RISK MANAGEMENT MISTAKES:
☐ Risk theater (check-the-box)
☐ Only managing obvious risks
☐ Ignoring slow-moving risks
☐ No risk ownership
☐ All risk avoidance (no growth)
☐ Inconsistent risk tolerance

COMPREHENSIVE ENTERPRISE RISK FRAMEWORK

═══════════════════════════════════════
ENTERPRISE RISK FRAMEWORK
═══════════════════════════════════════

COMPANY: _______________
Assessment Date: _______________
Risk Officer: _______________
Last Update: _______________

═══════════════════════════════════════
SECTION 1: RISK GOVERNANCE
═══════════════════════════════════════

RISK GOVERNANCE STRUCTURE:

BOARD OVERSIGHT:
☐ Risk committee established: ☐ Yes ☐ No
☐ Risk reporting cadence: _______________
☐ Risk appetite approved: ☐ Yes ☐ No

MANAGEMENT ACCOUNTABILITY:
☐ Risk owner assigned for each key risk
☐ Risk review cadence: _______________
☐ Escalation process defined

RISK ROLES:
| Role | Responsibility | Name |
|------|----------------|------|
| Board | Oversight, appetite | |
| CEO | Strategy, culture | |
| CFO | Financial risk | |
| CTO | Technology risk | |
| Legal/Counsel | Legal/compliance | |
| Risk Committee | Coordination | |

═══════════════════════════════════════
SECTION 2: RISK IDENTIFICATION
═══════════════════════════════════════

RISK INVENTORY BY CATEGORY:

STRATEGIC RISKS:
☐ Market/competitive risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ Technology disruption risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ M&A/partnership execution risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ Strategic misalignment risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ Key customer dependency risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

OPERATIONAL RISKS:
☐ System/technology failure risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ Process breakdown risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ Human error/fraud risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ Supply chain/vendor risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ Key person dependency risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

FINANCIAL RISKS:
☐ Liquidity/cash risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ Credit/counterparty risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ Revenue concentration risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ Cost overrun risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ FX/market risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

COMPLIANCE RISKS:
☐ Regulatory risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ Legal/contractual risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ Data privacy risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ Employment/HR risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ IP/patent risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

REPUTATIONAL RISKS:
☐ Brand/public perception risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ Social media/viral risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

☐ Leadership conduct risk
   Description: _______________
   Current exposure: ☐ High ☐ Med ☐ Low

═══════════════════════════════════════
SECTION 3: RISK ASSESSMENT
═══════════════════════════════════════

RISK SCORING METHODOLOGY:

LIKELIHOOD SCALE:
1 = Rare (<5% probability)
2 = Unlikely (5-20% probability)
3 = Possible (20-50% probability)
4 = Likely (50-80% probability)
5 = Almost certain (>80% probability)

IMPACT SCALE:
1 = Negligible (<$50K or minimal disruption)
2 = Minor ($50K-$250K or <1 week disruption)
3 = Moderate ($250K-$1M or 1-4 week disruption)
4 = Major ($1M-$5M or 1-3 month disruption)
5 = Severe (>$5M or existential threat)

RISK SCORE = Likelihood × Impact

RISK PRIORITY MATRIX:
| Likelihood \ Impact | 1 Negligible | 2 Minor | 3 Moderate | 4 Major | 5 Severe |
|---------------------|--------------|---------|------------|---------|----------|
| 5 Almost certain | 5 | 10 | 15 | 20 | 25 |
| 4 Likely | 4 | 8 | 12 | 16 | 20 |
| 3 Possible | 3 | 6 | 9 | 12 | 15 |
| 2 Unlikely | 2 | 4 | 6 | 8 | 10 |
| 1 Rare | 1 | 2 | 3 | 4 | 5 |

PRIORITY ZONES:
20-25: Critical (immediate action required)
12-19: High (active management required)
6-11: Medium (monitor and plan)
1-5: Low (accept and monitor)

TOP RISK ASSESSMENT:
| Rank | Risk | L | I | Score | Owner | Status |
|------|------|---|---|-------|-------|--------|
| 1 | | | | | | |
| 2 | | | | | | |
| 3 | | | | | | |
| 4 | | | | | | |
| 5 | | | | | | |
| 6 | | | | | | |
| 7 | | | | | | |
| 8 | | | | | | |
| 9 | | | | | | |
| 10 | | | | | | |

═══════════════════════════════════════
SECTION 4: RISK REGISTER
═══════════════════════════════════════

RISK REGISTER ENTRY TEMPLATE:
(Complete for each high/critical risk)

RISK ID: _______________
Risk Name: _______________
Category: ☐ Strategic ☐ Operational ☐ Financial
          ☐ Compliance ☐ Reputational
Owner: _______________

RISK DESCRIPTION:
What could happen: _______________
Trigger/cause: _______________
Consequence: _______________

INHERENT RISK ASSESSMENT:
(Risk without any controls)
Likelihood: ___/5
Impact: ___/5
Inherent Score: ___/25

CURRENT CONTROLS:
| Control | Type | Effectiveness |
|---------|------|---------------|
| | ☐ Preventive ☐ Detective | ☐ Strong ☐ Adequate ☐ Weak |
| | ☐ Preventive ☐ Detective | ☐ Strong ☐ Adequate ☐ Weak |
| | ☐ Preventive ☐ Detective | ☐ Strong ☐ Adequate ☐ Weak |

Overall Control Effectiveness: ☐ Strong ☐ Adequate ☐ Weak

RESIDUAL RISK ASSESSMENT:
(Risk after controls)
Likelihood: ___/5
Impact: ___/5
Residual Score: ___/25

RESIDUAL RISK ACCEPTABLE?
☐ Yes (within risk appetite)
☐ No (further mitigation required)

MITIGATION PLAN:
| Action | Owner | Due Date | Status |
|--------|-------|----------|--------|
| | | | ☐ Done ☐ On track ☐ Late |
| | | | ☐ Done ☐ On track ☐ Late |
| | | | ☐ Done ☐ On track ☐ Late |

KEY RISK INDICATORS (KRIs):
| KRI | Threshold | Current | Status |
|-----|-----------|---------|--------|
| | | | ☐ G ☐ Y ☐ R |
| | | | ☐ G ☐ Y ☐ R |

REVIEW SCHEDULE:
Review frequency: ☐ Monthly ☐ Quarterly ☐ Annually
Next review date: _______________

═══════════════════════════════════════
SECTION 5: RISK MONITORING
═══════════════════════════════════════

KEY RISK INDICATOR DASHBOARD:
| Risk Area | KRI | Target | Current | Status | Trend |
|-----------|-----|--------|---------|--------|-------|
| Cyber | Critical vulns | 0 | | ☐G☐Y☐R | ↑↓→ |
| Financial | Runway months | 12+ | | ☐G☐Y☐R | ↑↓→ |
| Customer | Top customer % | <20% | | ☐G☐Y☐R | ↑↓→ |
| Compliance | Open issues | <5 | | ☐G☐Y☐R | ↑↓→ |
| Operations | System uptime | 99.9% | | ☐G☐Y☐R | ↑↓→ |
| People | Key person backup | 100% | | ☐G☐Y☐R | ↑↓→ |

EMERGING RISK SCAN:
| Potential Risk | Timeframe | Likelihood | Impact | Monitor |
|----------------|-----------|------------|--------|---------|
| | | H/M/L | H/M/L | ☐ Yes |
| | | H/M/L | H/M/L | ☐ Yes |
| | | H/M/L | H/M/L | ☐ Yes |

INCIDENT TRACKING:
| Date | Incident | Risk Area | Severity | Resolution |
|------|----------|-----------|----------|------------|
| | | | H/M/L | |
| | | | H/M/L | |

═══════════════════════════════════════
SECTION 6: BOARD REPORTING
═══════════════════════════════════════

QUARTERLY BOARD RISK SUMMARY:

EXECUTIVE SUMMARY:
Total risks tracked: ___
Critical risks: ___
High risks: ___
New risks this quarter: ___
Closed/reduced this quarter: ___

OVERALL RISK POSTURE:
☐ Improving ☐ Stable ☐ Deteriorating
Commentary: _______________

TOP RISKS REQUIRING BOARD ATTENTION:
1. _______________
2. _______________
3. _______________

KEY DECISIONS FOR BOARD:
☐ _______________
☐ _______________

Risk Assessment Matrix

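| Risk | Category | Likelihood (1-5) | Impact (1-5) | Score | Priority | Owner |
|------|----------|------------------|--------------|-------|----------|-------|
| | | | | | Critical/High/Med/Low | |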

Risk Management Calendar

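| Activity | Frequency | Owner | Next Date |
|----------|-----------|-------|-----------|
| Risk register update | Monthly | | |
| KRI review | Monthly | | |
| Full risk assessment | Quarterly | | |
| Board risk report | Quarterly | | |
| Risk appetite review | Annually | | |
| Emerging risk scan | Quarterly | | |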
