The Governance Library curated by Matthew Doyle
Risk Room · Interactive · Map walkthrough
Risk Framework Relationship Map
24 frameworks. Four phases. Three kinds of relationship.
Framing
The map is not the territory.
Risk management is a single system. The frameworks on this map are different cuts of that system, made at different times, for different purposes. The relationships between them matter more than the individual names.
Twenty-four frameworks. Four phases.
Phase 1 · Regulatory Foundations · 6 frameworks
Phase 2 · Concepts & Processes · 6 frameworks
Phase 3 · Assessment & Governance · 7 frameworks
Phase 4 · Control & Emerging · 6 frameworks
Phase One
Regulatory Foundations
The external architecture. What any organisation is required to do — and by whom.
Global Risk Environment · UK Corporate Governance Code · OECD Principles · ISO 31000 · ISO 19600 · Sector Regulators
Tension worth naming: ISO 31000 is the core risk framework, sector-agnostic. ISO 19600 is a compliance-management standard. Most organisations adopt one properly and name-drop the other. The conflation has consequences.
Phase Two
Concepts & Processes
The conceptual and procedural layer. How the organisation thinks about risk, and how it moves risk through its system.
Risk Definition · Risk Interconnectivity · Risk Perception · ERM · Standard RM Process · Three Lines Model
COSO ERM 2017 vs ISO 31000: COSO integrates risk with strategy-setting and performance. ISO 31000 is lighter-touch, more principles-based. The choice reflects a bias about where risk management sits.
Phase Three
Assessment & Governance
Thinking becomes doing. Risks get identified, measured, recorded, and matched against the lines the organisation has said it will not cross.
GRC Framework · Risk Identification · Risk Assessment · Risk Registers & RCSA · Appetite & Tolerance · Risk Culture · Compliance Management
Phase Four
Control & Emerging
The response layer. What gets done about the risks the earlier phases surface — and how the system adapts to categories it was not built for.
Five Ts · Risk Treatment · Risk Financing · BCP & Crisis Mgmt · CSR & Sustainability · Emerging Risks & Digital
Between them — three kinds of relationship.
Feeds
One framework provides the input another operates on.
Synthesis
Two frameworks inform each other. They work best together.
Tension
Frameworks disagree. The disagreement is itself a teaching point.
Relationship type · 1 of 3
Feeds
One framework provides the input another operates on. Most arrows on the map are feeds.
ISO 31000 → Standard risk management process
Risk Identification → Risk Assessment
Regulatory foundations → everything downstream
Relationship type · 2 of 3
Synthesis
Neither framework is fully upstream. They break when used in isolation.
ERM ⇄ GRC
Risk culture ⇄ Compliance
Risk appetite ⇄ Risk culture
Relationship type · 3 of 3
Tension
Frameworks pull in different directions. The disagreement is the teaching point.
Risk culture in tension with risk appetite — formal statements vs tone on the ground
Emerging risks in tension with existing treatments — new threats, old controls
ISO 31000 in tension with COSO ERM — different theories of where risk management sits
Good governance lives in the tensions.
Frameworks fail quietly, at the joints.
Most organisations can list the frameworks they use. Many fewer can describe the relationships between them. And it is the relationships that decide whether the frameworks actually catch anything.
Case · Volkswagen
Every node on the map that should have been lit up, was. On paper.
ISO-aligned RM process
Three Lines Model
German two-tier governance
Supervisory board
External auditor
The failure lived in the relationships
Risk identification → Risk assessment: did not carry the emissions signal.
Compliance → First line: never closed the loop.
Risk culture ⚡ Risk appetite: the tension was not named, let alone managed.
Contrast · Credit Suisse · 2021
Different industry. Different decade. Every node lit — relationships severed.
$5.5bn · Archegos default loss
2023 · absorbed into UBS
Paul Weiss · external report · July 2021
Bill Hwang's family office held equity positions through undisclosed total-return swaps with multiple prime brokers. Relationship managers pressed for limit exceptions. Credit risk granted them without adequate governance challenge. Senior leadership did not see the concentration across the swap book.
ISO-aligned framework · three-lines structure · appetite statement · counterparty limits. All present. All severed at the joints.
Two practical moves when using the map.
Move 01 · Trace
Start with a real risk you are carrying.
From which phase does the risk first become visible? Which relationships, if they were working, would carry the signal through to the board? Which relationships, in your organisation, are currently dead?
Move 02 · Tension
Pay attention to the tension arrows.
If your organisation has quietly resolved every tension in favour of one framework or the other, you have lost the argument the tension was there to have.
The critique
This map is itself a framework. Cleaner. More systemic. Still a framework.
It draws on a tradition worth naming.
Descends from
Hard systems engineering
Decompose into parts. Study each separately. Classical risk management.
Concession to
Soft Systems Methodology
Peter Checkland · Lancaster University · 1970s. Behaviour lives in the relationships.
A starting point for thinking systemically — not a replacement for the thinking.
Three things to carry forward.
A reading
Use the interactive map itself. Pair it with Peter Checkland's Systems Thinking, Systems Practice for the theoretical frame.
A question
Which of the relationships on this map are currently alive, and which have quietly gone dead?
The wider library
The map frames every other video in this room.
Three Lines → phase 2. Appetite → phase 3. Oversight → across all four.
Risk Room 05 · The Governance Library curated by Matthew Doyle · mæd partners