CPCU 500 separates the ideas of a risk management framework and a risk management process. The framework is the overall structure that makes risk management work across the organization. It includes governance, leadership commitment, policies, roles and responsibilities, communication channels, reporting, and integration with strategy and operations. The process is the repeatable set of steps used to manage risks day to day, such as identifying risks, analyzing them, selecting and implementing responses, and monitoring results.
Option C is correct because the process does not stand alone. It operates within the framework and depends on the framework for authority, consistency, accountability, and resources. In other words, the framework provides the "system" and expectations for how risk decisions are made, while the process is the "method" used to carry out those decisions.
Option A is too broad and slightly off-target: senior management sets tone and oversight, but the framework is typically established through governance and coordinated responsibilities, not simply "the process established by senior management." Option B is incorrect because ERM is not only about minimizing downside; it also addresses uncertainty in achieving objectives and can include opportunities. Option D is incorrect because identifying risk owners is part of governance and implementation, but the first step of the risk management process is generally risk identification, not defining roles.