A community bank uses the three lines of defense approach to manage its operational risk exposures. The bank is in the process of implementing an enterprise risk management (ERM) framework, and the CRO decides to extend the three lines of defense approach to its implementation of ERM. The CRO also wants to ensure that the ERM framework appropriately reflects the bank's risk appetite and risk culture. Which of the following actions should the CRO recommend for the bank to take?