The proposal is quite good aiming to establish proper culture of complaince and risk management. In my opinion, the outlined risk categories are good enough for now.
Although “MEDIUM” gives here a sense, I am of a opinion that this should be quantified for each categories of risks if possible. For example, identifying the measurable metrics for credit risk appetite statement and what metric level constitutes low, medium and high profile.
As I understand Risk Management and Compliance normally falls under second line of defense in organizational framework and usually overseen by board audit/risk committee. Question remains who will oversee the risk management framework in protocol, although we are yet to establish risk mannagement framework 
All in all this is a good start.