In this class, Alejandro Orrego, CEO at Pirani, introduces us to the fundamentals of Enterprise Risk Management (ERM). The session explores what ERM is, its connection to ISO 31000, and key risk management frameworks such as COSO. We’ll discuss how ERM provides a holistic view of risks, why it matters today, and the differences between traditional and modern approaches. Finally, we’ll cover the building blocks of ERM and the Three Lines of Defense model as a foundation for effective risk management.
ERM (Enterprise Risk Management):
A structured approach to identify, assess, manage, and monitor risks across the whole organization.
Risk
In ISO 31000, risk is defined as the effect of uncertainty on objectives.
This means that risk is the possibility of an event or situation occurring that could have an impact on the achievement of an organization's goals and objectives.
Risk can be seen as the likelihood and potential consequences of a threat or opportunity.
What is ERM?
Goes beyond compliance → aligns risk with strategy and objectives.
Compliance
Are we following the rules?
Doing only what the law or regulation requires.
Example: a bank documents money laundering risks because the regulator demands it.
ERM
Are we managing risks in a way that supports our strategy success?
ERM connects risk management directly to the company’s goals and decision-making.
Example: A company’s objective is expand into new market. ERM looks at strategic risks (regulatory changes, competition, culture) and ensures the expansion is done.
What could stop us from achieving our mission, and how do we prepare?
ISO 31000 |RISK MANAGEMENT FRAMEWORKS
ISO 31000 (International Organization for Standardization)
- Overview: ISO 31000 provides guidelines on managing risk faced by organizations. It is not industry-specific and can be applied to any organization.
- Principles:
- Integrated
- Structured and comprehensive
- Customized
- Inclusive
- Dynamic
- Best available information
- Human and cultural factors
- Continual improvement
- Last version: 2018
ISO 31050: 2023
COSO | RISK MANAGEMENT FRAMEWORKS
COSO ERM (Committee of Sponsoring Organizations Enterprise Risk Management Framework)
- Overview: COSO ERM provides a comprehensive approach to risk management, integrating it with strategy and performance.
- Components:
- Governance and Culture
- Strategy and Objective-Setting
- Performance
- Review and Revision
- Information, Communication, and Reporting
Why ERM Matters Today
- Business environments are volatile and complex.
- Risks are interconnected (e.g., cyber → operational → reputational).
- Boards, investors, and regulators expect integrated risk oversight.
- ERM helps companies:
- Take smarter decisions.
- Build trust and accountability.
- Create long-term sustainability.
Traditional vs Modern Risk Management
Traditional
- Siloed in departments.
- Focus on compliance & checklists.
- Reactive (after the event).
List Management
Modern
- Organization-wide & integrated.
- Linked to strategy and value.
- Proactive (anticipates and prepares).
Integrated Risk Management
Enterprise Risk Management
The Building Blocks of ERM
ERM works when it has solid foundations. Key elements:
- Governance & Leadership
Clear accountability, tone at the top.
- Risk Appetite & Tolerance
Define how much risk is acceptable in pursuit of objectives.
- Structured Process
Identify → Assess → Treat → Monitor risks.
- Integration with Strategy
Risk management aligned with business goals, not separate.
- Culture & Communication
People at all levels must speak up and own risk.
Governance & Leadership
- Leaders set the tone: transparency, accountability, ethics.
- Board & senior management must be actively involved.
- ERM must be seen as value protection + value creation.
- Without top support, ERM becomes a “paper exercise.”
Risk Appetite & Tolerance
- Risk Appetite = how much risk the organization is willing to take.
- Risk Tolerance = acceptable variation around that appetite.
Example:
-
- Appetite: “We accept moderate credit risk to grow lending.”
- Tolerance: “Default rate must stay below 2%.”
- Clear appetite ensures aligned decisions across the company.
The ERM Process
- Identify risks → across all categories (strategic, operational, financial, compliance, reputational).
- Assess risks → likelihood & impact, prioritize.
- Treat risks → accept, mitigate, transfer, avoid.
- Monitor & review → continuous feedback & updates.
- Continuous improvement → Learn and improve from experience.
👉 ERM is a cycle, not a checklist.
Integration with Strategy
- ERM is not separate from strategy — it supports decision-making.
Example:
- Strategic Objective: expand internationally.
- ERM aligns by assessing market entry risks, regulatory challenges, currency risks
- Ensures that growth plans are resilient and realistic.
Culture & Communication
- Culture = how people actually manage risk daily (values, behaviors, decisions).
- Strong culture: open communication, accountability, learning from mistakes.
- Weak culture: silence, fear of retaliation, “yes boss” mentality.
- Leadership must model the behavior and encourage dialogue.
- Employees feel safe to speak up, and risks are discussed openly across the organization.
👉 Without the right culture, even the best ERM framework is just theory on paper.
ERM is Continuous, Not a One-Time Task