ERM – Enterprise Risk Management

By Luciano Fantin: This article deals with Enterprise Risk Management and its increased importance in times of crisis.

To you who already know what ERM (Enterprise Risk Management) is about, I ask for patience.

This text may be basic, but it can help you recall some concepts, and it is always worthwhile to revisit and consolidate concepts. On the other hand, if you do not yet know the subject, it may catch your interest and you may want to explore it further later on.

This was the author’s intention: to offer more information through this brief and simple technical and conceptual contribution, while trying to permeate it with day-to-day experience from the organizations where the author worked, either as an employee or as a consultant.

1. Is ERM just another fad?

ERM is a powerful corporate management tool. While its focus is on risk management, it provides a safer basis for the strategy exercise and for the monitoring of business objectives, aligning organizational culture, resources and processes. The result is a greater possibility of creating value for shareholders and other interested parties.

No, it is not just another fad. In fact, when studying ERM in depth, it can be seen that it is fundamentally the adoption of “good old” practices, based on academic work and on successful companies, which is exactly the opposite of a fad.

ERM is state-of-the-art “common sense”.

In tranquil times, when markets and the economy in general are relatively calm, it is already important to adopt appropriate management tools, regardless of the segment in which a company operates. The adoption of sound governance, good strategic process, with the definition of challenging but achievable business objectives, surrounded by good performance and risk management, is necessary and highly recommended.

When we find ourselves, however, in a hostile environment, like this one of the coronavirus pandemic, with so many uncertainties surrounding the markets and the economy in general, the adoption of a tool like ERM can mean the difference between the continuity and the disappearance of the business. As simple as that.

2. A little bit of historical development

Originally formed in 1985, COSO – the Committee of Sponsoring Organizations of the Treadway Commission – is a joint initiative of five private sector organizations with more than 600 thousand professionals. It is dedicated to providing thought leadership through the development of frameworks and guidance on ERM, internal controls and fraud deterrence. Therefore, when we talk about ERM, we must remember that it originated in this important North American initiative, COSO.

The market tends to associate COSO with “internal controls”, since it is a standard born predominantly within entities focused on accounting and finance, and it serves as a technical basis for auditors in general.

In 2004, COSO published the document “Enterprise Risk Management – Integrated Framework”, which has become a reference for the methodology of integrated risk management in organizations. This document expanded an earlier COSO publication from 1992 on internal control, providing a more robust and comprehensive focus on the company’s risk and its management. Although it is not intended to replace, and does not replace, the internal control framework, it does incorporate that framework within it.

More recently, in June 2017, the 2004 ERM document was updated, now called “Enterprise Risk Management – Integrating with Strategy and Performance”. It highlights the importance of taking risk into account in both the strategic definition process and in performance management. This is, therefore, the focus of this article.

3. What ERM can do for your company

As mentioned, when we think about COSO, audit, accounting and internal control issues come to mind. ERM is much more than that. When applied with discipline, we can state that ERM:

  • It affects the creation of value;
  • It affects the strategy;
  • It is closely linked to the business;
  • It strengthens governance;
  • It is structurally linked to performance management;
  • It incorporates concepts of internal controls.

ERM premises are basic and never go out of style:

  • Every company – for profit, non-profit or government – exists to generate value;
  • All companies face risks in the pursuit of value. The value of a company is largely determined by the decisions that management takes – from general strategy decisions to operational ones;
  • Risk affects an organization’s ability to achieve its business strategy and objectives;
  • The challenge for managers is to determine the amount of risk that the organization is prepared and able to accept.

Therefore, ERM focuses on risk management to reduce the likelihood of an event occurring and on managing the impact when and if that event occurs.

4. Where it all starts

The integration of corporate risk management practices in an organization improves decision making in governance, strategy, objective setting and daily operations. It helps improve performance by more closely linking business strategy and objectives to risk.

Well, ERM then starts from the beginning.

In the beginning there were the mission, the vision and the values of the company. It is this starting point that guides the unfolding of ERM implementation in the company, given that the first risk appetite statement of any organization is (or should be) contained in the declaration of its mission and vision.

5. Defining ERM

The definition of ERM does not have a simple formulation. It seems a little intricate, but as we do not have a better alternative to offer the reader, we go with the one from COSO. We decompose it further down, in order to facilitate conceptual understanding.

ERM definition:

“The culture, resources and activities, integrated with strategy definition and performance management, on which companies rely to manage risk while creating value”.


  • Culture: people are the owners of the mission, values and vision; people’s decisions affect risk.
  • Resources: Companies seek several competitive advantages to create value. ERM increases the skills needed to fulfill the entity’s mission and vision and anticipates the challenges that can impede organizational success. ERM helps in adapting to changes.
  • Integration with strategic definition and performance: ERM integrates at a high organizational level with the definition of the strategy, understanding of the direction of the general risk profile and the implications of alternative strategies. In addition, ERM is integrated into day-to-day activities.
  • Risk management for business strategy and objectives: well-designed ERM practices give management and the board of directors a reasonable expectation that business strategies and objectives will be achieved. This means that the company takes only the amount of risk that is appropriate and that it can bear.
  • Connection with value: the company needs to manage its risk in relation to its strategy and business objectives.

In a schematic way, we can demonstrate ERM as follows:


It is very interesting to note that one of the pillars of ERM is organizational culture. In my several years of work in the financial market, both as an employee of the institutions where I worked and as a consultant, I was able to learn that organizational success, in terms of performance and risk management, was only as good as the quality of the people who were there.

It seems like a simple statement, but sophisticated systems, well-described processes, and mission, vision and values statements properly hung on the walls are of little or no use if the company’s culture does not reflect them in a way that actually achieves these things.

6. Strategic ERM integration

ERM proposes the following approaches for integrating culture, resources and activities with strategy definition and performance management.

With respect to culture:
  • Implement forums or other mechanisms to share information, make decisions and identify opportunities.
  • Encourage people to escalate issues and concerns without fear of reprisals.
  • Clarify and communicate roles and responsibilities for achieving strategic and business objectives, including responsibilities for risk management.
  • Align values, behaviors and decision making with incentive and remuneration models.
  • Develop and share a strong understanding of the business context and the factors that create value.

With respect to resources:
  • Management is able to make appropriate decisions, given its appetite, the entity’s risk profile and the changes in the profile that occur over time.
  • The organization routinely hires capable individuals with relevant experience who can exercise judgment and supervision in accordance with their responsibilities.
  • The organization has access to capable individuals, subject matter experts or other technical resources to support decision making.
  • When making the necessary investments in technology or other infrastructure, management considers the tools necessary to enable corporate risk management responsibilities.
  • Suppliers, contractors and other third parties are considered in the risk and performance discussions.

With respect to activities integrated with strategy and performance:
  • The strategy definition explicitly considers risk when evaluating alternatives.
  • Management actively deals with risks in pursuit of its performance goals.
  • Activities are developed to regularly and consistently monitor performance results and changes in the risk profile across the entity.
  • Management is able to make decisions that are aligned with the speed and scope of changes in the entity.

7. What ERM is not

Very well, we saw what ERM is, but it is worth reinforcing what it is not, in order to consolidate the understanding and clarify some erroneous market interpretations:

  • ERM is not a function or department. It is the culture, resources and processes that organizations integrate with strategy setting and apply when they implement that strategy, with the objective of managing risk in creating, preserving and realizing value, as we saw in the definition above.
  • ERM is more than a list of risks. It requires more than an inventory of all risks within the organization. It is broader and includes practices adopted by management to actively manage risks.
  • ERM goes beyond internal control. It also addresses other topics such as strategy definition, governance, communication with stakeholders and performance measurement. Its principles apply to all levels of the organization and in all functions.
  • ERM is not a checklist. It is a set of principles on which processes can be built or integrated for a specific organization and is a system for monitoring, learning and improving performance.
  • ERM does not create the entity’s strategy but informs the organization about the risks associated with the alternative strategies considered and, finally, the strategy adopted.

8. Risk and return

The company needs to assess how the chosen strategy can affect its risk profile, specifically the types and amount of risk to which the organization is potentially exposed.

Risk assessment for strategy and business objectives requires the company to understand the relationship between risk and performance (the risk profile), as can be seen from the following figure, extracted from “Enterprise Risk Management – Integrating with Strategy and Performance”, June 2017, COSO.

As in the financial world, the greater the risk, the greater the return must be. Business objectives that assume more robust levels of performance also tend to attract greater risks:

9. The ERM components and principles

Structurally, an ERM program is built on five basic elements, called “components”, which in turn comprise twenty “principles”, as can be seen in the figure below, extracted from “Enterprise Risk Management – Integrating with Strategy and Performance”, June 2017, COSO:

As shown above, one of the pillars of ERM is organizational culture. Accordingly, the foundational ERM component, with five principles linked to it, is “Governance and Culture”.

10. What are the criticisms of ERM?

There are many. Some are valid and consistent, others unfair. The main ones found in the literature are the following:

  • It is not possible to create an integrated view of risks, as advocated by ERM, since risks are of different natures and affect organizations in different ways;
  • An ERM program is very expensive to implement, especially for medium and small companies;
  • ERM is not a guarantee of success, not least because there are companies that have adopted ERM programs and have come to succumb to risks;
  • Risk appetite is too abstract a concept to be applied objectively;
  • ERM focuses on the negative, does not see the positive.

Our view of these criticisms:

Certainly, there are ways to create an integrated view of risk as a portfolio, through which the company can have a consolidated view of its situation, including in relation to its risk appetite.

Here we take as an example the Basel concept applied to a bank. Existing numerical models lead to an allocation of capital (as a “reserve”) for assets at risk, interest rate and currency positions, the history of operating losses, and so on, so that managers and the regulator can assess its sufficiency in the event of losses. This has worked well so far.

ERM programs do not necessarily involve the creation of new structures, the implementation of sophisticated systems, or large investments. On the contrary, we believe that it must be a gradual process, with small but powerful organizational changes, starting with aspects relevant to culture and governance. The later sophistication of the model will then be funded by the gains that will already result from the initial and gradual steps.

When someone offers a company a tool that “guarantees” success, one should always take two steps back. ERM is not about guaranteeing success, but about ensuring the disciplined application of tools and approaches that greatly mitigate the risk of failure. That is already a big thing.

Risk appetite is in fact an abstract concept, especially since it touches the fields of social science and psychology. In the same organization, faced with the same question, there will be diverging responses about the same risk. But this is natural and even expected. What counts is the risk perception (and appetite) of managers, in alignment with shareholders and stakeholders. This must be the prevailing view, and its dissemination must be guaranteed throughout the organization. And, as we have seen in many organizations, people who do not align themselves with the organizational culture (which is closely linked to risk perception) end up leaving. Again, there is nothing wrong with that. Risk appetite can and should be measured objectively and financially.

Finally, nothing more positive than the mission and vision of a company that, as we have seen, incorporates aspects of its perception and appetite for risk. ERM, as a support for the strategic definition that it is, is absolutely aligned with the positive, not least because we have not yet found a company that describes that its mission is “to fail”.

On the other hand, we are aware of the challenges of implementing ERM in any organization. Some of the challenges include:

  • Commitment by all of senior management to its importance;
  • The cultural adaptation;
  • Adaptation to a new governance;
  • Discipline and persistence;
  • Human Resources in key positions;
  • Dull and “standardized” projects, without due care for the organization’s particular nature (the peculiarities that each company has and that must be respected).

If you want to know more about ERM please contact us.
