COSO ERM framework: 3x better strategic risk anticipation — board-ready in 16 weeks
COSO ERM framework: risk appetite, risk registers, KRIs, board risk reporting, and integration of operational, strategic, financial, and compliance risk.
Why fast-growing companies need an ERM framework before problems surface
Does this apply to your business?
Does your board receive a consolidated risk report at least quarterly?
Is there a formal definition of your company's risk appetite approved by the board?
Does your company have an up-to-date risk register integrating strategic, operational, financial, and compliance risks?
Are there key risk indicators (KRIs) that alert management to increasing risk levels before they materialise?
Our COSO ERM implementation process
Diagnostic and framework design
We assess current risk management maturity, define the corporate risk taxonomy, establish risk appetite and tolerance by category, and design the governance structure that will support the ERM framework.
Risk register and assessment
We build the corporate risk register: systematic identification of strategic, operational, financial, and compliance risks, likelihood and impact assessment, owner assignment, and control definition.
KRIs and early-warning system
We define key risk indicators for the most relevant categories, establish alert thresholds and escalation mechanisms, and integrate the monitoring system with regular operational reporting.
Board reporting and risk culture
We design the risk dashboard for the board of directors, facilitate the first review cycles with governance bodies, and support the development of a risk management culture in the leadership team.
The challenge
Most companies manage risk reactively and in silos: finance manages its risks, legal manages its own, and technology manages its own. There is no consolidated view of the organisation's risk profile, and the board receives incomplete risk information — or receives it after problems have already materialised. This fragmentation is the primary cause of costly strategic surprises.
Our solution
We implement enterprise risk management frameworks based on the COSO ERM standard, adapted to each organisation's scale and sector. From defining risk appetite and corporate risk taxonomy to risk registers, key risk indicators (KRIs), and board reporting, we build the risk management function the organisation needs to scale with control.
Enterprise Risk Management (ERM) is a governance discipline that enables organisations to identify, assess, and manage strategic, operational, financial, and compliance risks in an integrated manner rather than in departmental silos. The global reference framework is COSO ERM (Committee of Sponsoring Organizations — Enterprise Risk Management, 2017 edition), which links risk management directly to strategic planning and board oversight. In Spain, large listed companies are required by the CNMV to disclose their risk management systems, and mid-sized companies increasingly implement COSO ERM voluntarily to satisfy investor due diligence requirements and qualify for institutional financing.
Our risk management team combines COSO framework expertise with deep sectoral knowledge across industry, financial services, retail, and platform businesses.
Why fast-growing companies need an ERM framework before problems surface
Fast-growing companies typically lack a consolidated map of their real risks. The CFO manages liquidity risk, the operations director manages supply risk, external counsel handles legal risk, and the board receives disconnected fragments of information at each meeting. Nobody has an overall picture of the organisation’s risk profile. The result is that the most important strategic risks — excessive customer concentration, technology dependency on a critical supplier, regulatory exposure in a new market — emerge as costly surprises rather than informed decisions. Deloitte studies indicate that companies with a formal ERM framework anticipate strategic risks three times better than those without one, and suffer less than half the unplanned operational disruptions.
Enterprise risk management has evolved fundamentally. It is no longer about producing a risk list presented to the board once a year: modern ERM is a strategic information system that connects the organisation’s risk profile with its capital allocation decisions, growth objectives, and capacity to respond to a rapidly changing environment. Organisations that manage risk well are not more conservative — they are more decisively agile because they know exactly which risks they are taking and which fall within their appetite.
Our COSO ERM implementation process
Our professionals implement the COSO ERM framework scaled to each company’s size. For an SME of 30 employees the framework is lightweight: a register of 20 to 40 well-documented risks, five critical KRIs, and a one-page quarterly board report. For a mid-sized company of 200 employees the framework is more structured: a four-category risk taxonomy (strategic, operational, financial, compliance), a complete register with owners and controls, 15 KRIs monitored monthly, and a board dashboard. In both cases the process begins with leadership team interviews to identify perceived real risks and ends with formal board approval of the risk appetite.
We coordinate the risk register with business continuity plans and third-party risk management, avoiding the fragmentation that turns risk management into a formal compliance exercise with no operational value. For companies with an outsourced CFO, integrating financial KRIs into the ERM framework provides a leading risk view that enriches board reporting.
What our ERM service includes
The service covers the current risk management maturity diagnostic, corporate risk taxonomy design, board-approved risk appetite and tolerance definition, construction of the corporate risk register with probability and impact assessment, owner assignment and mitigation plans, KRI definition for the most relevant categories with alert thresholds, design of the board risk dashboard, and accompaniment through the first three quarterly review cycles. Semi-annual register maintenance is included.
Real results in enterprise risk management
Companies that implement the ERM framework with our team receive their first consolidated board risk report within 10 to 16 weeks. The quality of board strategic conversations improves immediately and measurably: directors report having more relevant information in less time. KRIs enable detection of rising risk signals 4 to 8 weeks before the problem would have materialised without the alert system. And the documented ERM framework is a signal of organisational maturity that improves conditions in financing processes and investor due diligence.
Frequently asked questions about enterprise risk management
KRIs are the early-warning mechanism that distinguishes a mature ERM framework from a merely documentary one. A good set of KRIs allows the leadership team and board to see risk level evolution before problems materialise — precisely the same logic as leading financial indicators in economic performance management. The KRIs we design are specific to each company’s context, not generic lists copied from a handbook. The board risk report — its format, frequency, level of detail, and emerging risk narrative — determines whether the board can make good use of risk information. A well-designed risk report does not alarm without basis or minimise real problems: it provides the precise information directors need to fulfil their fiduciary governance responsibilities.
Enterprise risk management in the Spanish business context
Enterprise risk management (ERM) provides the framework through which organisations identify, assess, and manage risks that could prevent them from achieving their strategic objectives. Effective ERM is not a compliance exercise — it is a strategic management tool that enables organisations to take calculated risks confidently, knowing that the exposure is understood and the response capacity is in place.
For Spanish businesses, the ERM agenda in 2026 is shaped by several converging forces: the CSRD sustainability risk disclosure requirements (which mandate systematic assessment of climate, social, and governance risks), the EU AI Act compliance obligations for businesses deploying AI in certain contexts, the NIS2 cybersecurity requirements for essential and important entities, and the increasingly volatile macroeconomic environment (energy costs, supply chain disruptions, interest rate sensitivity).
The ERM framework: COSO and ISO 31000
Our ERM advisory is grounded in two complementary frameworks:
COSO ERM (2017 edition): the Committee of Sponsoring Organizations framework, which integrates risk management with strategic planning and performance management. COSO is particularly relevant for publicly traded companies and PE-backed businesses with board-level governance requirements.
ISO 31000:2018: the international standard for risk management, providing principles and guidelines applicable to all organisations regardless of sector or size. ISO 31000 is the reference framework for the ERM programmes of many Spanish mid-market companies.
The practical output of an ERM programme is a risk register — a structured inventory of identified risks, with each risk assessed for likelihood and impact, assigned an owner, and paired with specific mitigation actions. The risk register is a living document reviewed at defined intervals and presented to the board or management team as part of the governance cycle.
Key risk categories for Spanish businesses
Our ERM work covers the following principal risk categories:
Strategic risks: risks arising from strategic decisions — market entry failures, M&A integration challenges, disruptive technology change, geopolitical disruption affecting key markets or supply chains.
Operational risks: process failures, IT system disruptions, key person dependencies, supplier failures, and product/service quality defects. For manufacturing, logistics, and agri-food businesses in Spain, supply chain risk is frequently the most material operational risk.
Financial risks: liquidity risk, interest rate sensitivity (particularly relevant for businesses that refinanced in the low-rate environment), currency exposure for businesses with international revenues or costs, credit risk on major customer concentrations.
Compliance and regulatory risks: the rapidly evolving regulatory environment — CSRD, DORA, NIS2, AI Act, supply chain due diligence (CSDDD) — creates a compliance risk landscape that requires structured monitoring.
Reputational risks: for Spanish consumer-facing businesses and for companies whose contracts depend on public procurement, reputational risk has become a material ERM consideration — amplified by social media and the increasing use of ESG criteria in procurement decisions.
Integration with business continuity and internal audit
ERM does not exist in isolation. The risks identified in the ERM framework should directly inform the business continuity planning priorities (which risks have the most significant disruption potential?), the internal audit programme (which risk areas require assurance testing?), and the CSRD reporting IRO (impacts, risks, and opportunities) register for companies subject to sustainability disclosure obligations.
Contact our ERM team for a risk diagnostic or ERM framework implementation engagement.
Regulatory framework: ERM obligations and best practice standards
Enterprise Risk Management in Spain operates within a regulatory environment that increasingly mandates structured risk governance for companies above certain thresholds:
CNMV Annual Report on Corporate Governance (IAGC): listed companies must disclose their risk management system in the annual corporate governance report, including a description of risk management policies, identification of the principal risks, and the governance bodies responsible for oversight. The CNMV’s Good Governance Code (updated 2020) recommends that the board’s audit committee be responsible for risk oversight and that a senior executive (Chief Risk Officer or equivalent) be designated.
CSRD and ESRS IRO (Impacts, Risks, and Opportunities) process: the Corporate Sustainability Reporting Directive (EU 2022/2464) requires companies within its scope to conduct a double materiality assessment that identifies sustainability-related impacts, risks, and opportunities (IROs). This process is functionally an extension of ERM to sustainability dimensions — and the ESRS standards (ESRS 1, paragraphs 53–54) explicitly reference alignment with the company’s general risk management framework. Companies implementing CSRD without integrating the sustainability risk register into their broader ERM framework create a compliance gap.
DORA (Regulation 2022/2554): for financial services entities (banks, insurance companies, investment firms, payment institutions), DORA mandates a specific ICT risk management framework as a subset of the overall ERM programme. ICT risk policies, incident response, resilience testing, and third-party ICT risk management must all be documented and tested as components of the DORA-compliant risk framework.
ISO 31000:2018 (Risk Management Guidelines): whilst not mandatory, ISO 31000 is the international standard most commonly used as the technical reference for ERM programme design in Spain. It provides the principles, framework, and process for risk management. Our ERM framework implementations are ISO 31000 compliant and aligned with COSO ERM 2017.
Ley de Auditoría de Cuentas (LAC, Law 22/2015) and internal audit requirements: the audit law requires that public-interest entities (PIEs — listed companies, credit institutions, insurance undertakings) establish an audit committee with responsibility for overseeing the internal audit function and the risk management system. The internal audit plan must be risk-based — reflecting ERM priorities in the assurance agenda.
Sectors with specific ERM requirements
Financial services: banks and investment firms are subject to the most extensive mandatory risk management frameworks — the SREP (Supervisory Review and Evaluation Process) conducted by the Banco de España and ECB requires a comprehensive Own Risk and Solvency Assessment (ORSA for insurers; ICAAP/ILAAP for banks). Our ERM team provides advisory to mid-size financial institutions on SREP-compliant risk frameworks and pre-inspection readiness.
Energy and utilities: companies in the energy sector face specific regulatory risk (CNMC tariff review risk, renewable energy regulatory framework volatility), project risk (construction delays, financing covenant risk on project-financed assets), and physical climate risk (extreme weather impact on generation assets). ERM for energy sector clients integrates ESRS environmental risk disclosure with operational and regulatory risk management.
Technology and digital platforms: cyber risk is the primary risk category for technology businesses, followed by regulatory risk (GDPR/AEPD enforcement, NIS2 requirements, AI Act compliance for AI-enabled products) and concentration risk (dependence on a small number of platform providers — AWS, Google Cloud, Microsoft — for critical infrastructure). ERM frameworks for technology companies typically lead with a comprehensive cyber risk assessment coordinated with the virtual CISO function.
Manufacturing and supply chain: supply chain disruption (geographic concentration of suppliers, single-source dependencies, logistics vulnerability) has emerged as the most material operational risk category for Spanish manufacturers following COVID and the Ukraine conflict’s impact on energy and raw material supply. ERM for manufacturers requires a structured supply chain risk map, second-source qualification programmes, and inventory buffer strategy aligned with the risk appetite statement.
Professional services: reputational risk, key-person dependency (concentration of client relationships in individual partners), and professional liability risk (E&O claims, regulatory sanctions for compliance failures) are the principal ERM categories for professional services firms. Risk management in this context is inseparable from quality management and governance.
Company size segmentation
SMEs (EUR 5M–EUR 50M): typically do not have a formal ERM function. Our SME ERM service delivers a risk diagnostic and lightweight risk register — the top 10–15 material risks for the company, scored by likelihood and impact, with a management action plan for the highest-priority items. Annual update included. Fixed fee from EUR 8,500 for the initial engagement.
Mid-size companies (EUR 50M–EUR 250M): require a more structured ERM framework — risk appetite statement, risk committee governance, integration with the business planning cycle, and defined risk escalation procedures. Implementation typically takes 3–4 months. Ongoing advisory available to support the risk committee and annual risk review.
Large companies and groups (above EUR 250M): COSO ERM 2017 or ISO 31000 framework implementation with a dedicated risk function design, risk information system (software platform), board and audit committee ERM reporting, and integration with the CSRD IRO process. Our team works alongside the company’s internal resources to build sustainable risk management capability rather than perpetual external dependency.
Listed companies: CNMV IAGC disclosure support, audit committee ERM advisory, and alignment of the risk management system with the CNMV Code of Good Governance recommendations. Pre-CNMV review ERM documentation review available.
Worked example: ERM implementation for a EUR 120M logistics group
A Spanish logistics group (EUR 120M revenue, 680 employees, operations in Spain, Portugal, and Morocco) engaged our ERM team following a significant operational incident — a cyberattack that disrupted operations for 72 hours — that the board identified as symptomatic of insufficient risk governance.
Phase 1 — Risk diagnostic (4 weeks): interviews with 18 senior managers across operations, finance, IT, HR, commercial, and legal. Identification of 47 risk events across four categories (strategic, operational, financial, compliance). Scored using a 5×5 likelihood/impact matrix, producing an initial heat map.
Top 5 risks identified:
- Cyber/ransomware (impact: HIGH, likelihood: HIGH — already materialised)
- Key customer concentration (top 3 customers = 58% of revenue)
- Morocco country risk (regulatory and currency — EUR 18M annual revenue exposure)
- Driver shortage (65 critical driver positions requiring CDL with ADR certification)
- Fuel price volatility (hedging programme absent)
Phase 2 — ERM framework design (6 weeks):
- Risk appetite statement approved by the board: zero tolerance for regulatory violations; medium tolerance for operational disruptions with defined recovery time objectives; high tolerance for competitive risk from market entry.
- Risk committee established: quarterly meetings, CFO chair, CTO and COO as standing members, external ERM adviser (our team) in advisory role.
- Risk owner designation: each of the top 15 risks assigned to a named executive owner with quarterly reporting obligation.
- KRI (Key Risk Indicator) dashboard: 22 KRIs defined across the top risk categories, reported monthly to the risk committee.
Phase 3 — Priority risk actions (months 3–12):
- Cyber risk: virtual CISO engagement; security incident response plan; NDR (network detection and response) tooling implemented; cyber insurance obtained (EUR 5M limit).
- Customer concentration: commercial strategy review targeting diversification to 40% top-3 revenue within 24 months.
- Morocco currency risk: EUR/MAD forward contract programme established for EUR 8M of annual exposure.
Outcome: ERM framework operational within 6 months of engagement. Two subsequent board audit committee risk reviews conducted without external incident. CNMV IAGC risk management disclosure prepared for the group’s listed subsidiary.
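The Phase 1 scoring and Phase 2 KRI dashboard described above, as an added example that is not the engagement's own tooling or data: a small register scored on the 5×5 likelihood/impact matrix, compared with a board-approved appetite per risk category, and KRIs checked against amber/red alert thresholds. Every risk entry, score, threshold and appetite value is constructed for illustration.

```python
"""Added example: risk register scored on a 5x5 matrix, checked against a
per-category risk appetite, plus KRI alert thresholds. All risks, scores and
KRI values are constructed for illustration, not the group's actual data."""
from dataclasses import dataclass

# Calibrated scales agreed in the scoring workshop, so "high likelihood"
# means the same thing to the IT director as to the CFO.
LIKELIHOOD = {1: "rare (<5%/yr)", 2: "unlikely (5-20%)", 3: "possible (20-50%)",
              4: "likely (50-80%)", 5: "almost certain (>80%)"}
IMPACT = {1: "negligible (<EUR 100k)", 2: "minor (to EUR 500k)",
          3: "moderate (to EUR 2M)", 4: "major (to EUR 10M)", 5: "severe (>EUR 10M)"}
# Constructed appetite: highest acceptable score (likelihood x impact) per category.
APPETITE = {"compliance": 1, "operational": 9, "financial": 9, "strategic": 16}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    likelihood: int
    impact: int
    owner: str  # named executive with a quarterly reporting obligation

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.name}: scores must be on the 1-5 scale")
        if self.category not in APPETITE:
            raise ValueError(f"{self.name}: unknown category {self.category}")

    @property
    def score(self):
        return self.likelihood * self.impact

    @property
    def rating(self):
        return "HIGH" if self.score >= 15 else "MEDIUM" if self.score >= 8 else "LOW"

    @property
    def outside_appetite(self):
        return self.score > APPETITE[self.category]


@dataclass(frozen=True)
class KRI:
    name: str
    value: float
    amber: float  # warn the risk committee
    red: float    # escalate to the board
    higher_is_worse: bool = True  # False for indicators such as a success rate

    def status(self):
        breached = (lambda t: self.value >= t) if self.higher_is_worse else (lambda t: self.value <= t)
        return "RED" if breached(self.red) else "AMBER" if breached(self.amber) else "GREEN"


def prioritise(risks, top_n=15):
    """Keep the register actionable: the top_n risks by score, then by impact."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact))[:top_n]


def escalations(risks, kris):
    """Items the risk committee must raise with the board this cycle."""
    out = [f"RISK {r.name}: score {r.score} exceeds {r.category} appetite "
           f"{APPETITE[r.category]} (owner: {r.owner})" for r in risks if r.outside_appetite]
    out += [f"KRI {k.name}: {k.value} is RED (threshold {k.red})"
            for k in kris if k.status() == "RED"]
    return out


# Constructed register mirroring the risk types named in the worked example.
REGISTER = [
    Risk("Cyber/ransomware", "operational", 5, 5, "CTO"),
    Risk("Key customer concentration", "strategic", 4, 5, "CCO"),
    Risk("Morocco country/currency risk", "financial", 3, 4, "CFO"),
    Risk("Driver shortage", "operational", 4, 3, "COO"),
    Risk("Fuel price volatility", "financial", 4, 2, "CFO"),
    Risk("ADR transport licence lapse", "compliance", 1, 4, "General Counsel"),
]
# Constructed KRIs with amber/red thresholds.
KRIS = [
    KRI("Top-3 customers share of revenue (%)", 58, amber=45, red=55),
    KRI("Unfilled critical driver positions", 6, amber=5, red=10),
    KRI("Unhedged EUR/MAD exposure (EUR M)", 10, amber=12, red=15),
    KRI("Backup restore test success (%)", 97, amber=95, red=90, higher_is_worse=False),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.score:>2} {r.rating:<6} {r.category:<12} {r.name} ({r.owner})")
    for line in escalations(REGISTER, KRIS):
        print("ESCALATE:", line)
```

Note that a low-scoring compliance risk still escalates under a zero-tolerance appetite, which is the point of setting appetite per category rather than by a single heat-map colour.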
Five common ERM implementation mistakes
1. Risk registers that are too long. A risk register with 80 risks is operationally useless — no organisation can manage 80 distinct risk streams in parallel. Effective ERM focuses on the 15–20 most material risks, prioritised by impact and likelihood, with clearly assigned owners and defined management actions. We build risk registers that are genuinely actionable, not compliance artefacts.
2. Disconnecting risk management from strategic planning. COSO ERM 2017’s most significant contribution was explicitly linking risk management to strategy setting. ERM processes that operate in isolation from the annual planning cycle — identifying risks independently of the strategic initiatives that generate them — miss the most important risk context.
3. Treating ERM as a one-time exercise. A risk assessment conducted in January that is not updated when the competitive environment changes (a major competitor enters the market, a key supplier fails, a new regulation is enacted) becomes stale within months. ERM must be integrated into the business rhythm — quarterly risk committee reviews, annual full assessment updates, and trigger-based assessments when significant strategic events occur.
4. Scoring risks without calibrating the scale. A likelihood/impact matrix is only useful if the scoring criteria are defined and applied consistently. “High likelihood” must mean the same thing to the IT director as to the CFO. Risk scoring workshops that align the scoring definitions before applying the matrix produce more reliable heat maps than individual assessments reviewed after the fact.
5. Not stress-testing risk appetite statements. Many companies adopt risk appetite statements (“we have a low tolerance for regulatory risk”) without testing whether the statement is consistent with the actual decisions the organisation makes. ERM advisory that identifies the disconnect between stated appetite and actual risk-taking behaviour provides the most actionable insight for board governance.
How we work: ERM advisory engagement model
Risk diagnostic (4–6 weeks): stakeholder interviews, document review (existing risk policies, incident records, audit findings, regulatory correspondence), heat map development, and gap analysis versus COSO ERM 2017 or ISO 31000.
Framework design (6–10 weeks): risk appetite statement, governance model (risk committee structure, escalation procedures, reporting cadence), risk register template, KRI definitions, and integration plan with existing governance processes.
Implementation (3–6 months): training for risk owners, first full risk assessment cycle, board and audit committee ERM reporting design, and integration with the CSRD IRO process where applicable.
Ongoing advisory: quarterly risk committee participation (advisory capacity), annual risk assessment refresh, regulatory update monitoring (CSRD, DORA, NIS2, AI Act developments), and ERM maturity assessment every two years.
Fixed-fee engagements for diagnostic and framework design phases. Ongoing advisory under monthly retainer from EUR 2,500/month depending on company size and scope. Contact our ERM team for a no-obligation risk diagnostic proposal.
Real results in enterprise risk management
We were growing fast and the board was starting to ask for a risk view we didn't know how to give them. BMC implemented the ERM framework in six months: a risk register, KRIs for the three critical categories, and a quarterly board report that is now a central piece of our committee agenda. It has transformed the quality of our strategic conversations.
Experienced team with local insight and international reach
What our ERM service includes
Maturity diagnostic and ERM framework design
Assessment of current risk management state, design of the corporate risk taxonomy, definition of risk appetite and tolerance by category, and ERM governance structure.
Corporate risk register
Construction and maintenance of the risk register: systematic identification, likelihood and impact assessment, owner assignment, control definition, and mitigation plans.
KRIs and monitoring system
Definition of key risk indicators for the most relevant categories, establishment of alert thresholds and escalation mechanisms, and integration with regular operational reporting.
Board of directors reporting
Design of the risk dashboard for the board: format, frequency, emerging risk narrative, and support in the first review sessions with governance bodies.
ERM-strategy integration and leadership training
Integration of the risk framework into the annual strategic planning process and leadership team training in risk management as a strategic decision tool.