Enterprise Risk Management (ERM)
Enterprise Risk Management (ERM) is a structured, organisation-wide process for identifying, assessing, prioritising, and managing all significant risks that could affect an organisation's objectives. Unlike siloed departmental risk management, ERM integrates risk oversight into governance and strategy, giving boards and management a consolidated view of the full risk landscape across strategic, operational, financial, legal, and reputational dimensions.
What Is Enterprise Risk Management?
Enterprise Risk Management (ERM) represents a paradigm shift from traditional siloed risk management — where each department manages its own risks in isolation — to an integrated, enterprise-wide approach that gives leadership a consolidated view of all significant risks and their interdependencies.
The foundational principle is that risk management should not be a reactive, compliance-driven exercise. Instead, it should be embedded into strategy-setting and performance management, helping organisations understand not only the threats they face but also the opportunities that come from well-managed risk-taking.
The COSO ERM Framework
The most widely used ERM framework globally is the COSO Enterprise Risk Management — Integrating with Strategy and Performance framework, updated in 2017. COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission, a US initiative whose frameworks have been adopted internationally and are referenced by regulators and auditors worldwide.
The COSO ERM framework organises its components into five interrelated categories:
- Governance and Culture — Board oversight, risk management culture, operating structure, commitment to core values, attraction and development of talent
- Strategy and Objective-Setting — Business context analysis, risk appetite definition, strategy evaluation, objective-setting with risk in mind
- Performance — Risk identification, risk severity assessment, risk prioritisation, risk responses (accept, avoid, pursue, reduce, share)
- Review and Revision — Monitoring of substantial changes, reviewing risk and performance, pursuit of improvement
- Information, Communication, and Reporting — Leveraging information, using technology, communicating risk information, reporting on risk, culture, and performance
Risk Categories in Practice
ERM frameworks typically organise risks into categories, though these vary by organisation and sector. Common categories for Spanish companies include:
- Strategic risks: Market entry failures, competitor disruption, M&A integration failure, major customer concentration
- Financial risks: Liquidity shortfalls, credit risk from customers, foreign exchange exposure, interest rate risk, going-concern threats
- Operational risks: Process failures, system outages, supply chain disruption, key person dependency, product quality failures
- Legal and regulatory risks: Regulatory change (tax, employment, environmental), litigation exposure, data protection breaches, anti-corruption liability
- Reputational risks: Brand damage from operational failures, social media crises, ESG failures, third-party misconduct
- Cyber and technology risks: Ransomware, system failures, data breaches, vendor lock-in, technology obsolescence
Risk Appetite and Risk Tolerance
Two foundational ERM concepts that are frequently misused:
Risk appetite is the amount and type of risk, stated at a broad level, that an organisation is willing to accept in pursuit of its strategic objectives. It is set by the board and expressed in qualitative statements (“We are not willing to accept any risk of regulatory sanction in our core regulated activities”) or, more usefully, in quantitative parameters (for example, a ceiling on the share of revenue from a single customer, or a maximum tolerable annual loss from operational incidents) that can be measured and reported against.
Risk tolerance is the acceptable variation in performance relative to a specific objective — the tactical boundaries within which the organisation operates. Risk tolerances should cascade down from the board-level risk appetite to operating divisions.
ERM and Spanish Regulatory Requirements
Several Spanish regulatory and governance frameworks reference ERM concepts:
- Listed companies (CNMV): The Sistema de Control Interno sobre la Información Financiera (SCIIF) and the Sistema de Gestión de Riesgos required under Spain’s Code of Good Governance for listed companies draw directly on COSO concepts
- Insurance (Solvencia II): Own Risk and Solvency Assessment (ORSA) requirements effectively mandate ERM for Spanish insurance companies
- Banks (Pilar 2): The Internal Capital Adequacy Assessment Process (ICAAP) under Basel III/Pillar 2 requires comprehensive risk management frameworks
- Criminal compliance (LO 1/2015): Companies relying on the criminal compliance defence must demonstrate an effective risk identification, assessment, and mitigation programme across corruption, tax, employment, and other criminal risk areas
Implementing ERM in a Spanish SME
For mid-sized Spanish companies implementing ERM for the first time, a pragmatic approach includes:
- Governance mandate — Board resolution establishing ERM as a management priority
- Risk inventory — Facilitated workshops with leadership team to identify and describe significant risks (typically 25–50 risks for a mid-sized business)
- Risk register — Structured register with risk descriptions, risk owners, likelihood/impact assessments, and existing controls
- Prioritisation — Heat map or scoring methodology to identify the top 10–15 priority risks
- Response plans — For priority risks, documented actions, owners, and timelines
- Board reporting — Quarterly risk report to the board or audit committee
- Annual review cycle — Update risk register as business context changes
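The register, scoring, prioritisation and tolerance steps above are easy to describe and easy to get subtly wrong (residual scores above inherent scores, tolerances that were never cascaded to a category, a top-10 list that hides risks kept low only by a single control). The following is an added illustration, not BMC's methodology or a COSO artefact: it assumes a 5-point likelihood and impact scale, assumed heat-map band cut-offs, a constructed sample register of five risks and constructed per-category tolerances. All of those values are assumptions for the example.

```python
"""Minimal ERM risk register: scoring, heat-map banding, prioritisation and
risk-tolerance checks. Added example; the 5x5 scale, band cut-offs, sample
risks and tolerances are assumptions, not prescribed values."""
from dataclasses import dataclass, field
from typing import Dict, List

SCALE = range(1, 6)  # 1 = very low ... 5 = very high (assumed 5-point scale)


@dataclass
class Risk:
    ref: str
    category: str
    description: str
    owner: str
    likelihood: int           # inherent rating, before controls
    impact: int               # inherent rating, before controls
    residual_likelihood: int  # rating after existing controls
    residual_impact: int
    controls: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact", "residual_likelihood", "residual_impact"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{self.ref}: {name}={value} is outside the 1-5 scale")
        # Controls can only reduce exposure; a residual score above the inherent
        # score is a scoring error and goes back to the risk owner.
        if self.residual_score > self.inherent_score:
            raise ValueError(f"{self.ref}: residual score exceeds inherent score")

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact


def heat_map_band(score: int) -> str:
    """Map a 1-25 score onto heat-map bands (cut-offs are an assumed convention)."""
    if score >= 16:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def prioritise(register: List[Risk], top_n: int) -> List[Risk]:
    """Rank by residual exposure; ties are broken by inherent exposure so that
    risks held down only by controls stay visible near the top of the list."""
    ranked = sorted(register, key=lambda r: (r.residual_score, r.inherent_score), reverse=True)
    return ranked[:top_n]


def tolerance_breaches(register: List[Risk], tolerances: Dict[str, int]) -> List[Risk]:
    """Risks whose residual score exceeds the tolerance cascaded to their category.
    A category without an explicit tolerance falls back to the 'default' entry,
    so a category the board forgot to address is still checked."""
    default = tolerances["default"]
    return [r for r in register if r.residual_score > tolerances.get(r.category, default)]


def board_summary(register: List[Risk]) -> Dict[str, Dict[str, int]]:
    """Count of risks per category and residual band, for the quarterly report."""
    summary: Dict[str, Dict[str, int]] = {}
    for r in register:
        bands = summary.setdefault(r.category, {})
        band = heat_map_band(r.residual_score)
        bands[band] = bands.get(band, 0) + 1
    return summary


# Constructed sample register for a mid-sized company (assumed values).
SAMPLE_REGISTER = [
    Risk("R01", "cyber", "Ransomware encrypts ERP and file servers", "CIO", 4, 5, 3, 4,
         ["offline backups", "EDR", "phishing training"]),
    Risk("R02", "financial", "FX exposure on USD-denominated purchases", "CFO", 4, 3, 2, 3,
         ["forward contracts"]),
    Risk("R03", "strategic", "Top customer accounts for 35% of revenue", "CEO", 3, 5, 3, 5, []),
    Risk("R04", "legal", "GDPR breach notification failure", "DPO", 3, 4, 2, 3,
         ["incident response plan"]),
    Risk("R05", "operational", "Single-supplier dependency for key component", "COO", 3, 4, 3, 3,
         ["safety stock"]),
]

# Assumed tolerances cascaded from the board's appetite: maximum residual score per category.
TOLERANCES = {"default": 9, "cyber": 12, "legal": 6}


if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER, 3):
        print(r.ref, r.residual_score, heat_map_band(r.residual_score), r.owner)
    print("breaches:", [r.ref for r in tolerance_breaches(SAMPLE_REGISTER, TOLERANCES)])
    print(board_summary(SAMPLE_REGISTER))
```

With the constructed data, the only tolerance breach is R03: it has no controls, so its residual equals its inherent score and it sits above the default tolerance, which is exactly the kind of item a quarterly board report should surface with an owner and a response plan.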
How BMC Can Help
We design and implement ERM frameworks for Spanish companies, from initial risk inventory facilitation through COSO-aligned governance structure design, risk register development, board reporting templates, and integration with financial planning and strategic review processes.
Frequently asked questions
What is the COSO ERM framework and is it used in Spain?
Are Spanish companies legally required to implement ERM?
What is the difference between risk appetite and risk tolerance in ERM?
How should a Spanish SME start implementing ERM?
How does ERM relate to criminal compliance requirements in Spain?