Risk management. A case study of a Colombian public sector company

Risk management. The case of a Colombian public sector entity (title in Spanish, translated)

Risk management. The case of a Colombian public sector entity (title in Portuguese, translated)

Cuadernos de Contabilidad, vol. 22, 2021

Pontificia Universidad Javeriana

Diego Jurado-Zambrano

Escuela Superior de Administración Pública, Colombia

Eduart Villanueva

Universidad Eafit, Colombia

Received: 14 July 2020

Accepted: 20 July 2021

Published: 31 December 2021

Abstract: The objective of this research is to analyze the key success factors for the implementation of an ERM initiative in a Colombian public sector company. To meet this objective, a study with a qualitative approach and descriptive scope was carried out. The instruments used to collect information were the focus group technique and a documentary review, specifically of the strategic plan, the operating policies, the previously identified risks, and the internal and external audit reports. The results show the existence of some key success factors, such as senior management leadership, resource allocation and methodological integration for risk management, which enabled the successful implementation of integrated risk management. Likewise, the main stages adopted in the implementation exercise, which were based on the ISO 31000:2018 standard, are presented.

JEL Codes: D73, H83, M19.

Keywords: Enterprise Risk Management, case study, ISO 31000, key success factors, public sector.

Resumen (Spanish abstract, translated): The objective of the research is to analyze the key success factors for the implementation of an integrated risk management initiative in a company in the Colombian public sector. To meet this objective, a study with a qualitative approach and descriptive scope is carried out. The instruments used to collect information are the focus group technique and the documentary review, specifically of the strategic plan, the operating policies, the previously identified risks, and the internal and external audit reports. The results show the existence of some key success factors, such as senior management leadership, resource allocation and methodological integration for risk management, which enabled the successful implementation of integrated risk management. Likewise, the main stages adopted in the implementation exercise, which were based on the ISO 31000:2018 standard, are presented.

JEL codes: D73, H83, M19.

Keywords (Spanish, translated): Integrated risk management, case study, ISO 31000, key success factors, public sector.

Resumo (Portuguese abstract, translated): The objective of the research is to analyze the key success factors for the implementation of an integrated risk management initiative in a company in the Colombian public sector. To meet this objective, a study with a qualitative approach and descriptive scope is carried out. The instruments used to collect information are the focus group technique and the documentary review, specifically of the strategic plan, the operational policies, the previously identified risks, and the internal and external audit reports. The results show the existence of some key success factors, such as senior management leadership, resource allocation and methodological integration for risk management, which enabled the successful implementation of integrated risk management. Likewise, the main stages adopted in the implementation exercise, which were based on the ISO 31000:2018 standard, are presented.

JEL codes: D73, H83, M19.

Keywords (Portuguese, translated): Integrated risk management, case study, ISO 31000, key success factors, public sector.


The global financial crisis has made risk a central issue in the management of public and private organizations (Rana, Wickramasinghe, & Bracci, 2019). Risk management allows the identification of events that affect the organization's ability to create value and to deliver on its strategy (Giraldo & Nunez, 2020), and it provides information that improves decision-making in uncertain contexts (Blanco-Mesa, Rivera-Rubiano, Patino-Hernandez et al., 2019), which makes it a focal point for executives and professionals (Oliveira, Méxas, Meiriño et al., 2019). ERM has been found to have a positive relationship with company performance (Saeidi, Saeidi, Gutierrez et al., 2021). Risk management has also become an emerging key element of the New Public Management (Lapsley, 2009). In the Colombian public sector, guidelines on the subject are contained in the Integrated Planning and Management Model (MIPG, for its acronym in Spanish), which is regulated under Decree 1499 of 2017.

Enterprise Risk Management (ERM) has been used as a methodology to assess the risks to achieving an organization's objectives (de Freitas Alves, Neto, Coli et al., 2017). Given the lack of studies on risk management in the public sector (de Freitas Alves et al., 2017; Rana et al., 2019; Tabares, Jaramillo, Arias et al., 2017), the objective of this paper was to analyze the key factors for the successful implementation of a risk management initiative in a Colombian public sector organization. For this case study, focus groups were held with key employees of each of the entity's processes, and the internal and external audit reports and the existing risk matrices were consulted.

The most relevant results of the study showed that 59% of the risks were located in the high or extreme zone, for which 30 action plans were documented. A large share of the action plans focused on developing or updating operating policies and on training and educating employees in their implementation. This is consistent with the distribution of risks, as 56% of those identified were categorized as operational. Finally, we highlight some of the key factors present in the implementation, such as the allocation of resources, the participation of senior management, and the articulation of initial working agreements on the risk management methodology.

Theoretical framework

Risk management

Risk is defined as a combination of the probability or frequency of an event and its consequences, which are generally negative (Elahi, 2013), or as the effect of uncertainty on objectives (International Organization for Standardization 31000, 2018). Risk involves an element of unpredictability and an undesirable result such as a loss (Soltanizadeh, Abdul, Mottaghi et al., 2016). Risks can have an adverse impact on operations, strategy, competitiveness, finance, reputation and compliance obligations (Jalal-Karim, 2013).

Because the business environment has become complex as a result of deregulation, globalization, downsizing and technological advancement (Rasid, Isa, & Ismail, 2014), companies face a wide range of risks that must be managed holistically; hence the growing interest in ERM (Beasley, Clune, & Hermanson, 2005). Unlike traditional approaches to risk management, ERM is a holistic approach in which risk is jointly assessed, quantified, funded and managed at the enterprise level (Grace, Leverty, Phillips et al., 2015). ERM is also implemented at all levels of a company and applied in a strategic configuration so as to ensure the achievement of corporate goals (Zhao, Hwang, & Low, 2015). However, the successful implementation of ERM depends on several factors; table 1 summarizes several of them.

Table 1
Several factors for ERM

Source: Own elaboration

For example, a participative leadership style, which allows employees to contribute to the success of ERM, is positively correlated with it (Sax & Torp, 2015). Another example is the establishment of an ERM function headed by a senior person, such as a Chief Risk Officer or Risk Director (Beasley et al., 2005; Oliveira et al., 2019). This person should be responsible for establishing and communicating ERM policies, training current employees, and hiring ERM functional staff with professional experience in ERM (Kerstin, Simone, & Nicole, 2014).

In addition, it is important that the corporate culture, values, beliefs, knowledge, attitudes and understanding of risk are shared by individuals, teams and workgroups in order to boost ERM initiatives (Agarwal & Ansell, 2016; Oliva, 2016). These aspects contribute to the overall risk culture, which has been shown to have a great influence in facilitating ERM practices (Oliveira et al., 2019).

On the other hand, resource availability is a determining factor in advancing ERM efforts (Hallowell et al., 2013), including qualified staff, experience and time; risk management processes also improve with the participation of people and the proper allocation of resources, tools and techniques (Gibson & Young, 2012).

Because of its proactive nature of decision-making, ERM requires strong leadership, a substantial commitment of resources, timely reports, and real-time data insight (Moshesh, Niemann, & Kotzé, 2018). The absence or lack of these requirements could lead to implementation challenges that impact on the success of ERM. When managers perceive that other control systems and risk management are satisfactory, ERM initiatives may struggle to find a space and to sell its value added to owners (Arnaboldi & Lapsley, 2014).

Because it integrates risk management practices and handles different types of risk holistically and simultaneously, ERM has several benefits for organizations (Khan, Hussain, & Mehmood, 2016). It enables a consistent treatment of risk; it encourages a longer-term view of risk while allowing accurate resource allocation and an improved and faster reaction to newly identified emerging risks. All of this can lead to increased profitability (Moshesh et al., 2018). It has also been shown that companies with ERM systems in place have a higher market value (Hoyt & Liebenberg, 2011).

It is important to consider that the extent of these benefits depends on the business context, namely competition within the industry, company size, and the complexity of the company and its board of directors (Gordon, Loeb, & Tseng, 2009). Other benefits include the integration of decision-making across the different risks within the business, the avoidance of duplicated risk management costs, and a better understanding of the aggregate risk across different commercial activities (Hoyt & Liebenberg, 2011). Through its approach to the identification, assessment, treatment, monitoring and communication of risks, ERM can have a positive impact on the promotion of competitive business advantage (Jalal-Karim, 2013), and it has even been found to allow for better management of organizational reputation (Pérez-Cornejo, de Quevedo-Puente, & Delgado-García, 2019).

In the Colombian public sector, risk management is established as a guideline in Decree 1499 of 2017, which, among other elements, defines the MIPG. The MIPG is structured in different dimensions and policies; risk management is addressed within the Internal Control dimension and the policy of the same name. The basis for implementing this internal control policy is the Standard Model of Internal Control, which adopted the structure of the 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Integrated Framework, including its risk assessment component (Committee of Sponsoring Organizations of the Treadway Commission, 2013). Another factor to take into account within the internal control dimension is the three lines of defense model, which clarifies the different roles regarding risk management and control. In this model, the first line of defense refers to the monitoring of risks performed by management; the second line encompasses the various supervisory functions, such as administrative and financial controls, security, risk management and quality, among others; and the third line of defense is internal audit (Institute of Internal Auditors, 2020).

The International Organization for Standardization (ISO) 31000 risk management standard was developed by professionals around the world and is used by all types of companies, which has made it the leading global guide for risk management practice (Govender, 2019). There is a lack of integrated approaches that consider the different types of risk and the different sources of information used to identify them; for this purpose, ISO 31000 has been recommended as an adequate basis (Parviainen, Goerlandt, Helle et al., 2021). The standard, recognized worldwide, allows organizations to implement the risk management process following key factors for successful implementation and contributes to performance (Rampini, Takia, & Berssaneti, 2019). Additionally, it integrates a set of systematic techniques for the different stages of risk management, which allows excellent adaptability to companies in different sectors (Antonionia & Moreno, 2019).

To implement risk management, the following steps must be followed: establish the context, assess the risk, treat the risk, communicate and consult, monitor and review, and record and report (International Organization for Standardization 31000, 2018).

Establishing the context

Companies must look within the organization in order to determine the level of risk management culture that permeates both existing practices and individual behavior. They should also analyze the specific nature of each company's context in order to determine whether there are significant variations in ERM practices, even among companies in the same industry (Caldarelli, Fiondella, Maffei et al., 2016). Thus, risk management also covers other internal factors such as the company's own goals and activities. It is important to consider that organizational factors can themselves generate risks, hence the importance of conducting a thorough review of the internal context (International Organization for Standardization 31000, 2018).

The external context of the organization must also be established, since exogenous factors create risks that must be managed through the implementation of ERM (Gordon et al., 2009). Therefore, the external variables that may affect the objectives and results of the organization must be detailed; once the company's context is defined, the scope of risk management can be defined (International Organization for Standardization 31000, 2018). With this defined context, the entire portfolio of risks that could arise can also be analyzed, controlled and monitored (Farrell & Gallagher, 2015).

Risk assessment

This stage includes the identification of risks which must determine the events that may affect the achievement of objectives, including the causes and effects of each risk (Mejía, 2006); after this, the valuation of each risk based on the probability of the occurrence of each event and the magnitude of the consequences of these risks is determined (International Organization for Standardization 31000, 2018); subsequently the risks are ranked in order to set up the priority of events that must be treated (Brustbauer, 2016).

Risk treatment

At this stage, companies determine how to respond to risks, either with actions that reduce their frequency and/or impact, or by establishing the source of funds that will cover the losses generated by an event, such as insurance or the company's own financial reserves (Committee of Sponsoring Organizations of the Treadway Commission, 2017; Mejía, 2006). There is thus a variety of ways to mitigate significant risks, which must be analyzed according to each context (Calandro, 2015). Allowing such treatment measures to respond to different risks and to improve organizational management increases opportunities and reduces threats (Jaraba, Nuñez, & Villanueva, 2018).

Monitoring and review

It is essential to conduct a periodic review of risk behavior over time, and this stage must be carried out in a planned manner, with responsibilities defined by the company (International Organization for Standardization 31000, 2018). This is why the relationship between the ERM system and organizational performance depends largely on adequate monitoring of risks (Gordon et al., 2009). The dynamism of the environment gives rise to new and increasingly complex risks that may affect organizations. This monitoring should be done in a nonlinear manner that integrates different sciences, technical as well as social (Kravchenko, 2018).

Communication and consultation

This step facilitates interaction with different stakeholders through accessible channels, so that they can be informed about the decisions the organization must make regarding risk management and the disagreements leading to those decisions; similarly, it allows for feedback from stakeholders to adjust the guidelines on how to act in the face of risks (International Organization for Standardization 31000, 2018). If an effective communication and consultation process is carried out, it will help raise awareness within the company of the importance of risk management for decision-makers (Zhao et al., 2015).

Recording and reporting

This step is intended to document the entire risk management process in an official or formal reference text, recording the activities carried out and the results obtained, which support decision making. It is recommended that this report and all related quality data be presented and shared at all relevant levels within the organization, formally recording and sharing all actions taken, thereby contributing to the overall risk management initiative (Shi, Wong, Li et al., 2018).

Methodology

This document describes the results of the incorporation of a risk management initiative in a Colombian public sector company during 2019, by describing the processes and good practices followed by the company. The work was developed using a qualitative research approach, because this type of research is defined primarily by its emphasis on the qualities, essences or categories of the phenomenon under study, and its results are presented through descriptive analysis rather than statistical models (Morrow & Smith, 2000). In the qualitative approach, the researcher often makes knowledge claims based primarily on constructivist perspectives (Creswell, 2003), a characteristic that applies to the present study, because it was implemented by following the risk management process outlined in the ISO 31000 standard. Thus, the product obtained adds value to management.

The qualitative approach encompasses many strategies, among which is the case study (Morrow & Smith, 2000). Case studies are a common way of doing qualitative research; in them the researcher explores in depth a program, an event, an activity, a process, or one or more persons (Stake, 1994). Creswell (2007) argues that a case study is the investigation of a "bounded system," be it an individual, a group or an institution. This is why the present work is defined as an intrinsic case study, because it was developed based on a single institution (Stake, 1994; Creswell et al., 2007). The study was conducted at the Instituto Social de Vivienda y Habitat de Medellín, an entity dedicated to managing social housing plans that ensure the right to an adequate habitat and fair housing for its citizens. Researching risk management within this entity is of paramount importance, given that it is one of the pillars of social development for the city and one to which a large portion of public financial resources is allocated. For 2019, the entity administered an income budget of around USD 24 million. Regarding its organizational structure, the entity had seven departments from which mission, strategic, support and evaluation processes were developed, supported in turn by around 50 employees in permanent positions and around 200 employees under other contracting modalities.

Case study research builds a deep and contextual understanding of the case, based on multiple data sources (Yin, 1981), using qualitative or quantitative evidence from a variety of data collection procedures over an extended period of time (Stake, 1994), such as verbal reports and observations (Yin, 1981; Creswell et al., 2007; Corbin & Strauss, 1990); fieldwork and records (Yin, 1981); interviews (Corbin & Strauss, 1990; Creswell et al., 2007); audiovisual material (Creswell et al., 2007); government documents, video tapes, newspapers and books (Corbin & Strauss, 1990), or any combination thereof (Yin, 1981), which can shed light on the questions under study (Corbin & Strauss, 1990).

To develop the risk management process (International Organization for Standardization 31000, 2018), documents and reports (Creswell et al., 2007) were used as sources of information, such as: The strategic plan; the process map and the characterization of each of them; the internal audit reports from the internal control office and from the quality management system audit exercises; the external audit reports focused on financial and public procurement matters, as well as regulations from control and regulatory bodies of the public sector and the existing risk matrices.

Focus groups are a form of group interview that capitalizes on communication between research participants. Group processes can help people to explore and clarify their views in a way that would be less accessible in an individual interview (Kitzinger, 1995).

The number of times a focus group meets may vary from one meeting to several (Onwuegbuzie, Dickinson, Leech et al., 2009). Accordingly, four focus group sessions were planned with a subset of employees from each of the 12 processes within the organization. The number of sessions was chosen to cover relevant information from each of the risk management stages described in the theoretical framework of this document. Employees from the managerial, operational and auxiliary levels participated in the focus groups, in order to cover the greatest number of activities developed in each process. The focus groups were based on open questions so that participants could express their views (Creswell, 2003). During the sessions, participants explained their experiences to their peers, with whom they shared something in common: as members of the process who knew it in depth, they were able to share their views with each other (Kidd & Parshall, 2000).

To organize the information resulting from the focus groups, the transcription technique was used, which is an integral process in the qualitative analysis of language data (Lapadat & Lindsay, 1999). It is used in speech studies to represent speech as written text (Mishler, 1991), selectively (Davidson, 2009). Although multiple discussions were generated across the focus groups, in order to consolidate the results the information agreed upon by the members of the groups was summarized. The transcription of each focus group session subsequently allowed the identification of recurring themes that were frequently mentioned by the participants, from which it was possible to build the categories of analysis that shaped the results of the present investigation. An example is the information presented in table 2.

Results

The implementation of the risk management initiative was carried out based on the stages outlined in ISO 31000:2018, as follows: establishing the context; risk assessment, which consists of identifying, analyzing and evaluating the risk; and the treatment, monitoring, review, recording and reporting of risk (International Organization for Standardization 31000, 2018). This is appropriate, as the ISO 31000 standard has been formally adopted by many States (Purdy, 2010).

Establishing the context

The context was established for each of the 12 processes within the entity (see table 2), identifying internal and external factors, based on the risk management guide established for the Colombian public sector (Departamento Administrativo de la Función Pública, 2018). As a result of this stage, common variables were found across the exercises developed within each process. For each variable, its positive or negative incidence was determined, and its effect, positive or negative, on the process was described. An example of the analysis performed for one of the identified variables is presented in table 2.

Table 2
Example of the way to obtain a unified variable

Source: Own elaboration.

Once the analysis was carried out by cross-referencing the information from each of the context identification exercises in the processes, the following was obtained: the most frequently mentioned variable was shortcomings in the organizational structure, which was identified in 92% of the processes. Next, 83% of the process owners agreed that the weakness of the information systems constituted a negative variable that could be a cause of risks. Similarly, a comprehensive analysis of the information resulting from this phase additionally identified the following recurrent variables: (67%), decrease in resource allocation (67%), inadequate physical work environment (58%) and shortcomings in institutional planning (58%).

Risk assessment

Based on the information obtained in the context setting phase, and taking into account: The strategic plan; the process map and the characterization of each of them; the internal audit reports from the internal control office and from the quality management system audit exercises; the external audit reports focused on financial and public procurement matters, as well as regulations from control and regulatory bodies of the public sector and the existing risk matrices, 79 risks were identified, based on the knowledge and review of the objectives for each process.

The results are presented in table 3. To help understand them, two aspects should be taken into account. First, the 79 risks are classified according to the typologies proposed in the risk management guide of the Departamento Administrativo de la Función Pública (2018), that is, whether they are strategic, operational, corruption, technological, compliance or financial risks. Second, figure 1 presents an example of risk assessment for some risks of the Social Management process, using the probability and impact tables presented in the appendix of this article (see table A1 and table A2).

With the initial evaluation, the inherent risk was identified, that is, the evaluation without considering the control measures already established in the process. Subsequently, the residual risk was identified, which is the one that remains once the impact of the controls on the causes that generate the risk has been analyzed. In the example presented in figure 1, it is observed that risks R1, R2 and R4 had a considerable change in terms of their risk zone, from extreme to low and moderate. For R3, although it had a decrease in its probability of occurrence, the impact remained the same.
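The inherent/residual evaluation described above, as an added worked example that is not part of the paper or the entity's own tooling. It assumes 1 to 5 ordinal scales for probability and impact and assumes the zone thresholds, because the appendix tables A1 and A2 are not reproduced on this page; the four sample risks, their typologies and their controls are constructed to mirror the R1 to R4 pattern of figure 1 (three risks drop from extreme to low or moderate, one keeps its impact). The function names are the author's own choices.

```python
"""Risk-matrix scoring: inherent vs. residual risk and zone distribution (illustrative)."""
from collections import Counter
from dataclasses import dataclass, field

# Assumed 1..5 ordinal scales; the paper's tables A1/A2 are not reproduced here.
LEVELS = range(1, 6)
ZONES = ("extreme", "high", "moderate", "low")


def zone(probability: int, impact: int) -> str:
    """Map a probability/impact pair to a risk zone (thresholds are assumed)."""
    if probability not in LEVELS or impact not in LEVELS:
        raise ValueError("probability and impact must be integers in 1..5")
    score = probability * impact
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "moderate"
    return "low"


@dataclass
class Control:
    """A control on a cause. Preventive controls lower probability,
    corrective controls lower impact (assumed strength: levels removed)."""
    name: str
    nature: str        # "preventive" or "corrective"
    strength: int = 1


@dataclass
class Risk:
    code: str
    typology: str      # strategic, operational, corruption, technological, compliance, financial
    probability: int   # inherent probability, 1..5
    impact: int        # inherent impact, 1..5
    controls: list = field(default_factory=list)

    def inherent(self) -> tuple:
        """Evaluation without considering existing controls."""
        return self.probability, self.impact

    def residual(self) -> tuple:
        """Evaluation after applying each control; never drops below level 1."""
        p, i = self.probability, self.impact
        for c in self.controls:
            if c.nature == "preventive":
                p = max(1, p - c.strength)
            elif c.nature == "corrective":
                i = max(1, i - c.strength)
            else:
                raise ValueError(f"unknown control nature: {c.nature!r}")
        return p, i


def zone_distribution(risks: list, residual: bool = True) -> dict:
    """Percentage of risks per zone, rounded, in the style of table 3."""
    counts = Counter(zone(*(r.residual() if residual else r.inherent())) for r in risks)
    return {z: round(100 * counts.get(z, 0) / len(risks)) for z in ZONES}


def typology_distribution(risks: list) -> dict:
    """Percentage of risks per typology, rounded."""
    counts = Counter(r.typology for r in risks)
    return {t: round(100 * n / len(risks)) for t, n in sorted(counts.items())}


# Constructed sample, loosely mirroring the four Social Management risks of figure 1.
SAMPLE = [
    Risk("R1", "operational", 5, 4, [Control("four-eyes review", "preventive", 2),
                                     Control("reconciliation", "corrective", 2)]),
    Risk("R2", "operational", 3, 5, [Control("checklist", "preventive", 2),
                                     Control("escalation path", "corrective", 2)]),
    Risk("R3", "compliance", 5, 3, [Control("legal review", "preventive", 1)]),
    Risk("R4", "corruption", 4, 5, [Control("segregation of duties", "preventive", 2),
                                    Control("insurance", "corrective", 2)]),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.code, zone(*r.inherent()), "->", zone(*r.residual()))
    print("inherent:", zone_distribution(SAMPLE, residual=False))
    print("residual:", zone_distribution(SAMPLE))
    print("typology:", typology_distribution(SAMPLE))
```

Running the block shows R1, R2 and R4 moving from the extreme zone to moderate, low and moderate respectively, while R3 only drops one probability level and keeps its impact, so it lands in the high zone; the aggregate per-zone percentages are what a table such as table 3 summarizes.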

Table 3
Results of the risk evaluation

Source: Own elaboration.

Figure 1
Example of inherent and residual risk for the Social Management process

Source: Own elaboration.

As can be seen in table 3, among the relevant results, 57% of the risks were classified as operational, that is, events that can be caused by failures or inadequacy of processes, people or external events (Basel Committee on Banking Supervision, 2003). On the other hand, 13% of the risks were associated with strategic situations, that is, the events that matter most to the organization's ability to achieve its objectives and to build and protect value (Frigo & Anderson, 2009). Risks related to legal or compliance matters accounted for 11% of the total. Corruption risk accounted for 10% of the total; this is a type of risk typical of the Colombian public sector, where work on the subject began after the issuance of Law 1474 of 2011.

Subsequently, as the analysis of the identified risks progressed, it was necessary to determine the probability of their occurrence and their impact. In this phase, the controls for each of the causes associated with the risks were also identified. Controls were rigorously analyzed, determining for each one its frequency, the individual responsible, the evidence of its application, and its nature (corrective or preventive). In those cases in which a cause had no established controls, this was noted so that the development or strengthening of controls could be documented as actions in the risk treatment step.

The assessment of the residual risk, taking into account the incidence of the controls, yielded the results shown in table 3, where it stands out that 37% of the risks were located in the extreme zone and 25% in the high zone, indicating that corrective action should be taken immediately to treat them. For the risks located in the moderate and low zones, corresponding to 16% and 22% respectively, actions should continue to be taken to implement and/or maintain the controls that manage them.

Risk treatments

The purpose of the risk treatment plan is to specify how the options chosen to mitigate the risks will be implemented, so that those involved understand the arrangements and progress on the planned actions can be monitored (International Organization for Standardization 31000, 2018). The risk treatment analysis indicated that 27% of the risks would be accepted, because they were located in the low zone, because the existing treatment actions were sufficient, or because their causes depended on external agents over which the entity had no greater influence.

On the other hand, 73% of the risks would be reduced through treatment actions. In this regard, the entity formulated 34 treatment actions in order to prevent the materialization of the risks. The actions were formulated by the individual responsible for each process. Since an action documented in one process could affect others, it was formalized only once and then socialized with the other processes on which it would have some effect.

Of the actions taken, 53% focused on updating or designing operating policies and 26% on awareness-raising and training. These figures are consistent with the risk distribution (see table 3): since 57% of the risks were classified as operational, issues related to possible process failures and human error had to be addressed.

Monitoring and review

The purpose of monitoring and review is to ensure and improve the quality and effectiveness of the design, implementation and results of the process (International Organization for Standardization 31000, 2018). Given the definition of the risk criteria, a preliminary evaluation of the risk is defined, formalized and carried out according to the Risk Management Policy, in which the monitoring and review processes are established based on the three lines of defense model (Institute of Internal Auditors, 2020). This model was adopted by the National Government through the issuance of Decree 1499 of 2017, with operating manuals developed specifically for its implementation. Accordingly, department heads are responsible, as the first line of defense, for the ongoing supervision and monitoring of day-to-day activities.

This review process was carried out in three stages, as follows. First, although process leaders were charged with the continuous monitoring of risks, it was also established that these activities would be consolidated into quarterly reports, which were forwarded to the entity's Corporate Planning area. Secondly, based on the information from the first stage, the Corporate Planning area validated the consolidated quarterly reports on a regular basis. This allowed for the identification of possible improvement actions, focused and targeted for each process, but with a transversal character for the entire risk management system. These activities configured the role of the second line of defense.

This corporate-level risk report, consolidated by Corporate Planning, is integrated into the work of the entity's Institutional Coordinating Committee for Internal Control. This Committee is comprised of senior management and operates as the highest monitoring and decision-making body in terms of control for the organization. As such, decisions that could affect operations in terms of risk management are taken by this committee, since one of its main functions is the establishment and review of the risk management criteria, among which is the risk management policy. Given this structure, the responsibility for strategic direction is established in the MIPG of the Consejo para la Gestión y Desempeño Institucional and, as such, is structured through the Institutional Coordinating Committee for Internal Control, an advisory and decision-making body on internal control for the entity's senior management (Departamento Administrativo de la Función Pública, 2015).

Finally, there is the role of the third line of defense, which is responsible for implementing the risk-based audit plan (Institute of Internal Auditors, 2017), an exercise which makes it possible to independently evaluate the effectiveness and efficiency of the controls for the established risks. This third line also serves as an information provider for the risk update exercise, as it generates reports that identify risks, which become inputs for updating the entity's process risk matrices.

Communication and consultation

Prior to the focus groups, a theoretical explanation of the concepts, the importance and the stages necessary to develop the risk management process was given, so that the members involved in the processes were made aware of the importance of the exercise. This served to facilitate knowledge seeking and the transfer of the methodological approach for the application and implementation stages of the risk management process. These processes and procedures were developed so that any interested party within the entity could be consulted and engaged.

Additionally, the selection of participants for focus groups for each process was made taking into account the need to have different training profiles, roles and responsibilities in order to promote discussion and feedback from a variety of viewpoints.

Recording and reporting

The results of the focus groups' working sessions were consolidated into a process risk matrix, which later served as the official consultation document. In establishing the criteria for risk management, the Corporate Planning area determined that progress reports would be consolidated and that the implementation results for overall risk management would be disseminated to the Institutional Coordinating Committee for Internal Control. This committee was composed of the leaders of each of the processes as well as the legal representative. Similarly, in each of their own departmental meetings, the risks are monitored, with emphasis on the existing controls as well as on the actions established for the treatment of the risks. Likewise, residual risks whose assessment placed them in the high or extreme zones, as well as those classified as corruption risks (as required for the sector), are also reported. The dissemination of information in these areas is aimed at reviewing aspects that may be useful for updating the risk matrices.

Discussion and conclusions

The research results reveal some key factors for successful implementation.

  1. Resource availability, which allowed the company to hire a professional to methodologically guide the development of the risk-building exercises, train members regarding the processes and, finally, advise on the design of the risk management guidelines. This observation is in line with previous studies that evidenced the importance of having qualified personnel, tools, techniques and resources for successful ERM implementation (Gibson & Young, 2012; Hallowell et al., 2013).

  2. The integration of methodologies: since the public sector regulations issued different guidelines for managing specific types of risk, having a single consolidated procedure was important. This finding had not been highlighted in previous studies.

  3. Participative leadership support from top management in the development and tracking of the implementation exercises that addressed risks. These findings support earlier research (Moshesh et al., 2018; Sax & Torp, 2015).

  4. Support from senior management in conducting and carrying out risk management in the organization, as it creates greater commitment from the members of the organization, which corroborates previous findings in the literature (Oliveira et al., 2019).

  5. Finally, as an emerging category, the importance of articulating risk management with the audit function, ensuring that audit work becomes an input for updating the risk matrices.

Further, the results allowed us to observe that the implementation of ERM strengthened the identification of several types of risks within the entity, including strategic risks. Another benefit was the improvement in the way treatment measures were designed and carried out in response to risks. For example, the materialization of risks was reduced by keeping the institution's policies up to date, which helped to reduce one of the main risks associated with operational issues. These results are in line with previous studies that observed the benefits of this practice in supporting decision-making in the face of the differing types of risks that may arise in companies (Hoyt & Liebenberg, 2011).

The studied company also showed an improved framework for managing risk, where the organizational structure was revised to support these risk initiatives, which clarified the roles and responsibilities of those involved in the exercise. These results are consistent with previous findings in the literature, where it was observed that Latin American companies strengthen their risk management structure by creating specific areas of responsibility for this function (Mejia et al., 2017). With the revision of the institution's guidelines, it was also possible to improve the characterization of the population within the entity's scope, which was another highlighted benefit of implementing the risk management initiative.

The results confirm the importance of carrying out a comprehensive risk management program that allows several types of risks to be administered under the same methodology, thus facilitating the implementation of a single ERM system across the different areas of the organization. This evidence is similar to the findings of another study in which the benefits of such holistic management were observed (Khan et al., 2016).

Theoretical and practical implications

This research has theoretical implications because it contributes to the literature on the key success factors in implementing risk management. It also strengthens theoretical knowledge on the importance of adopting flexible risk management frameworks adjusted to the organization's environment, rather than relying only on rigid, standardized frameworks to implement ERM.

On the other hand, several practical implications can be drawn. The implementation of the risk management process within the organization sought to integrate practices based on a holistic management approach, so the methodology used articulated the regulatory requirements that Colombian legislation has issued in response to risk management. This helped to avoid rework, confusion and duplicated effort. Another key aspect was the active participation of the different roles in the organization, especially that of management, which is recommended when deploying initiatives in similar contexts, as it enabled the empowerment of employees at all levels of the organization. Finally, rigor in the design and qualification of the controls for the risk causes was a key point in undertaking the execution of pertinent action plans.

The practical implications could be useful to the areas in charge of comprehensive risk management, specifically to the role of chief risk officer. In the organizational context, they could also be of interest to senior management roles, from which the conditions for effective integrated risk management must be ensured. From the point of view of the public sector in general, the contributions of this research are useful to other organizations obliged to implement ERM, as well as to the entities in charge of issuing guidelines on the matter.

Limitations and future research

A limitation of the current study is that it covers a single entity and, therefore, no comparisons are made that would allow different risk management behaviors to be observed in different contexts. It is important to note that, for this reason, this study does not intend to generalize the results presented. Future studies could expand the sample, allowing comparative analyses to be carried out. For example, it would be interesting to conduct a similar study in small and medium-sized companies, which, having different characteristics, may reflect different realities regarding the implementation of risk management.

On the other hand, while the current research included aspects of leadership style and its relationship to ERM, it is suggested that further research could examine in greater depth the professional experience of the members of the board of directors and how it is associated with the ERM system, given that they are responsible for monitoring the performance of the company and for the value of the company.

In the same sense, the present research inquired about the benefits received when implementing ERM according to the opinion of the people who participated in the exercise. Future research could also include how the benefit is perceived by the entity's different external stakeholders, in order to broaden the implications for managing risks.

Another limitation is the use of a qualitative approach to observe the factors driving risk management in the company. It would be interesting, in future research, to carry out a quantitative study with structural equations that could help to identify the factors associated with the development of such management in public companies, and to include a representative sample of the population so that the results could be generalized. This could also make a theoretical contribution by identifying possible factors supported by more robust samples.

The study focused on observing the stage of ERM implementation in a public entity, the process followed, the benefits achieved and the difficulties encountered. Although it is an interesting contribution from the case study perspective, it would also be interesting to carry out future research analyzing important aspects of the design, the framework and the principles of risk management (International Organization for Standardization, 2018), and to include a quantitative study relating variables associated with the characteristics of the company (size, structure, sector, trajectory) to their impact on the planning stage.

Ethical considerations

The researchers requested authorization from the entity to carry out the investigation, and it was stated that the data would be used anonymously. No ethical endorsement was required.

Authors’ contributions statement

Professor Diego Jurado-Zambrano participated in the elaboration of the article in the thematic role. Professor Eduart Villanueva participated in the preparation of the article in the methodological role.


There was no funding for the preparation of the article.

Interest conflicts

The authors declare that there is no conflict of interest in the preparation of the article.


Agarwal, R., & Ansell, J. (2016). Strategic Governance Lessons from History for West. Strategic Change: Briefings in Entrepreneurial Finance, 25(4), 427–439. https://doi.org/10.1002/jsc

Antonioni, G., & Moreno, V. C. (2019). A procedure for emergency planning for SMEs under Seveso III directive in the ISO 31000 framework. Chemical Engineering, 77.

Arnaboldi, M., & Lapsley, I. (2014). Enterprise-wide risk management and organizational fit: A comparative study. Journal of Organizational Effectiveness, 1(4), 365–377. https://doi.org/10.1108/JOEPP-09-2014-0056

Beasley, M., Clune, R., & Hermanson, D. (2005). Enterprise risk management: An empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy, 24(6), 521–531. https://doi.org/10.1016/j.jaccpubpol.2005.10.001

Blanco-Mesa, F., Rivera-Rubiano, J., Patino-Hernandez, X., & Martinez-Montana, M. (2019). The importance of enterprise risk management in large companies in Colombia. Technological and Economic Development of Economy, 25(4), 600-633. https://doi.org/10.3846/tede.2019.9380

Brustbauer, J. (2016). Enterprise risk management in SMEs: Towards a structural model. International Small Business Journal, 34(1), 70–85. https://doi.org/10.1177/0266242614542853

Calandro, J. (2015). A leader’s guide to strategic risk management. Strategy & Leadership, 43(1), 26. https://doi.org/10.1108/SL-11-2014-0082

Caldarelli, A., Fiondella, C., Maffei, M., & Zagaria, C. (2016). Managing risk in credit cooperative banks: Lessons from a case study. Management Accounting Research, 32(July), 1–15. https://doi.org/10.1016/j.mar.2015.10.002

Committee of Sponsoring Organizations of the Treadway Commission (2013). Control Interno-Marco Integrado (COSO). Committee of Sponsoring Organizations of the Treadway Commission.

Committee of Sponsoring Organizations of the Treadway Commission (2017). Enterprise Risk Management—Integrating with Strategy and Performance. Committee of Sponsoring Organizations of the Treadway Commission.

Basel Committee on Banking Supervision (2003). Operational risk transfer across financial sectors. Basel Committee on Banking Supervision. https://www.bis.org/publ/joint06.pdf

Corbin, J., & Strauss, A. (1990). Grounded Theory Methodology: Procedures, Canons, and Evaluative Criteria. Qualitative Sociology, 13(1), 3–21. https://med-fom-familymed-research.sites.olt.ubc.ca/files/2012/03/W10-Corbin-and-Strauss-grounded-theory.pdf

Creswell, J. (2003). Research Design: Qualitative, Quantitative, and Mixed Methods Approaches (2nd ed.). London: Sage Publications.

Creswell, J. (2007). Qualitative Inquiry & Research Design: Choosing Among Five Approaches (2nd ed.). London: Sage Publications.

Creswell, J., Hanson, W., Clark, V., & Morales, A. (2007). Qualitative Research Designs: Selection and Implementation. The Counseling Psychologist, 35(2), 236–264. https://doi.org/10.1177/0011000006287390

Davidson, C. (2009). Transcription: Imperatives for Qualitative Research. International Journal of Qualitative Methods, 8(2), 35–52. https://doi.org/10.1177/160940690900800206

de Freitas Alves, G., Neto, W., Coli, M., de Souza, P., Sant’Ana, T., & Salgado, E. (2017). Perception of Enterprise Risk Management in Brazilian Higher Education Institutions. In European, Mediterranean, and Middle Eastern Conference on Information Systems (pp. 506-512). Springer, Cham.

Departamento Administrativo de la Función Pública (2018). Guía para la administración del riesgo y el diseño de controles en entidades públicas: riesgos de gestión, corrupción y seguridad digital. http://www.funcionpublica.gov.co/documents/418548/34150781/Guía+para+la+administración+del+riesgo+y+el+diseño+de+controles+en+entidades+públicas+-+Riesgos+de+gestión%2C+corrupción+y+seguridad+digital+-+Versión+4+-+Octubre+de+2018.pdf/68d324dd-55c5-11e0-9f

Elahi, E. (2013). Risk management: The next source of competitive advantage. Foresight, 15(2), 117–131. https://doi.org/10.1108/14636681311321121

Farrell, M., & Gallagher, R. (2015). The Valuation Implications of Enterprise Risk Management Maturity. Journal of Risk and Insurance, 82(3), 625–657. https://doi.org/10.1111/jori.12035

Frigo, B., & Anderson, R. (2009). Strategic Risk Assessment. Strategic Finance, 25–33.

Gibson, M., & Young, J. (2012). Critical success factors for the implementation of an operational risk management system. Corporate Ownership and Control. https://doi.org/10.22495/cocv10i1art12

Giraldo, A. & Nunez, M. (2020). Administración del riesgo estratégico en algunas grandes empresas privadas de Colombia. AD-minister, (36), 67-96. https://vlex.com.co/vid/administracion-riesgo-estrategico-grandes-852187552

Gordon, L., Loeb, M., & Tseng, C. (2009). Enterprise risk management and firm performance: A contingency perspective. Journal of Accounting and Public Policy, 28(4), 301–327. https://doi.org/10.1016/j.jaccpubpol.2009.06.006

Govender, D. (2019). The use of the risk management model ISO 31000 by private security companies in South Africa. Security Journal, 32(3), 218-235. https://doi.org/10.1057/s41284-018-0158-x

Grace, M., Leverty, J., Phillips, R., & Shimpi, P. (2015). The value of investing in enterprise risk management. Journal of Risk and Insurance, 82(2), 289–316. https://doi.org/10.1111/jori.12022

Hallowell, M., Molenaar, K., & Fortunato, B. (2013). Enterprise risk management strategies for state departments of transportation. Journal of Management in Engineering, 29(2), 114–121. https://doi.org/10.1061/(ASCE)ME.1943-5479.0000136

Hoyt, R. & Liebenberg, A. (2011). The value of enterprise risk management. Journal of Risk and Insurance, 78(4), 795–822. https://doi.org/10.1111/j.1539-6975.2011.01413.x

Institute of Internal Auditors (2020). El modelo de las tres líneas del IIA 2020. Institute of Internal Auditors. https://na.theiia.org/translations/PublicDocuments/Three-Lines-Model-Updated-Spanish.pdf

Institute of Internal Auditors (2017). Marco Internacional para la práctica profesional de la auditoría interna. https://na.theiia.org/translations/PublicDocuments/IPPF-Standards-2017-Spanish.pdf

International Organization for Standardization 31000 (2018). Risk management-Guidelines (standard No. ISO 31000:2018). Washington, DC: International Organization for Standardization. https://www.iso.org/obp/ui#iso:std:iso31000

Jalal-Karim, A. (2013). Leveraging enterprise risk management (ERM) for boosting competitive business advantages in Bahrain. World Journal of Entrepreneurship, Management and Sustainable Development, 9(1), 65–75. https://doi.org/10.1108/20425961311315728

Jaraba, I., Nuñez, M. A., & Villanueva, E. (2018). Riesgos estratégicos. Un estudio de las medidas de tratamiento implementadas por las grandes empresas privadas de Antioquia, Colombia. Cuadernos de Contabilidad, 19(47), 171–181. https://doi.org/10.11144/Javeriana.cc19-47

Kerstin, D., Simone, O., & Nicole, Z. (2014). Challenges in implementing enterprise risk management. ACRN Journal of Finance and Risk Perspectives, 3(3), 1-14. https://silo.tips/download/challenges-in-implementing-enterprise-risk-management

Khan, M., Hussain, D., & Mehmood, W. (2016). Why do firms adopt enterprise risk management (ERM)? Empirical evidence from France. Management Decision, 54(8), 1886–1907. https://doi.org/10.1108/MD-09-2015-0400

Kidd, P., & Parshall, M. (2000). Getting the focus and the group: Enhancing analytical rigor in focus group research. Qualitative Health Research, 10(3), 293–308. https://doi.org/10.1177/104973200129118453

Kitzinger, J. (1995). Qualitative Research: Introducing focus groups. BMJ, 311(7000), 299. https://doi.org/10.1136/bmj.311.7000.299

Kravchenko, S. (2018). The development of non-linear knowledge: New risks, vulnerabilities, and hopes. RUDN Journal of Sociology, 18(2), 195–207. https://doi.org/10.22363/2313-2272-2018-18-2-195-207

Lapadat, J., & Lindsay, A. (1999). Transcription in research and practice: From standardization of technique to interpretive positionings. Qualitative Inquiry, 5(1), 64–86. https://doi.org/10.1177/107780049900500104

Lapsley, I. (2009). New public management: The cruellest invention of the human spirit? Abacus, 45(1), 1–21. https://doi.org/10.1111/j.1467-6281.2009.00275.x

Mejía, R. (2006). Administración de riesgos. Un enfoque empresarial. Medellín: Fondo Editorial Universidad EAFIT.

Mishler, E. (1991). Representing Discourse: The Rhetoric of Transcription. Journal of Narrative and Life History, 1(4), 255–280. https://doi.org/10.1075/jnlh.1.4.01rep

Morrow, S., & Smith, M. (2000). Qualitative Research for Counseling Psychology. In S. Brown & R. Lent (Eds.), Handbook of Counseling Psychology (3rd ed., pp. 199–230). New York: John Wiley.

Moshesh, R., Niemann, W., & Kotzé, T. (2018). Enterprise risk management implementation challenges: A case study in a petrochemical supply chain. South African Journal of Industrial Engineering, 29(4), 230-244. https://dx.doi.org/10.7166/29-4-1782

Oliva, F. (2016). A maturity model for enterprise risk management. International Journal of Production Economics, 173, 66–79. https://doi.org/10.1016/j.ijpe.2015.12.007

Oliveira, K., Méxas, M., Meiriño, M., & Drumond, G. (2019). Critical success factors associated with the implementation of enterprise risk management. Journal of Risk Research, 22(8), 1004–1019. https://doi.org/10.1080/13669877.2018.1437061

Onwuegbuzie, A., Dickinson, W., Leech, N., & Zoran, A. (2009). A Qualitative Framework for Collecting and Analyzing Data in Focus Group Research. International Journal of Qualitative Methods, 8(3), 1–21. https://doi.org/10.1177/160940690900800301

Parviainen, T., Goerlandt, F., Helle, I., Haapasaari, P., & Kuikka, S. (2021). Implementing Bayesian networks for ISO 31000: 2018-based maritime oil spill risk management: State-of-art, implementation benefits and challenges, and future research directions. Journal of Environmental Management, 278, 111520.

Pérez-Cornejo, C., de Quevedo-Puente, E., & Delgado-García, J. B. (2019). How to manage corporate reputation? The effect of enterprise risk management systems and audit committees on corporate reputation. European Management Journal, 37(4), 505–515. https://doi.org/10.1016/j.emj.2019.01.005

Purdy, G. (2010). ISO 31000:2009 - Setting a new standard for risk management: Perspective. Risk Analysis, 30(6), 881–886. https://doi.org/10.1111/j.1539-6924.2010.01442.x

Rampini, G., Takia, H., & Berssaneti, F. (2019). Critical success factors of risk management with the advent of ISO 31000 2018-Descriptive and content analyzes. Procedia Manufacturing, 39, 894-903. https://doi.org/10.1016/j.promfg.2020.01.400

Rana, T., Wickramasinghe, D., & Bracci, E. (2019). New development: Integrating risk management in management control systems—lessons for public sector managers. Public Money and Management, 39(2), 148–151. https://doi.org/10.1080/09540962.2019.1580921

Rasid, S., Isa, C., & Ismail, W. (2014). Management accounting systems, enterprise risk management and organizational performance in financial institutions. Asian Review of Accounting, 22(2), 128–144. https://doi.org/10.1108/ARA-03-2013-0022

Saeidi, P., Saeidi, S., Gutierrez, L., Streimikiene, D., Alrasheedi, M., Saeidi, S., & Mardani, A. (2021). The influence of enterprise risk management on firm performance with the moderating effect of intellectual capital dimensions. Economic Research-Ekonomska Istraživanja, 34(1), 122-151.

Sax, J., & Torp, S. (2015). Speak up! enhancing risk performance with enterprise risk management, leadership style and employee voice. Management Decision, 53(7), 1452–1468. https://doi.org/10.1108/MD-10-2014-0625

Shi, X., Wong, Y., Li, M., & Chai, C. (2018). Key risk indicators for accident assessment conditioned on pre-crash vehicle trajectory. Accident Analysis and Prevention, 117(December 2017), 346–356. https://doi.org/10.1016/j.aap.2018.05.007

Soltanizadeh, S., Abdul, S., Mottaghi, N., & Wan, W. (2016). Business strategy, enterprise risk management and organizational performance. Management Research Review, 39(9), 1016–1033. https://doi.org/10.1108/MRR-05-2015-0107

Stake, R. (1994). Case Studies. In N. Denzin & Y. Lincoln (Eds.), Handbook of Qualitative Research. London: SAGE publications.

Tabares, J., Jaramillo, J., Arias, M., & Arias, A. (2017). Tendencias en la investigación sobre gestión del riesgo empresarial: un análisis bibliométrico. Revista Venezolana de Gerencia, 22(79), 506-524. https://doi.org/10.37960/revista.v22i79.23036

Yin, R. (1981). The case study crisis: Some answers. Administrative Science Quarterly, 26(1), 199–208. https://doi.org/10.1177/107554708100300106

Zhao, X., Hwang, B., & Low, S. (2015). Enterprise risk management in international construction firms: Drivers and hindrances. Engineering, Construction and Architectural Management, 22(3), 347–366. https://doi.org/10.1108/ECAM-09-2014-0117


Table A1. Likelihood scale

Source: Own elaboration.


Table A2. Impact scale

Source: Own elaboration.


* Research paper.

Author notes

a Corresponding author. E-mail address: diego.jurado@esap.edu.co

Additional information

Cited as: Jurado-Zambrano, D., & Villanueva, E. (2021). Risk management. A case study of a Colombian public sector company. Cuadernos de Contabilidad, 22. https://doi.org/10.11144/Javeriana.cc22.rmcs