Risk management. A case study of a Colombian public sector company*

The objective of this research is to analyze, in a Colombian public sector company, the key success factors for the implementation of an ERM initiative. To comply with the objective, an investigation with a qualitative approach and descriptive scope is developed. As instruments for collecting information, the following are used: the focus group technique; the documentary review, specifically of the strategic plan, the operating policies, the risks previously identified, as well as the internal and external audit reports. The results show the existence of some key success factors, such as senior management leadership, resource allocation, and methodological integration for risk management, which enabled the successful implementation of integrated risk management. Likewise, the main stages adopted in the implementation exercise are presented, which were based on the ISO 31000:2018 standard. JEL Codes: D73, H83, M19.

Introduction e global nancial crisis has turned the notion of risk as a central issue in the management of public and private organizations (Rana, Wickramasinghe, & Bracci, 2019), risk management allows the identication of events that impact the organization's ability to create value and compliance with the strategy (Giraldo & Nunez, 2020), in addition to providing information to improve the decision-making process in uncertain contexts (Blanco-Mesa, Rivera-Rubiano, Patino-Hernandez et al., 2019), being a focal point for executives and professionals (Oliveira, Méxas, Meiriño et al., 2019); ERM has been found to have a positive relationship with company performance (Saeidi, Saeidi, Gutierrez et al., 2021). Risk management has become an emerging key element of the New Public Management (Lapsley, 2009). In the Colombian public sector, guidelines around the subject are contained in the Integrated Planning and Management Model (MIPG for its translation into Spanish), which is regulated under Decree 1499 of 2017.
Enterprise Risk Management (ERM) has been used as a methodology to assess risks in achieving the objectives of an organization (de Freitas Alves, Neto, Coli et al., 2017). Given that there is a lack of studies on risk management in the public sector (de Freitas Alves et al., 2017; Rana et al., 2019; Tabares, Jaramillo, Arias et al., 2017), the objective of this paper was to analyze the key factors for successful implementation of a risk management initiative in a Colombian public sector organization. For this case study, focus groups were developed with key employees of each entity process and internal and external audit reports over matrices were consulted.
The most relevant results of the study showed that 59% of risks were located in a high or extreme zone, for which 30 action plans were documented. A large percentage of the action plans focused on developing or updating operating policies and on training and educating employees in implementation. This is consistent with the distribution of risk, as 56% of the total identified were categorized as operational. Finally, we highlight some of the key factors present in the implementation, such as the allocation of resources, participation of senior management, and the articulation of initial work agreements for the methodology of managing risk.

Risk management
Risk is dened as a combination of the probability or frequency of an event and its consequences, which are generally negative (Elahi, 2013) or contain uncertainty about the objectives (International Organization for Standardization 31000, 2018). Risk involves an element of unpredictability and an undesirable result such as a loss (Soltanizadeh, Abdul, Mottaghi et al., 2016). One can have unwanted operations, strategy, competitiveness, nance, reputation and compliance obligations with adverse impact ( Jalal-Karim, 2013).
Because the business environment is complex as a result of deregulation, globalization, downsizing and technological advancement (Rasid, Isa, & Ismail, 2014), companies face a wide range of risks that must be managed holistically, and thus there is growing interest in ERM (Beasley, Clune, & Hermanson, 2005). Unlike traditional approaches to risk management, ERM is a holistic approach that involves a joint review of the risk that is assessed, quantified, funded and managed at the enterprise level (Grace, Leverty, Phillips et al., 2015). ERM is also implemented at all levels of a company and applied in a configuration strategy so as to ensure the achievement of corporate goals (Zhao, Hwang, & Low, 2015). However, the successful implementation of ERM depends on several factors. Table 1 summarizes several of them. For example, there is a correlation between a participative leadership style that allows employees to participate and the success of ERM (Sax & Torp, 2015). Another example is the establishment of the ERM function headed by a senior person, such as a Chief Risk Officer or Risk Director (Beasley et al., 2005; Oliveira et al., 2019). This person should be responsible for establishing and communicating policies regarding ERM, training current employees, and hiring ERM functional staff with professional experience in ERM (Kerstin, Simone, & Nicole, 2014).
In addition, it is important to have the corporate culture, values, beliefs, knowledge, attitudes and understanding of the risks shared by a group of individuals, teams and workgroups in order to boost ERM initiatives (Agarwal & Ansell, 2016; Oliva, 2016). These aspects contribute to the overall risk culture, which has been shown to be of great influence in facilitating ERM practices (Oliveira et al., 2019).
On the other hand, resource availability is a determining factor in advancing ERM efforts (Hallowell et al., 2013), such as estimates of qualified staff, experience and time, in addition to improving the risk management processes based on the participation of people and the proper allocation of resources, tools and techniques (Gibson & Young, 2012).
Because of its proactive nature of decision-making, ERM requires strong leadership, a substantial commitment of resources, timely reports, and real-time data insight (Moshesh, Niemann, & Kotzé, 2018). The absence or lack of these requirements could lead to implementation challenges that impact on the success of ERM. When managers perceive that other control systems and risk management are satisfactory, ERM initiatives may struggle to find a space and to sell its value added to owners (Arnaboldi & Lapsley, 2014).
Because of its integration of risk management practices and its holistic and simultaneous management of different types of risk, ERM has several benefits for organizations (Khan, Hussain, & Mehmood, 2016). It enables a consistent treatment of risk; it encourages a view of the longer-term risk while allowing accurate resource allocation and improved and faster reaction to the emerging risk identified. All of this can lead to increased profitability (Moshesh et al., 2018). It has also been shown that companies that have ERM systems in place have a higher market value (Hoyt & Liebenberg, 2011).
It is important to consider that these benefits are within the business as long as its context is associated with competition within the industry, company size, complexity of the company and its board of directors (Gordon, Loeb, & Tseng, 2009). Other benefits include the integration of decision-making across different risks within the business, the duplication of risk management fees is avoided, and a better understanding of aggregate risk in different commercial activities is obtained (Hoyt & Liebenberg, 2011). Through its approach to identification, assessment, treatment, monitoring and communication of risks, ERM can have a positive impact on the promotion of competitive business advantage (Jalal-Karim, 2013), and has even been found to allow for better management of organizational reputation (Pérez-Cornejo, de Quevedo-Puente, & Delgado-García, 2019).
In the Colombian public sector, risk management is established as a guideline in Decree 1499 of 2017 in which, among other elements, it is defined as the MIPG. The MIPG is structured in different dimensions and policies, with respect to the issue of risk management. It is referred to as Internal Control, and is contemplated within the dimension and the policy of the same name. The basis for implementing this internal control policy is the Standard Model of Internal Control, which adopted the structure of the 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Integrated Framework, which includes the component of risk assessment (Committee of Sponsoring Organizations of the Treadway Commission, 2013). Another factor to take into account within the internal control dimension is the model of the three lines of defense, which facilitates communication of the different roles regarding risk management and control in order to determine the different roles that must be completed. In this model, the first line of defense refers to the monitoring of risks to be performed by management; the second line encompasses the various supervisory functions determined by the respective administrative and financial controls, security, risk management, and quality, among others; while the third line of defense is the internal audit (Institute of Internal Auditors, 2020).
The International Organization for Standardization (ISO) 31000 risk management standard was developed by professionals around the world and is used by all types of companies; this has made it the leading global guide for risk management practices (Govender, 2019). There is a lack of integrated approaches that consider the different types of risks and the different sources of information to identify the risks; for this, the use of ISO 31000 has been recommended as an adequate basis (Parviainen, Goerlandt, Helle et al., 2021). The aforementioned standard, recognized as a worldwide standard, allows organizations to implement the risk management process following key factors for successful implementation and contribute to performance (Rampini, Takia, & Berssaneti, 2019). Additionally, it integrates a set of systematic techniques for the different stages of risk management, which allows excellent adaptability to companies in different sectors (Antonionia & Moreno, 2019).
To implement risk management the following steps must be followed: Establish the context, assess risk, address the risk, communicate and consult, review and monitor, and record and report (International Organization for Standardization 31000, 2018).

Context
Companies must look within the organization in order to determine the cultural level of risk management that permeates both existing practices as well as individual behavior. They should also analyze the specific nature of the context of each company in order to determine if there are significant variations in the ERM practices, including companies that are in the same industry (Caldarelli, Fiondella, Maffei et al., 2016). Thus, risk management also includes other internal factors, such as the company's own goals and activities. It is important to consider that organizational factors could generate risks, hence the importance of conducting a thorough review of the internal context (International Organization for Standardization 31000, 2018).
The external context of the organizations must also be established, since the exogenous factors create risks that must be managed with the implementation of the ERM (Gordon et al., 2009). Therefore, external variables that may affect the objectives and results of the organization must be detailed; once the context of the company is defined, the scope of risk management can be defined (International Organization for Standardization 31000, 2018). With this defined context, the entire portfolio of risks that could be presented can also be analyzed, controlled and monitored (Farrell & Gallagher, 2015).

Risk assessment
This stage includes the identification of risks, which must determine the events that may affect the achievement of objectives, including the causes and effects of each risk (Mejía, 2006); after this, the valuation of each risk based on the probability of the occurrence of each event and the magnitude of the consequences of these risks is determined (International Organization for Standardization 31000, 2018); subsequently, the risks are ranked in order to set up the priority of events that must be treated (Brustbauer, 2016).

Risk treatment
At this stage, companies determine how to respond to risks, with actions that reduce their frequency and/or impact, or establish the source of resources that will cover the losses generated by an event, such as insurance or the company's own financial funds (Committee of Sponsoring Organizations of the Treadway Commission, 2017; Mejía, 2006). Thus, there are a variety of ways to mitigate significant risks that must be analyzed according to each context (Calandro, 2015). Allowing such treatment measures to respond to different risks and improve organizational management increases opportunities and reduces threats (Jaraba, Nuñez, & Villanueva, 2018).

Monitoring and review
It is essential to conduct a periodic review of risk behavior over time, and this stage must be carried out in a planned manner, with responsibilities defined by the company (International Organization for Standardization 31000, 2018). This is why the relationship of the ERM system and organizational performance depends largely on adequate monitoring of risks (Gordon et al., 2009). The dynamism of the environment leads to new risks that are becoming more complex and that may affect organizations. This monitoring should be done in a nonlinear manner that integrates different natural sciences, both technical and social (Kravchenko, 2018).

Communication and consultation
This step facilitates interaction with different stakeholders through accessible channels, so that they can be informed about the decisions that the organization must make regarding risk management and disagreements leading to these decisions. Similarly, it also allows for feedback from stakeholders to adjust the guidelines regarding how to act in the face of risks (International Organization for Standardization 31000, 2018). If an effective communication and consultation process is carried out, it will facilitate the generation of awareness in the company regarding the importance of risk management for decision-makers (Zhao et al., 2015).

Recording and reporting
This step is intended to document the entire risk management process in an official or formal consultation text, documenting the activities carried out and the results obtained, which support decision making. It is recommended that this report and all related quality data be presented and shared at all relevant levels within the organization, formally recording and sharing all actions taken, contributing to the overall risk management initiative (Shi, Wong, Li et al., 2018).
Methodology is document describes the results of the incorporation of a risk management initiative in a public sector Colombian company during the year 2019 by describing the processes and good practices followed by the company. is work was developed utilizing a qualitative research approach, because this type of research is dened primarily by its emphasis on the qualities, essences or categories of the study phenomenon, and its results are presented by using descriptive analysis and not through statistical models (Morrow & Smith, 2000). In the qualitative approach, the researcher oen makes knowledge claims based primarily on constructivist perspectives (Creswell, 2003), a characteristic that complies with this present study, because it was implemented by following the process of managing the risk outlined in the ISO 31000 standard. us, the product obtained adds value to management. is qualitative study encompasses many approaches, among which is the case study (Morrow & Smith, 2000). Case studies are a common way of doing qualitative research and in these studies the researcher explores in-depth, a program, an event, an activity, a process or one or more persons (Stake, 1994). Creswell (2007) argues that a case study is the investigation of a "bounded system," be it an individual, a group or an institution. is is why this present work is dened as an intrinsic case study, because it was developed based on a single institution (Stake, 1994;Creswell et al., 2007). e study was conducted at the Instituto Social de Vivienda y Habitat de Medellín, which is an entity dedicated to managing social housing plans that ensure the right to an adequate habitat and fair housing for its citizens. In this regard, the importance of researching risk management within this entity is of paramount importance, given that it is one of the pillars of social development for the city and on which a large portion of public nancial resources are allocated.
For the year 2019, the entity administered an income budget of around USD 24 million. Regarding its organizational structure, the entity had seven departments from where missionary, strategic, support and evaluation processes were developed, which in turn are supported by around 50 employees assigned to the fixed plant of positions and around 200 employees under other contracting modalities.
Case study research builds a deep and contextual understanding of the case, based on multiple data sources (Yin, 1981), using qualitative or quantitative evidence, from a variety of data collection procedures over an extended period of time (Stake, 1994), such as verbal reports and observations (Yin, 1981; Creswell et al., 2007; Corbin & Strauss, 1990); fieldwork and records (Yin, 1981); interviews (Corbin & Strauss, 1990; Creswell et al., 2007); audiovisual material; government documents, video tapes, newspapers and books (Corbin & Strauss, 1990), or any combination thereof (Yin, 1981), which can shed light on the questions under study (Corbin & Strauss, 1990).
To develop the risk management process (International Organization for Standardization 31000, 2018), documents and reports were used as sources of information, such as: the strategic plan; the process map and the characterization of each of them; the internal audit reports from the internal control office and from the quality management system audit exercises; the external audit reports focused on financial and public procurement matters, as well as regulations from control and regulatory bodies of the public sector and the existing risk matrices.
Focus groups are a form of group interview that capitalizes on communication between research participants. Group processes can help people to explore and clarify their views in a way that would be less accessible in an individual interview (Kitzinger, 1995).
The number of times a focus group meets may vary from one meeting to several (Onwuegbuzie, Dickinson, Leech et al., 2009). As such, it was planned to develop four focus group sessions with a subset of employees from each of the 12 processes within the organization. The number of focus group sessions proposed was planned to try to cover relevant information from each of the risk management stages described in the theoretical framework of this document. In the focus groups, employees from the managerial, operational and auxiliary levels participated, because it was intended to cover the greatest number of activities that were developed in each process. The development of the focus groups was based on open questions so that participants could express their views (Creswell, 2003). During the development of the focus groups, participants explained their experiences to their peers, with whom they shared something in common. Since they were members of the process and knew the process in depth, this allowed them to share their views with each other (Kidd & Parshall, 2000).
For purposes of organizing the information resulting from focus groups, the transcription technique was used, which is an integral process in the qualitative analysis of language data (Lapadat & Lindsay, 1999). It is used in speech studies to re-present speech as written text (Mishler, 1991), selectively (Davidson, 2009). Although multiple discussions were generated within the development of the focus groups, in order to consolidate the results, the agreed-upon information from the members of the groups was summarized. The transcription of each of the focus group sessions subsequently made it possible to identify repetitive themes that were frequently mentioned by the participants, with which it was possible to build categories of analysis that shaped the results of the present investigation. An example of this is the information presented in table 2.

Results
The implementation of the risk management initiative was carried out based on the stages outlined in ISO 31000:2018, as follows: establishing the context; assessment of the risk, which consists of identifying, analyzing and assessing the risk; and the treatment, monitoring, review, recording and reporting of risk (International Organization for Standardization 31000, 2018). This is appropriate as the ISO 31000 standard has been formally adopted by many States (Purdy, 2010).

Context
The establishment of the context for each of the 12 processes (see table 2) within the entity, where internal and external factors were identified, was based on the risk management guide (Departamento Administrativo de la Función Pública, 2018), established for the public sector in Colombia. As a result of this stage, common variables were found in the exercises developed within each process. For each variable, its positive or negative incidence was determined, and the effect, positive or negative, for the same process was described. An example of the analysis performed for one of the identified variables is presented in table 2.

Table 2. Example of the way to obtain a unified variable. Source: Own elaboration.
Once the analysis was carried out, by cross-referencing the information from each of the context identification exercises in the processes, the following was obtained: the variable mentioned with the greatest recurrence in the processes was the shortcomings in the organizational structure, which was identified in 92% of them. Next, 83% of the process owners agreed that the weakness of the information systems constituted a negative variable, which could be a cause of risks. Similarly, a comprehensive analysis of the information resulting from this phase was carried out, and the following recurrent variables were additionally identified: (67%), decrease in resource allocation (67%), inadequate physical work environment (58%) and shortcomings in institutional planning (58%).

Risk assessment
Based on the information obtained in the context setting phase, and taking into account the strategic plan; the process map and the characterization of each of them; the internal audit reports from the internal control office and from the quality management system audit exercises; the external audit reports focused on financial and public procurement matters, as well as regulations from control and regulatory bodies of the public sector and the existing risk matrices, 79 risks were identified, based on the knowledge and review of the objectives for each process.
The results are presented in table 3. To help understand the results, it is important to take into account two aspects. First, the 79 risks are classified according to the typologies proposed by the Departamento Administrativo de la Función Pública (2018) in its guide to managing risks, that is, whether they are strategic, operational, corruption, technological, compliance or financial. Second, as shown in figure 1, an example of risk assessment is presented for some risks of the Social Management process, in which the probability and impact tables presented in the appendix of this article were used (see table A1 and table A2).
With the initial evaluation, the inherent risk was identified, that is, the evaluation without considering the control measures already established in the process. Subsequently, the residual risk was identified, which is the one that remains once the impact of the controls on the causes that generate the risk has been analyzed. In the example presented in figure 1, it is observed that risks R1, R2 and R4 had a considerable change in terms of their risk zone, from extreme to low and moderate. For R3, although it had a decrease in its probability of occurrence, the impact remained the same.

Example of inherent and residual risk by Social Management process. Source: Own elaboration.
As can be seen in table 3, among the relevant results, 57% of the risks were classified as operational, that is, they are events that can be caused by failures or inadequacy of processes, people or external events (Committee on Banking Supervision Basel, 2003). On the other hand, 13% of the risks were associated with strategic situations, that is, they are the most important events for the organization to achieve its objectives, build and protect value (Frigo & Anderson, 2009). Risks related to legal matters or compliance matters accounted for 11% of the total. The risk of corruption accounted for 10% of the total; this type is typical of the public sector in Colombia, which began work on the issue after the issuance of Law 1474 of 2011.
Subsequently, as the analysis of the identified risks developed, it was necessary to determine the probability of their occurrence and impact. In this phase, the controls for each of the causes associated with risks were also identified. Controls were rigorously analyzed, determining for each one its frequency, the responsibility of the individual in charge, evidence of application and its nature (corrective or preventive). In those cases in which the cause had no established controls, this was indicated so that, in the risk treatment step, actions for their development or strengthening would be documented.
The assessment of the residual risk, taking into account the incidence of controls, yielded the results shown in table 3, where it is highlighted that 37% of the risks were located in the extreme zone and 25% in the high zone, with the data indicating that corrective action should be taken immediately for the treatment of risks. For risks located in the moderate and low zones, which correspond to 16% and 22%, respectively, actions should continue to be taken in implementing and/or maintaining controls to manage these areas.

Risk treatments
The purpose of the risk treatment plan is to specify the manner in which the options chosen to mitigate the risks will be implemented, so that those involved understand the provisions, and that progress can be monitored regarding the planned actions (International Organization for Standardization 31000, 2018). The risk treatment indicated that 27% would be accepted, given that they were located in a lower zone, because the treatment actions were sufficient, or because the causes depended on external generating agents, for which there was no higher incidence.
On the other hand, 73% of the risks would be reduced through treatment actions. In this regard, the entity formulated 34 treatment actions in order to avoid the materializing of the risks. The formulation of the actions was carried out by the individual responsible for each process. A documented action in a given process could impact others, so it was formalized only once and then shared with the other processes on which it would have some kind of effect.
It is highlighted that of the actions taken, 53% focused on updating or designing operating policies and 26% on raising awareness on existing training. The previous data are consistent with the risk distribution (see table 3), as 57% of them were classified as operational, so issues related to possible process failures and human failures had to be adjusted.

Monitoring and review
The purpose of monitoring and review is to ensure and improve the quality and effectiveness of the design, implementation and results of the process (International Organization for Standardization 31000, 2018). Given the definition of the risk criteria, a preliminary evaluation of the risk is defined, formalized and carried out according to the Risk Management Policy, where the monitoring and review processes are established based on the three lines of defense model (Institute of Internal Auditors, 2020). This was adopted by the National Government through the issuance of Decree 1499 of 2017, with specifically developed operating manuals for implementation. As such, department head leaders would be responsible as the first line of defense through the ongoing supervision and monitoring of day-to-day activities.
This review process was carried out in three stages, as follows: First, although process leaders were charged with continuous monitoring of risks, it was also established that activities would be consolidated into quarterly reports, which were forwarded to the Corporate Planning area of the entity. Secondly, based on information from the first step, the Corporate Planning area proceeded with validating the consolidated quarterly reports with regular frequency. This allowed for the identification of possible improvement actions, in a focused and targeted manner for each process, with a transversal character for the entire risk management system. These activities configured the role of the second line of defense.
This corporate-level risk report, consolidated by Corporate Planning, is integrated into the work of the Institutional Coordinating Committee for Internal Control for the organizational entity. This Committee is comprised of senior management, and operates as the highest monitoring and decision-making body in terms of control for the organization. As such, those decisions that could affect the operation in terms of risk management are taken by this committee since it has, as one of its main functions, the establishment and review of the risk management criteria, among which is the policy for risk management. Given this structure, the responsibility for strategic direction is established in the MIPG of the Consejo para la Gestión y Desempeño Institucional, and as such, is structured by the Institutional Committee Coordinator for Internal Control, an advisory and decision-making body on internal control for the overall senior management entity (Departamento Administrativo de la Función Pública, 2015).
Finally, there is the role of the third line of defense, which is responsible for implementing the risk-based audit plan (Institute of Internal Auditors, 2017), an exercise which makes it possible to independently evaluate the effectiveness and efficiency of the controls for the established risks. This third line also serves as an information provider for the risk update exercise, as it generates reporting that identifies risks that become inputs for updating the overall process for the entity's risk matrices.

Communication and consultation
Prior to the development of the focus groups, a theoretical explanation of the concepts, the importance and the stages necessary to develop the risk management process was given so that members involved in the processes were made aware of the importance of the exercise. This served to facilitate knowledge seeking and the transfer of the methodological development for the application and implementation stages in the risk management process. These processes and procedures were developed so that any interested party within the management entity could be consulted and engaged.
Additionally, the selection of participants for focus groups for each process was made taking into account the need to have different training profiles, roles and responsibilities in order to promote discussion and feedback from a variety of viewpoints.

Recording and reporting
The results of the focus group's working sessions were consolidated into a risk matrix process, which later would serve as the official consultation document. In establishing the criteria for risk management, it was determined by the Corporate Planning entity that progress reports would be consolidated and that implementation results for overall risk management would be disseminated to the Institutional Internal Control Committee Coordinator. This committee was composed of leaders from each of the processes as well as the legal representative. Similarly, in each of their own departmental meetings, the risks are monitored, emphasizing the existing controls, as well as the actions established for the treatment of the risks. As well, the assessment of the residual risks resulted in them being categorized as being in either high or extreme areas, as well as being classified as corruption (as required by the sector). The dissemination of information in these aforementioned areas is aimed at reviewing aspects that may be useful for updating the risk matrices.

Discussion and conclusions
The research results reveal some key factors for successful implementation.
(I) Resource availability, which allowed the company to hire a professional to methodologically guide the development of building exercises as well as train members regarding the processes, and finally advising on the design for guidelines for risk management. This observation is in line with previous studies that evidenced the importance of having qualified personnel, tools, techniques and resources for successful ERM implementation (Gibson & Young, 2012; Hallowell et al., 2013).
(II) The integration of methodologies, as there were different guidelines for managing specific risks for differing types of regulations for the public sector, with the importance of having a single consolidated procedure. This is a study finding that had not been highlighted in previous studies.
(III) Participative leadership support from top management in the development and tracking of implementation exercises that addressed risks. These findings support earlier research (Moshesh et al., 2018; Sax & Torp, 2015).
(IV) Support of senior management to conduct and carry out risk management in the organization as it creates greater commitment from the members of the organization, which corroborates the previous findings in the literature (Oliveira et al., 2019).
(V) and nally, as an emerging category, the importance of articulating and auditing risk management in ensuring that this work becomes inputted to update the risk matrices.
Further, the results allowed us to observe that the implementation of ERM strengthened the identification of several types of risks within the entity, including strategic risks. Another benefit was also evidenced by improving the way in which treatment measures were designed and carried out to respond to risks. For example, the materialization of risks was reduced by maintaining updated policies within the institution, which helped to reduce one of the main risks associated with operational issues. These results are in line with previous studies that observed the benefits granted by this practice in supporting decision-making in the face of differing types of risks that may arise in companies (Hoyt & Liebenberg, 2011).
Also evidenced in the studied company was an improved framework for managing risk, where the organizational structure was revised to provide support for these risk initiatives, which clarified the roles and responsibilities of those involved in this exercise. These results are consistent with previous findings in the literature, where it was observed that Latin American companies strengthen their risk management structure by creating specific areas of responsibility for this function (Mejia et al., 2017). With guideline revisions within the institution, it was also possible to improve the characterization of the population within the scope of the entity, as this was another highlighted benefit of implementing the risk management initiative.
e results conrm the importance of carrying out a comprehensive risk management program that allows for the administration of several types of risks under the same methodology, and thus facilitate the implementation of one system of ERM within differing areas within the organization. is evidence presents similarities to the issues raised in another study where the benets of such holistic management were found (Khan et al., 2016). eoretical and practical implications is research has theoretical implications to the literature because it contributes to the literature on the key success factors in implementing risk management. eoretical knowledge is also strengthened on the importance of adapting exible risk management frameworks adjusted to the organization's environment and not only using rigid and standardized frameworks to implement ERM.
On the other hand, other practical implications could be taken into account: The implementation of the process of managing risk within the organization sought to integrate practices based on a holistic management approach, so the methodology used articulated the regulatory requirements which Colombian legislation has issued to respond to risk management. This helped to avoid reprocesses, confusion and duplication of efforts. Another key aspect was the active participation of the different roles of the organization, an aspect that is recommended in the deployment of initiatives in similar contexts, highlighting that of management, as this enabled the empowerment of employees at all levels within the organization. Finally, the rigor in the design and qualification of the controls for the risk causes was a key point in undertaking the execution of pertinent action plans.
The practical implications could be useful to be considered in the areas in charge of comprehensive risk management, specifically from the role of chief risk officer. In the organizational context, it could also be of interest to senior management roles, from where the conditions for effective integrated risk management must be ensured. From the point of view of the public sector in general, the contributions of this research are useful to be taken into account by other organizations obliged to implement the ERM, as well as by entities in charge of providing guidelines on the matter.

Limitations and future research
A limitation of the current study is that it covers a single entity and, therefore, no comparisons are made that would allow for observing different behaviors of managing risk within different contexts. It is important to note that, for this reason, this study is not intended to generalize the results which are exposed in the research. Future studies could expand the sample, allowing for the ability to carry out comparative analyses. For example, it would be interesting to conduct a similar study in small and medium-sized companies, which, having different characteristics, may reflect different realities regarding the implementation of risk management.
On the other hand, while the current research included aspects of leadership style and its relationship to ERM, it is suggested that further research could deepen the professional experience of the members of the board of directors, and how they are associated with the ERM system, given that they are responsible for monitoring the performance of the company and are responsible for the value of the company.
In this same sense, this present research inquired about the benefits received when implementing ERM in regard to the opinion of the people who participated in the exercise. Future research could also include how benefit is perceived from different exogenous interest groups within the entity, to broaden the implications in managing risks.
Another limitation is the use of the qualitative approach to observe the factors driving risk management in the company. It would be interesting to use, in future research, a quantitative study with structural equations that could help to identify factors associated with the development of such management in public companies, and to include a representative sample for the population, so that the results could be generalized. This could also make a theoretical contribution by raising possible factors supported by more robust samples.
The study focused on observing the stage of ERM implementation in a public entity, the process followed, the benefits achieved and the difficulties encountered. Although it is an interesting contribution from the case study perspective, it would, on the other hand, be interesting to carry out future research to analyze important aspects in the design, in the framework and in the principles of risk management (International Organization for Standardization, 2018), and to include a quantitative study to relate variables associated with the characteristics of the company (size, structure, sector, trajectory), and the impact on the planning stage.

Ethical considerations
The investigation requested authorization from the entity to carry out the investigation and it was mentioned that the use of data would be anonymous. No ethical endorsement was required.

Authors' contributions statement
Professor Diego Jurado-Zambrano participated in the elaboration of the article in the thematic role. Professor Eduart Villanueva participated in the preparation of the article in the methodological role.

Interest conflicts
The authors declare that there is no conflict of interest in the preparation of the article.