The Tempest, Act 1
1.
COSO ERM is more structured and closely tied to strategy, governance, and performance.
ISO 31000 is more flexible and principle-based, so it can fit many types of organizations.
In practice, COSO is often used for stronger internal control, while ISO is easier to adapt.
2.
Controls help reduce inherent risk to an acceptable target or residual risk level.
They work by preventing, detecting, or correcting problems.
Their effectiveness should be evaluated by checking whether they actually lower likelihood, impact, and repeated failures.
3.
ISO defines risk management as a way to create and protect value. COSO focuses more on managing uncertainty to improve strategy and performance.
This means ISO is broader, while COSO is more linked to business objectives and governance.
4.
Organizations should consider both threats and opportunities because risk can also lead to growth and innovation.
Focusing only on negative outcomes can make a company too defensive. A balanced view supports better decisions and stronger long-term results.
5.
A major challenge is building a culture where everyone considers risk in daily decisions.
Other problems include poor communication, lack of training, and resistance to change.
Departments may also work separately, making risk management hard to embed across the organization.
6.
PESTLE stands for Political, Economic, Social, Technological, Legal, and Environmental factors.
It helps organizations identify external risks by analyzing each area systematically.
The most unpredictable category is often political or economic, because conditions can change quickly.
7.
LILAC stands for Leadership, Incentives, Learning, Accountability, and Communication.
These elements build a risk-aware culture by encouraging responsibility, learning, and clear communication.
When leaders support risk awareness, employees are more likely to act carefully and consistently.
8.
FIRM stands for Financial, Infrastructure, Reputational, and Marketplace benefits.
Financial strength supports resources, infrastructure improves operations, reputation builds trust, and marketplace benefits increase competitiveness.
Together, they reinforce one another and create long-term organizational value.
9.
MADE2 refers to balancing key objectives such as reducing threats, improving decisions, and capturing opportunities.
When these objectives conflict, organizations should prioritize based on strategy and risk tolerance.
The goal is to find balance rather than maximize one objective at the expense of others.
10.
PACED stands for Proportionate, Aligned, Comprehensive, Embedded, and Dynamic.
The hardest attribute to implement is often Embedded, because risk management must become part of everyday decisions.
That requires strong culture, consistency, and commitment at every level.