Enterprise Risk Management: A Systematic Framework

How institutions organize risk across credit, market, and operational domains

What Is Enterprise Risk Management?

Risk in one corner of a firm can look harmless until it meets risk in another corner. Credit tightens, liquidity thins, ops crack — suddenly you are not dealing with three small problems, you are dealing with one big one.

Enterprise Risk Management (ERM) is the attempt to map those connections on purpose: one inventory of exposures, shared language, explicit appetite, and reporting that reaches people who can say no.

Barings and Enron are taught as ethics tales; they are also wiring diagrams — controls existed in pieces, nobody saw the whole circuit.

For regulated finance, ERM is table stakes. For crypto firms mixing leverage, code, and custody, skipping it is not “moving fast” — it is flying blind with other people’s money.

The COSO ERM Framework

COSO (2017 update) is the common textbook layout: governance, strategy, performance, review, and reporting in a loop — not a five-step checklist you file once a year.

  • Governance and culture — board mandate, tone from the top, incentives that do not reward hiding bad news.
  • Strategy and objectives — risk appetite written down; growth targets that do not contradict capital and liquidity guardrails.
  • Performance — identify, assess, prioritize; respond with accept, avoid, reduce, or transfer.
  • Review and revision — new products, new hacks, new regulators: the map has to update.
  • Information and reporting — escalations that arrive while there is still room to act.

ERM is not “no risk.” It is knowing which risks you are paid to take and which ones you are accidentally swallowing because nobody owns them.

Figure: COSO-style loop (simplified). Governance & culture → Strategy & objectives → Performance (identify · assess · respond) → Review & revision → Information & reporting, feeding back into governance.

Not a binder on a shelf — if the board never argues about risk appetite, the framework is decorative. The useful version lives in meetings and limits — not in the diagram’s font choice.

The Three Lines of Defense Model

First line — desks and builders who run the business. They own the risk and the first-layer controls: limits, reconciliations, code review habits.

Second line — risk and compliance with a reporting line that can challenge the first line without worrying about this quarter’s bonus pool.

Third line — internal audit, reporting to the audit committee. They kick the tires on whether the first two lines actually work.

When the second line is missing or reports into the trading org, you do not have a subtle governance nuance — you have a blind spot with a budget. Several crypto blowups were boring concentration and leverage problems that a functioning second line would have flagged early.

Figure: Three lines of defense (schematic). 1st line owns risk day to day (desk, product, engineering: controls and limits in the workflow); 2nd line is risk & compliance oversight, independent from P&L (policy, monitoring, challenge); 3rd line is internal audit, which tests whether lines 1 and 2 work and reports to the board audit committee.

If “risk” only exists as a Slack channel, you are not running three lines — you are running hope.

The Five Core Risk Categories

Market — prices move against you: rates, FX, equities, commodities, token marks.

Credit — someone does not pay: loans, OTC, counterparty at a venue, bad debt on a lending book.

Operational — people, processes, systems: bugs, fraud, key handling, outages. Basel formalized operational-risk capital for banks; the intuition applies everywhere.

Liquidity — you cannot fund yourself or exit without moving the market against you.

Compliance — rules you break cost fines, licenses, and reputation. In crypto the rule set is still a moving target — that raises the compliance surface rather than lowering it.

Basel III/IV and Regulatory Capital

Basel is how regulators turn ERM into minimum numbers for banks: CET1 buffers, leverage floors, LCR/NSFR liquidity rules. You may never file a Basel report; the ideas still leak into how prime brokers and lenders behave toward you.

Unbacked crypto on bank balance sheets has been treated harshly in international guidance — think very high risk weights. That pushes activity to non-bank pipes and changes who can warehouse risk.

Personal takeaway: match leverage to liquidity, keep a cushion, and know your counterparty — the same vocabulary as Basel, without the spreadsheet.

ERM for Crypto: GaiaEx's Approach

KRIs — pick a small set with thresholds: withdrawal pressure, pair concentration, liquidation frequency, latency SLOs, regulatory filings by jurisdiction. Breach triggers an escalation path, not a shrug emoji.
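One way to make the KRI-plus-threshold idea concrete, as an added example that is not GaiaEx's own code: the KRI names, thresholds, escalation routes and the metrics snapshot below are all constructed assumptions. A missing reading is treated as a breach in its own right, since a silent feed is a monitoring gap rather than a green light.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class KRI:
    name: str
    warn: float      # at/above this: notify second-line risk on-call
    critical: float  # at/above this: escalate to risk committee and halt the activity

# Constructed thresholds (assumed for illustration, not GaiaEx's real limits).
KRIS = [
    KRI("withdrawal_pressure", warn=0.10, critical=0.25),  # 24h net withdrawals / liquid reserves
    KRI("pair_concentration", warn=0.40, critical=0.60),   # top pair's share of 24h volume
    KRI("liquidations_per_hour", warn=50, critical=200),
    KRI("latency_p99_ms", warn=300, critical=1000),        # latency SLO
]

# Where each level goes. A missing reading is routed like a warning: a silent feed is a control gap.
ESCALATION = {"warn": "second_line_risk_oncall", "no_data": "second_line_risk_oncall", "critical": "risk_committee_and_halt"}

# Constructed metrics snapshot (assumed schema and values).
SAMPLE_SNAPSHOT = {
    "net_withdrawals_24h": 30_000_000, "liquid_reserves": 200_000_000,
    "pair_volume_24h": {"BTC-USDT": 70_000_000, "ETH-USDT": 20_000_000, "SOL-USDT": 10_000_000},
    "liquidations_24h": 240, "latency_p99_ms": 250,
}

def compute_kris(snapshot):
    """Derive the KRI readings from a raw metrics snapshot."""
    vol = snapshot["pair_volume_24h"]
    return {
        "withdrawal_pressure": snapshot["net_withdrawals_24h"] / snapshot["liquid_reserves"],
        "pair_concentration": max(vol.values()) / sum(vol.values()),
        "liquidations_per_hour": snapshot["liquidations_24h"] / 24,
        "latency_p99_ms": snapshot["latency_p99_ms"],
    }

def evaluate(readings, kris=KRIS):
    """Return {kri_name: level} with level in 'ok', 'warn', 'critical', 'no_data'."""
    levels = {}
    for k in kris:
        v = readings.get(k.name)
        if v is None: levels[k.name] = "no_data"
        elif v >= k.critical: levels[k.name] = "critical"
        elif v >= k.warn: levels[k.name] = "warn"
        else: levels[k.name] = "ok"
    return levels

def escalate(levels):
    """Turn breaches into (kri, level, route) tuples; 'ok' produces nothing."""
    return [(n, lv, ESCALATION[lv]) for n, lv in levels.items() if lv != "ok"]
```

On the sample snapshot, withdrawal pressure lands at 0.15 (warn) and pair concentration at 0.70 (critical), so the two breaches route to different owners while the other KRIs stay quiet.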

Risk appetite belongs in writing: what we will not do with client assets, how much proprietary risk we run (zero), what uptime we target. Ambiguity is how commingling starts.

Culture — near-misses get postmortems; “ship at all costs” without a dissent channel ends the same way twice.

GaiaEx leans on non-custodial settlement and MPC-style key handling so a large class of “one database, one boss” failures never gets the same shape. Market risk, contract risk, and regulatory risk remain — they need the same monitoring discipline as anywhere else.