Enterprise Risk and Opportunity Management: Concepts and Step-by-Step Examples for Pioneering Scientific and Technical Organizations

Allan S. Benjamin

ISBN: 978-1-119-31873-6

Feb 2017

360 pages



Risk management strategy for the pioneering technological sector

Enterprise Risk and Opportunity Management provides much-needed guidance tailored specifically to the technological sector. While most enterprise risk management guides are written for traditional businesses and finance firms, this book translates effective enterprise risk and opportunity management (EROM) principles into strategies and practices that work for government, nonprofit, and for-profit organizations in the technological space. Originally designed for noncommercial pioneering enterprises like NASA, an entire chapter is now devoted toward applying the methods to profit-making technological enterprises.

A 40-year veteran of the tech sector, Dr. Allan Benjamin outlines risk management strategies for organizations in which the advancement and integration of science and technology within complex systems is necessary for accomplishment of the mission. Commercial EROM strategies do not translate directly when the development and implementation of risky technologies is the organization's primary objective, and clumsy or near-sighted implementation can easily cripple progress. This book provides authoritative guidance tailored to the sector's specialized needs.

  • Maximize opportunity while effectively managing risk
  • Understand the core principles of the technological EROM approach and its interfaces with the management of the organization
  • Comprehend the intricacies of aggregating risks and opportunities from lower to higher levels of the organization
  • Gain expert insights specific to the technology sector
  • Mitigate and control the risk that comes with pursuing discovery

In practice, EROM in this sector involves working with mostly qualitative data, and is characterized by high uncertainty. Managing risk without handicapping the organization requires a specific set of adjustments to traditional EROM, and a more nuanced approach to the idea of "acceptable risk." Balance is key in technological EROM, and Enterprise Risk and Opportunity Management provides foundational guidance, real-world strategy, and enlightening examples for getting it right.

Preface xxiii

Introduction xxv

CHAPTER 1 An EROM Primer for Organizations Concerned with Technical Research, Integration, and Operations (TRIO Enterprises) 1

1.1 EROM Scope and Objectives for TRIO Enterprises 1

1.1.1 What Is EROM? 1

1.1.2 Why Is EROM Important to TRIO Enterprises? 2

1.1.3 What Kinds of Risk and Opportunity Are Considered within EROM for TRIO Enterprises? 3

1.1.4 How Does EROM for Nonprofit and Government TRIO Enterprises Differ from EROM for Typical Commercial Enterprises? 4

1.1.5 To What Extent Does EROM Work within the Existing Management Structure of a TRIO Enterprise? 5

1.1.6 How Does EROM Facilitate Negotiations between a TRIO Enterprise and the Entities That Provide Funding and Governance? 6

1.1.7 Can Various Management Units within the Organization Separately Apply EROM as Though Each Were an Enterprise? 7

1.1.8 In What Areas Does EROM Facilitate Strategic Planning, Implementation, and Evaluation of Performance for TRIO Enterprises? 8

1.2 EROM Definitions and Technical Attributes for TRIO Enterprises 9

1.2.1 What Is Meant by Risk and Opportunity within the Context of EROM? 9

1.2.2 How Do We Differentiate between Risks and Opportunities during Strategic Planning versus during Plan Implementation and Performance Evaluation? 11

1.2.3 How Does EROM Help Achieve an Optimal Balance between Risk and Opportunity? 11

1.2.4 What Is Meant by the Terms Risk Scenario, Opportunity Scenario, Cumulative Risk, and Cumulative Opportunity? 13

1.2.5 How Does EROM Incorporate Risk-Informed Decision Making and Continuous Risk Management within the Organization as a Whole and within Different Management Units? 14

1.2.6 Is the Analysis in EROM Principally Qualitative or Quantitative? 16

1.2.7 Can EROM Account for Unknown and Underappreciated (UU) Risks? 17

Notes 18

References 19

CHAPTER 2 Coordination of EROM with Organizational Management Activities 21

2.1 The Executive, Programmatic, and Institutional/Technical Management Functions and Their Interfaces 21

2.2 EROM-Relevant Management Activities 23

2.2.1 Activities within Each Management Level 23

2.2.2 Roles and Responsibilities within and between Each Management Level 26

2.3 Coordination of EROM with Management Activities 31

2.3.1 Organizational Planning and Plan Implementation 31

2.3.2 Evaluation of Organizational Performance and Replanning 31

2.3.3 Alignment with Management-Level Roles and Responsibilities 35

2.4 Communication across Extended Partnerships 35

2.4.1 Nature of the Strategic Objectives That Require Extended Partnerships 35

2.4.2 The Challenges of Conducting EROM across Extended Partnerships 42

2.5 Contribution of EROM to Compliance with Federal Regulations and Directives 43

2.5.1 OMB Circular A-11 and GPRAMA (Government Performance, Results, and Budgeting) 43

2.5.2 EROM and Internal Controls from the Viewpoint of Federal Regulations and Guidance 45

2.5.3 OMB Circular A-123 (Management’s Responsibility for ERM and Internal Control) and the Required Statement of Assurance 47

2.5.4 Example Risk Profile from OMB Circular A-123 49

Notes 52

References 52

CHAPTER 3 Overview of EROM Process and Analysis Approach 55

3.1 Organizational Objectives Hierarchies 55

3.1.1 Objectives Hierarchies for Each Management Unit 55

3.1.2 Objectives Hierarchy for the Enterprise as a Whole 57

3.2 Populating the Organizational Objectives Hierarchies with Risk and Opportunity Information 61

3.3 Establishing Risk Tolerances and Opportunity Appetites 63

3.3.1 Risk and Opportunity Parity Statements 63

3.3.2 Response Boundaries and Watch Boundaries 65

3.4 Identifying Risk and Opportunity Scenarios and Leading Indicators 66

3.4.1 Risk and Opportunity Taxonomies 67

3.4.2 Risk and Opportunity Scenario Statements 68

3.4.3 Risk and Opportunity Scenario Narratives 72

3.4.4 Risk and Opportunity Leading Indicators 73

3.4.5 Leading Indicators of Unknown and Underappreciated (UU) Risks 74

3.5 Specifying Leading Indicator Trigger Values and Evaluating Cumulative Risks and Opportunities 78

3.5.1 Leading Indicator Trigger Values 80

3.5.2 Cumulative Risks and Opportunities 80

3.6 Identifying and Evaluating Risk Mitigation, Opportunity Exploitation, and Internal Control Options 82

3.6.1 Deducing Risk and Opportunity Drivers 82

3.6.2 Deducing Risk and Opportunity Scenario Drivers 83

3.6.3 Evaluating Risk and Opportunity Scenario Likelihoods and Impacts 85

3.6.4 Identifying Options for Risk Response, Opportunity Action, and Internal Control 87

3.6.5 Evaluating Options for Risk Response, Opportunity Action, and Internal Control 89

3.6.6 Brief Comparison of this Approach with the COSO Internal Control Framework and the GAO Green Book 91

Notes 94

References 94

CHAPTER 4 The Development and Utilization of EROM Templates for Performance Evaluation and Strategic Planning 97

4.1 Overview 97

4.2 Demonstration Example: The NASA Next-Generation Space Telescope as of 2014 99

4.3 Example Objectives Hierarchies 101

4.3.1 Objectives Hierarchies for Different Management Levels 101

4.3.2 Integrated Objectives Hierarchies for the Enterprise as a Whole 103

4.4 Risks, Opportunities, and Leading Indicators 103

4.4.1 Known Risk and Opportunity Scenarios 105

4.4.2 Cross-Cutting Risks and Opportunities 105

4.4.3 Unknown and Underappreciated Risks 112

4.5 Example Templates for Risk and Opportunity Identification and Evaluation 113

4.5.1 Risk and Opportunity Identification Template 113

4.5.2 Leading Indicator Evaluation Template 113

4.6 Example Templates for Risk and Opportunity Roll-Up 126

4.6.1 Objectives Interface and Influence Template 126

4.6.2 Known Risk Roll-Up Template 126

4.6.3 Opportunity Roll-Up Template 144

4.6.4 Composite Indicator Identification and Evaluation Template 147

4.6.5 UU Risk Roll-Up Template 151

4.7 Example Templates for the Identification of Risk and Opportunity Drivers, Responses, and Internal Controls 159

4.7.1 Risk and Opportunity Driver Identification Template 159

4.7.2 Risk and Opportunity Scenario Likelihood and Impact Evaluation Template 161

4.7.3 Risk Mitigation, Opportunity Action, and Internal Control Identification Templates 161

4.7.4 High-Level Display Template 165

4.8 Upward Propagation of Templates for Full-Scope EROM Applications 165

4.8.1 Scope of the Problem 165

4.8.2 Propagation of Templates 173

4.8.3 Development of an Integrated EROM Database 175

4.9 Application of the Templates to Organizational Planning and the Selection from among Alternative Candidate Portfolios 175

Notes 181

References 181

CHAPTER 5 Management and Implementation of EROM at the Institutional/Technical Level (Technical Centers or Directorates) 183

5.1 EROM from a Technical Center’s Perspective 183

5.2 Extended Enterprises and the Technical Center’s Extended Organization 184

5.2.1 Overview 184

5.2.2 Relationship of Each Technical Center to the Other Entities in the Center’s Extended Organization 187

5.2.3 EROM Organizational Structure for a Technical Center’s Extended Enterprises 189

5.2.4 Challenges of Creating and Managing an Integrated Database 191

5.3 EROM-Informed Budgeting of Resources across a Technical Center’s Extended Organization 192

5.3.1 Objectives-Based Distribution of Human, Physical, and Instructional Assets 192

5.3.2 Representative Templates for Distributions of Allocated Assets 192

5.3.3 Asset Risks, Opportunities, and Risk/Opportunity Scenario Statements 198

5.3.4 Leading Indicators of a Technical Center’s Health 200

5.3.5 Correlations between Internal Leading Indicators and Gaps in the Distributions of Human, Physical, and Instructional Assets 201

5.3.6 Optimization of the Acquisition, Allocation, and Retirement of Human, Physical, and Instructional Assets 203

5.3.7 Relevance to Provider Acquisition Decisions Made by Technical Centers 206

References 206

CHAPTER 6 Special Considerations for EROM Practice and Analysis at Commercial TRIO Enterprises 207

6.1 Overview 207

6.2 Risk and Opportunity Scenarios and Leading Indicators 210

6.2.1 Risk and Opportunity Taxonomies 210

6.2.2 Risk and Opportunity Branching Events and Scenario Event Diagrams 210

6.2.3 Risk and Opportunity Templates 215

6.2.4 Risk and Opportunity Matrices 221

6.3 Controllable Drivers, Mitigations, Actions, and Internal Controls 229

CHAPTER 7 Examples of the Use of EROM Results for Informing Risk Acceptance Decisions 237

7.1 Overview 237

7.2 Example 1: DoD Ground-Based Midcourse Missile Defense in the 2002 Time Frame 238

7.2.1 Background 238

7.2.2 Top-Level Objectives, Risk Tolerances, and Risk Parity 239

7.2.3 Risks and Leading Indicators 242

7.2.4 Leading Indicator Trigger Values 244

7.2.5 Example Template Entries and Results 247

7.2.6 Implications for Risk Acceptance Decision Making 247

7.3 Example 2: NASA Commercial Crew Transportation System as of 2015 249

7.3.1 Background 249

7.3.2 Top-Level Objectives, Risk Tolerances, and Risk Parity 251

7.3.3 Remainder of Example 2 253

7.4 Implication for TRIO Enterprises and Government Authorities 254

References 254

CHAPTER 8 Independent Appraisal of EROM Processes and Results to Assure the Adequacy of Internal Controls and Inform Risk Acceptance Decisions 255

8.1 Background 255

8.1.1 OMB Motivation 255

8.1.2 Department of Energy Guidance 256

8.1.3 Institute of Internal Auditors Guidance 257

8.2 Queries for an Independent Appraisal of EROM in the Contexts of Internal Control and Risk Acceptance 258

8.2.1 Overview 258

8.2.2 Template for Evaluating EROM Process and Results 259

References 265

CHAPTER 9 Brief Overview of the Potential Integration of EROM with Other Strategic Assessment Activities 267

9.1 Technical Capability Assessment (TCA) 267

9.2 Strategic Annual Review (SAR) 270

9.3 Portfolio Performance Review (PPR) 271

References 274

CHAPTER 10 An Integrated Framework for Hierarchical Internal Controls 275

10.1 Internal Control Principles and the Integration of Internal Control, Risk Management, and Governance 275

10.2 Methodological Basis 280

10.2.1 Hierarchical Control Loops 280

10.2.2 RACI Matrices 282

10.3 Examples 285

10.3.1 Example 1: Institutional Responsibility for Risk Management and System Safety 285

10.3.2 Example 2: NASA Commercial Crew Program Risk-Based Assurance Process and Shared Assurance Model 287

10.4 Incorporation of Internal Control Principles into the Control Loop Approach 297

10.5 Summary of Observations 302

References 306

APPENDIX A Acronyms 309

APPENDIX B Definitions 311

About the Author 315

Index 317