Enterprise Risk and Opportunity Management
Concepts and Step-by-Step Examples for Pioneering Scientific and Technical Organizations
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
Library of Congress Cataloging-in-Publication Data:
Names: Benjamin, Allan S., author.
Title: Enterprise risk and opportunity management : concepts and step-by-step examples for pioneering scientific and technical organizations / Allan S. Benjamin.
Figures
1.1 Decision making is a balance between risk and opportunity
1.2 Risk tolerance relative to diverse goals and objectives
1.3 The elements of RIDM and CRM applied to the TRIO enterprise's management activities at various levels
2.1 The three levels of management within a typical enterprise
2.2 The principal activities and transfer of information within and between levels of management
2.3 Activities within the executive level and transfer of information from/to external and internal sources
2.4 Activities within a program directorate (programmatic level) and transfer of information from/to external and internal sources
2.5 Activities within a technical center (institutional/technical level) and transfer of information from/to external and internal sources
2.6 Interfaces between EROM activities and management activities in the development of an organizational plan
2.7 Interfaces between EROM activities and management activities in the evaluation of performance relative to the organizational plan
2.8 The relationship between governance, enterprise risk management, and internal controls according to the new OMB Circular A-123
3.1 Types of objectives developed at the executive level
3.2 Types of objectives developed at the programmatic level
3.3 Types of objectives developed at the institutional/technical level
3.4 Conceptualization of an enterprise-wide objectives hierarchy
3.5 Associating risk and opportunity information with objectives in the organizational objectives hierarchy
3.6 Risk and opportunity response and watch boundaries
3.7 Example taxonomy for enterprise risks and opportunities
3.8 Risk and opportunity leading indicator triggers
3.9 Hypothetical results showing how the elimination of a risk driver affects cumulative risk and the elimination of an opportunity driver affects cumulative opportunity
3.10 Iterative process for identifying and evaluating a risk response, opportunity action, and internal control plan that balances cumulative risk, cumulative opportunity, and cost
4.1 Executive-level objectives for the example demonstration
4.2 Programmatic-level objectives for the example demonstration
4.3 Center-level objectives for the example demonstration
4.4 Integrated objectives hierarchy showing primary interfaces between objectives
4.5 Individual risks and associated leading indicators for executive-level objectives
4.6 Individual risks and associated leading indicators for program-level objectives
4.7 Individual risks and associated leading indicators for center-level objectives
4.8 Individual opportunities, introduced risks, and associated leading indicators for executive-level objectives
4.9 Secondary objective interfaces for the example demonstration
4.10 Schematic of roll-up method alternative 1 for Objective E (>10) #1
4.11 Schematic of roll-up method alternative 2 for Objective E (>10) #1
4.12 Schematic of risk roll-up for Objective P (1) #11 in the example demonstration
4.13 Illustration of risk and opportunity scenario drivers and their time-frame criticalities
4.14 Illustration of risk and opportunity constituent drivers and their time-frame criticalities
4.15 Schematic showing the upward propagation of templates for full-scope EROM applications
5.1 The extended organization for a NASA center
5.2 NASA example of how each center takes risk and opportunity inputs from a variety of entities and supports multiple strategic objectives of the agency
5.3 A representative EROM organizational chart for a technical center that manages extended enterprises
5.4 The success of a technical center's inherited strategic objectives is dependent on the “right-sizing” of the resources available to the center (NASA example)
5.5 Outline of the steps in the iterative process for optimizing asset distributions based on costs and current and projected values of leading indicators
5.6 Illustration of iterative process for optimizing asset distributions based on costs and current and projected values of leading indicators
6.1 Integration of qualitative and quantitative modeling to evaluate the likelihood of success of a commercial TRIO enterprise
6.2 Example enterprise risk taxonomy for a commercial TRIO enterprise
6.3 Example opportunity taxonomy for a commercial TRIO enterprise
6.4 Example risk scenario statement and scenario event diagram for a risk in the taxonomic category “Competition from other companies”
6.5 Example risk scenario statement and scenario event diagram for a risk in the taxonomic category “Customer satisfaction”
6.6 Example risk scenario statement and scenario event diagram for a risk in the taxonomic category “Leadership mortality and succession issues”
6.7 Example risk scenario statement and scenario event diagram for a risk in the taxonomic category “Accident causing human deaths”
6.8 Example risk scenario statement and scenario event diagram for a risk in the taxonomic category “Changes in foreign exchange rates and interest rates”
6.9 Example risk scenario statement and scenario event diagram for a risk in the taxonomic category “Labor strikes”
6.10 Example risk scenario statement and scenario event diagram for a risk in the taxonomic category “Exploitation of new technology”
6.11 Example risk scenario statement and scenario event diagram for a risk in the taxonomic category “Act of terror”
6.12 Example risk and opportunity matrix for quantitative financial objectives
6.13 Example risk scenario statement, scenario event diagram, and scenario matrix for a risk in the taxonomic category “Competition from other companies”
6.14 Example risk scenario statement, scenario event diagram, and scenario matrix for a risk in the taxonomic category “Exploitation of new technology”
7.1 Objectives and hypothetical cumulative risk parity table for GMD example
7.2 Risks and leading indicators for GMD example (2002 time frame)
7.3 Hypothetical composite leading indicator parity table for GMD example
7.4 Objectives and hypothetical cumulative risk parity table for CCTS example
9.1 Relationship between the TCA process and the EROM objectives interface and influence template
9.2 Relationship between the EROM risk-and-opportunity-based asset optimization process and the TCA asset right-sizing objective
9.3 Relationship between the EROM risk and opportunity identification and leading indicator evaluation templates and the SAR process
9.4 Relationship between the EROM risk and opportunity roll-up templates and the SAR process
10.1 Conceptualization of the relationship between governance, risk management, and internal controls: strategic planning
10.2 Conceptualization of the relationship between governance, risk management, and internal controls: organizational performance evaluation
10.3 Simplified schematic of the interfaces between organizational management functions and organizational management levels
10.4 Standard control loop form
10.5 Example simple control loop for a mechanical system
10.6 Example form of a hierarchical system of internal control loops
10.7 Example primary control loop for the objective of improving risk management and system safety methodology and practice within the enterprise
10.8 Process diagram for the selected control activity: “Develop and update risk management and system safety policies, procedures, standards, and guides”
10.9 Secondary control loop for the selected control activity: “Develop and update risk management and system safety policies, procedures, standards, and guides”
10.10 Process diagram and tertiary control loop for the selected control activity: “Develop and update RM and SS policies, procedures, standards, and guides”
10.11 Example primary control loop for CCP's objective of achieving acceptable safety within schedule and budget using the RBA process and shared assurance model
10.12 Example generic primary control loop for achievement of internal control principles
10.13 Example primary control loop for demonstration of a commitment to integrity and ethical values
Tables
2.1 Typical Executive, Program Directorate, and Technical Directorate Managerial Roles and Responsibilities (Adapted from NASA 2014a, Table D-1)
2.2 Executive, Program Directorate, and Technical Directorate Standards of Support to Be Provided by EROM Consistent with Roles and Responsibilities Outlined Previously
2.3 Example Risk Profile from the New OMB-Circular A-123
3.1 Typical Risk and Opportunity Scenario Types and Associated Leading Indicators
3.2 Published Guidelines for Roughly Estimating the Ratio of the System Failure Probability from UU Risks to the System Failure Probability from Known Risks at Time of Initial Operation (Benjamin et al. 2015)
3.3 Example Likelihood Scale for a Risk or Opportunity Relative to a Critical Organizational Objective
3.4 Example Impact Scale for a Risk or Opportunity Relative to a Critical Organizational Objective
4.1 A View of the Form of the Outcome for Cumulative Risks and Opportunities
4.2 Risk and Opportunity Identification Template
4.3 Leading Indicator Evaluation Template
4.4 Example Entries for Leading Indicator Evaluation Template for Objective P(1) #11: Deliver the Cryocooler Subsystem
4.5 Objectives Interface and Influence Template
4.6 Known Risk Roll-Up Template
4.7 Example Entries for Known Risk Roll-Up Template for Objective P(1) #11: Deliver the Cryocooler Subsystem
4.8 Example Entries for Risk Roll-Up Template for Objective P(1) #11 Including an Intermediate Roll-Up to Risk Scenario Level
4.9 Opportunity Roll-Up Template
4.10 Example Entries for Opportunity Roll-Up for Objective E(>10) #1: Discover How the Universe Works, Explore How It Began/Evolved, Search for Life on Planets Around Other Stars
4.11 Composite Indicator Identification and Evaluation Template
4.12 Example Entries for Risk Roll-Up Template for Objective P(1) #11 Using a Composite Indicator
4.13 UU Risk Roll-Up Template
4.14 Example Risk and Opportunity Driver Identification Template
4.15 Example Entries for Risk and Opportunity Scenario Likelihood and Impact Evaluation Template
4.16 Example Entries for Risk Mitigation and Internal Control Template for Objective E (>10) #1: Discover How the Universe Works
4.17 Example Entries for Opportunity Action and Internal Control Template for Objective E (>10) #1: Discover How the Universe Works
4.18 High-Level Display Template
4.19 Example Risk Roll-Up Template for the Next-Generation Space Telescope as Applied to Alternative Selection during Organizational Planning
5.1 Distribution of Responsibilities among the Principal Entities within the JWST Project (Source: NASA 2016c)
5.2 Templates for Distribution of Human (Workforce), Physical, and Instructional Assets
6.1 Form of the Risk and Opportunity Identification and Evaluation Templates (Combined) for the Commercial TRIO Enterprise Example
6.2 Form of the Risk and Opportunity Roll-Up Templates (Combined) for the Commercial TRIO Enterprise Example
6.3 Qualitative/Quantitative Risk and Opportunity Roll-Up Comparison Template for the Commercial TRIO Enterprise Example (Excerpt)
6.4 Example Controllable Drivers and Corresponding Existing Safeguards, Risk Mitigations, Opportunity Actions, and Internal Controls for XYZ Company
6.5 Excerpt of the Risk Mitigation and Internal Control Template and the Opportunity Action and Internal Control Template for the Commercial TRIO Enterprise
7.1 Leading Indicator Evaluation Template for GMD Example (2002 Time Frame)
7.2 High-Level Display Template for GMD Example (2002 Time Frame)
7.3 High-Level Display Template for GMD Example after Adopting Corrective Actions That Balance the Risks to the Top-Level Objectives
8.1 Template for Evaluating EROM Process and Results
10.1 Example form of a RACI matrix
10.2 Example summary chart of cascading activities, weaknesses, and controls for the SMA organization example
10.3 Example RACI chart for the SMA example
10.4 Candidates for secondary and tertiary control loops for CCP risk-based assurance process and shared assurance model
10.5 GAO green book principles for internal control (GAO 2014)
10.6 GAO green book means of accomplishment for principle 1 (GAO 2014)
10.7 MIT-conducted NASA independent technical authority study: system safety principles for internal control and means of accomplishment (Leveson et al. 2005)
10.8 Example template for aggregating means of accomplishment to principles
Preface
In one form or another, I have been preparing to write this book for many years. In the most recent of those years, my focus has been on collaborating with NASA personnel on producing detailed guidance about potential ways that the agency could apply enterprise risk and opportunity management to help ensure its success as its mission becomes more complex. This collaboration has resulted in the publication of the NASA special publication report, Organizational Risk and Opportunity Management: Concepts and Processes for NASA Consideration.
In the process of writing that report, my thinking has evolved into considering two extensions of the original NASA purpose. First is how EROM can be applied to other pioneering technical organizations, both nonprofit and commercial, some of whom I have previously worked with on matters of risk and opportunity assessment and management. Second is how EROM can be integrated with the identification, implementation, and evaluation of internal controls, complying with new requirements from the federal government. This book, therefore, builds on the NASA work by extending it to be generally applicable to organizations of all sorts that are concerned with performing pioneering technical research, integrating and operationalizing that research into complex technical systems, and satisfying externally mandated requirements.
One might ask, “Why yet another guidebook on EROM when there have been several others produced during the past 10 or 15 years?” The answer is that the vast majority of the work that has appeared before now has been oriented toward business and financial organizations, whose objectives center on ultimate monetary gain for their company and their stockholders. In contrast, organizations whose principal objective is to develop and implement risky technologies for scientific and technical gain are faced with different kinds of risks and different kinds of opportunities. In many ways, their risks and opportunities are broader and more challenging than those of the traditional commercial business/financial sector, because their successes may produce breakthroughs that benefit the entire world while their failures may correspondingly have negative global implications. Yet they, like commercial business/financial companies, are also faced with the pressure of tight schedules, decreasing budgets, and political vagaries.
Another reason for writing this book is to fill a gap that exists in explaining how the high-level principles of EROM that others have presented (for example, COSO) can be converted into fine-tuned methods and tools. The practice of EROM in pioneering technical enterprises involves working with mostly qualitative data in a realm that is characterized by high uncertainties. The rigorous part of EROM in such an environment is in the strength of the arguments that are made to reach conclusions about how the enterprise should proceed. Thus, a large part of the effort concerns the derivation of the tasks and templates needed to assist in ensuring that the rationale behind the arguments is both sound and comprehensive. Fulfilling this need is one of the focuses of the book.
Government offices like the Office of Management and Budget (OMB), the Government Accountability Office (GAO), and the President's Management Council (PMC) are beginning to encourage and even require the use of EROM in federal agencies, while many top-notch educational and research centers are beginning or have already begun to incorporate EROM into their strategic planning. It is hoped that this book will be of particular value in encouraging and informing these efforts.
In the words of Thomas H. Stanton, past president of the Association of Federal Enterprise Risk Management (AFERM), [quoting from the second quarter 2015 AFERM newsletter]: “Among those agencies that face serious budget cuts, those with strong risk management processes are likely to fare much better—in terms of protecting their core missions and the well-being of their constituents and employees—than those lacking the ability to identify, prioritize, and address major risks that may arise without the protections that effective ERM provides.”
Before commencing, I would like to express my special thanks to Dr. Homayoon Dezfuli, Technical Fellow for System Safety and Risk Management at the NASA Office of Safety and Mission Assurance, and Chris Everett, Manager of the Technology Risk Management Office at Information Systems Laboratories, Inc. (ISL), with whom I collaborated in the formulation of an integrated EROM framework and in the development of the antecedent NASA report through a NASA/ISL blanket purchase agreement (BPA). Special thanks are also due to the following professionals at NASA for reviewing that work and helping to improve its content: Julie Pollitt (retired), Chet Everline, Martin Feather, Sharon Thomas, Emma Lehnhardt, Jessica Southwell (now with the Department of Labor), Prince Kalia, Harmony Myers, Anthony Mittskus, Sue Otero, Wayne Frazier, Kimberly Ennix Sandhu, and Pete Rutledge (retired and now with Quality Assurance and Risk Management Inc.).
Introduction
Enterprise risk and opportunity management (EROM), also known as enterprise risk management (ERM), concerns the means by which organizations apply risk and opportunity considerations in developing their strategic goals and objectives, in implementing them through a portfolio of programs, projects, institutional assets, and activities, and in managing them through internal controls. The overall purpose of EROM is to help reach an optimal balance between minimizing the potential for loss (risk) while maximizing the potential for gain (opportunity).
The principal focus of this book is on the development of an EROM framework and overall approach that serves the interests of organizations that are charged with pioneering the development of new technology and applying it to complex systems (henceforth referred to as “Technical Research, Integration, and Operationalizing enterprises,” or TRIO enterprises). The framework is developed first for nonprofit and government organizations whose interests are specifically in achieving technical gains and performing services in the interest of the public. That framework is then extended to provide an EROM framework for commercial TRIO enterprises that develop and apply technology as a means for achieving their stakeholders' financial goals.
The book discusses the philosophical underpinnings of EROM for TRIO enterprises, the integration of EROM with existing management processes, and the nature of the activities that are performed to implement EROM within this context. It also provides concrete examples to illustrate all of these topics. The framework includes a set of core principles and examples that would be pertinent to any successful EROM approach, along with some features that are specific to TRIO enterprises.
The book also provides guidance that is intended to help federal agencies comply with the requirements of the Office of Management and Budget (OMB), expressed in their most recent updates to Circulars A-11 and A-123. The July 2016 update of Circular A-123 directs agencies of the federal government to fully integrate risk management and internal control activities into an EROM framework, proceeding incrementally according to a “maturity model approach.” This book discusses organizational structures and analytical tools that are consistent with reaching that point.
Chapters 1 and 2 are intended mainly for high-level managers and their administrative staff who wish to understand the organizational aspects of EROM and the broad concepts of how it could be applied at TRIO enterprises. Chapter 1 is presented in the form of a primer on EROM, answering fundamental questions about how EROM works at a high level, how EROM is particularly relevant to pioneering technical enterprises, how it operates in tandem with existing management structures, how it facilitates interactions with external agencies, and how it can be applied both across the enterprise as a whole and within individual management units of the enterprise. Chapter 2 discusses how EROM coordinates with the major management functions within most technically oriented enterprises, how it helps to shape and corroborate the information that flows within, between, and out of these management functions, how it may be practiced in TRIO enterprises that interact with many partners, both domestic and international, and how it helps to satisfy requirements mandated by governing federal entities.
Chapters 3 and 4 are directed more toward technical managers and practitioners who wish to gain an understanding of some of the more important technical details and the fine points of implementing EROM at TRIO enterprises. Chapter 3 provides guidance on the activities that are conducted within an EROM analysis for TRIO enterprises, including advice on how risk tolerances and opportunity appetites can be established, how risk and opportunity scenarios can be formulated and categorized, how indicators of the potential importance of risks and opportunities can be identified, tracked, and evaluated, how the overall degree of achievement for each objective can be inferred from the indicators, how the potential for unknown and/or underappreciated (UU) risks can be evaluated, how risk and opportunity drivers can be derived, and how responses including risk mitigation, opportunity exploitation, and internal controls can be identified and evaluated. Chapter 4 provides helpful templates for conducting EROM within TRIO enterprises, and using a real example derived from the NASA James Webb Space Telescope (JWST) project, shows how the templates may be populated and exploited for purposes of evaluating overall performance and planning strategy.
Chapter 5 focuses on how EROM may be applied within major technical units of a TRIO enterprise (i.e., technical centers or technical directorates). Sections 5.1 and 5.2 speak about the managerial aspects of EROM at the center or directorate level, emphasizing the various roles that each center or directorate plays in executing its programmatic and institutional responsibilities, the nature of the strategic objectives that require technical centers and directorates to manage multiple partnerships, the ways in which a center or directorate can use an EROM approach to facilitate its management responsibilities, and the organizational aspects of EROM that permit effective communication between a technical center or directorate and its various partnering organizations. Section 5.3 discusses the technical activities that may be conducted within an EROM analysis for technical centers and directorates, emphasizing the types of risks and opportunities and associated indicators that pertain to its core competencies and the development, allocation, and retirement of its resources and assets. Section 5.3 also provides additional templates, which, together with those in Chapter 4, can be of significant use for planning the strategies and evaluating the overall performance of technical centers and directorates.
Chapter 6 augments the approaches discussed in the preceding chapters to establish a framework for commercial TRIO enterprises, where the primary objectives are the optimization of financial gains for their stakeholders over short-term, mid-term, and long-term time frames. One of the primary intents of Chapter 6 is to integrate the qualitative aspects of EROM developed in earlier chapters with the quantitative aspects of financial planning and accounting. For this purpose, the treatment of risks and opportunities in the financial model is informed by the risk and opportunity scenarios developed in the templates of Chapters 4 and 5, and the key variables in the financial model are informed by the leading indicators and risk/opportunity drivers identified through the use of the templates. The process is illustrated using, as an example, a fictional prime contractor that manufactures products and develops systems for the aerospace and defense markets. The example focuses on developing risk and opportunity scenario taxonomies and event sequence diagrams that depict the choices the company has to make and the risks and opportunities that each choice entails with respect to its financial goals. Financially oriented risk and opportunity matrices are introduced to facilitate the decision-making process and the derivation of internal controls.