Enterprise Risk and Opportunity Management - Allan S. Benjamin - E-Book

Allan S. Benjamin

Description

Risk management strategy for the pioneering technological sector

Enterprise Risk and Opportunity Management provides much-needed guidance tailored specifically to the technological sector. While most enterprise risk management guides are written for traditional businesses and finance firms, this book translates effective enterprise risk and opportunity management (EROM) principles into strategies and practices that work for government, nonprofit, and for-profit organizations in the technological space. The methods were originally designed for noncommercial pioneering enterprises like NASA; an entire chapter is now devoted to applying them to profit-making technological enterprises. A 40-year veteran of the tech sector, Dr. Allan Benjamin outlines risk management strategies for organizations in which the advancement and integration of science and technology within complex systems is necessary for accomplishment of the mission. Commercial EROM strategies do not translate directly when the development and implementation of risky technologies is the organization's primary objective, and clumsy or near-sighted implementation can easily cripple progress. This book provides authoritative guidance tailored to the sector's specialized needs.

* Maximize opportunity while effectively managing risk
* Understand the core principles of the technological EROM approach and its interfaces with the management of the organization
* Comprehend the intricacies of aggregating risks and opportunities from lower to higher levels of the organization
* Gain expert insights specific to the technology sector
* Mitigate and control the risk that comes with pursuing discovery

In practice, EROM in this sector involves working with mostly qualitative data and is characterized by high uncertainty. Managing risk without handicapping the organization requires a specific set of adjustments to traditional EROM, and a more nuanced approach to the idea of "acceptable risk." Balance is key in technological EROM, and Enterprise Risk and Opportunity Management provides foundational guidance, real-world strategy, and enlightening examples for getting it right.

Page count: 389

Year of publication: 2017



Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Australia and Asia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.

The Wiley Finance series contains books written specifically for finance and investment professionals as well as sophisticated individual investors and their financial advisors. Book topics range from portfolio management to e-commerce, risk management, financial engineering, valuation and financial instrument analysis, as well as much more.

For a list of available titles, visit our website at www.WileyFinance.com.

Table of Contents

Cover

Title Page

Copyright

Figures

Tables

Preface

Introduction

Chapter 1: An EROM Primer for Organizations Concerned with Technical Research, Integration, and Operations (TRIO Enterprises)

1.1 EROM Scope and Objectives for TRIO Enterprises

1.2 EROM Definitions and Technical Attributes for TRIO Enterprises

Notes

References

Chapter 2: Coordination of EROM with Organizational Management Activities

2.1 The Executive, Programmatic, and Institutional/Technical Management Functions and Their Interfaces

2.2 EROM-Relevant Management Activities

2.3 Coordination of EROM with Management Activities

2.4 Communication across Extended Partnerships

2.5 Contribution of EROM to Compliance with Federal Regulations and Directives

Notes

References

Chapter 3: Overview of EROM Process and Analysis Approach

3.1 Organizational Objectives Hierarchies

3.2 Populating the Organizational Objectives Hierarchies with Risk and Opportunity Information

3.3 Establishing Risk Tolerances and Opportunity Appetites

3.4 Identifying Risk and Opportunity Scenarios and Leading Indicators

3.5 Specifying Leading Indicator Trigger Values and Evaluating Cumulative Risks and Opportunities

3.6 Identifying and Evaluating Risk Mitigation, Opportunity Exploitation, and Internal Control Options

Notes

References

Chapter 4: The Development and Utilization of EROM Templates for Performance Evaluation and Strategic Planning

4.1 Overview

4.2 Demonstration Example: The NASA Next-Generation Space Telescope as of 2014

4.3 Example Objectives Hierarchies

4.4 Risks, Opportunities, and Leading Indicators

4.5 Example Templates for Risk and Opportunity Identification and Evaluation

4.6 Example Templates for Risk and Opportunity Roll-Up

4.7 Example Templates for the Identification of Risk and Opportunity Drivers, Responses, and Internal Controls

4.8 Upward Propagation of Templates for Full-Scope EROM Applications

4.9 Application of the Templates to Organizational Planning and the Selection from among Alternative Candidate Portfolios

Notes

References

Chapter 5: Management and Implementation of EROM at the Institutional/Technical Level (Technical Centers or Directorates)

5.1 EROM from a Technical Center's Perspective

5.2 Extended Enterprises and the Technical Center's Extended Organization

5.3 EROM-Informed Budgeting of Resources across a Technical Center's Extended Organization

References

Chapter 6: Special Considerations for EROM Practice and Analysis at Commercial TRIO Enterprises

6.1 Overview

6.2 Risk and Opportunity Scenarios and Leading Indicators

6.3 Controllable Drivers, Mitigations, Actions, and Internal Controls

Chapter 7: Examples of the Use of EROM Results for Informing Risk Acceptance Decisions

7.1 Overview

7.2 Example 1: DoD Ground-Based Midcourse Missile Defense in the 2002 Time Frame

7.3 Example 2: NASA Commercial Crew Transportation System as of 2015

7.4 Implication for TRIO Enterprises and Government Authorities

References

Chapter 8: Independent Appraisal of EROM Processes and Results to Assure the Adequacy of Internal Controls and Inform Risk Acceptance Decisions

8.1 Background

8.2 Queries for an Independent Appraisal of EROM in the Contexts of Internal Control and Risk Acceptance

References

Chapter 9: Brief Overview of the Potential Integration of EROM with Other Strategic Assessment Activities

9.1 Technical Capability Assessment (TCA)

9.2 Strategic Annual Review (SAR)

9.3 Portfolio Performance Review (PPR)

References

Chapter 10: An Integrated Framework for Hierarchical Internal Controls

10.1 Internal Control Principles and the Integration of Internal Control, Risk Management, and Governance

10.2 Methodological Basis

10.3 Examples

10.4 Incorporation of Internal Control Principles into the Control Loop Approach

10.5 Summary of Observations

Note

References

Appendix A: Acronyms

Appendix B: Definitions

About the Companion Website

About the Author

Index

End User License Agreement


List of Illustrations

Chapter 1: An EROM Primer for Organizations Concerned with Technical Research, Integration, and Operations (TRIO Enterprises)

Figure 1.1 Decision making is a balance between risk and opportunity

Figure 1.2 Risk tolerance relative to diverse goals and objectives

Figure 1.3 The elements of RIDM and CRM applied to the TRIO enterprise's management activities at various levels

Chapter 2: Coordination of EROM with Organizational Management Activities

Figure 2.1 The three levels of management within a typical enterprise

Figure 2.2 The principal activities and transfer of information within and between levels of management

Figure 2.3 Activities within the executive level and transfer of information from/to external and internal sources

Figure 2.4 Activities within a program directorate (programmatic level) and transfer of information from/to external and internal sources

Figure 2.5 Activities within a technical center (institutional/technical level) and transfer of information from/to external and internal sources

Figure 2.6 Interfaces between EROM activities and management activities in the development of an organizational plan

Figure 2.7 Interfaces between EROM activities and management activities in the evaluation of performance relative to the organizational plan

Figure 2.8 The relationship between governance, enterprise risk management, and internal controls according to the new OMB Circular A-123

Chapter 3: Overview of EROM Process and Analysis Approach

Figure 3.1 Types of objectives developed at the executive level

Figure 3.2 Types of objectives developed at the programmatic level

Figure 3.3 Types of objectives developed at the institutional/technical level

Figure 3.4 Conceptualization of an enterprise-wide objectives hierarchy

Figure 3.5 Associating risk and opportunity information with objectives in the organizational objectives hierarchy

Figure 3.6 Risk and opportunity response and watch boundaries

Figure 3.7 Example taxonomy for enterprise risks and opportunities

Figure 3.8 Risk and opportunity leading indicator triggers

Figure 3.9 Hypothetical results showing how the elimination of a risk driver affects cumulative risk and the elimination of an opportunity driver affects cumulative opportunity

Figure 3.10 Iterative process for identifying and evaluating a risk response, opportunity action, and internal control plan that balances cumulative risk, cumulative opportunity, and cost

Chapter 4: The Development and Utilization of EROM Templates for Performance Evaluation and Strategic Planning

Figure 4.1 Executive-level objectives for the example demonstration

Figure 4.2 Programmatic-level objectives for the example demonstration

Figure 4.3 Center-level objectives for the example demonstration

Figure 4.4 Integrated objectives hierarchy showing primary interfaces between objectives

Figure 4.5 Individual risks and associated leading indicators for executive-level objectives

Figure 4.6 Individual risks and associated leading indicators for program-level objectives

Figure 4.7 Individual risks and associated leading indicators for center-level objectives

Figure 4.8 Individual opportunities, introduced risks, and associated leading indicators for executive-level objectives

Figure 4.9 Secondary objective interfaces for the example demonstration

Figure 4.10 Schematic of roll-up method alternative 1 for Objective E (>10) #1

Figure 4.11 Schematic of roll-up method alternative 2 for Objective E (>10) #1

Figure 4.12 Schematic of risk roll-up for Objective P (1) #11 in the example demonstration

Figure 4.13 Illustration of risk and opportunity scenario drivers and their time-frame criticalities

Figure 4.14 Illustration of risk and opportunity constituent drivers and their time-frame criticalities

Figure 4.15 Schematic showing the upward propagation of templates for full-scope EROM applications

Chapter 5: Management and Implementation of EROM at the Institutional/Technical Level (Technical Centers or Directorates)

Figure 5.1 The extended organization for a NASA center

Figure 5.2 NASA example of how each center takes risk and opportunity inputs from a variety of entities and supports multiple strategic objectives of the agency

Figure 5.3 A representative EROM organizational chart for a technical center that manages extended enterprises

Figure 5.4 The success of a technical center's inherited strategic objectives is dependent on the “right-sizing” of the resources available to the center (NASA example)

Figure 5.5 Outline of the steps in the iterative process for optimizing asset distributions based on costs and current and projected values of leading indicators

Figure 5.6 Illustration of iterative process for optimizing asset distributions based on costs and current and projected values of leading indicators

Chapter 6: Special Considerations for EROM Practice and Analysis at Commercial TRIO Enterprises

Figure 6.1 Integration of qualitative and quantitative modeling to evaluate the likelihood of success of a commercial TRIO enterprise

Figure 6.2 Example enterprise risk taxonomy for a commercial TRIO enterprise

Figure 6.3 Example opportunity taxonomy for a commercial TRIO enterprise

Figure 6.4 Example risk scenario statement and scenario event diagram for a risk in the taxonomic category “Competition from other companies”

Figure 6.5 Example risk scenario statement and scenario event diagram for a risk in the taxonomic category “Customer satisfaction”

Figure 6.6 Example risk scenario statement and scenario event diagram for a risk in the taxonomic category “Leadership mortality and succession issues”

Figure 6.7 Example risk scenario statement and scenario event diagram for a risk in the taxonomic category “Accident causing human deaths”

Figure 6.8 Example risk scenario statement and scenario event diagram for a risk in the taxonomic category “Changes in foreign exchange rates and interest rates”

Figure 6.9 Example risk scenario statement and scenario event diagram for a risk in the taxonomic category “Labor strikes”

Figure 6.10 Example risk scenario statement and scenario event diagram for a risk in the taxonomic category “Exploitation of new technology”

Figure 6.11 Example risk scenario statement and scenario event diagram for a risk in the taxonomic category “Act of terror”

Figure 6.12 Example risk and opportunity matrix for quantitative financial objectives

Figure 6.13 Example risk scenario statement, scenario event diagram, and scenario matrix for a risk in the taxonomic category “Competition from other companies”

Figure 6.14 Example risk scenario statement, scenario event diagram, and scenario matrix for a risk in the taxonomic category “Exploitation of new technology”

Chapter 7: Examples of the Use of EROM Results for Informing Risk Acceptance Decisions

Figure 7.1 Objectives and hypothetical cumulative risk parity table for GMD example

Figure 7.2 Risks and leading indicators for GMD example (2002 time frame)

Figure 7.3 Hypothetical composite leading indicator parity table for GMD example

Figure 7.4 Objectives and hypothetical cumulative risk parity table for CCTS example

Chapter 9: Brief Overview of the Potential Integration of EROM with Other Strategic Assessment Activities

Figure 9.1 Relationship between the TCA process and the EROM objectives interface and influence template

Figure 9.2 Relationship between the EROM risk-and-opportunity-based asset optimization process and the TCA asset right-sizing objective

Figure 9.3 Relationship between the EROM risk and opportunity identification and leading indicator evaluation templates and the SAR process

Figure 9.4 Relationship between the EROM risk and opportunity roll-up templates and the SAR process

Chapter 10: An Integrated Framework for Hierarchical Internal Controls

Figure 10.1 Conceptualization of the relationship between governance, risk management, and internal controls: strategic planning

Figure 10.2 Conceptualization of the relationship between governance, risk management, and internal controls: organizational performance evaluation

Figure 10.3 Simplified schematic of the interfaces between organizational management functions and organizational management levels

Figure 10.4 Standard control loop form

Figure 10.5 Example simple control loop for a mechanical system

Figure 10.6 Example form of a hierarchical system of internal control loops

Figure 10.7 Example primary control loop for the objective of improving risk management and system safety methodology and practice within the enterprise

Figure 10.8 Process diagram for the selected control activity: “Develop and update risk management and system safety policies, procedures, standards, and guides”

Figure 10.9 Secondary control loop for the selected control activity: “Develop and update risk management and system safety policies, procedures, standards, and guides”

Figure 10.10 Process diagram and tertiary control loop for the selected control activity: “Develop and update RM and SS policies, procedures, standards, and guides”

Figure 10.11 Example primary control loop for CCP's objective of achieving acceptable safety within schedule and budget using the RBA process and shared assurance model

Figure 10.12 Example generic primary control loop for achievement of internal control principles

Figure 10.13 Example primary control loop for demonstration of a commitment to integrity and ethical values

List of Tables

Chapter 2: Coordination of EROM with Organizational Management Activities

Table 2.1 Typical Executive, Program Directorate, and Technical Directorate Managerial Roles and Responsibilities (Adapted from NASA 2014a, Table D-1)

Table 2.2 Executive, Program Directorate, and Technical Directorate Standards of Support to Be Provided by EROM Consistent with Roles and Responsibilities Outlined Previously

Table 2.3 Example Risk Profile from the New OMB-Circular A-123

Chapter 3: Overview of EROM Process and Analysis Approach

Table 3.1 Typical Risk and Opportunity Scenario Types and Associated Leading Indicators

Table 3.2 Published Guidelines for Roughly Estimating the Ratio of the System Failure Probability from UU Risks to the System Failure Probability from Known Risks at Time of Initial Operation (Benjamin et al. 2015)

Table 3.3 Example Likelihood Scale for a Risk or Opportunity Relative to a Critical Organizational Objective

Table 3.4 Example Impact Scale for a Risk or Opportunity Relative to a Critical Organizational Objective

Chapter 4: The Development and Utilization of EROM Templates for Performance Evaluation and Strategic Planning

Table 4.1 A View of the Form of the Outcome for Cumulative Risks and Opportunities

Table 4.2 Risk and Opportunity Identification Template

Table 4.3 Leading Indicator Evaluation Template

Table 4.4 Example Entries for Leading Indicator Evaluation Template for Objective P(1) #11: Deliver the Cryocooler Subsystem

Table 4.5 Objectives Interface and Influence Template

Table 4.6 Known Risk Roll-Up Template

Table 4.7 Example Entries for Known Risk Roll-Up Template for Objective P(1) #11: Deliver the Cryocooler Subsystem

Table 4.8 Example Entries for Risk Roll-Up Template for Objective P(1) #11 Including an Intermediate Roll-Up to Risk Scenario Level

Table 4.9 Opportunity Roll-Up Template

Table 4.10 Example Entries for Opportunity Roll-Up for Objective E(>10) #1: Discover How the Universe Works, Explore How It Began/Evolved, Search for Life on Planets Around Other Stars

Table 4.11 Composite Indicator Identification and Evaluation Template

Table 4.12 Example Entries for Risk Roll-Up Template for Objective P(1) #11 Using a Composite Indicator

Table 4.13 UU Risk Roll-Up Template

Table 4.14 Example Risk and Opportunity Driver Identification Template

Table 4.15 Example Entries for Risk and Opportunity Scenario Likelihood and Impact Evaluation Template

Table 4.16 Example Entries for Risk Mitigation and Internal Control Template for Objective E (>10) #1: Discover How the Universe Works

Table 4.17 Example Entries for Opportunity Action and Internal Control Template for Objective E (>10) #1: Discover How the Universe Works

Table 4.18 High-Level Display Template

Table 4.19 Example Risk Roll-Up Template for the Next-Generation Space Telescope as Applied to Alternative Selection during Organizational Planning

Chapter 5: Management and Implementation of EROM at the Institutional/Technical Level (Technical Centers or Directorates)

Table 5.1 Distribution of Responsibilities among the Principal Entities within the JWST Project (Source: NASA 2016c)

Table 5.2 Templates for Distribution of Human (Workforce), Physical, and Instructional Assets

Chapter 6: Special Considerations for EROM Practice and Analysis at Commercial TRIO Enterprises

Table 6.1 Form of the Risk and Opportunity Identification and Evaluation Templates (Combined) for the Commercial TRIO Enterprise Example

Table 6.2 Form of the Risk and Opportunity Roll-Up Templates (Combined) for the Commercial TRIO Enterprise Example

Table 6.3 Qualitative/Quantitative Risk and Opportunity Roll-Up Comparison Template for the Commercial TRIO Enterprise Example (Excerpt)

Table 6.4 Example Controllable Drivers and Corresponding Existing Safeguards, Risk Mitigations, Opportunity Actions, and Internal Controls for XYZ Company

Table 6.5 Excerpt of the Risk Mitigation and Internal Control Template and the Opportunity Action and Internal Control Template for the Commercial TRIO Enterprise

Chapter 7: Examples of the Use of EROM Results for Informing Risk Acceptance Decisions

Table 7.1 Leading Indicator Evaluation Template for GMD Example (2002 Time Frame)

Table 7.2 High-Level Display Template for GMD Example (2002 Time Frame)

Table 7.3 High-Level Display Template for GMD Example after Adopting Corrective Actions That Balance the Risks to the Top-Level Objectives

Chapter 8: Independent Appraisal of EROM Processes and Results to Assure the Adequacy of Internal Controls and Inform Risk Acceptance Decisions

Table 8.1 Template for Evaluating EROM Process and Results

Chapter 10: An Integrated Framework for Hierarchical Internal Controls

Table 10.1 Example form of a RACI matrix

Table 10.2 Example summary chart of cascading activities, weaknesses, and controls for the SMA organization example

Table 10.3 Example RACI chart for the SMA example

Table 10.4 Candidates for secondary and tertiary control loops for CCP risk-based assurance process and shared assurance model

Table 10.5 GAO green book principles for internal control (GAO 2014)

Table 10.6 GAO green book means of accomplishment for principle 1 (GAO 2014)

Table 10.7 MIT-conducted NASA independent technical authority study: system safety principles for internal control and means of accomplishment (Leveson et al. 2005)

Table 10.8 Example template for aggregating means of accomplishment to principles

Enterprise Risk and Opportunity Management

Concepts and Step-by-Step Examples for Pioneering Scientific and Technical Organizations

ALLAN S. BENJAMIN

Copyright © 2017 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com.

For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Names: Benjamin, Allan S., author.

Title: Enterprise risk and opportunity management : concepts and step-by-step examples for pioneering scientific and technical organizations / Allan S. Benjamin.

Description: Hoboken : Wiley, 2017. | Series: Wiley finance | Includes index.

Identifiers: LCCN 2016031019 (print) | LCCN 2016055611 (ebook) | ISBN 9781119288428 (hardback) | ISBN 9781119318729 (ePDF) | ISBN 9781119318712 (ePub)

Subjects: LCSH: Risk management. | Information technology—Management. | Strategic planning. | BISAC: BUSINESS & ECONOMICS / Finance.

Classification: LCC HD61 .B46 2017 (print) | LCC HD61 (ebook) | DDC 658.15/5—dc23

LC record available at https://lccn.loc.gov/2016031019

Cover design: Wiley

Cover images: Modern business center, Toronto © PhotoSerg/Shutterstock;

Businessman on tight rope © i-works/amanaimagesRF/Getty Images, Inc.


10.1 Conceptualization of the relationship between governance, risk management, and internal controls: strategic planning

10.2 Conceptualization of the relationship between governance, risk management, and internal controls: organizational performance evaluation

10.3 Simplified schematic of the interfaces between organizational management functions and organizational management levels

10.4 Standard control loop form

10.5 Example simple control loop for a mechanical system

10.6 Example form of a hierarchical system of internal control loops

10.7 Example primary control loop for the objective of improving risk management and system safety methodology and practice within the enterprise

10.8 Process diagram for the selected control activity: “Develop and update risk management and system safety policies, procedures, standards, and guides”

10.9 Secondary control loop for the selected control activity: “Develop and update risk management and system safety policies, procedures, standards, and guides”

10.10 Process diagram and tertiary control loop for the selected control activity: “Develop and update RM and SS policies, procedures, standards, and guides”

10.11 Example primary control loop for CCP's objective of achieving acceptable safety within schedule and budget using the RBA process and shared assurance model

10.12 Example generic primary control loop for achievement of internal control principles

10.13 Example primary control loop for demonstration of a commitment to integrity and ethical values

Tables

2.1 Typical Executive, Program Directorate, and Technical Directorate Managerial Roles and Responsibilities (Adapted from NASA 2014a, Table D-1)

2.2 Executive, Program Directorate, and Technical Directorate Standards of Support to Be Provided by EROM Consistent with Roles and Responsibilities Outlined Previously

2.3 Example Risk Profile from the New OMB-Circular A-123

3.1 Typical Risk and Opportunity Scenario Types and Associated Leading Indicators

3.2 Published Guidelines for Roughly Estimating the Ratio of the System Failure Probability from UU Risks to the System Failure Probability from Known Risks at Time of Initial Operation (Benjamin et al. 2015)

3.3 Example Likelihood Scale for a Risk or Opportunity Relative to a Critical Organizational Objective

3.4 Example Impact Scale for a Risk or Opportunity Relative to a Critical Organizational Objective

4.1 A View of the Form of the Outcome for Cumulative Risks and Opportunities

4.2 Risk and Opportunity Identification Template

4.3 Leading Indicator Evaluation Template

4.4 Example Entries for Leading Indicator Evaluation Template for Objective P(1) #11: Deliver the Cryocooler Subsystem

4.5 Objectives Interface and Influence Template

4.6 Known Risk Roll-Up Template

4.7 Example Entries for Known Risk Roll-Up Template for Objective P(1) #11: Deliver the Cryocooler Subsystem

4.8 Example Entries for Risk Roll-Up Template for Objective P(1) #11 Including an Intermediate Roll-Up to Risk Scenario Level

4.9 Opportunity Roll-Up Template

4.10 Example Entries for Opportunity Roll-Up for Objective E(>10) #1: Discover How the Universe Works, Explore How It Began/Evolved, Search for Life on Planets Around Other Stars

4.11 Composite Indicator Identification and Evaluation Template

4.12 Example Entries for Risk Roll-Up Template for Objective P(1) #11 Using a Composite Indicator

4.13 UU Risk Roll-Up Template

4.14 Example Risk and Opportunity Driver Identification Template

4.15 Example Entries for Risk and Opportunity Scenario Likelihood and Impact Evaluation Template

4.16 Example Entries for Risk Mitigation and Internal Control Template for Objective E (>10) #1: Discover How the Universe Works

4.17 Example Entries for Opportunity Action and Internal Control Template for Objective E (>10) #1: Discover How the Universe Works

4.18 High-Level Display Template

4.19 Example Risk Roll-Up Template for the Next-Generation Space Telescope as Applied to Alternative Selection during Organizational Planning

5.1 Distribution of Responsibilities among the Principal Entities within the JWST Project (Source: NASA 2016c)

5.2 Templates for Distribution of Human (Workforce), Physical, and Instructional Assets

6.1 Form of the Risk and Opportunity Identification and Evaluation Templates (Combined) for the Commercial TRIO Enterprise Example

6.2 Form of the Risk and Opportunity Roll-Up Templates (Combined) for the Commercial TRIO Enterprise Example

6.3 Qualitative/Quantitative Risk and Opportunity Roll-Up Comparison Template for the Commercial TRIO Enterprise Example (Excerpt)

6.4 Example Controllable Drivers and Corresponding Existing Safeguards, Risk Mitigations, Opportunity Actions, and Internal Controls for XYZ Company

6.5 Excerpt of the Risk Mitigation and Internal Control Template and the Opportunity Action and Internal Control Template for the Commercial TRIO Enterprise

7.1 Leading Indicator Evaluation Template for GMD Example (2002 Time Frame)

7.2 High-Level Display Template for GMD Example (2002 Time Frame)

7.3 High-Level Display Template for GMD Example after Adopting Corrective Actions That Balance the Risks to the Top-Level Objectives

8.1 Template for Evaluating EROM Process and Results

10.1 Example form of a RACI matrix

10.2 Example summary chart of cascading activities, weaknesses, and controls for the SMA organization example

10.3 Example RACI chart for the SMA example

10.4 Candidates for secondary and tertiary control loops for CCP risk-based assurance process and shared assurance model

10.5 GAO green book principles for internal control (GAO 2014)

10.6 GAO green book means of accomplishment for principle 1 (GAO 2014)

10.7 MIT-conducted NASA independent technical authority study: system safety principles for internal control and means of accomplishment (Leveson et al. 2005)

10.8 Example template for aggregating means of accomplishment to principles

Preface

In one form or another, I have been preparing to write this book for many years. In the most recent of those years, my focus has been on collaborating with NASA personnel on producing detailed guidance about potential ways that the agency could apply enterprise risk and opportunity management to help ensure its success as its mission becomes more complex. This collaboration has resulted in the publication of the NASA special publication report, Organizational Risk and Opportunity Management: Concepts and Processes for NASA Consideration.

In the process of writing that report, my thinking has evolved into considering two extensions of the original NASA purpose. First is how EROM can be applied to other pioneering technical organizations, both nonprofit and commercial, some of whom I have previously worked with on matters of risk and opportunity assessment and management. Second is how EROM can be integrated with the identification, implementation, and evaluation of internal controls, complying with new requirements from the federal government. This book, therefore, builds on the NASA work by extending it to be generally applicable to organizations of all sorts that are concerned with performing pioneering technical research, integrating and operationalizing that research into complex technical systems, and satisfying externally mandated requirements.

One might ask, “Why yet another guidebook on EROM when there have been several others produced during the past 10 or 15 years?” The answer is that the vast majority of the work that has appeared before now has been oriented toward business and financial organizations, whose objectives center on ultimate monetary gain for their company and their stockholders. In contrast, organizations whose principal objective is to develop and implement risky technologies for scientific and technical gain are faced with different kinds of risks and different kinds of opportunities. In many ways, their risks and opportunities are broader and more challenging than those of the traditional commercial business/financial sector, because their successes may produce breakthroughs that benefit the entire world while their failures may correspondingly have negative global implications. Yet they, like commercial business/financial companies, are also faced with the pressure of tight schedules, decreasing budgets, and political vagaries.

Another reason for writing this book is to fill a gap that exists in explaining how the high-level principles of EROM that others have presented (for example, COSO) can be converted into fine-tuned methods and tools. The practice of EROM in pioneering technical enterprises involves working with mostly qualitative data in a realm that is characterized by high uncertainties. The rigorous part of EROM in such an environment is in the strength of the arguments that are made to reach conclusions about how the enterprise should proceed. Thus, a large part of the effort concerns the derivation of the tasks and templates needed to assist in ensuring that the rationale behind the arguments is both sound and comprehensive. Fulfilling this need is one of the focuses of the book.

Government offices like the Office of Management and Budget (OMB), the Government Accountability Office (GAO), and the President's Management Council (PMC) are beginning to encourage and even require the use of EROM in federal agencies, while many top-notch educational and research centers are beginning or have already begun to incorporate EROM into their strategic planning. It is hoped that this book will be of particular value in encouraging and informing these efforts.

In the words of Thomas H. Stanton, past president of the Association of Federal Enterprise Risk Management (AFERM), [quoting from the second quarter 2015 AFERM newsletter]: “Among those agencies that face serious budget cuts, those with strong risk management processes are likely to fare much better—in terms of protecting their core missions and the well-being of their constituents and employees—than those lacking the ability to identify, prioritize, and address major risks that may arise without the protections that effective ERM provides.”

Before commencing, I would like to express my special thanks to Dr. Homayoon Dezfuli, Technical Fellow for System Safety and Risk Management at the NASA Office of Safety and Mission Assurance, and Chris Everett, Manager of the Technology Risk Management Office at Information Systems Laboratories, Inc. (ISL), with whom I collaborated in the formulation of an integrated EROM framework and in the development of the antecedent NASA report through a NASA/ISL blanket purchase agreement (BPA). Special thanks are also due to the following professionals at NASA for reviewing that work and helping to improve its content: Julie Pollitt (retired), Chet Everline, Martin Feather, Sharon Thomas, Emma Lehnhardt, Jessica Southwell (now with the Department of Labor), Prince Kalia, Harmony Myers, Anthony Mittskus, Sue Otero, Wayne Frazier, Kimberly Ennix Sandhu, and Pete Rutledge (retired and now with Quality Assurance and Risk Management Inc.).

Introduction

Enterprise risk and opportunity management (EROM), also known as enterprise risk management (ERM), concerns the means by which organizations apply risk and opportunity considerations in developing their strategic goals and objectives, in implementing them through a portfolio of programs, projects, institutional assets, and activities, and in managing them through internal controls. The overall purpose of EROM is to help reach an optimal balance between minimizing the potential for loss (risk) while maximizing the potential for gain (opportunity).

The principal focus of this book is on the development of an EROM framework and overall approach that serves the interests of organizations that are charged with pioneering the development of new technology and applying it to complex systems (henceforth referred to as “Technical Research, Integration, and Operationalizing enterprises,” or TRIO enterprises). The framework is developed first for nonprofit and government organizations whose interests are specifically in achieving technical gains and performing services in the interest of the public. That framework is then extended to provide an EROM framework for commercial TRIO enterprises that develop and apply technology as a means for achieving their stakeholders' financial goals.

The book discusses the philosophical underpinnings of EROM for TRIO enterprises, the integration of EROM with existing management processes, and the nature of the activities that are performed to implement EROM within this context. It also provides concrete examples to illustrate all of these topics. The framework includes a set of core principles and examples that would be pertinent to any successful EROM approach, along with some features that are specific to TRIO enterprises.

The book also provides guidance that is intended to help federal agencies comply with the requirements of the Office of Management and Budget (OMB), expressed in their most recent updates to Circulars A-11 and A-123. The July 2016 update of Circular A-123 directs agencies of the federal government to fully integrate risk management and internal control activities into an EROM framework, proceeding incrementally according to a “maturity model approach.” This book discusses organizational structures and analytical tools that are consistent with reaching that point.

Chapters 1 and 2 are intended mainly for high-level managers and their administrative staff who wish to understand the organizational aspects of EROM and the broad concepts of how it could be applied at TRIO enterprises. Chapter 1 is presented in the form of a primer on EROM, answering fundamental questions about how EROM works at a high level, how EROM is particularly relevant to pioneering technical enterprises, how it operates in tandem with existing management structures, how it facilitates interactions with external agencies, and how it can be applied both across the enterprise as a whole and within individual management units of the enterprise. Chapter 2 discusses how EROM coordinates with the major management functions within most technically oriented enterprises, how it helps to shape and corroborate the information that flows within, between, and out of these management functions, how it may be practiced in TRIO enterprises that interact with many partners, both domestic and international, and how it helps to satisfy requirements mandated by governing federal entities.

Chapters 3 and 4 are directed more toward technical managers and practitioners who wish to gain an understanding of some of the more important technical details and the fine points of implementing EROM at TRIO enterprises. Chapter 3 provides guidance on the activities that are conducted within an EROM analysis for TRIO enterprises, including advice on how risk tolerances and opportunity appetites can be established, how risk and opportunity scenarios can be formulated and categorized, how indicators of the potential importance of risks and opportunities can be identified, tracked, and evaluated, how the overall degree of achievement for each objective can be inferred from the indicators, how the potential for unknown and/or underappreciated (UU) risks can be evaluated, how risk and opportunity drivers can be derived, and how responses including risk mitigation, opportunity exploitation, and internal controls can be identified and evaluated. Chapter 4 provides helpful templates for conducting EROM within TRIO enterprises, and using a real example derived from the NASA James Webb Space Telescope (JWST) project, shows how the templates may be populated and exploited for purposes of evaluating overall performance and planning strategy.

Chapter 5 focuses on how EROM may be applied within major technical units of a TRIO enterprise (i.e., technical centers or technical directorates). Sections 5.1 and 5.2 speak about the managerial aspects of EROM at the center or directorate level, emphasizing the various roles that each center or directorate plays in executing its programmatic and institutional responsibilities, the nature of the strategic objectives that require technical centers and directorates to manage multiple partnerships, the ways in which a center or directorate can use an EROM approach to facilitate its management responsibilities, and the organizational aspects of EROM that permit effective communication between a technical center or directorate and its various partnering organizations. Section 5.3 discusses the technical activities that may be conducted within an EROM analysis for technical centers and directorates, emphasizing the types of risks and opportunities and associated indicators that pertain to its core competencies and the development, allocation, and retirement of its resources and assets. Section 5.3 also provides additional templates, which, together with those in Chapter 4, can be of significant use for planning the strategies and evaluating the overall performance of technical centers and directorates.

Chapter 6 augments the approaches discussed in the preceding chapters to establish a framework for commercial TRIO enterprises, where the primary objectives are the optimization of financial gains for its stakeholders over short-term, mid-term, and long-term time frames. One of the primary intents of Chapter 6 is to incorporate the qualitative aspects of EROM developed in earlier chapters with the quantitative aspects of financial planning and accounting. For this purpose, the treatment of risks and opportunities in the financial model is informed by the risk and opportunity scenarios developed in the templates of Chapters 4 and 5, and the key variables in the financial model are informed by the leading indicators and risk/opportunity drivers identified through the use of the templates. The process is illustrated using, as an example, a fictional prime contractor that manufactures products and develops systems for the aerospace and defense markets. The example focuses on developing risk and opportunity scenario taxonomies and event sequence diagrams that depict the choices that the company has to make and the risks and opportunities that each choice entails with respect to its financial goals. Financially oriented risk and opportunity matrices are introduced to facilitate the decision-making process and the derivation of internal controls.

Chapter 7