Enterprise Risk Management

Definition

Enterprise risk management is the risk management subactivity consisting of the cohesive collection of all tasks that are primarily performed to lower an enterprise’s significant risks to acceptable levels.

Goals

The typical goals of enterprise risk management are to:

• Reduce enterprise risks to acceptable levels.

Objectives

The typical objectives of enterprise risk management are to:

• Identify and understand the major risks to the enterprise.
• Avoid the risks that can be avoided.
• Mitigate the impact of risks that cannot be avoided.

Examples

Typical examples of enterprise risk management include the management of risks on a:

• Business enterprise.
• Profit and Loss (P&L) Center.
• Business unit

Preconditions

Enterprise risk management typically may begin when the following conditions hold:

• The enterprise is started.
• The enterprise team are:
  • Initially staffed.
  • Adequately trained in risk management.

Completion Criteria

Enterprise risk management is typically complete when the following postconditions hold:

• The enterprise is retired.

Tasks

Enterprise risk management typically involves the following teams performing the following tasks in an iterative, incremental, parallel, and time-boxed manner:

• The enterprise teams, which perform:
  • Risk Analysis
  • Risk Control
  • Risk Identification
  • Risk Management Planning
  • Risk Monitoring

Environments

Enterprise risk management is typically performed using the following environment(s) and associated tools:

• TBD
  • Risk management tool

Work Products

Enterprise risk management typically results in the production of all or part of the following work products:

• Risk Management Plan
• Risk Analysis
• Risk Monitoring Report

Phases

Enterprise risk management tasks are typically performed during the following phases:

Guidelines

• The importance of a risk is the product of its probability and its impact.
• It is typically better to avoid a risk that to mitigate its damage once it has occured.
• Risks can be divided into the following categories:
  • Business Risks:
    • Requirements Scope Creep
    • Changing Market Pressures
    • Loss of Market Share
    • Bad Public Relations
    • Loss of Life or Property
    • Litigation
  • Financial Risks:
    • Cost Overrun
    • Inadequate Cost Estimates
  • Resource Risks:
    • Inadequate Staffing
    • Inadequately Trained Staff
    • Inadequate Staff Productivity
    • Inadequate Development Tools
  • Schedule Risks:
    • Unrealistic Schedule
    • Inadequate Schedule Estimates
    • Upgrades to COTS components and tools not available when promised (vaporware)
    • Excessive Time To Market
  • Technical Risks:
    • The enterprise will not provide all required functionality.
    • The enterprise’s transactions will not be auditable.
    • The enterprise will not adequately support internationalization.
    • The enterprise will not provide personalization.
    • The enterprise will contain excessive defects.
    • The enterprise’s outputs will be inadequately accurate or precise.
  • This activity is documented using the typical configuration for large projects. It is intended to be configured (i.e., instantiated, extended, and tailored) to meet the needs of specific projects.
  • The preconditions of this activity should be the union of the preconditions of its constituent tasks.
  • The completion criteria for this activity should be the union of the postconditions of its constituent tasks.