Introduction

Enterprise risk and opportunity management (EROM), also known as enterprise risk management (ERM), concerns the means by which organizations apply risk and opportunity considerations in developing their strategic goals and objectives, in implementing them through a portfolio of programs, projects, institutional assets, and activities, and in managing them through internal controls. The overall purpose of EROM is to help reach an optimal balance between minimizing the potential for loss (risk) and maximizing the potential for gain (opportunity).

The principal focus of this book is on the development of an EROM framework and overall approach that serves the interests of organizations that are charged with pioneering the development of new technology and applying it to complex systems (henceforth referred to as “Technical Research, Integration, and Operationalizing enterprises,” or TRIO enterprises). The framework is developed first for nonprofit and government organizations whose interests are specifically in achieving technical gains and performing services in the interest of the public. That framework is then extended to provide an EROM framework for commercial TRIO enterprises that develop and apply technology as a means for achieving their stakeholders' financial goals.

The book discusses the philosophical underpinnings of EROM for TRIO enterprises, the integration of EROM with existing management processes, and the nature of the activities that are performed to implement EROM within this context. It also provides concrete examples to illustrate all of these topics. The framework includes a set of core principles and examples that would be pertinent to any successful EROM approach, along with some features that are specific to TRIO enterprises.

The book also provides guidance that is intended to help federal agencies comply with the requirements of the Office of Management and Budget (OMB), expressed in their most recent updates to Circulars A-11 and A-123. The July 2016 update of Circular A-123 directs agencies of the federal government to fully integrate risk management and internal control activities into an EROM framework, proceeding incrementally according to a “maturity model approach.” This book discusses organizational structures and analytical tools that are consistent with reaching that point.

Chapters 1 and 2 are intended mainly for high-level managers and their administrative staff who wish to understand the organizational aspects of EROM and the broad concepts of how it could be applied at TRIO enterprises. Chapter 1 is presented in the form of a primer on EROM, answering fundamental questions about how EROM works at a high level, how EROM is particularly relevant to pioneering technical enterprises, how it operates in tandem with existing management structures, how it facilitates interactions with external agencies, and how it can be applied both across the enterprise as a whole and within individual management units of the enterprise. Chapter 2 discusses how EROM coordinates with the major management functions within most technically oriented enterprises, how it helps to shape and corroborate the information that flows within, between, and out of these management functions, how it may be practiced in TRIO enterprises that interact with many partners, both domestic and international, and how it helps to satisfy requirements mandated by governing federal entities.

Chapters 3 and 4 are directed more toward technical managers and practitioners who wish to gain an understanding of some of the more important technical details and the fine points of implementing EROM at TRIO enterprises. Chapter 3 provides guidance on the activities that are conducted within an EROM analysis for TRIO enterprises, including advice on how risk tolerances and opportunity appetites can be established, how risk and opportunity scenarios can be formulated and categorized, how indicators of the potential importance of risks and opportunities can be identified, tracked, and evaluated, how the overall degree of achievement for each objective can be inferred from the indicators, how the potential for unknown and/or underappreciated (UU) risks can be evaluated, how risk and opportunity drivers can be derived, and how responses including risk mitigation, opportunity exploitation, and internal controls can be identified and evaluated. Chapter 4 provides helpful templates for conducting EROM within TRIO enterprises, and using a real example derived from the NASA James Webb Space Telescope (JWST) project, shows how the templates may be populated and exploited for purposes of evaluating overall performance and planning strategy.

Chapter 5 focuses on how EROM may be applied within major technical units of a TRIO enterprise (i.e., technical centers or technical directorates). Sections 5.1 and 5.2 speak about the managerial aspects of EROM at the center or directorate level, emphasizing the various roles that each center or directorate plays in executing its programmatic and institutional responsibilities, the nature of the strategic objectives that require technical centers and directorates to manage multiple partnerships, the ways in which a center or directorate can use an EROM approach to facilitate its management responsibilities, and the organizational aspects of EROM that permit effective communication between a technical center or directorate and its various partnering organizations. Section 5.3 discusses the technical activities that may be conducted within an EROM analysis for technical centers and directorates, emphasizing the types of risks and opportunities and associated indicators that pertain to its core competencies and the development, allocation, and retirement of its resources and assets. Section 5.3 also provides additional templates, which, together with those in Chapter 4, can be of significant use for planning the strategies and evaluating the overall performance of technical centers and directorates.

Chapter 6 augments the approaches discussed in the preceding chapters to establish a framework for commercial TRIO enterprises, where the primary objectives are the optimization of financial gains for its stakeholders over short-term, mid-term, and long-term time frames. One of the primary intents of Chapter 6 is to incorporate the qualitative aspects of EROM developed in earlier chapters with the quantitative aspects of financial planning and accounting. For this purpose, the treatment of risks and opportunities in the financial model is informed by the risk and opportunity scenarios developed in the templates of Chapters 4 and 5, and the key variables in the financial model are informed by the leading indicators and risk/opportunity drivers identified through the use of the templates. The process is illustrated using, as an example, a fictional prime contractor that manufactures products and develops systems for the aerospace and defense markets. The example focuses on developing risk and opportunity scenario taxonomies and event sequence diagrams that depict the choices that the company has to make and the risks and opportunities that each choice entails with respect to its financial goals. Financially oriented risk and opportunity matrices are introduced to facilitate the decision-making process and the derivation of internal controls.

Chapter 7 deals with the application of EROM results to assist top management in making risk acceptance decisions at key decision points when there are competing objectives at the top level of the organization with correspondingly different levels of risk tolerance. It uses two examples, one based on the DoD Ground-based Missile Defense (GMD) program and the other based on the NASA Commercial Crew Transportation System (CCTS) program, to illustrate the processes involved.

Chapter 8 provides evaluation guidance for independent appraisers who are responsible for auditing the EROM practices and processes employed at a TRIO enterprise and for determining the viability of results obtained from the EROM analyses. The chapter presents a template containing a list of queries whose answers are designed to supply TRIO enterprise management and governing authorities with reliable information about the strength of the EROM analysis, the robustness of the internal controls relative to the principal risks, and the degree to which reasonable opportunities for progress have been availed. The guidance is intended to be of use to both government and commercial auditors and auditees.

Chapter 9 provides a brief discussion of how EROM in general and the EROM templates in particular can potentially interact with important strategic initiatives and other enterprise-wide activities currently practiced within TRIO enterprises, including technical capabilities assessment (TCA) processes, strategic annual review (SAR) processes, and portfolio performance review (PPR) processes.

Finally, Chapter 10 presents an integrated framework for deriving hierarchies of internal controls based on results from the EROM process. The approach taken here differs philosophically from the approach taken by others (e.g., COSO), where internal controls are derived separately from EROM but used as input to EROM. The fully integrated approach allows for the internal controls to be responsive to the drivers of aggregate risk and opportunity. The hierarchical formulation enables different levels of internal controls to be matched to different levels in the organizational hierarchy. The fully integrated, hierarchical approach is especially suitable for organizations whose objectives are more technical in nature than financial.
