Information System Engineering Promotes Enterprise Risk Management
Organizations face increasing complexity, uncertainty and heightened threats from a wide range of forces. Depending on how this situation is handled, it can become a risk or an opportunity that erodes or enhances business value. In addition, organizations have to meet the risk management requirements of many different stakeholders as well as legal and regulatory requirements. Comprehensive enterprise risk management has therefore become a key challenge and a core competence for organizations' sustainable success. Although several approaches to systematically securing information systems against information security breaches have been studied, we found no approach that guides organizations in promoting enterprise risk management through system engineering. Interdisciplinary information security research at the organizational level is still missing. Accordingly, we propose a systemic approach to requirements analysis in system engineering in order to promote enterprise risk management. The results of our case studies suggest that the approach was useful for promoting enterprise risk management in an effective and sustainable way: legal and regulatory compliance and risk awareness were enhanced. New insights for practice and future research are offered.
Keywords: System development; Requirement engineering; Enterprise risk management; ISO 31000; COSO
The research leading to these results was partially funded by the Tyrolean business development agency through the Stiftungsassistenz QE – Lab.