Information System Engineering Promotes Enterprise Risk Management

  • Margareth Stoll
  • Dietmar Laner
Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 313)


Organizations are faced with increasing complexity, uncertainty and enhanced threats from a wide range of forces. Depending on how this situation is handled, it can become a risk or an opportunity that erodes or enhances business value. In addition, organizations have to meet a wide range of stakeholder, legal and regulatory risk management requirements. Thus, comprehensive enterprise risk management has become a key challenge and a core competence for organizations’ sustainable success. Although several approaches to systematically securing information systems against information security breaches have been studied, we found no approach that guides organizations in promoting enterprise risk management through system engineering. Interdisciplinary information security research at the organizational level is still missing. Accordingly, we propose a systemic approach to system engineering requirement analysis in order to promote enterprise risk management. The results of our case studies suggest that the approach was useful for promoting enterprise risk management in an effective and sustainable way. Legal/regulatory compliance and risk awareness were enhanced. New insights for practice and future research are offered.


Keywords: System development; Requirement engineering; Enterprise risk management; ISO 31000; COSO



The research leading to these results was partially funded by the Tyrolean business development agency through the Stiftungsassistenz QE – Lab.



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. University of Innsbruck, Innsbruck, Austria
  2. European Academy of Bozen, Bozen, Italy
