Risk is the likelihood that an event will occur combined with the potential for negative consequences resulting from that event. Individuals and organizations take risks every day. Dealing with risk is a key issue for Business Analysts as they work on projects. Risks exist in a larger context for the organization as a whole and in a smaller context for individual projects. Risks to the organization as a whole should be managed at the enterprise level; many organizations have documented risk management functions. Risks at the project level are the responsibility of the key stakeholders, the project manager, and the business analyst.
The Committee of Sponsoring Organizations for the Treadway Commission (COSO) has created a framework for understanding and managing risk. This is often referred to as Enterprise Risk Management (ERM). COSO created an eight-step process for establishing and managing ERM, which is shown in Table 4-2. Of the eight steps, the Software Business Analyst is typically involved only in Steps 3, 4, 5, and 6. The eventual implementation of ERM is a SOX requirement for larger organizations.