Date of Award


Document Type


Degree Name

Master of Science in Information Systems and Technology


Information and Decision Sciences

First Reader/Committee Chair

Shayo, Conrad


This culminating experience project examined common risk management trends and challenges that SMEs face and provided methods and tools that could limit threats and impact of unforeseeable events. This project demonstrates why business owners should use a risk management planning framework. The research questions were: (Q1) What are risk identification strategies which do not overstrain SMEs' limited resources? (Q2) How may risk analysis be performed effectively in SMEs? (Q3) How does the SMEs risk management system change over time? (Q4) What are the most effective risk analysis techniques and strategies for SMEs with limited resources?

A case study was examined using the COSO Enterprise Risk Management (ERM) process to identify unique risk management challenges that SMEs face and to provide recommendations. The results were as follows: (Q1)Use brainstorming workshops to identify risks. Use face-to-face discussions to share ideas and provide feedback. Use a qualitative top-down approach with stakeholders to identify organizational and strategic risks. Use functional diagrams and interviews with risk owners to understand and identify risks. (Q2)Consider risks in every activity from organizational level to business unit. Hold meetings with stakeholders to gain insight. Understand the enterprise’s risk culture and objectives. Conduct a risk assessment. Involve board members and managementthroughout the ERM processes. Understand and define organizational objectives. Define risk tolerance, develop risk response, and control activities.

(Q3) Once ERM was successful in the Portfolio Management Department (PMD) it was expanded throughout the enterprise. Continuous monitoring, assessment, and updating was critical throughout the enterprise life cycle. Routine maintenance was required, and the risk register was updated periodically. Threats and risks are always changing and evolving so they were continuously revisited. Controls were checked for effectiveness and risks werereevaluated. (Q4) Risk tolerance was defined by specifying risk appetite using a financial risk tolerance-based benchmark. PMD Risk Map was used to calculate likelihood and impact. The PMD risk table was continuously updated to show current risks.

Likelihood and impact ordinal scales to measure the impact of risks and portfolio management software was used to monitor and receive feedback. This case study shows that SMEs should focus on training and learning, cultivate strong governance and culture, allocate a team to understand and execute strategic objectives, and utilize a framework to help organize and guide internal operations. An enterprise risk management plan strengthened communication and collaboration and helped the enterprise accomplish various objectives that align with the enterprise's mission statement and core values. Areas for further study include: The use of artificial intelligence and machine learning to predict both internal and external risks. The use of alternative frameworks such as: the NIST Risk Management Framework (RMF), the ISO 31000, or the COBIT ERM Framework.