This question is a little confusing. Are you only reviewing the security of the applications? Or is it the environments they are included in also? To answer the question of
How do I do a risk assessment at an enterprise level?
Defense in Depth is an understanding that there are multiple layers of security that need to be addressed in a wholistic approach. See this picture
https://blog.knowbe4.com/hubfs/Defense_in_Depth.jpg
and wiki: https://en.wikipedia.org/wiki/Defense_in_depth_(computing)
There are multiple ways to go about this but first you must define the scope, which seems missing in your question. Is network security included? Is "endpoint" included? Does phishing fall into your scope. Is it just application security? What about physical security? When you say Data Loss Prevention are you talking about information leakage from a database or restricting corp laptops from sending company files outbound? You have to clarify the scope before you can come up with a clear plan. Once you have done that:
https://en.wikipedia.org/wiki/Cyber_security_standards#ANSI/ISA_62443_(Formerly_ISA-99)
The 62443 family of standards covers most of the ground you mention above, including SDLC. It is "bulky" and doesn't mandate specific testing in many of the certs but is also robust and gives a great "envelope" of testing to start from.
OWASP has a framework for developing secure code and secure coding practices and they have assessment templates:
https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework
https://www.owasp.org/index.php/OWASP_ASVS_Assessment_tool
For a more classic approach use Microsoft's baseline framework:
https://en.wikipedia.org/wiki/Microsoft_Baseline_Security_Analyzer
This will cover most levels of security for a Windows based environment.
US-Cert has frameworks:
https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/commercial-facilities-framework-implementation-guide-2015-508.pdf
https://www.us-cert.gov/sites/default/files/resources/ncats/VADR%20Sample%20Report_508C.pdf
https://www.us-cert.gov/resources/ncats
And SANS has BASE which covers a lot of ground also:
https://www.sans.org/reading-room/whitepapers/auditing/base-security-assessment-methodology-1587
Don't forget about compliance also. Hippa, PCI, SOX and etc. all information available you can easily find with an internet search.