What is a risk management framework?
Implementing the principles and guidelines of a risk management
framework (RMF) is not only an effective way to manage current
risks; it also provides a structured risk assessment process for
risk identification, mitigation, and compliance alignment. This
helps organizations adapt more quickly and easily to new and
emerging risks, enhancing overall resiliency.
Beyond the wide array of regulatory compliance and operational
risks that organizations face, cyber risk has now also taken center
stage. With escalating threats caused by artificial intelligence
(AI), cyber risk can no longer be viewed as a technology risk
alone. Rather, it is a strategic and urgent business issue that
must be addressed alongside all other organizational risks.
7 essential risk management frameworks for organizations
This article explores seven essential RMFs organizations should
adopt today. Collectively, they cover not just traditional risk
management concepts but also how to address growing AI-related
threats.
1. ISO 31000:2018 Risk Management Framework
First published in 2009 by the International Organization for
Standardization (ISO), ISO 31000 is an internationally accepted enterprise risk management framework that
establishes principles for organizations to integrate risk-based
decision-making into their governance, planning, management,
reporting, policies, values, and cultures. ISO 31000 is applicable
to all organizations, regardless of type, size, activities and
location, and is intended for use by anyone who manages risks.
ISO 31000 was last reviewed in 2023, and the 2018 revision remains
the current edition. “ISO 31000:2018 provides more strategic
guidance than ISO 31000:2009 and places more emphasis on both the
involvement of senior management and the integration of risk
management into the organization,” according to an overview document of the standard.
Recommendations in ISO 31000:2018 include:
Developing a statement or policy that confirms a commitment to
risk management
Assigning authority, responsibility and accountability at
appropriate levels within the organization
Ensuring necessary resources are allocated to risk
management
Embedding risk management into the organization’s
structure, processes, objectives, strategy, and activities
ISO 31000:2018 places greater focus on value creation overall as
the key driver of risk management and features other related
principles, including the inclusion of all key stakeholders,
continuous improvement, and taking into consideration human and
cultural factors.
2. Factor Analysis of Information Risk Management
Framework (FAIR)
Factor Analysis of Information Risk (FAIR) is
described as the only international standard of its kind that
provides organizations with a model for understanding, analyzing,
and quantifying cyber risk and operational risk in financial terms.
Unlike many qualitative risk assessment frameworks, the FAIR model
gives organizations a means to quantify their exposure to
risk – both the probability of a loss occurring and the
magnitude of that loss – so they can measure risk more effectively
and make better-informed decisions about it.
Having this insight helps organizations better prioritize risk
mitigation efforts by focusing on the risks that could have the
biggest financial impact. Jack Jones, former CISO and creator of
FAIR, explained the model in this way: “In a
compliance-focused risk management effort, we look for gaps. We
look for deficiencies in controls. But we’ve never had the
means of understanding, ‘so what? How much does this loss
matter in the grand scheme of things, or in our loss
exposure?’” Using the FAIR method, organizations can now
see how much those gaps mean from a frequency of loss or magnitude
of loss perspective.
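The frequency-and-magnitude view FAIR takes can be made concrete with a small Monte Carlo model. The code below is an added illustration written for this page, not material from the article or FAIR's actual method; it assumes a simplified model (a Poisson event rate and a triangular per-event loss calibrated from minimum, most likely, and maximum estimates) rather than FAIR's full taxonomy, and the scenario names and figures are constructed. It turns each scenario into an expected annual loss and a 1-in-10 bad-year loss, so control gaps can be ranked by financial exposure rather than by count.

```python
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class LossScenario:
    """One loss scenario: how often it happens and how much each event costs."""
    name: str
    events_per_year: float  # loss event frequency (assumed Poisson rate)
    loss_min: float         # per-event loss, calibrated as min / most likely / max
    loss_mode: float
    loss_max: float

    def expected_annual_loss(self) -> float:
        # Mean of triangular(min, mode, max) is (min + mode + max) / 3,
        # so expected annual loss = event frequency x mean loss magnitude.
        return self.events_per_year * (self.loss_min + self.loss_mode + self.loss_max) / 3

def _poisson(rate: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(s: LossScenario, years: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo: for each simulated year draw the event count, then sum per-event losses."""
    rng = random.Random(seed)
    totals = sorted(
        sum(rng.triangular(s.loss_min, s.loss_max, s.loss_mode)
            for _ in range(_poisson(s.events_per_year, rng)))
        for _ in range(years))
    return {"mean": sum(totals) / years,
            "p90": totals[int(0.9 * years) - 1]}  # loss in a 1-in-10 "bad year"

def rank_by_exposure(scenarios) -> list:
    """Order scenarios by expected annual loss, largest exposure first."""
    return [s.name for s in sorted(scenarios, key=LossScenario.expected_annual_loss, reverse=True)]

# Constructed, illustrative scenarios; not figures from the article or from FAIR.
SCENARIOS = [
    LossScenario("phishing-led account takeover", 2.0, 10_000, 40_000, 250_000),
    LossScenario("ransomware outage", 0.1, 500_000, 1_000_000, 5_000_000),
    LossScenario("lost unencrypted laptop", 12.0, 500, 2_000, 8_000),
]

if __name__ == "__main__":
    print("priority:", rank_by_exposure(SCENARIOS))
    print("phishing bad year:", f"{simulate_annual_loss(SCENARIOS[0])['p90']:,.0f}")
```

Note that the rare, high-magnitude ransomware scenario outranks the frequent phishing one on expected annual loss, which is exactly the kind of insight a gap count alone would not give.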
3. COSO Enterprise Risk Management Framework –
Integrating with strategy and performance
In 2004, the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) Board published the first version of its
Enterprise Risk Management—Integrated Framework, a
principles-based standard that over the years has been widely
adopted as a compliance and enterprise risk management framework by
organizations everywhere seeking to manage enterprise-wide risks
more effectively.
Since that time, the risk landscape has changed drastically, as
have the demands placed on organizations to manage new and
fast-evolving risks. This prompted COSO in 2017 to publish an
updated version of its ERM Framework, with a new title, Enterprise Risk Management—Integrating
with Strategy and Performance.
As described in the executive summary, the updated framework:
Provides greater insight into the value of ERM when setting and
carrying out strategy
Enhances alignment between performance and ERM to improve the
setting of performance targets and understanding the impact of risk
on performance
Accommodates expectations for governance and oversight
Recognizes the globalization of markets and operations and the
need to apply a common – albeit tailored – approach
across geographies
Presents new ways to view risks to set and achieve
objectives
Expands reporting to address expectations for greater
stakeholder transparency
Accommodates evolving technologies and the proliferation of
data and analytics in supporting decision-making
Sets out five core components and 20 underlying principles for
all levels of management involved in designing and implementing ERM
practices
The five core components set out in the framework are governance
and culture; strategy and objective-setting; performance; review
and revision; and information, communication, and reporting.
4. COSO Compendium of Examples Risk Management
Framework
As a supplement to COSO Enterprise Risk Management –
Integrating with Strategy and Performance, a complementary
publication was also published, titled COSO Enterprise Risk Management – Integrating
with Strategy and Performance: Compendium of Examples.
This publication sets out several illustrative examples of how
organizations of different types, sizes, industries, and
geographies might apply the principles from the framework to
day-to-day practice. Collectively, the examples covered in
the compendium relate to each of the five core components and 20
underlying principles set out in the framework. The authors of the
compendium developed the examples by identifying industry practices
through interviews, case studies, and research.
5. NIST Cybersecurity Risk Management Framework
2.0
The NIST Cybersecurity Framework is one of the most widely
adopted cybersecurity frameworks, guiding organizations in risk
response and mitigation strategies. The National Institute of
Standards and Technology Cybersecurity Framework 2.0 (CSF 2.0) is
designed to help organizations of all sizes and across all sectors
manage and reduce their cybersecurity risks – no matter the
maturity level or technical sophistication of the
organization’s cybersecurity program. According to NIST, the
CSF “describes desired outcomes that are intended to be
understood by a broad audience, including executives, managers, and
practitioners, regardless of their cybersecurity
expertise.”
To provide each organization the flexibility to address its own
unique cybersecurity risks, risk appetite, and maturity level, the
CSF intentionally “does not prescribe how outcomes
should be achieved.” Instead, it directs users to other NIST
online resources, including its series of CSF 2.0 Quick Start Guides, that provide
additional guidance on practices and controls that could be used to
achieve those outcomes.
7. ISO/IEC 42001 Risk Management Framework
Another AI risk management framework is ISO/IEC
42001, an international standard that specifies requirements
for establishing, implementing, maintaining, and continually
improving an AI Management System (AIMS) within organizations.
ISO/IEC 42001 defines an AIMS as “a set of interrelated or
interacting elements of an organization intended to establish
policies and objectives, as well as processes to achieve those
objectives, in relation to the responsible development, provision
or use of AI systems.”
ISO/IEC 42001 is intended to be used by organizations of all sizes,
including non-profits, that are involved in developing, providing, or
using AI-based products or services, ensuring responsible
development and use of AI systems. It is also intended to be
relevant to both the private and public sectors and to apply across all
industries. Designed to cover the various aspects of AI and the
different applications an organization may be running, it provides
an integrated approach to managing AI projects – from risk
assessments to the effective treatment of AI risks.
Final thoughts
Thoughtful, comprehensive and forward-thinking risk management
frameworks are an essential practice for organizations of all
sizes, industries and geographies. By combining traditional
enterprise risk management frameworks with modern cybersecurity and
AI governance frameworks, organizations can strengthen compliance
and build resiliency in a rapidly evolving risk landscape.