
What is a risk management framework?
Implementing the principles and guidelines of a risk management framework (RMF) is not just an effective way to manage current risks, it also provides a structured risk assessment process for risk identification, mitigation, and compliance alignment. This helps organizations more quickly and easily adapt to new and emerging risks, enhancing resiliency overall.
Beyond the wide array of regulatory compliance and operational risks that organizations face, cyber risk has now also taken center stage. With escalating threats caused by artificial intelligence (AI), cyber risk can no longer be viewed as a technology risk alone. Rather, it is a strategic and urgent business issue that must be addressed alongside all other organizational risks.
7 essential risk management frameworks for organizations
This article explores seven essential RMFs organizations should adopt today. Collectively, they cover not just traditional risk management concepts but also how to address growing AI-related threats.
1. ISO 31000:2018 Risk Management Framework
First published in 2009 by the International Organization for Standardization (ISO), ISO 31000 is an internationally accepted enterprise risk management framework that establishes principles for organizations to integrate risk-based decision-making into their governance, planning, management, reporting, policies, values, and cultures. ISO 31000 is applicable to all organizations, regardless of type, size, activities and location, and is intended for use by anyone who manages risks.
The standard was last reviewed in 2023, and the updates made in 2018 remain current. “ISO 31000:2018 provides more strategic guidance than ISO 31000:2009 and places more emphasis on both the involvement of senior management and the integration of risk management into the organization,” according to an overview document of the standard.
Recommendations in ISO 31000:2018 include:
- Developing a statement or policy that confirms a commitment to risk management
- Assigning authority, responsibility and accountability at appropriate levels within the organization
- Ensuring necessary resources are allocated to risk management
- Embedding risk management into the organization’s structure, processes, objectives, strategy, and activities
ISO 31000:2018 places greater focus on value creation overall as the key driver of risk management and features other related principles, including the inclusion of all key stakeholders, continuous improvement, and taking into consideration human and cultural factors.
2. Factor Analysis of Information Risk Management Framework (FAIR)
Factor Analysis of Information Risk (FAIR) is described as the only international standard of its kind that provides organizations with a model for understanding, analyzing, and quantifying cyber risk and operational risk in financial terms. Unlike many qualitative risk assessment frameworks, the FAIR model provides a means for organizations to quantify their exposure to risk – both the probability of a loss occurring and the magnitude of loss – so that they can measure risk more effectively and, thus, make better-informed decisions regarding risks.
Having this insight helps organizations better prioritize risk mitigation efforts by focusing on the risks that could have the biggest financial impact. Jack Jones, former CISO and creator of FAIR, explained the model in this way: “In a compliance-focused risk management effort, we look for gaps. We look for deficiencies in controls. But we’ve never had the means of understanding, ‘so what? How much does this loss matter in the grand scheme of things, or in our loss exposure?’” Using the FAIR method, organizations can now see how much those gaps mean from a frequency of loss or magnitude of loss perspective.
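The frequency-times-magnitude idea behind FAIR, as an added example that is not from the article or from the FAIR standard itself: a simplified Monte Carlo model (Poisson event counts and lognormal loss sizes are assumptions made here; FAIR proper uses calibrated ranges and a richer ontology) that turns each constructed scenario into an annualized loss expectancy (ALE) and a 90th-percentile annual loss, then ranks scenarios by financial impact.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    loss_event_frequency: float  # expected loss events per year (Poisson mean, assumed)
    loss_median: float           # median loss per event, in currency units
    loss_sigma: float            # log-space spread of the loss magnitude (assumed lognormal)

def _poisson(rng, lam):
    """Knuth's sampler: number of loss events in one simulated year."""
    threshold = math.exp(-lam)
    events, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return events
        events += 1

def simulate_annual_loss(scn, trials, seed=7):
    """One simulated year per trial: the sum of per-event losses over the year's events."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    mu = math.log(scn.loss_median)
    years = []
    for _ in range(trials):
        n = _poisson(rng, scn.loss_event_frequency)
        years.append(sum(rng.lognormvariate(mu, scn.loss_sigma) for _ in range(n)))
    return years

def percentile(values, p):
    ordered = sorted(values)
    return ordered[int(p * (len(ordered) - 1))]

def summarize(scn, trials=20000):
    """ALE (mean annual loss) plus tail figures; a rare, large event can have a high ALE yet a p90 of zero."""
    years = simulate_annual_loss(scn, trials)
    return {"name": scn.name, "ale": sum(years) / len(years),
            "p90": percentile(years, 0.90), "worst": max(years)}

def rank_scenarios(scenarios, trials=20000):
    """Highest financial exposure first, which is how FAIR-style analysis prioritizes mitigation."""
    return sorted((summarize(s, trials) for s in scenarios), key=lambda r: r["ale"], reverse=True)

# Constructed sample scenarios: illustrative numbers, not from any real assessment.
SCENARIOS = [
    Scenario("phishing-led credential theft", 2.0, 50_000, 0.5),
    Scenario("ransomware on file servers", 0.1, 2_000_000, 0.5),
    Scenario("lost laptop (encrypted)", 5.0, 5_000, 0.5),
]

if __name__ == "__main__":
    for r in rank_scenarios(SCENARIOS):
        print(f"{r['name']:<30} ALE={r['ale']:>12,.0f} p90={r['p90']:>12,.0f} worst={r['worst']:>14,.0f}")
```

The ranking shows why a control gap with a modest annual frequency but a large magnitude can outrank a frequent, low-cost event, which is the "so what" the quantitative view adds.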
3. COSO Enterprise Risk Management Framework – Integrating with strategy and performance
In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Board published the first version of its Enterprise Risk Management—Integrated Framework, a principles-based standard that over the years has become a widely adopted compliance and enterprise risk management framework by organizations everywhere seeking to more effectively manage enterprise-wide risks.
Since that time, the risk landscape has changed drastically, as have the demands placed on organizations to manage new and fast-evolving risks. This prompted COSO in 2017 to publish an updated version of its ERM Framework, with a new title, Enterprise Risk Management—Integrating with Strategy and Performance.
As described in the executive summary, the updated framework:
- Provides greater insight into the value of ERM when setting and carrying out strategy
- Enhances alignment between performance and ERM to improve the setting of performance targets and understanding the impact of risk on performance
- Accommodates expectations for governance and oversight
- Recognizes the globalization of markets and operations and the need to apply a common – albeit tailored – approach across geographies
- Presents new ways to view risks to set and achieve objectives
- Expands reporting to address expectations for greater stakeholder transparency
- Accommodates evolving technologies and the proliferation of data and analytics in supporting decision-making
- Sets out five core components and 20 underlying principles for all levels of management involved in designing and implementing ERM practices
The five core components set out in the framework are governance and culture; strategy and objective-setting; performance; review and revision; and information, communication, and reporting.
4. COSO Compendium of Examples Risk Management Framework
As a supplement to COSO Enterprise Risk Management - Integrating with Strategy and Performance, a complementary publication was also published, titled COSO Enterprise Risk Management - Integrating with Strategy and Performance: Compendium of Examples. This publication sets out several illustrative examples of how organizations of different types, sizes, industries, and geographies might apply the principles from the framework to day-to-day practice. Collectively, the examples covered in the compendium relate to each of the five core components and 20 underlying principles set out in the framework. The authors of the compendium developed the examples by identifying industry practices through interviews, case studies, and research.
5. NIST Cybersecurity Risk Management Framework 2.0
The NIST Cybersecurity Framework is one of the most widely adopted cybersecurity frameworks, guiding organizations in risk response and mitigation strategies. The National Institute of Standards and Technology Cybersecurity Framework 2.0 (CSF 2.0) is designed to help organizations of all sizes and across all sectors manage and reduce their cybersecurity risks – no matter the maturity level or technical sophistication of the organization’s cybersecurity program. According to NIST, the CSF “describes desired outcomes that are intended to be understood by a broad audience, including executives, managers, and practitioners, regardless of their cybersecurity expertise.”
To provide each organization the flexibility to address its own unique cybersecurity risks, risk appetite, and maturity level, the CSF intentionally “does not prescribe how outcomes should be achieved.” Instead, it directs users to other NIST online resources, including its series of CSF 2.0 Quick Start Guides, that provide additional guidance on practices and controls that could be used to achieve those outcomes.
7. ISO/IEC 42001 Risk Management Framework
Another AI risk management framework is ISO/IEC 42001, an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an AI Management System (AIMS) within organizations. ISO/IEC 42001 defines an AIMS as “a set of interrelated or interacting elements of an organization intended to establish policies and objectives, as well as processes to achieve those objectives, in relation to the responsible development, provision or use of AI systems.”
ISO/IEC 42001 is intended to be used by organizations, including non-profits, of all sizes involved in developing, providing, or using AI-based products or services, ensuring responsible development and use of AI systems. It is also intended to be relevant to both the private and public sector and apply across all industries. Designed to cover the various aspects of AI and the different applications an organization may be running, it provides an integrated approach to managing AI projects – from risk assessments to the effective treatment of AI risks.
Final thoughts
Thoughtful, comprehensive and forward-thinking risk management frameworks are an essential practice for organizations of all sizes, industries and geographies. By combining traditional enterprise risk management frameworks with modern cybersecurity and AI governance frameworks, organizations can strengthen compliance and build resiliency in a rapidly evolving risk landscape. Ready to learn more about how NAVEX can support and automate risk and compliance at your organization? Find out more below.

Frequently asked questions on risk management frameworks, answered.
What is the purpose of a risk management framework?
A risk management framework (RMF) is a structured approach that guides an organization in identifying, evaluating and mitigating risks. Its primary purpose is to help companies make informed decisions, protect their assets and achieve strategic objectives by systematically managing uncertainties. By providing a clear process, an RMF enables organizations to build a resilient and prepared culture.
Which risk management frameworks are most widely used?
While many risk management frameworks exist, some of the most widely used include the aforementioned ISO 31000, FAIR, NIST, and COSO. ISO 31000 provides general guidelines for risk management, while the National Institute of Standards and Technology (NIST) framework is widely adopted by U.S. government agencies and their partners, and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) focuses on enterprise risk management.
How do risk management frameworks support compliance and governance?
Risk management frameworks are a critical component of strong governance, risk and compliance (GRC) programs. They provide a clear structure for identifying regulatory requirements and ethical obligations, ensuring organizations operate within legal boundaries. By integrating a framework, companies can proactively manage risks, demonstrate accountability and build a culture of integrity.
Which frameworks address AI and cybersecurity risks?
NIST frameworks are frequently used to address emerging risks in AI and cybersecurity. For instance, the NIST Cybersecurity Framework (CSF) provides guidance on managing cybersecurity risks, and the newly released NIST AI Risk Management Framework (AI RMF 1.0) is designed to help organizations manage the specific risks associated with artificial intelligence. These specialized frameworks help businesses stay ahead of evolving threats in a rapidly changing technological landscape.