DZ
Uploaded byDaniel Kapellmann Zafra
13,018 views

Risk Management Frameworks

The document compares three major risk management frameworks: NIST, ISO, and COSO. NIST focuses on information security and risk management for US federal systems. ISO provides generic international guidelines for diverse organizations. COSO emphasizes internal controls and accurate reporting. While the frameworks differ in scope and focus, they all aim to guide organizations in managing risks through integrated strategies. Organizations should analyze features of each to determine the best combination for their unique needs and objectives.

Embed presentation

Downloaded 325 times
Daniel Kapellmann Zafra University of Washington Assignment #1 Risk Management Frameworks: A Comparison between NIST, ISO and COSO
Introduction Organizations operating in today’s digital economy depend each day more and more on technology for managing their information assets in order to achieve their main goals and objectives. For this reason, it is important for companies to develop integral plans and strategies that enable them to know the threats they face and manage risks efficiently thus promoting a more secure information environment. Information Risk Management refers to the integral and ongoing process that involves an entire entity on the identification, analysis and response to external or internal factors that can damage its main information assets (Elky, 2007, pp. 1-2). It consists on the continuous security framing, assessment and evaluation of risks followed by risk control actions to address impacts on a company´s performance and the follow-up actions to monitor success and define next steps. (Vladimirov, et al., 2010, p.264) Even though risk management does not seem to have an evident repercussion on an organization’s overall performance, it certainly generates numerous benefits. Efficient risk management programs allow organizations to better allocate resources, enhance decision-making, support business continuity, affect the likelihood of materializing risks, increase operational efficiency, promote accurate financial reporting, generate better reputation and comply with regulation, among other things. (AIRMIC, Alarm, IRM, 2010) The increasing importance of dealing with informational risks nowadays has led to the development of different frameworks and methodologies that provide guidance for securing information assets. Some of the most commonly used frameworks include the NIST Risk Management Framework, the ISO 31000 series, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Risk Management Framework, the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) and the Security Risk Management Discipline (SRMD). In the next sections of this paper three of the most well recognized risk management frameworks will be presented and compared. Organizations may use these frameworks as guidance, but must ultimately combine features from different methodologies to tailor their own risk management strategies based on their culture, values, budget, nature, missions and objectives. NIST Cybersecurity and Risk Management Framework The National Institute of Standards and Technology (NIST) Risk Management Framework is designed to comply with the USA Federal Information Security Management Act (FISMA) and attempts to provide information security guidance for federal systems. It seeks to protect individuals, operations and assets relevant for the business objectives and mission of an organization. (Computer Security Division) This framework offers a holistic approach that integrates risk management guidance, cybersecurity guidelines and compliance with federal regulations while offering abundant freely available information. (CESG, 2015) Even though it is designed particularly for public institutions, the framework may be adjustable for business entities within the USA. The NIST approach is contained within a series of special publications that deal with different aspects of risk management and their application. Particularly four documents are relevant for this paper: NIST SP 800-30, 800-37, 800-39 and 800-53.
In the first place, the NIST SP 800-39 defines how information security risk management must be managed within the three tiers of an institution, which are the organization, mission/business processes and information systems. The implicated process mostly deals with framing the risk, assessing, responding and monitoring without establishing a particular order for the process. (NIST, 2011, pp. 9-32) To address risk assessment methodologies, the NIST SP 800-30 document provides further support. This publication explains how to prepare, conduct, constantly communicate and maintain an assessment. The main exercise is subdivided in five actions which start with the identification of threat sources, identification of vulnerabilities, determination of likelihood, impact calculation and definition of the risk. (NIST, 2012, pp.32-35) NIST Risk Assessment Model Source: NIST SP 800-30 Guide for Conducting Risk Assessments Finally, the NIST SP-37 and NIST SP-53 explain the process that must be followed for implementing the Risk Management Framework and Security Controls throughout the System Development Life Cycle in federal information systems. The process consists in six steps that are categorizing systems and managed information, selecting a security baseline, implementing security controls, assessing controls and their performance, authorizing information systems operation once risks are acceptable and monitoring the security controls on a continuous basis. (NIST, 2010, pp. 7-9) ISO 31000 Risk Management Framework The ISO 31000 Risk Management Framework was published in 2009 by the International Organization for Standardization. This document contains principles and generic guidelines for risk management in the public, private and community sectors. (ISO 31000, 2009) Further details are provided by three main additional tools: an implementation guide (ISO/TR 31004:2013), vocabulary compilation (ISO 73:2009) and risk assessment techniques (ISO/IEC 31010:2009). What is mostly relevant from this framework besides from its international recognition is the fact that it offers a generic approach that is not specific for any industry or sector and does not seek to generate
uniformity in risk management. It can be applied to a diverse set of activities within organizations, including strategies, decisions, operations, functions, services and assets, among others. Furthermore, it is adaptable to any nature of risks and also contemplates opportunities or positive events. (ISO 31000, 2009) The main ISO architecture scheme for managing risks is represented by the following diagram: Risk Management Principles, Framework and Process Source: ISO 31000 Risk Management Framework The ISO Risk Management Framework is implemented, monitored and continuously improved based on a set of principles that include value creation, decision making, systematization, transparency and dynamism, among other things. Finally, the ISO/IEC 31010:2009 document explains the risk management process, which consists on establishing the context, risk assessment and implementing treatments. This happens simultaneously with two feedback mechanisms, which are communication/consulting and monitoring/review. It is important to notice that the process does not include reporting or disclosure steps, and that feedback mechanisms exclude monitoring risk performance as well as framework review. (AIRMIC, Alarm, IRM, 2010) COSO Risk Management Framework The Committee of Sponsoring Organizations of the Treadway Commission was created in 1985 under the sponsorship of five major financial and accounting US organizations. The group is specialized in developing guidelines related to three main areas: enterprise risk management, internal control and fraud deterrence. (COSO) For the objective of this paper, two main documents will be addressed: the Enterprise Risk Management (ERM) and the Internal Controls Integrated Frameworks. Both of these frameworks are designed to interrelate in such a way that they promote better risk management guidance through the incorporation of internal controls as a main strategy for mitigating risks, adapting to a changing business environment and accomplishing an organization’s objectives. (COSO, 2013)
The combination of these frameworks allows an organization to manage uncertainty and enhance its performance by strengthening the internal processes and governance. It helps to align risk appetite with business strategies, enhance the decision making process, reduce operational losses, identify and manage risks, seize opportunities and improve the deployment of capital. (COSO, 2004) All of this, bearing in mind the main objectives of the institution for preserving value among the stakeholders. The COSO Framework recognizes three main concepts worth noticing: objectives, components and organizational structure. In order to achieve effective risk management and internal controls, three main objectives must be achieved by following a set of guidelines or principles related to each of the six main components. (COSO, 2013) COSO Framework Model Source: COSO Internal Control – Integrated Framework Executive Summary The entire process must be accomplished within all the levels of the organizational structure, incorporating entity level (institutional), division, operating unit and function. This provides a general overview about the importance of engaging the entire company on risk management despite of requiring clear roles and accountability among directives. Selecting a Framework for Your Organization The three risk management frameworks studied in this paper share the common goal of guiding organizations for managing risks through the integration of overall strategies that run over all the levels of an institution. Nevertheless, there are several differences between each of these approaches. They offer a diverse set of positive and negative features that may be combined in order to attain an organization’s needs. The first relevant contrasts between them are the area of validation and their main target. While the NIST Risk Management Framework is mostly validated in the USA and focused on federal institutions, ISO 31000 –and its supporting documents- have international recognition and may be adapted for its use in
the public, private and community domains. COSO is mostly accepted within the USA and targets private organizations. Frameworks Comparison Source: Created based on information from the official webpages of NIST, ISO and COSO In terms of their main focus, the NIST Framework is the only one of the three directly specialized on the assurance of information assets and cybersecurity, adopting a defensive approach that results strongly convenient for relevant government institutions. Besides, the framework offers abundant freely available information for supporting both public and private institutions in developing risk management strategies. It is important to remember that this approach is substantially robust in terms of information systems protection and that it is also useful for complying with FISMA regulation under the validation of the US government. Differently, ISO offers generic guidelines for risk management in a wide range of activities within the industry and with the absence of adequate monitoring considerations. COSO is mostly specialized in internal controls and accurate reporting as mechanisms for mitigating risks. The COSO framework ensures transparency and adequate control over the processes of both big and small companies, adopting a stakeholder oriented approach that bears in mind the creation of value for a firm. As proven by the former descriptions and comparisons, risk management is not a simple one way process. Organizations may find guidance from these frameworks, but must carefully analyze which ones work best for their particular cases based on their structure, values and main objectives. It is also important to remember that the threats being faced by organizations are dynamic, thus making it necessary for these frameworks to suffer continuous modifications for adaptation purposes. Framework Organization Validation Orientation Relevant Publications Focus Overall Strategy NIST Special Publication 800-30 Guide for Conducting Risk Assessments NIST Special Publication 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security NIST Special Publication 800-39 Managing Information Security Risk Organization, Mission, and Information System View NIST Special Publication 800-53 and 53A Recommended Security Controls for Federal Information Systems and Organizations, and Guide for Applying Security Controls ISO 31000:2009 Risk Management Principles and Guidelines ISO Guide 73:2009 Risk Management Vocabulary ISO/TR 31004:2013 Guidance for Implementation of ISO 31000 ISO/ IEC 31010:2009 Risk Assessment Techniques Internal Control — Integrated Framework 2013 Fraudulent Financial Reporting: 1998-2007 2004 Enterprise Risk Management - Integrated Framework (next version in process) National Institute of Standards and Technology NIST Generic guidelines for Risk Management in a diverse set of activities from the industry Framework design based on risk management principles. Process consistent on context review, risk assessment and treatment. Includes feedback mechanisms Information Security and Risk Management Achieved by separating in different processes. The Assessment consists on preparation, conduction, communication and maintenance. Information Risk Management, Assessment, Monitoring and Cybersecurity Government (possible adaptation for industry) USA ISO International Organization for Standardization International Public, private and community organizations COSO Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management, Internal Controls and Financial Fraud Deterrence Aligns objectives, components (with principles or guidelines) and organizational structure USA
References: AIRMIC, Alarm, IRM. (2010). A Structured Approach to Enterprise Risk Management (ERM) and the Requirements of ISO 31000. Available in: https://www.theirm.org/media/886062/ISO3100_doc.pdf Committee of Sponsoring Organizations Treadway Commission. About Us. Available in: http://www.coso.org/aboutus.htm Committee of Sponsoring Organizations Treadway Commission. (2004). Enterprise Risk Management – Integrated Framework. Available in: http://www.coso.org/documents/coso_erm_executivesummary.pdf Committee of Sponsoring Organizations Treadway Commission. (2013). Internal Control – Integrated Framework. Available in: http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf Computer Security Division. Risk Management Framework (RMF) Overview, National Institute for Standards and Technology. Available in: http://csrc.nist.gov/groups/SMA/fisma/framework.html Elky, Steve. (2007). An Introduction to Information System Risk Management, SANS Institute. Available in: https://www.sans.org/reading-room/whitepapers/auditing/introduction-information-system-risk- management-1204 International Organization of Standardization. (2009). ISO 31000:2009 Risk Management – Principles and guidelines. Available in: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43170 National Institute for Standards and Technology. (2010). Guide for Applying the Risk Management Framework to Federal Information Systems. Available in: http://csrc.nist.gov/publications/nistpubs/800- 37-rev1/sp800-37-rev1-final.pdf National Institute for Standards and Technology. (2011). Managing Information Security Risk. Available in: http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf National Institute for Standards and Technology. (2012). Guide for Conducting Risk Assessments. Available in: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf National Technical Authority for Information Assurance (CESG). (2015). Analysis of information risk management methodologies, March 2015. Available in: https://www.gov.uk/guidance/analysis-of- information-risk-management-methodologies Vladimirov A, et al. (2010). Assessing Information Security, IT Governance Publishing. Accessed via Jstor, available in: http://www.jstor.org/stable/j.ctt5hh6v9.11

More Related Content

PDF
Enterprise Risk Management (ERM) Framework 2020
byRichard Swartzbaugh
 
PPTX
Risk Management ERM Presentation
byalygale
 
PDF
Iso 31000 Risk management Principles and guidelines
byMohsen Gharakhani
 
PPT
Coso Erm(2)
bydeeptica
 
PDF
How to Build an Enterprise Risk Management Framework
byColleen Beck-Domanico
 
PPTX
GRI ERM Roadmap - Program Overview
byDenise Robinson
 
PPTX
Business continuity management per ISO 22301 - a certification training cour...
byMart Rovers
 
PDF
08 enterprise risk management telkom 2011 risk profile
bywisnu wardhana, i nyoman
 
Enterprise Risk Management (ERM) Framework 2020
byRichard Swartzbaugh
 
Risk Management ERM Presentation
byalygale
 
Iso 31000 Risk management Principles and guidelines
byMohsen Gharakhani
 
Coso Erm(2)
bydeeptica
 
How to Build an Enterprise Risk Management Framework
byColleen Beck-Domanico
 
GRI ERM Roadmap - Program Overview
byDenise Robinson
 
Business continuity management per ISO 22301 - a certification training cour...
byMart Rovers
 
08 enterprise risk management telkom 2011 risk profile
bywisnu wardhana, i nyoman
 

What's hot

PPTX
DSS RMF Training.pptx
byMuhammad Mazhar
 
PPTX
Konsep Fundamental ISO 22301_BCMS & Crisis Management _ Materi Training BCMS...
byKanaidi ken
 
PPTX
Palestra sobre Gestão de Continuidade de Negócios
byGLM Consultoria
 
PPTX
Implementing Enterprise Risk Management with ISO 31000:2009
byGoutama Bachtiar
 
PDF
ISO 22301:2019 BCMS Awareness
byAli Fuad R
 
DOCX
Risk Matrix.docx
byShivani54174
 
PDF
COSO ERM 2017
byJorge A. Gomez P.
 
PDF
ERP Finance Module
bySean Badiru
 
PDF
A structured approach to Enterprise Risk Management (ERM) and the requirement...
byHassan Zaitoun
 
PDF
ERM-Enterprise Risk Management
byJorge Vaz Girão , CISA, PMP, PMDPro I, ERMCP
 
PDF
Enterprise Risk Management Framework
byNigel Tebbutt
 
PDF
Data Protection & Resilience in Focus.pdf
byAmyPoblete3
 
PDF
HR Standards & metrics driving good governance, slides by Marius Meyer, CEO o...
bySABPP
 
PDF
Enterprise Risk Management (ERM); From theory to practice
bySegun Ogunwale
 
PPTX
Integrating Strategy and Risk Management
byAndrew Smart
 
PDF
Introduction to Business Continuity Management
byProf. David E. Alexander (UCL)
 
PPTX
New ISO 20000-1:2018 Changes, Implementation Steps
byIntegration Technologies Group Inc
 
PDF
Demo of ISO 37001:2016 documentation kit
byGlobal Manager Group
 
PDF
Proposal for rolls royce to adapt an erp system
byKunal Chadha
 
PPTX
ISO 31000 risk management process
byMuizz Anibire
 
DSS RMF Training.pptx
byMuhammad Mazhar
 
Konsep Fundamental ISO 22301_BCMS & Crisis Management _ Materi Training BCMS...
byKanaidi ken
 
Palestra sobre Gestão de Continuidade de Negócios
byGLM Consultoria
 
Implementing Enterprise Risk Management with ISO 31000:2009
byGoutama Bachtiar
 
ISO 22301:2019 BCMS Awareness
byAli Fuad R
 
Risk Matrix.docx
byShivani54174
 
COSO ERM 2017
byJorge A. Gomez P.
 
ERP Finance Module
bySean Badiru
 
A structured approach to Enterprise Risk Management (ERM) and the requirement...
byHassan Zaitoun
 
ERM-Enterprise Risk Management
byJorge Vaz Girão , CISA, PMP, PMDPro I, ERMCP
 
Enterprise Risk Management Framework
byNigel Tebbutt
 
Data Protection & Resilience in Focus.pdf
byAmyPoblete3
 
HR Standards & metrics driving good governance, slides by Marius Meyer, CEO o...
bySABPP
 
Enterprise Risk Management (ERM); From theory to practice
bySegun Ogunwale
 
Integrating Strategy and Risk Management
byAndrew Smart
 
Introduction to Business Continuity Management
byProf. David E. Alexander (UCL)
 
New ISO 20000-1:2018 Changes, Implementation Steps
byIntegration Technologies Group Inc
 
Demo of ISO 37001:2016 documentation kit
byGlobal Manager Group
 
Proposal for rolls royce to adapt an erp system
byKunal Chadha
 
ISO 31000 risk management process
byMuizz Anibire
 

Similar to Risk Management Frameworks

PDF
Module 2 - Approaches to Risk Management.pdf
bymarjondimafilis
 
DOCX
CHAPTER 5Risk Response and MitigationIn this chapter, you will
byJinElias52
 
DOCX
CHAPTER 5Risk Response and MitigationIn this chapter, you will.docx
byAbhinav816839
 
DOCX
AbstractKey FeaturesAssessmentIntroductionMeasur.docx
byransayo
 
PDF
Theoretical framework for Risk management monitoring, review and improvement ...
byMarcelo Horacio Fortino
 
PPTX
CISM_WK_1.pptx
bydotco
 
PDF
Enterprise risk management
bykris489049
 
PPTX
Risk Management Strategy (RMF v2)
byAmy Nicewick, CISSP, CCSP, CEH
 
PPT
IT Policy, RISK MANAGEMENT
byUniversity of Basrah
 
PDF
Risk management erm
byAlberto Garcia Romera
 
PDF
12-RISK-MANAGEMENT-PROCEDURES-METHODS-AND-EXPERIENCES-RTA_2_2010-09.pdf
byGabayo
 
PDF
Risk Management and Trust
byGerson Borges, MSc, CPP
 
PDF
Sensible defence
byKoen Maris
 
PDF
Dr.M.Florence Dayana - Risk Management.pdf
byDr.Florence Dayana
 
PDF
Risk management standard_030820
byสปสช นครสวรรค์
 
PDF
Risk management standard
byLuis Vitiritti
 
PDF
Risk management standard_030820
byVijay Kejriwal
 
PDF
Risk management standard_030820
byminhaj52
 
PDF
Risk management standard_030820
byTim Smith
 
PPT
Risk Management 101
byBarry Caplin
 
Module 2 - Approaches to Risk Management.pdf
bymarjondimafilis
 
CHAPTER 5Risk Response and MitigationIn this chapter, you will
byJinElias52
 
CHAPTER 5Risk Response and MitigationIn this chapter, you will.docx
byAbhinav816839
 
AbstractKey FeaturesAssessmentIntroductionMeasur.docx
byransayo
 
Theoretical framework for Risk management monitoring, review and improvement ...
byMarcelo Horacio Fortino
 
CISM_WK_1.pptx
bydotco
 
Enterprise risk management
bykris489049
 
Risk Management Strategy (RMF v2)
byAmy Nicewick, CISSP, CCSP, CEH
 
IT Policy, RISK MANAGEMENT
byUniversity of Basrah
 
Risk management erm
byAlberto Garcia Romera
 
12-RISK-MANAGEMENT-PROCEDURES-METHODS-AND-EXPERIENCES-RTA_2_2010-09.pdf
byGabayo
 
Risk Management and Trust
byGerson Borges, MSc, CPP
 
Sensible defence
byKoen Maris
 
Dr.M.Florence Dayana - Risk Management.pdf
byDr.Florence Dayana
 
Risk management standard_030820
byสปสช นครสวรรค์
 
Risk management standard
byLuis Vitiritti
 
Risk management standard_030820
byVijay Kejriwal
 
Risk management standard_030820
byminhaj52
 
Risk management standard_030820
byTim Smith
 
Risk Management 101
byBarry Caplin
 

Risk Management Frameworks

  • 1.
    Daniel Kapellmann Zafra Universityof Washington Assignment #1 Risk Management Frameworks: A Comparison between NIST, ISO and COSO
  • 2.
    Introduction Organizations operating intoday’s digital economy depend each day more and more on technology for managing their information assets in order to achieve their main goals and objectives. For this reason, it is important for companies to develop integral plans and strategies that enable them to know the threats they face and manage risks efficiently thus promoting a more secure information environment. Information Risk Management refers to the integral and ongoing process that involves an entire entity on the identification, analysis and response to external or internal factors that can damage its main information assets (Elky, 2007, pp. 1-2). It consists on the continuous security framing, assessment and evaluation of risks followed by risk control actions to address impacts on a company´s performance and the follow-up actions to monitor success and define next steps. (Vladimirov, et al., 2010, p.264) Even though risk management does not seem to have an evident repercussion on an organization’s overall performance, it certainly generates numerous benefits. Efficient risk management programs allow organizations to better allocate resources, enhance decision-making, support business continuity, affect the likelihood of materializing risks, increase operational efficiency, promote accurate financial reporting, generate better reputation and comply with regulation, among other things. (AIRMIC, Alarm, IRM, 2010) The increasing importance of dealing with informational risks nowadays has led to the development of different frameworks and methodologies that provide guidance for securing information assets. Some of the most commonly used frameworks include the NIST Risk Management Framework, the ISO 31000 series, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Risk Management Framework, the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) and the Security Risk Management Discipline (SRMD). In the next sections of this paper three of the most well recognized risk management frameworks will be presented and compared. Organizations may use these frameworks as guidance, but must ultimately combine features from different methodologies to tailor their own risk management strategies based on their culture, values, budget, nature, missions and objectives. NIST Cybersecurity and Risk Management Framework The National Institute of Standards and Technology (NIST) Risk Management Framework is designed to comply with the USA Federal Information Security Management Act (FISMA) and attempts to provide information security guidance for federal systems. It seeks to protect individuals, operations and assets relevant for the business objectives and mission of an organization. (Computer Security Division) This framework offers a holistic approach that integrates risk management guidance, cybersecurity guidelines and compliance with federal regulations while offering abundant freely available information. (CESG, 2015) Even though it is designed particularly for public institutions, the framework may be adjustable for business entities within the USA. The NIST approach is contained within a series of special publications that deal with different aspects of risk management and their application. Particularly four documents are relevant for this paper: NIST SP 800-30, 800-37, 800-39 and 800-53.
  • 3.
    In the firstplace, the NIST SP 800-39 defines how information security risk management must be managed within the three tiers of an institution, which are the organization, mission/business processes and information systems. The implicated process mostly deals with framing the risk, assessing, responding and monitoring without establishing a particular order for the process. (NIST, 2011, pp. 9-32) To address risk assessment methodologies, the NIST SP 800-30 document provides further support. This publication explains how to prepare, conduct, constantly communicate and maintain an assessment. The main exercise is subdivided in five actions which start with the identification of threat sources, identification of vulnerabilities, determination of likelihood, impact calculation and definition of the risk. (NIST, 2012, pp.32-35) NIST Risk Assessment Model Source: NIST SP 800-30 Guide for Conducting Risk Assessments Finally, the NIST SP-37 and NIST SP-53 explain the process that must be followed for implementing the Risk Management Framework and Security Controls throughout the System Development Life Cycle in federal information systems. The process consists in six steps that are categorizing systems and managed information, selecting a security baseline, implementing security controls, assessing controls and their performance, authorizing information systems operation once risks are acceptable and monitoring the security controls on a continuous basis. (NIST, 2010, pp. 7-9) ISO 31000 Risk Management Framework The ISO 31000 Risk Management Framework was published in 2009 by the International Organization for Standardization. This document contains principles and generic guidelines for risk management in the public, private and community sectors. (ISO 31000, 2009) Further details are provided by three main additional tools: an implementation guide (ISO/TR 31004:2013), vocabulary compilation (ISO 73:2009) and risk assessment techniques (ISO/IEC 31010:2009). What is mostly relevant from this framework besides from its international recognition is the fact that it offers a generic approach that is not specific for any industry or sector and does not seek to generate
  • 4.
    uniformity in riskmanagement. It can be applied to a diverse set of activities within organizations, including strategies, decisions, operations, functions, services and assets, among others. Furthermore, it is adaptable to any nature of risks and also contemplates opportunities or positive events. (ISO 31000, 2009) The main ISO architecture scheme for managing risks is represented by the following diagram: Risk Management Principles, Framework and Process Source: ISO 31000 Risk Management Framework The ISO Risk Management Framework is implemented, monitored and continuously improved based on a set of principles that include value creation, decision making, systematization, transparency and dynamism, among other things. Finally, the ISO/IEC 31010:2009 document explains the risk management process, which consists on establishing the context, risk assessment and implementing treatments. This happens simultaneously with two feedback mechanisms, which are communication/consulting and monitoring/review. It is important to notice that the process does not include reporting or disclosure steps, and that feedback mechanisms exclude monitoring risk performance as well as framework review. (AIRMIC, Alarm, IRM, 2010) COSO Risk Management Framework The Committee of Sponsoring Organizations of the Treadway Commission was created in 1985 under the sponsorship of five major financial and accounting US organizations. The group is specialized in developing guidelines related to three main areas: enterprise risk management, internal control and fraud deterrence. (COSO) For the objective of this paper, two main documents will be addressed: the Enterprise Risk Management (ERM) and the Internal Controls Integrated Frameworks. Both of these frameworks are designed to interrelate in such a way that they promote better risk management guidance through the incorporation of internal controls as a main strategy for mitigating risks, adapting to a changing business environment and accomplishing an organization’s objectives. (COSO, 2013)
  • 5.
    The combination ofthese frameworks allows an organization to manage uncertainty and enhance its performance by strengthening the internal processes and governance. It helps to align risk appetite with business strategies, enhance the decision making process, reduce operational losses, identify and manage risks, seize opportunities and improve the deployment of capital. (COSO, 2004) All of this, bearing in mind the main objectives of the institution for preserving value among the stakeholders. The COSO Framework recognizes three main concepts worth noticing: objectives, components and organizational structure. In order to achieve effective risk management and internal controls, three main objectives must be achieved by following a set of guidelines or principles related to each of the six main components. (COSO, 2013) COSO Framework Model Source: COSO Internal Control – Integrated Framework Executive Summary The entire process must be accomplished within all the levels of the organizational structure, incorporating entity level (institutional), division, operating unit and function. This provides a general overview about the importance of engaging the entire company on risk management despite of requiring clear roles and accountability among directives. Selecting a Framework for Your Organization The three risk management frameworks studied in this paper share the common goal of guiding organizations for managing risks through the integration of overall strategies that run over all the levels of an institution. Nevertheless, there are several differences between each of these approaches. They offer a diverse set of positive and negative features that may be combined in order to attain an organization’s needs. The first relevant contrasts between them are the area of validation and their main target. While the NIST Risk Management Framework is mostly validated in the USA and focused on federal institutions, ISO 31000 –and its supporting documents- have international recognition and may be adapted for its use in
  • 6.
    the public, privateand community domains. COSO is mostly accepted within the USA and targets private organizations. Frameworks Comparison Source: Created based on information from the official webpages of NIST, ISO and COSO In terms of their main focus, the NIST Framework is the only one of the three directly specialized on the assurance of information assets and cybersecurity, adopting a defensive approach that results strongly convenient for relevant government institutions. Besides, the framework offers abundant freely available information for supporting both public and private institutions in developing risk management strategies. It is important to remember that this approach is substantially robust in terms of information systems protection and that it is also useful for complying with FISMA regulation under the validation of the US government. Differently, ISO offers generic guidelines for risk management in a wide range of activities within the industry and with the absence of adequate monitoring considerations. COSO is mostly specialized in internal controls and accurate reporting as mechanisms for mitigating risks. The COSO framework ensures transparency and adequate control over the processes of both big and small companies, adopting a stakeholder oriented approach that bears in mind the creation of value for a firm. As proven by the former descriptions and comparisons, risk management is not a simple one way process. Organizations may find guidance from these frameworks, but must carefully analyze which ones work best for their particular cases based on their structure, values and main objectives. It is also important to remember that the threats being faced by organizations are dynamic, thus making it necessary for these frameworks to suffer continuous modifications for adaptation purposes. Framework Organization Validation Orientation Relevant Publications Focus Overall Strategy NIST Special Publication 800-30 Guide for Conducting Risk Assessments NIST Special Publication 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security NIST Special Publication 800-39 Managing Information Security Risk Organization, Mission, and Information System View NIST Special Publication 800-53 and 53A Recommended Security Controls for Federal Information Systems and Organizations, and Guide for Applying Security Controls ISO 31000:2009 Risk Management Principles and Guidelines ISO Guide 73:2009 Risk Management Vocabulary ISO/TR 31004:2013 Guidance for Implementation of ISO 31000 ISO/ IEC 31010:2009 Risk Assessment Techniques Internal Control — Integrated Framework 2013 Fraudulent Financial Reporting: 1998-2007 2004 Enterprise Risk Management - Integrated Framework (next version in process) National Institute of Standards and Technology NIST Generic guidelines for Risk Management in a diverse set of activities from the industry Framework design based on risk management principles. Process consistent on context review, risk assessment and treatment. Includes feedback mechanisms Information Security and Risk Management Achieved by separating in different processes. The Assessment consists on preparation, conduction, communication and maintenance. Information Risk Management, Assessment, Monitoring and Cybersecurity Government (possible adaptation for industry) USA ISO International Organization for Standardization International Public, private and community organizations COSO Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management, Internal Controls and Financial Fraud Deterrence Aligns objectives, components (with principles or guidelines) and organizational structure USA
  • 7.
    References: AIRMIC, Alarm, IRM.(2010). A Structured Approach to Enterprise Risk Management (ERM) and the Requirements of ISO 31000. Available in: https://www.theirm.org/media/886062/ISO3100_doc.pdf Committee of Sponsoring Organizations Treadway Commission. About Us. Available in: http://www.coso.org/aboutus.htm Committee of Sponsoring Organizations Treadway Commission. (2004). Enterprise Risk Management – Integrated Framework. Available in: http://www.coso.org/documents/coso_erm_executivesummary.pdf Committee of Sponsoring Organizations Treadway Commission. (2013). Internal Control – Integrated Framework. Available in: http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf Computer Security Division. Risk Management Framework (RMF) Overview, National Institute for Standards and Technology. Available in: http://csrc.nist.gov/groups/SMA/fisma/framework.html Elky, Steve. (2007). An Introduction to Information System Risk Management, SANS Institute. Available in: https://www.sans.org/reading-room/whitepapers/auditing/introduction-information-system-risk- management-1204 International Organization of Standardization. (2009). ISO 31000:2009 Risk Management – Principles and guidelines. Available in: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43170 National Institute for Standards and Technology. (2010). Guide for Applying the Risk Management Framework to Federal Information Systems. Available in: http://csrc.nist.gov/publications/nistpubs/800- 37-rev1/sp800-37-rev1-final.pdf National Institute for Standards and Technology. (2011). Managing Information Security Risk. Available in: http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf National Institute for Standards and Technology. (2012). Guide for Conducting Risk Assessments. Available in: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf National Technical Authority for Information Assurance (CESG). (2015). Analysis of information risk management methodologies, March 2015. Available in: https://www.gov.uk/guidance/analysis-of- information-risk-management-methodologies Vladimirov A, et al. (2010). Assessing Information Security, IT Governance Publishing. Accessed via Jstor, available in: http://www.jstor.org/stable/j.ctt5hh6v9.11