Project 3: Business Continuity

Start Here

In the process of enterprise risk management, a primary element is the business continuity plan (BCP), which consists of steps to continue operations should a

Learning Topic

Risk Management Framework

ISACA Risk IT describes a risk management framework as one that treats risk holistically across the organization, and explains that IT risk and the organization's overall risk affect each other concurrently (ISACA, 2009).

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), enterprise risk management is defined as “a process … applied … across the enterprise, designed to identify potential events ... and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO, 2004). The COSO framework is used by risk executives to manage enterprise risks.

Risk is identified as:

  • the risk of not realizing a benefit from IT

  • the risk of not delivering on IT programs

  • the risk of not providing intended services with IT

What’s important is that the definition of a risk management framework is largely consistent across four organizations concerned with standardization: ISACA, COSO, ISO (International Organization for Standardization), and NIST (National Institute of Standards and Technology). The differences that remain reflect each organization's intended audience and emphasis. The guidance to system security engineers is to recognize requirements, clarify responsibilities, and work as a team to identify and mitigate risk holistically and continuously across the organization.

Under this framework, risks are evaluated together with benefits, giving a more complete basis for strategic decisions. Otherwise, the ISACA model is similar to the NIST risk management model in NIST Special Publication 800-39, Managing Information Security Risk. The ISACA risk model (2009) stresses connectivity to the business model (framing), risk governance (leadership involvement), evaluation (assessment) and response, and prescribes communication (cross-organization teams) and continuous assessment (monitoring).

ISACA framework definitions are consistent with ISO 31000 definitions. ISO 31000:2009, “A Practical Guide for SMEs (small- and medium-sized enterprises),” features a process cycle similar to NIST guidance, consisting of planning (frame and assess), implementing (respond) and monitoring (monitor), but adds an important continuous improvement prescription: the plan and the process are to be improved in response to a changing environment.

ISO Guide 73:2009 is a definitions standard that contains a definition of risk management. Like all ISO standards, it is available for purchase. Nonetheless, the freely available online ISO 31000:2009 defines risk as a combination of the consequences of an uncertain event (including changes in circumstances) and the associated uncertain likelihood of occurrence.

Importantly, “Risk in ISO 31000:2009 is neutral; the consequences associated with a risk can enhance the achievement of objectives (i.e. positive consequences) or can limit or diminish the achievement of objectives (i.e. negative consequences)” (ISO/ITC, 2009). This interpretation is different from that of the NIST special publications.

References

Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2014). Enterprise risk management -- integrated framework. Executive summary. https://www.coso.org/Documents/COSO-ERM-Executive-Summary.pdf

ISACA. (2009). The risk IT framework. https://www.isaca.org/Knowledge-Center/Research/Documents/Risk-IT-Framework-Excerpt_fmk_Eng_0109.pdf

ISO/ITC. (2009). ISO 31000:2009: A practical guide for SMEs. http://www.iso.org/iso/iso_31000_for_smes.pdf