Risk Assessment and Management

Common Risk Management Frameworks

Why This Matters

Risk management frameworks aren't just bureaucratic checklists—they're the blueprints organizations use to systematically identify, evaluate, and respond to threats before they become crises. On exams, you're being tested on your ability to distinguish when and why different frameworks apply: Is this a federal IT system requiring compliance? A project with defined timelines? An enterprise seeking to quantify financial exposure? The framework choice reveals the organization's priorities and constraints.

Understanding these frameworks means grasping their underlying philosophies: qualitative vs. quantitative analysis, enterprise-wide vs. domain-specific scope, compliance-driven vs. performance-driven goals. Don't just memorize acronyms—know what problem each framework solves and how its approach differs from alternatives. When an FRQ asks you to recommend a framework for a specific scenario, you need to match the organization's context to the right tool.


Universal Enterprise Frameworks

These frameworks provide organization-wide guidance applicable across industries and sectors. They establish foundational principles rather than prescriptive checklists, making them adaptable to virtually any context.

ISO 31000

  • Internationally recognized standard that provides principles and guidelines applicable to any organization regardless of size, industry, or sector
  • Integration-focused approach—emphasizes embedding risk management into governance, strategy, planning, and operational processes rather than treating it as a standalone activity
  • Continuous improvement cycle promotes building a risk-aware culture where risk management evolves with organizational changes

COSO ERM Framework

  • Strategy-aligned risk management that connects risk appetite directly to organizational objectives and performance metrics
  • Holistic enterprise view—examines risk across all business units, functions, and levels including governance, compliance, and operations
  • Five interrelated components: governance and culture, strategy and objective-setting, performance, review and revision, and information and communication

AS/NZS 4360

  • Pioneer standard that served as the foundation for ISO 31000 and established many now-universal risk management principles
  • Sector-agnostic framework applicable to public, private, and nonprofit organizations across Australia and New Zealand
  • Proactive identification emphasis—encourages organizations to anticipate risks before they materialize rather than reacting to incidents

Compare: ISO 31000 vs. COSO ERM—both provide enterprise-wide guidance, but ISO 31000 focuses on process principles while COSO ERM emphasizes strategic alignment and performance. If an exam scenario involves linking risk tolerance to business objectives, COSO is your answer.


Information Security and IT Frameworks

These frameworks address the unique challenges of managing technology-related risks, from federal compliance requirements to IT governance alignment.

NIST Risk Management Framework (RMF)

  • Federal compliance standard required for U.S. government agencies and contractors handling federal information systems
  • System development lifecycle integration—embeds security controls from initial design through deployment, operation, and disposal
  • Continuous monitoring requirement ensures security posture is assessed and updated throughout the system's operational life, not just at implementation

COBIT (Control Objectives for Information and Related Technologies)

  • IT governance framework that aligns technology goals with broader business objectives and stakeholder expectations
  • Process-based structure organizes IT activities into domains covering planning, building, running, and monitoring technology resources
  • Maturity assessment capability allows organizations to benchmark their IT governance practices and identify improvement opportunities

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)

  • Self-assessment methodology designed for organizations to evaluate their own security risks without external consultants
  • Asset-centric approach—begins by identifying critical information assets, then evaluates threats and vulnerabilities specific to those assets
  • Workshop-driven process engages cross-functional teams to develop risk mitigation strategies aligned with organizational priorities

Compare: NIST RMF vs. COBIT—NIST RMF is compliance-focused for federal systems with specific control requirements, while COBIT is governance-focused for aligning IT with business strategy. A federal agency managing classified data needs NIST; a corporation optimizing IT investments needs COBIT.


Quantitative and Analytical Frameworks

When organizations need to express risk in financial terms or make data-driven decisions, these frameworks provide structured approaches to measurement and analysis.

FAIR (Factor Analysis of Information Risk)

  • Quantitative risk model that expresses information risk in financial terms—dollars of probable loss rather than subjective ratings
  • Decomposition methodology breaks risk into measurable factors: threat event frequency, vulnerability, and loss magnitude
  • Decision support tool enables clearer communication with executives and boards by translating technical risks into business impact language

Compare: FAIR vs. OCTAVE—both assess information risk, but FAIR provides quantitative financial estimates while OCTAVE produces qualitative prioritized recommendations. When leadership asks "how much could this cost us?" FAIR delivers the answer.
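As an added worked example (not code from the original page, from FAIR, or from The Open Group), the Python script below carries the FAIR decomposition through to a dollar figure: threat event frequency times vulnerability gives loss event frequency, and loss event frequency times loss magnitude (primary plus secondary loss) gives annualized loss. It also runs a small Monte Carlo simulation so the result can be reported as a range rather than a single number, which is how FAIR practitioners usually present it. The scenario name, the three-point ranges, and the use of a triangular distribution for sampling are assumptions constructed for illustration.

```python
"""FAIR-style quantification of one information-risk scenario.

Added illustration of the factor decomposition; not code from FAIR,
Fiveable or The Open Group. Ranges, names and the triangular sampling
are assumptions made for this example.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        # Mean of a triangular distribution over (low, likely, high).
        return (self.low + self.likely + self.high) / 3

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    """One loss scenario expressed in the FAIR factors."""
    name: str
    threat_event_frequency: Estimate  # threat events per year (TEF)
    vulnerability: Estimate           # probability a threat event becomes a loss event
    primary_loss: Estimate            # dollars per loss event (response, replacement)
    secondary_loss: Estimate          # dollars per loss event (fines, reputation)


def loss_event_frequency(s: Scenario) -> float:
    """LEF = TEF x Vulnerability, using the mean of each estimate."""
    return s.threat_event_frequency.mean() * s.vulnerability.mean()


def annualized_loss(s: Scenario) -> float:
    """Point estimate of annual loss: LEF x (primary + secondary loss magnitude)."""
    magnitude = s.primary_loss.mean() + s.secondary_loss.mean()
    return loss_event_frequency(s) * magnitude


def simulate_annual_loss(s: Scenario, years: int = 5000, seed: int = 7) -> dict:
    """Monte Carlo over simulated years; returns mean and 10th/50th/90th percentiles."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        tef = s.threat_event_frequency.sample(rng)
        vuln = s.vulnerability.sample(rng)
        # Convert a fractional yearly frequency into a whole number of
        # threat events while preserving its expected value.
        whole, frac = divmod(tef, 1)
        threat_events = int(whole) + (1 if rng.random() < frac else 0)
        total = 0.0
        for _ in range(threat_events):
            if rng.random() < vuln:  # the threat event becomes a loss event
                total += s.primary_loss.sample(rng) + s.secondary_loss.sample(rng)
        losses.append(total)
    p10, _, _, _, p50, _, _, _, p90 = statistics.quantiles(losses, n=10)
    return {"mean": statistics.fmean(losses), "p10": p10, "p50": p50, "p90": p90}


# Constructed sample scenario; the values are illustrative, not from any real assessment.
PHISHING_CREDENTIAL_THEFT = Scenario(
    name="Phishing leads to credential theft",
    threat_event_frequency=Estimate(2, 4, 6),
    vulnerability=Estimate(0.1, 0.2, 0.3),
    primary_loss=Estimate(10_000, 20_000, 30_000),
    secondary_loss=Estimate(0, 5_000, 10_000),
)


def board_summary(s: Scenario) -> str:
    """Express the result in the business-impact language a board expects."""
    sim = simulate_annual_loss(s)
    return (f"{s.name}: about {loss_event_frequency(s):.1f} loss events per year, "
            f"expected annual loss ${annualized_loss(s):,.0f} "
            f"(90% of simulated years below ${sim['p90']:,.0f})")


if __name__ == "__main__":
    print(board_summary(PHISHING_CREDENTIAL_THEFT))
```

For the constructed scenario the point estimate works out to 0.8 loss events per year and an expected annual loss of $20,000; the simulated 90th percentile is considerably higher because most years see no loss event while a few see two or more, which is exactly the skew a single "expected loss" figure hides from executives.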


Domain-Specific Frameworks

These frameworks tailor risk management principles to specific professional contexts, ensuring relevance to particular disciplines and their unique challenges.

PMBOK Risk Management

  • Project lifecycle integration addresses risks from initiation through planning, execution, monitoring, and closure phases
  • Six-process structure: plan risk management, identify risks, perform qualitative analysis, perform quantitative analysis, plan risk responses, and monitor risks
  • Schedule and budget focus—particularly concerned with risks affecting project timelines, costs, scope, and quality deliverables

IRM Risk Management Standard

  • Professional practice guidance developed by risk management practitioners for practitioners across all industries
  • Framework integration emphasis—designed to complement rather than replace other standards like ISO 31000
  • Communication and reporting focus provides detailed guidance on how to present risk information to different stakeholder audiences

Compare: PMBOK vs. IRM Standard—PMBOK applies specifically to temporary endeavors with defined endpoints (projects), while IRM provides ongoing organizational guidance. A construction project uses PMBOK; the construction company's overall risk program uses IRM.


Maturity and Improvement Frameworks

These frameworks help organizations evaluate their current risk management capabilities and chart a path toward greater sophistication.

RIMS Risk Maturity Model

  • Capability assessment tool that evaluates risk management practices across seven key attributes including ERM-based approach, process management, and root cause discipline
  • Maturity levels range from ad hoc (reactive, inconsistent) to leadership (risk-intelligent decision-making embedded throughout the organization)
  • Benchmarking capability allows organizations to compare their maturity against industry peers and identify specific improvement priorities

Compare: RIMS Risk Maturity Model vs. COSO ERM—COSO tells you what good enterprise risk management looks like, while RIMS helps you assess how well you're currently doing it. Use COSO to design your program; use RIMS to evaluate its effectiveness.


Quick Reference Table

Concept                           Best Examples
Enterprise-wide applicability     ISO 31000, COSO ERM, AS/NZS 4360
Federal/government compliance     NIST RMF
IT governance alignment           COBIT
Quantitative financial analysis   FAIR
Self-assessment methodology       OCTAVE
Project-specific risk management  PMBOK
Professional practice standards   IRM Standard
Maturity evaluation               RIMS Risk Maturity Model

Self-Check Questions

  1. An organization wants to express cybersecurity risks in dollar terms for a board presentation. Which framework provides the most appropriate methodology, and what factors would it analyze?

  2. Compare and contrast NIST RMF and COBIT: What type of organization would prioritize each, and what fundamental difference in focus distinguishes them?

  3. A mid-sized company has never formally assessed its risk management capabilities and wants to benchmark against industry standards. Which framework would help them evaluate their current maturity level?

  4. Which two frameworks served as foundational influences on modern risk management standards, and how do their scopes differ?

  5. A project manager needs to integrate risk management into a two-year software development initiative. Which framework provides the most relevant guidance, and what six processes would they implement?