Risk Management Framework, in simple terms, provides a balance between taking risks and reducing them while achieving business objectives.
NIST Definition of Risk Management Framework
According to NIST the Risk Management Framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.
Different Types of Risk management frameworks
Enterprise Risk Management Framework
Enterprise risk management framework deals with identifying, analyzing, and treating the exposures an organization faces as seen by the executive levels of management. This means looking at exposures in finance, credit, fraud, strategic and operational matters for the company. Most matters at the enterprise level only peripherally consider technological risk, and that’s when they are looking at how technology increases or decreases those business exposures.
Types of ERM Frameworks
- CAS- Casualty Actuarial Society
- COSO ERM Integrated Framework
- ISO 31000 ERM Framework
- COBIT ERM Framework
- NIST ERM Framework
Operational risk management framework
The operational risk management framework deals with the management of granular business risks between the security governance layer and the enterprise risk management layer. Risk managers look at more operational and tactical exposures to the business that can be summarized and abstracted to inform enterprise risks. They manage areas such as vendor risk management, audit management, corporate risk and compliance, legal matters that affect risk, and even business continuity risks. This is also the bridge where cyber risks are addressed, using the information to and from the security management layer.
Third party risk management Framework
The third risk management Framework is the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance. TPRM technology supports enterprises that must assess, monitor and manage their risk exposure from third-party suppliers (TPSs) that provide IT products and services, or that have access to enterprise information.
Integrated risk management Framework (IRM)
Integrated risk management framework is a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.
Compliance risk management framework
A compliance management framework is a critical part of the structure of every company. It can be defined as a set of procedures for organizations to follow to conduct their businesses within the laws, regulations, and specifications. It consists of tools, processes, functions, and controls that are written down by the top management and directors of each organization. The benefits of these compliance procedures include:
- Prevents breaking the law which may affect the company’s reputation and avoid heavy penalties.
- Providing guidelines for operations and implementation of the organization
- Assigning responsibilities to different people in a company and holding them accountable
- Help in gathering information for reports.
Key components of risk management frameworks
All risk management frameworks consist of 5 things, some may have more but these 5 are always represented. They include risk identification; risk measurement and assessment; risk mitigation; risk reporting and monitoring; and risk governance.
The first step in identifying the risks a company faces is identifying all the possible risks. Examples include IT risk, operational risk, regulatory risk, legal risk, political risk, strategic risk, and vendor risk.
After listing all risks, the company can then select the risks to which it is exposed and categorize them into core and non-core risks. Core risks are those that the company must take in order to drive performance and long-term growth. Non-core risks are often not essential and can be minimized or eliminated completely.
Risk measurement provides information on the quantum of either a specific risk exposure or an aggregate risk exposure and the probability of a loss occurring due to those exposures. When measuring specific risk exposure, it is important to consider the effect of that risk on the overall risk profile of the organization.
Some risks may provide diversification benefits while others may not. Another important consideration is the ability to measure exposure. Some risks may be easier to measure than others. For example, market risk can be measured using observed market prices, but measuring operational risk is considered both an art and a science.
Specific risk measures often give the profit and loss (“P/L”) impact that can be expected if there is a small change in that risk. They may also provide information on how volatile the P/L can be. For example, the equity risk of a stock investment can be measured as the P/L impact of the stock as a result of a 1 unit change in, say, the S&P500 index or as the standard deviation of the particular stock.
Common aggregate risk measures include value-at-risk (VaR), earnings-at-risk (EaR), and economic capital. Techniques such as scenario analysis and stress testing can be used to supplement these measures.
Having categorized and measured its risks, a company can then decide on which risks to eliminate or minimize, and how much of its core risks to retain. Risk mitigation can be achieved through an outright sale of assets or liabilities, buying insurance, hedging with derivatives, or diversification.
Risk Reporting and Monitoring
It is important to report regularly on specific and aggregate risk measures in order to ensure that risk levels remain at an optimal level. Financial institutions that trade daily will produce daily risk reports. Other institutions may require less frequent reporting. Risk reports must be sent to risk personnel who have the authority to adjust (or instruct others to adjust) risk exposures.
Risk governance is the process that ensures all company employees perform their duties in accordance with the risk management framework. Risk governance involves defining the roles of all employees, segregating duties, and assigning authority to individuals, committees, and the board for approval of core risks, risk limits, exceptions to limits, and risk reports, and for general oversight.