As an entrepreneur, you probably already know that every business comes with risks.
The business intelligence company Dun & Bradstreet found that almost 180k businesses filed for bankruptcy in the US between 2014 and mid-2021 — and this doesn’t cover every company that closed its doors. Many more simply stopped doing business.
While there are many reasons that might have forced these companies to go out of business, it’s safe to assume that poor risk management contributed to many of them.
While there are many vulnerabilities a business can face, you can help mitigate them with a risk management framework. These guidelines, first developed by the US government, help you plan risk mitigation and implement security controls, whether the risk comes from a new project or a major investment.
There are a few different risk management frameworks (RMFs). In this guide, you’ll learn about what they are, the steps involved in most of them, and the most popular RMFs businesses use today.
What is the risk management framework?
All businesses face security risks during regular operations. On top of natural disasters and unexpected disturbances, there are also risks you can plan for.
Allianz found that for 2023, businesses of all sizes are most concerned with cyberattacks, disruptions in the supply chain, and macroeconomic developments such as inflation.
To combat this risk exposure, the National Institute of Standards and Technology (NIST) developed the first risk management framework as a government guideline to help federal agencies identify, assess, and prepare for risks that occur in the typical business life cycle.
The original framework was created to assess risks in technology the US government was considering, but it quickly gained popularity with businesses.
Private industries adopted it for both cybersecurity frameworks and general business purposes. In addition to the original NIST framework, there are several different frameworks in use today.
While the focus is still generally on computer safety or cybersecurity, there are also frameworks made specifically for small businesses, for analyzing the risks of economic factors, or for mitigating financial risk.
Many frameworks help businesses prepare for future issues by creating risk profiles.
With these, you look at each choice your business is considering and identify the risks associated with that choice. You can then decide whether these risks are justified, plan for additional costs, and prepare a risk response in case a problem does occur further down the line.
While there are many benefits to these RMF processes, they require time and investment before you see a real return.
Depending on the framework, there will be about five to seven steps to your system. We’ll cover the methodology most frameworks use below.
Risk management framework steps
The risk management framework designed by NIST includes the following steps:
- Prepare
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
Other frameworks may combine or reduce the number of steps, depending on what the framework intends to monitor.
Prepare
The first step is to get your organization ready to implement the risk management framework. At this stage, you’ll research which type of framework you need and identify managers who will be active in the process.
You might also draw up a timeline and budget for implementing your new RMF.
Categorize
Most frameworks ask you to categorize the systems in your organization and the information stored in each, depending on the type of risk most associated with them.
As a government organization, NIST categorizes systems by low, medium, and high security impact, but private businesses can use the same approach to classify personal information, public documents, or other kinds of data.
Select
Once your initial preparations are complete, you need to select your security controls. You make an informed decision on the controls that will work best for each information system and begin to document your choice.
Implement
Now that you have made your selection, you can begin to implement your new security measures. Once you start using these controls, you need to monitor them and make adjustments as needed. You don’t need to wait to make changes if things aren’t working.
Assess
While this is one of the more costly steps, having a third party determine if you are using the controls effectively can save you money in the long run by helping you identify and correct weaknesses before they become major problems.
Bring in an expert on the security system you’ve selected and ask for a qualified opinion from them. Take any advice they offer seriously and ask for recommendations on ways to improve your steps.
Authorize
This step is mostly relevant for government agencies. You may need to get authorization to operate some of these systems.
For nongovernmental organizations, this can mean a senior manager giving the OK. You might provide a summary of the implementation so far and get approval to continue using the program long-term or at scale.
Monitor
Lastly, you should continue to monitor security controls for your systems to ensure they are working and update them as needed.
Some risks, especially technological ones, will change over time. Check for internal and external changes to risks and determine if you can reduce them and how.
Risk management framework examples
There are a few RMFs on the market today. If you think your business could benefit from a risk management framework, you’ll want to compare a few. The right fit will depend on the size of your organization and which risks you believe could have the biggest impact on your business.
NIST
The NIST RMF was one of the first risk management frameworks developed and is often considered the gold standard. It focuses on cybersecurity, particularly for the government.
NIST helped set the groundwork for the Federal Information Security Modernization Act (FISMA) of 2014, which requires government agencies to take a risk-based approach to managing their information.
The framework has a clearly laid out seven-step process (discussed above), but it can be excessive for many private sector firms, especially smaller businesses.
COSO Enterprise Risk Management Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has multiple private enterprise frameworks focused on increasing confidence and mitigating risk in business decisions. The organization is made up of several independent groups, including the American Institute of Certified Public Accountants (AICPA).
This framework aims to provide a clear internal system for enterprises to follow to help them navigate the risks their business faces. These risks include cybersecurity, but financial risk and fraud deterrence are the main focus.
The COSO framework has five steps, with each aiming to help you identify your internal controls and their effectiveness:
- Controlling your environment
- Risk assessment
- Control activities
- Communications
- Monitoring
While the emphasis on managing financial risks is helpful to businesses, the framework has been criticized for its vague definitions and gaps in controls.
ISO 31000
ISO 31000, from the International Organization for Standardization (ISO), positions itself as an international framework for any organization, regardless of its size. It focuses on preparing for a mix of economic and cybersecurity risks.
Dustin Ray, chief growth officer at Incfile, an online document-filing service firm, has worked with the framework. “The most difficult part of ISO 31000 is evaluating the right treatment. Identification and analysis might be easy in processing, but brainstorming the right treatment and implementing it effectively is a task in itself.”
ISO 31000 has five major components:
- Policy and governance
- Program design
- Implementation
- Monitoring and review
- Continual improvement
Designing your framework is the main stage and can require considerable investment.
ISO 31000 isn’t going to hold your hand and tell you how to approach risk management, but it will make it easier to perform a risk assessment.
Risk IT
Risk IT was created in 2009 by ISACA, a global IT governance group. It helps businesses determine the risks in IT decisions or whether it’s worth acquiring new technology. It also encourages them to frame IT risks in a way that makes sense for non-IT professionals.
This framework aims to make risk management a normal part of your business. It encourages a common language when discussing risks to keep everyone on the same page.
There are three broad categories:
- Risk governance
- Risk evaluation
- Risk response
Each category has three additional steps. Risk IT aims to fill a middle ground between the general frameworks and the more detailed ones that document risks or decisions.
ISACA offers frameworks that focus on newer technologies, including blockchain risk management. This could be a good choice for startups or entrepreneurs who use the latest technology.
How to get the most out of your risk management framework
“I have seen situations where some stakeholders are not fully committed to the risk management process, which can lead to incomplete risk assessments or inadequate risk treatment plans,” notes John Ward, account executive at Mold Busters, a Canadian mold inspection and removal business.
While risk management might involve decision-making from your stakeholders, you still need to get everyone on board. Take your time, and remember it’s a continuous monitoring process.
It’s also important to remember that there’s no one answer with risk governance. Jeremy Dawes, founder of Jezweb, a website design and marketing firm, says, “It can be difficult because it requires balancing the cost and benefits of different risk treatment options, which can be complex and context-dependent.”
Risk management frameworks help you evaluate the risks involved in a given choice, but ultimately, the decision to collaborate with another business or start using new software is still yours.