Why It Matters
Every compliance regulation — GDPR, NIS2, SOX, DORA — requires some form of risk management. But "manage risks" is vague without a framework. A risk management framework gives you a repeatable, defensible process that regulators, auditors, and boards can evaluate. Choosing the right framework (or combination) depends on your industry, regulatory environment, and organizational maturity.
Major Frameworks Compared
NIST Risk Management Framework (RMF)
- Origin: US National Institute of Standards and Technology
- Scope: Information security and privacy
- Best for: US federal agencies, defense contractors, organizations needing NIST compliance
- Process: 7 steps — Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
- Strength: Very detailed, control-based, integrates with NIST CSF and SP 800-53
ISO 31000
- Origin: International Organization for Standardization
- Scope: All types of risk (strategic, operational, financial, compliance)
- Best for: Organizations wanting a universal, globally recognized risk approach (ISO 31000 is a guidance standard, not a certifiable one)
- Process: Principles → Framework → Process (identify, analyze, evaluate, treat, monitor)
- Strength: Flexible, applies to any industry, globally recognized
COSO Enterprise Risk Management (ERM)
- Origin: Committee of Sponsoring Organizations of the Treadway Commission
- Scope: Enterprise-wide risk management integrated with strategy
- Best for: Public companies, SOX compliance, board-level governance
- Process: 5 components — Governance & Culture, Strategy & Objective-Setting, Performance, Review & Revision, Information, Communication & Reporting
- Strength: Connects risk to business strategy and value creation
Three Lines Model (IIA)
- Origin: Institute of Internal Auditors
- Scope: Governance and accountability structure for risk management
- Best for: Defining roles — who owns risk, who oversees it, who provides assurance
- Lines: First line (management/operations), Second line (compliance/risk functions), Third line (internal audit)
- Strength: Clarifies accountability; complements other frameworks
How to Choose
| Factor | NIST RMF | ISO 31000 | COSO ERM | Three Lines |
|---|---|---|---|---|
| Regulatory driver | US federal/defense | Global/flexible | SOX, SEC | Internal audit standards |
| Risk scope | IT/cyber | All risk types | Enterprise-wide | Accountability structure |
| Certification | No | Guidance standard | No | No |
| Complexity | High | Medium | Medium | Low |
| Best combined with | NIST CSF | ISO 27001, ISO 22301 | SOX controls, COSO Internal Control (IC) | Any framework |
Many organizations use multiple frameworks together — for example, COSO for enterprise risk, NIST for cybersecurity, and Three Lines for governance.
The Risk Management Process
Regardless of framework, the core process is:
- Identify — what can go wrong? (risk register)
- Assess — how likely and how impactful? (risk matrix)
- Treat — accept, mitigate, transfer, or avoid each risk
- Monitor — track risks, controls, and changing conditions
- Report — communicate risk status to stakeholders and the board
Key Standards
- NIST SP 800-37 — Risk Management Framework
- ISO 31000:2018 — Risk Management Guidelines
- COSO ERM Framework (2017) — Enterprise Risk Management
- IIA Three Lines Model (2020) — Governance framework