Risk Frameworks in Modern Day Management
Full control over potential risks to your organization is critical, and abiding by industry standards or frameworks can help you mitigate and prepare for these risks. We recently sat down with Andrew Gunter and Jannie Wentzel at Cential, a GRC agency and consulting firm that specializes in advising customers on risk decisions and risk management programs, in talking about the importance of foundations and frameworks, and how to implement them in your organization.
Whether you’re new to risk management or a seasoned vet, getting back to the basics of managing risk is always helpful. We want to ensure you’re confident in your strategies and know how to monitor and mitigate potential risks. And the best place to start is by building a foundation to support the frameworks you choose to implement into your risk mitigation strategy.
This article dives into:
- The background of a risk foundation and how it supports your frameworks
- Different types of frameworks and how to choose the right one(s) for your organization
- How to implement frameworks into your risk management program
Back to the basics
Regarding managing risk, two key parts make up a successful risk management program: foundations and frameworks.
A foundation is the backbone of your risk management strategy.
It houses the core components behind your platform, including your controls, which risks they map to, and how your risk scores and assessments are calculated.
A framework is a starting point or accelerator in your risk management process.
Frameworks are generic outlines that help organizations fully understand their risks. There are multiple frameworks, each focusing on different topics, but there are also different formats of frameworks – content, structural, or a combination of both.
A content framework, as Jannie explains, “provides examples of starting points for content risk controls and compliance obligations,” bringing consistency across your processes. A structural framework explains the ‘how’ behind the content strategy, describing how to create controls and map them to certain risks.
So, do I need a foundation or a framework…or both?
“It’s not necessarily that framework and foundation are against each other; they work together in how they operate,” says Andrew. “Often we get asked, ‘which one should we implement: a framework or foundation?’ and the answer is you should look at doing both. Understand what your framework is and, what it provides, plus understand the gaps. Then build a foundation around it to support it.”
Andrew and Jannie expressed how implementing both a foundation and framework are important to the success of your risk management program. But you only need one foundation, as it serves as the core structure on which frameworks are based, and you can implement as many frameworks as deemed necessary for your industry and line of work. It’s important to understand the frameworks you’re implementing and what they provide and notice any gaps. The right foundation will support the frameworks you have put in place because it offers checks and balances to those frameworks.
Types of frameworks
As we mentioned, countless frameworks are out there, each playing different roles in your risk management strategy. Some frameworks are specific to business processes – COSO, which measures the effectiveness of an organization’s internal controls – while others are used to manage technology – COBIT – or provide standards for security and privacy – HITRUST. And there are also certain frameworks used by different industries, such as FAIR, mostly used by financial institutions, and HITRUST, which is widely used in healthcare.
Then some frameworks, such as the Maturity Framework, outline how your organization is progressing in its risk management journey.
But before diving into each framework, it’s important to build your foundation and determine your goal in building a risk management program. ISO is a great place to start when it comes to implementing frameworks, as it guides how your organization can approach risk management. If your organization operates in different countries, ISO is great for organizing the regulations and compliance procedures you must abide by.
Selecting the right framework(s)
So, how do you choose the right framework(s) for your organization? As Jannie says, “there are frameworks that focus on business and information technology. You probably want to use a multitude of frameworks as an accelerator starting point,” because each framework will provide controls for different facets of your risk management processes.
Choosing the right framework depends on the following three factors:
- Industry – certain industries require different frameworks
- Maturity – frameworks are applied to each level of maturity of an organization’s risk management program
- Culture – This includes the type of culture instilled in your organization, how leadership drives employees, and what will be a good fit for your organization.
But before you can begin implementing frameworks for your risk management program, ensuring you have your Three Lines of Defense in place will guarantee a smooth framework execution.
The Three Lines of Defense consist of – you guessed it – three levels:
- assistance and enforcement
Because frameworks are generic, they can be applied to any organization in any industry. But that doesn’t always work for your organization. A framework might have options to map certain controls to risks that don’t apply to your organization or industry, so it helps to tailor that framework to your specific needs. The Three Lines of Defense provide that tailoring ability and ensure compliance by making the frameworks organization-specific and allowing employees to translate the framework’s controls and mapping to the risks that affect their organization.
How to implement a framework
After learning about the different styles and examples of frameworks and how to choose the best ones for your organization, follow these steps to ensure a successful framework implementation:
- Determine which framework or frameworks you want to implement for your organization
- Understand what each framework offers and what’s not included
- Develop a governance strategy or structure before implementing so you have the proper controls in place
- Build a roadmap and set milestones for each framework you’re implementing
But risk mitigation doesn’t stop at implementing a framework or two. Risk constantly needs to be monitored and assessed, and software platforms help you do just that – like Onspring.
HIPAA Compliance in HITRUST & NIST Frameworks
See how OCR & HIPAA compliance can be managed—all under the HITRUST and NIST frameworks.
Onspring is a no-code GRC software platform that connects data and teams to improve business intelligence, governance, alignment, and resilience. With business users around the globe, Onspring’s software helps businesses in every industry track and better manage their workflows through automation.
Onspring easily connects with hundreds of frameworks, so you have full visibility into your risk management program and can monitor and assess risk in real-time through the power of automation. And because foundations are critical to organizations using different frameworks at the same time – keeping things organized around one central system – Andrew notes that “with Onspring, if you’re looking to enable multiple process areas to utilize the solution [and] begin to standardize tests, it becomes all the more important to provide that foundation where you could have a NIST and ISO or other frameworks all operating inside the same system.”
Onspring enables this coordination and confirms that each group or framework can practice in its own area and not conflict with each other – providing you with the proper guidance and structure to support your organization’s compliance goals. Read more about Onspring’s Risk Management Enterprise Solution.
More Reading to Check Out
Emerging Tech in Third-party Risk Management
As part of our vendor risk Q&A series, we discuss how organizations can utilize emerging tech to evolve their risk management maturity.
The Key to Proactive Third-party Risk Management
As part of our vendor risk Q&A series, we discuss cybersecurity risk trends and how organizations can stay on top of third-party vendor risk.
Warner Bros Discovery – GRC Case Study
See how Warner Bros. Discovery built an all-in-one GRC solution that simplifies and modernizes the company’s approach to financial compliance and internal audit.