A comparison of key risk management frameworks: COSO-ERM, NIST RMF, ISO 31.000, COBIT

Öz

Risk management frameworks play an essential role in identifying, assessing, and mitigating risks to ensure the effective governance and operation of organizations. It is also one of the key elements of assurance and consultancy services of internal auditing in risk-based audit plans and programs. This study aims to provide an in-depth comparison of four widely used risk management frameworks: the Committee of Sponsoring Organizations of the Treadway Commission Enterprise Risk Management (COSO-ERM), the National Institute of Standards and Technology Risk Management Framework (NIST RMF), the International Organization for Standardization 31000 (ISO 31.000), and Control Objectives for Information and Related Technologies (COBIT). The analysis is conducted based on their underlying principles, structure, risk assessment methodologies, and applicability in various industries. We evaluate the strengths and weaknesses of each framework, including their adaptability and relevance in addressing emerging risks, such as cybersecurity and data privacy. It is found that implementing ISO 31000 and COBIT frameworks requires addressing challenges and limitations, including commitment from top management, knowledge and training, customization, and monitoring. To succeed, organizations should demonstrate commitment, provide training, customize the frameworks, and establish robust monitoring systems. The findings from this study serve as a guide for organizations seeking to adopt or transition between risk management frameworks, ultimately enabling them to select the most suitable approach tailored to their specific needs and risk landscape.

Anahtar Kelimeler

• Risk management frameworks
• COSO-ERM
• NIST RMF
• ISO 31.000
• COBIT

Temel Risk Yönetimi Çerçevelerinin Karşılaştırması: COSO-ERM, NIST RMF, ISO 31.000, COBIT

Öz

Risk yönetimi çerçeveleri, kuruluşların etkin yönetişimini ve işleyişini sağlamak için risklerin tanımlanmasında, değerlendirilmesinde ve azaltılmasında önemli bir rol oynar. Aynı zamanda risk esaslı denetim plan ve programlarında iç denetimin güvence ve danışmanlık hizmetlerinin de temel unsurlarından biridir. Bu çalışma, yaygın olarak kullanılan dört risk yönetimi çerçevesinin derinlemesine bir karşılaştırmasını sağlamayı amaçlamaktadır: Treadway Komisyonu Kurumsal Risk Yönetiminin Sponsor Kuruluşları Komitesi (COSO-ERM), Ulusal Standartlar ve Teknoloji Enstitüsü Risk Yönetimi Çerçevesi (NIST RMF), Uluslararası Standardizasyon Örgütü 31000 (ISO 31.000) ve Bilgi ve İlgili Teknolojiler için Kontrol Hedefleri (COBIT). Analiz, temel ilkelerine, yapısına, risk değerlendirme metodolojilerine ve çeşitli endüstrilerdeki uygulanabilirliğine göre yapılmaktadır. Siber güvenlik ve veri gizliliği gibi ortaya çıkan riskleri ele almadaki uygunlukları ve uygunlukları dahil olmak üzere her bir çerçevenin güçlü ve zayıf yönleri değerlendirilmektedir. ISO 31000 ve COBIT çerçevelerinin uygulanmasının, üst yönetimin taahhüdü, bilgi ve eğitim, özelleştirme ve izleme dahil olmak üzere zorlukların ve sınırlamaların ele alınmasını gerektirdiği bulunmuştur. Başarılı olmak için kuruluşlar bağlılık göstermeli, eğitim sağlamalı, çerçeveleri özelleştirmeli ve sağlam izleme sistemleri kurmalıdır. Bu çalışmadan elde edilen bulgular, risk yönetimi çerçevelerini benimsemek veya bunlar arasında geçiş yapmak isteyen kuruluşlar için kapsamlı bir rehber işlevi görerek nihai olarak kendi özel ihtiyaçlarına ve risk ortamına göre en uygun yaklaşımı seçmelerine olanak tanımaktadır.

Anahtar Kelimeler

• Risk yönetimi çerçeveleri
• COSO-ERM
• NIST RMF
• ISO 31.000
• COBIT

Kaynakça

1. Arena, M., Arnaboldi, M., and Azzone, G. (2010). The organizational dynamics of enterprise risk management. Accounting, Organizations and Society, 35(7), 659–675. doi: 10.1016/j.aos.2010.07.003
2. Aven, T. (2016). Risk assessment and risk management: review of recent advances on their foundation. European Journal of Operational Research, 253(1), 1–13. doi: 10.1016/j.ejor.2015.12.023
3. Barker, W. C. (2016). Guide for applying the risk management framework to federal information systems: A security life cycle approach. National Institute of Standards and Technology.
4. Bayuk, J. L. (2010). Cyber Security Policy Guidebook. Hoboken, NJ: Wiley.
5. Beasley, M. S. (2016). Enterprise risk management: today's leading research and best practices for tomorrow's executives (Vol. 504). John Wiley and Sons.
6. Bjerga, T., Dingsør, A., and Kjelland, H. (2013). Risk management in the Norwegian oil and gas industry: Implementation of ISO 31.000. Safety Science, 55, 82-91.
7. Bromiley, P., McShane, M., Nair, A., and Rustambekov, E. (2015). Enterprise Risk Management: Review, Critique, and Research Directions. Long Range Planning, 48(4), 265–276. doi: 10.1016/j.lrp.2014.07.005
8. Chew, E., Swanson, M., Stine, K., Bartol, N., Brown, A., and Robinson, W. (2008). Performance measurement guide for information security. NIST Special Publication, 800(55), 1-64.

9. Committee of Sponsoring Organizations of the Treadway Commission. (2017). Enterprise risk management - Integrating with strategy and performance. Retrieved from https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf
10. COSO (2013). Internal control - integrated framework. Committee of Sponsoring Organizations of the Treadway Commission. Retrieved from https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf
11. COSO (2017). Enterprise Risk Management: Integrating with Strategy and Performance. Committee of Sponsoring Organizations of the Treadway Commission. Retrieved from https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf
12. COSO (n.d.). About COSO. Retrieved from https://www.coso.org/Pages/aboutus.aspx
13. De Haes, S., and Van Grembergen, W. (2008). An exploratory study into the design of an IT governance minimum baseline through delphi research. Communications of the Association for Information Systems, 22(1), 443–458.
14. Deloitte (2018). COSO ERM framework: Helping organizations to align their risk management approach with strategic objectives. Retrieved from https://www2.deloitte.com/content/dam/Deloitte/ie/Documents/ Risk/IE_RA_COSOERMFramework_150518.pdf
15. Department of Defense (2014). Risk management framework (RMF) for DoD information technology (IT). DoD Instruction 8510.01. Retrieved from https://www.esd.whs.mil/Portals/54/Documents/ DD/issuances/dodi/851001p.pdf
16. EFE, A. (2016). Devlet Denetleme kurulu raporunda belirtilen kalkınma ajansları sorunları üzerinden COSO ve COBIT standartlarına göre kök neden analizleriyle çözümleme. Journal of Knowledge Economy & Knowledge Management, 11(1).
17. EFE, A. (2018). An Analysıs of COBIT-5 process capability level for regional development agencies at public sector. Erzincan Üniversitesi Sosyal Bilimler Enstitüsü Dergisi, 11(1), 321-335. Retrieved from https://dergipark.org.tr/en/pub/erzisosbil/issue/37685/435976
18. EFE, A. (2021). COSO bilgi ve iletişim bileşeninin kalkınma ajansları üzerinden analizi. Denetişim, (22), 69-88.
19. Elmoghazy, A. H., Aldebasi, B., Alkhaldi, W. M., and Alotaibi, A. F. (2019). The impact of ISO 31.000 on patient safety: A case study of a Saudi Arabian hospital. Journal of Healthcare Risk Management, 38(1), 15-24.
20. Guldentops, E. (2004). Governing and managing IT risks. Information Systems Control Journal, 3, 21-27.
21. Guldentops, E. (2004). Governing IT: the need for measures. Information Systems Control Journal, 2, 1–4.
22. HHS (2017). Risk management framework for EHR systems: A case study. U.S. Department of Health and Human Services. Retrieved from https://www.hhs.gov/sites/default/files/2017HealthITACRMFCaseStudy.pdf
23. Institute of Internal Auditors. (2021). International Professional Practices Framework (IPPF). Retrieved from https://na.theiia.org/standards-guidance/ippf/Pages/Standards-and-Guidance.aspx
24. International Aerospace Quality Group. (2016). The AS9100 family of standards for aerospace quality management. Retrieved from https://www.sae.org/iaqg/organization/as9100family
25. ISACA (2009). Risk IT framework for management of IT-related business risks. Retrieved from https://www.isaca.org/resources/bookstore/pages/product-details.aspx?sku=ISARITFV
26. ISACA (2019). COBIT 2019 Framework: Introduction and Methodology. Rolling Meadows, IL: ISACA. ISO (2018). ISO 31000:2018 Risk management — Guidelines. International Organization for Standardization. https://www.iso.org/standard/65694.html
27. ISO (2018). ISO 31000:2018 Risk management - Guidelines. Retrieved from https://www.iso.org /standard/65694.html
28. Joint Task Force Transformation Initiative (2018). Risk management framework for information systems and organizations: A System Life Cycle Approach. National Institute of Standards and Technology Special Publication 800-37 Revision 2.
29. Kaplan, R. S., and Mikes, A. (2012). Managing risks: a new framework. Harvard Business Review, 90(6), 48–60. Leitch, M. (2010). ISO 31000:2009—The new international standard on risk management. Risk Analysis, 30(6), 887–892.
30. Mikes, A., and Kaplan, R. S. (2015). When one size doesn’t fit all: evolving directions in the research and practice of enterprise risk management. Journal of Applied Corporate Finance, 27(1), 37–40.
31. Murali, R., Balakrishnan, K., and Vignesh, R. (2020). Implementation of ISO 31.000 for risk management in construction projects: A case study in India. Journal of Construction in Developing Countries, 25(1), 45-66.
32. National Institute of Standards and Technology. (2018). NIST special publication 800-37, Revision 2: Risk management framework for information systems and organizations. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
33. NIST (2004). Standards for security categorization of federal information and information systems. Federal Information Processing Standards Publication 199. Retrieved from https://nvlpubs.nist.gov/ nistpubs/FIPS/NIST.FIPS.199.pdf
34. NIST (2009). Standards for security categorization of federal information and information systems (FIPS PUB 199). Retrieved from https://csrc.nist.gov/publications/detail/fips/199/archive/2004-02-01
35. NIST (2013). Security and privacy controls for federal information systems and organizations (Special Publication 800-53, Rev. 4). Retrieved from https://nvlpubs.nist.gov/nistpubs/ SpecialPublications/NIST.SP.800-53r4.pdf
36. NIST (2018). Risk management framework for information systems and organizations: a system life cycle approach for security and privacy. NIST Special Publication 800-37, Revision 2. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
37. NIST (2020). Security and privacy controls for information systems and organizations. NIST Special Publication 800-53, Revision 5. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
38. Nocco, B. W., and Stulz, R. M. (2006). Enterprise risk management: theory and practice. Journal of Applied Corporate Finance, 18(4), 8–20.
39. Protiviti. (2019). Implementing COSO's enterprise risk management framework in healthcare organizations. Retrieved from https://www.protiviti.com/US-en/insights/implementing-cosos-enterprise-risk-management-framework-healthcare-organizations
40. Purdy, G. (2010). ISO 31000:2009—setting a new standard for risk management. Risk Analysis, 30(6), 881–886.
41. PwC (2020). Aligning COSO ERM with supply chain risk management. Retrieved from https://www.pwc.com/us/en/services/consulting/library/aligning-coso-erm-with-supply-chain-risk-management.html
42. Ramachandran, S. (2012). Corporate risk management: process, techniques and insights. International Journal of Physical Distribution & Logistics Management, 43(5/6), 480–484.
43. Ridley, G., Bayne, K., Outlay, C., and Ward, T. (1998). Evaluating the effectiveness of it governance. Journal of Information Technology, 13(4), 303–319.
44. Ross, R., McEvilley, M., and Oren, J. (2018). Risk management framework for information systems and organizations: a system life cycle approach. NIST Special Publication 800-37.
45. Smit, P. J. (2012). ISO 31000:2009 ERM standard in clinical medicine manufacturing. International Journal of Health Care Quality Assurance, 25(2), 126–140.
46. Spira, L. F., & Page, M. (2003). Risk Management: The reinvention of internal control and the changing role of internal audit. Accounting, Auditing & Accountability Journal, 16(4), 640–661.
47. Stamatis, D. H. (2003). Failure mode and effect analysis: FMEA from theory to execution. Quality Press.
48. Stoneburner, G., Goguen, A., and Feringa, A. (2002). Risk management guide for information technology systems. NIST Special Publication, 800-30.
49. Van Grembergen, W., and De Haes, S. (2009). Enterprise governance of information technology: achieving alignment and value, featuring COBIT 5. Springer Science & Business Media.
50. Weill, P., and Ross, J. W. (2004). IT governance: How top performers manage IT decision rights for superior results. Boston, MA: Harvard Business School Press.