Organizational Risk Categories and Standards

Risk and Change
Taking risks is the essence of doing business. Without it, very few organizations would have started, let alone thrived. However, risks need to be understood well and managed carefully. Let novaturient help your organization identify its particular risk map and suggest solutions based on proven industry standards.


Organizational Risk Categories
While there is no generally accepted taxonomy of risks to an organization or enterprise, some categories are mentioned repeatedly and consistently in the context of enterprise risk management (ERM). The left side of the map below reflects the traditional emphasis on financial risks, while risks to cyber-physical systems (CPS) are mapped on the right side:

(Figure: organizational risk map; financial risks on the left, cyber-physical system risks on the right)

Frameworks and Standards
The four key frameworks and standards used in the private sector today are SOX, COSO, COBIT, and ISO 27001/27002. In addition, there is a significant push towards a new, broad-based NIST framework for cybersecurity.

SOX (the Sarbanes-Oxley Act) requires publicly traded firms to certify their financial reports and assess their internal controls over financial reporting (sections 302 and 404), which in practice means adopting a recognized internal control framework. COSO defines such a framework. Various training vendors have built curricula to give companies the knowledge and tools to implement it; it covers all business practices that affect financial controls and reporting, business and technical alike, and it addresses governance. COBIT, ISACA's framework for IT governance and control across the enterprise, is commonly used alongside COSO to cover the IT controls, including information security, that the financial controls depend on. ISO 27001 is the international standard specifying requirements for an information security management system (ISMS), and is the standard an organization is certified against; ISO 27002 (formerly ISO 17799) is the accompanying code of practice for information security controls. Currently, a new cybersecurity framework, the NIST Cybersecurity Framework (NIST-CSF), is being developed by the National Institute of Standards and Technology. It is intended for a broader audience than the NIST SP 800 series of computer security publications, which it supplements rather than replaces.

In short, businesses should be aware of these standards and apply or implement them as required or needed:

  • SOX to understand the regulatory compliance requirements that apply to them;
  • COSO to define the internal control framework for financial reporting;
  • COBIT to set IT control objectives and govern IT across the enterprise;
  • ISO 27001 to specify, implement and certify an information security management system, with ISO 27002 as the code of practice for selecting and implementing its controls; and
  • NIST-CSF to guide private-sector organizations of all sizes and maturity levels on cybersecurity.