Compliance risk management (CRM), used to help ensure organizational compliance with applicable laws, regulations, and standards, has no specific risk assessment methodology or framework of its own. A number of existing risk management frameworks and methodologies can be helpful for CRM decision-making, however, if tailored to address compliance risk.
Effective compliance risk management entails an organization-wide approach that takes into account the following considerations:
- Training and communication of relevant employees
- Risk appetite analysis: What’s your enterprise’s acceptable level of risk?
- Policies and procedures for managing compliance risk
- Risk assessment/risk analysis: What are the risks and their priorities/urgency?
- Qualitative risk assessment—relies on adjectives and subjective criteria
- Quantitative risk assessment—relies on data and mathematical probabilities
- Controls testing and monitoring
- Reporting test results and risk posture status
- Choosing and using risk management tools
- Governance and oversight
Your risk management, compliance, and internal audit functions should all be involved in the CRM process.
Common CRM standards, frameworks, and methodologies
ISO 27005:2018 Information technology — Security techniques — Information security risk management provides a framework and an approach, not a methodology, for information security risk management. It offers guidelines for what your risk assessment should include, but not specific steps. Nevertheless, most risk management methodologies derive from this international standard.
OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) Allegro Risk Method
Created by the Software Engineering Institute of Carnegie Mellon University, OCTAVE is a qualitative methodology that can be conducted in small groups without disrupting business. Its steps:
- Develop risk measurement criteria consistent with the organization’s mission, goal objectives, and critical success factors.
- Create a profile of each critical information asset that establishes clear boundaries for the asset, identifies its security requirements, and identifies all of its containers.
- Identify threats to each information asset in the context of its containers.
- Identify and analyze risks to information assets and begin to develop mitigation approaches
Microsoft Security Assessment Tool
Although not a methodology, the Microsoft Security Assessment and Planning Toolkit offers “Solution Accelerators” that help IT professionals using Microsoft products to target enterprise needs in the areas of security and compliance, management and infrastructure, and communications and collaboration.
NIST SP 800-30 Revision 1- Guide for Conducting Risk Assessments
This National Institute of Standards and Technology special publication discusses risk assessment, analysis, and mitigation, and defines steps in the risk assessment process.
Information Risk Assessment Methodology 2 (IRAM 2) and Risk Analysis Workbench Tool
This Information Security Forum provides a step-by-step guide for security risk assessment models. IRAM2 focuses on internal vulnerabilities and their potential impacts on those outside the organization.