Beginning the journey to risk management can be daunting, but protecting your business is worth every step.

Most of us have seen the movie or read the book The Wizard of Oz. Dorothy Gale and her pals faced — and overcame — huge obstacles as they followed the yellow brick road toward the Emerald City. In today’s fast-paced world, organizations face a variety of obstacles as they try to grow their businesses. And they share a major hurdle with Dorothy on their way to reaching this goal: risk management.

Risk is inevitable, and organizations must have a way to manage it — because risk that goes unmanaged can turn into vulnerabilities that can be exploited by bad actors. And this can result in loss — of reputation, finances, and confidence from clients and partners. This is where risk management, often with a particular framework you follow to achieve it — like the yellow brick road — comes into play.

Risk Management Defined
Risk management is defined as the process of identifying, assessing, and controlling threats to an organization. You can manage your organization’s risk, either eliminating or reducing its severity, by putting controls in place. These controls are normally guided by a framework, such as the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) or the International Organization of Standardization’s (ISO) 31000 Risk Management series.

A big part of risk management is protecting your company’s and your customers’ privacy and sensitive data. And these requirements are not new. For example, the first version of NIST Special Publication 800-53, which covers the steps in the RMF that address security and privacy control selection for federal information systems, was released in 2005; 15 years later, it’s in its fifth revision. Other compliance requirements, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) released in 2018, and Cybersecurity Maturity Model Certification (CMMC) released in 2020, are increasing the focus on managing these types of privacy and data risks and the need for frameworks to help with that. Now, as a result of the global COVID-19 pandemic, organizations have to adopt some kind of risk management strategy and framework to help them cope with new operational processes, such as staff working remotely on unprotected home networks.

What Standards and Frameworks Are Right for Your Business?
Organizations can choose from a variety of risk management standards and frameworks. Which you choose depends on several variables unique to your organization: budget, current processes in place, and needs. Not implementing the proper one could lead to losing a contract or having to pay a regulatory fine. For example, businesses seeking Department of Defense contracts that process sensitive data will be required to implement Cybersecurity Maturity Model Certification. US companies wishing to partner with Japanese organizations must have ISO 27001 accreditation, an information security management standard that is different from ISO 31000.    

If your organization doesn’t have a regulatory body forcing the issue, you should still consider putting a framework in place to better manage risks and help protect your business from hackers and other cybersecurity threats. These situations can and do have real-world adverse business outcomes, including taking down your e-commerce business or confiscating all of your data through a ransomware attack.

The first step to take when embarking down the road to risk management is to pick a framework that complements rather than disrupts your existing practices and meets your business needs. Here are a few of the most common frameworks and the types of organizations that typically use them.


Use case

Risk Management Framework

Federal agencies

Cybersecurity Framework

Nongovernmental organizations 

Federal Risk and Authorization Management Program (FedRAMP)

Cloud services providers

ISO 27001

Private industry

NIST Privacy Framework


Next Steps
A variety of tools are out there to help you implement the best framework and risk management strategy for your business needs. Most organizations use a third-party tool or resource, such as governance, risk, and compliance (GRC) software that can be aligned with the framework you choose or professional services that can help you navigate the different requirements. Some GRC tools are managed services that combine a software as a solution with expert staff that handle the process. These approaches can offer you visibility and control over your risk decisions and build out the risk management and system security programs aligned to your business strategy.

Beginning the journey down the yellow brick road of risk management can be daunting. But protecting your business is worth every step of the way. 

Andrew Lowe serves as Senior Information Security Consultant for TalaTek, an integrated risk management firm in Northern Virginia. He has more than 10 years of information security experience, including risk management and compliance program development and implementation, … View Full Bio


Recommended Reading:

More Insights