
Risk Management Frameworks: Complete Guide for 2026
Compare ISO 31000, NIST RMF, COSO ERM, COBIT 2019, ISO 27005, and FAIR — the major risk management frameworks for NIS2, DORA, and ISO 27001 compliance in 2026.
A risk management framework is a structured set of principles, processes, and practices for identifying, assessing, treating, and monitoring risks systematically. The six most widely used frameworks are ISO 31000, NIST RMF, COSO ERM, COBIT 2019, ISO 27005, and FAIR — each designed for different organizational contexts and regulatory requirements.
Under NIS2 Article 21 and DORA Articles 5–16, European organizations must implement documented risk management processes. A recognized framework provides the evidence base that regulators and auditors expect.
This guide covers each major framework, how they compare, and how to choose the right one for your regulatory context.
Key Takeaways
- NIS2 and DORA mandate risk management frameworks — not just controls. Article 21(2)(a) of NIS2 explicitly requires risk analysis policies.
- COBIT 2019 (40 governance objectives across 5 domains) is increasingly relevant for DORA compliance in financial services.
- Most organizations use layered frameworks: ISO 31000 as umbrella → COBIT/ISO 27005 for domain-specific processes → FAIR for quantitative analysis.
- ISO 27005 is the practical choice for ISO 27001 implementers — it directly satisfies Clause 6.1.
- A framework on paper isn't compliance evidence — you need a living risk register, documented decisions, and board-level oversight.
What Is a Risk Management Framework?
A risk management framework is a set of principles, processes, and practices for managing risk systematically. It defines:
- How to identify risks — what can go wrong, and where
- How to assess risks — likelihood, impact, and priority
- How to treat risks — accept, mitigate, transfer, or avoid
- How to monitor risks — ongoing tracking and review
- How to report on risks — communication to stakeholders and regulators
Without a framework, risk management becomes inconsistent — different teams assess risks differently, documentation gaps emerge, and regulatory evidence is hard to produce.
The Major Risk Management Frameworks
ISO 31000: Risk Management — Principles and Guidelines
Best for: Organizations that need a universal risk management approach applicable across all risk types.
ISO 31000 is the international standard for risk management, applicable to any organization regardless of size, industry, or sector. It provides principles and a generic process — not prescriptive controls.
Key elements:
- Integration into governance and decision-making
- Risk assessment process: identification → analysis → evaluation
- Risk treatment with continuous monitoring and review
- Communication and consultation throughout
Strengths: Flexible, industry-agnostic, widely recognized. Works as an umbrella framework.
Limitations: High-level — doesn't tell you what specific controls to implement. Needs to be supplemented for specific domains.
NIST Risk Management Framework (RMF)
Best for: Organizations managing information systems, especially those aligned with US cybersecurity standards or NIST CSF.
The NIST RMF (SP 800-37) provides a structured, seven-step process for integrating security and risk management into information systems:
- Prepare — Establish context and priorities
- Categorize — Classify information systems by impact level
- Select — Choose security controls from NIST SP 800-53
- Implement — Deploy controls
- Assess — Evaluate control effectiveness
- Authorize — Risk-based decision to operate
- Monitor — Ongoing assessment and response
Strengths: Prescriptive, well-documented, integrates with NIST CSF and SP 800-53 control catalogue. Free and publicly available.
Limitations: US-centric. Can be complex for smaller organizations. Primarily focused on information systems rather than enterprise-wide risk.
COSO ERM (Enterprise Risk Management)
Best for: Organizations focused on corporate governance, financial reporting, and board-level risk oversight.
COSO ERM is the dominant framework for enterprise risk management in corporate governance contexts. Updated in 2017, it organizes risk management across five components:
- Governance and Culture — Board oversight and risk culture
- Strategy and Objective-Setting — Risk appetite and business strategy alignment
- Performance — Risk identification, assessment, and response
- Review and Revision — Monitoring and improvement
- Information, Communication, and Reporting — Stakeholder communication
Strengths: Strong governance and board-level focus. Widely adopted in financial services and publicly traded companies. Aligns with SOX compliance requirements.
Limitations: Broad and governance-focused — needs supplementation for specific domains like cybersecurity. Can be abstract for operational teams.
ISO 27005: Information Security Risk Management
Best for: Organizations implementing or maintaining ISO 27001.
ISO 27005 provides detailed guidance for information security risk management, designed to complement ISO 27001. It covers:
- Context establishment (scope, criteria, organization)
- Risk identification (assets, threats, vulnerabilities, impacts)
- Risk analysis (qualitative, quantitative, or semi-quantitative)
- Risk evaluation (comparing against acceptance criteria)
- Risk treatment (control selection and residual risk acceptance)
- Risk monitoring and review
Strengths: Directly supports ISO 27001 Clause 6.1 requirements. Practical and specific to information security. Well-established methodology.
Limitations: Scoped to information security — doesn't cover enterprise risks. Requires ISO 27001 context to be most useful.
FAIR (Factor Analysis of Information Risk)
Best for: Organizations that need to quantify cyber risk in financial terms for board reporting or investment decisions.
FAIR is a quantitative risk analysis framework that expresses risk as probable financial loss:
- Loss Event Frequency — How often a threat event results in loss
- Loss Magnitude — How much each loss event costs
FAIR decomposes these into measurable factors: threat event frequency, vulnerability, primary/secondary loss, and response costs.
Strengths: Produces financial metrics that boards and executives understand. Enables cost-benefit analysis of security investments. Complements qualitative frameworks.
Limitations: Requires reliable data for accuracy. More complex to implement than qualitative approaches. Works best as a supplement to a structural framework, not as a standalone.
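To make the FAIR decomposition above concrete, here is an added worked example: a small Monte Carlo simulation in Python that is not code from this page, from the FAIR Institute or from the Open FAIR calculator. It uses the two factors named above, with loss event frequency derived from threat event frequency and vulnerability (in FAIR, the probability that a threat event turns into a loss event) and loss magnitude from primary plus secondary loss. The scenario, its figures and the choice of triangular distributions are constructed assumptions, not industry data.

```python
"""FAIR-style Monte Carlo simulation of annualised loss exposure (added example).

Constructed for this article; not FAIR Institute or Open FAIR code. The model
follows the FAIR decomposition:

    Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
    Loss Magnitude (LM)        = Primary loss + Secondary loss (when it occurs)

Annualised Loss Exposure (ALE) is the mean simulated loss per year.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """Three-point (min / most likely / max) estimate driving a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode); a degenerate range returns low.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class FairScenario:
    name: str
    tef_per_year: Range           # threat events against the asset per year
    vulnerability: float          # P(loss event | threat event), 0..1
    primary_loss: Range           # direct cost per loss event (response, replacement)
    secondary_loss: Range         # cost of secondary effects (fines, customer loss)
    secondary_probability: float  # P(secondary loss | loss event), 0..1


def simulate_year(s: FairScenario, rng: random.Random) -> float:
    """Total loss for one simulated year under the scenario."""
    threat_events = int(round(s.tef_per_year.sample(rng)))
    # Vulnerability converts threat events into loss events (LEF = TEF x Vuln).
    loss_events = sum(1 for _ in range(threat_events) if rng.random() < s.vulnerability)
    total = 0.0
    for _ in range(loss_events):
        magnitude = s.primary_loss.sample(rng)
        if rng.random() < s.secondary_probability:
            magnitude += s.secondary_loss.sample(rng)
        total += magnitude
    return total


def percentile(sorted_values, p: float) -> float:
    """Nearest-rank percentile on an already sorted list."""
    return sorted_values[int(p * (len(sorted_values) - 1))]


def simulate(s: FairScenario, years: int = 10_000, seed: int = 1) -> dict:
    """Run the simulation and summarise the annual loss distribution."""
    rng = random.Random(seed)  # fixed seed so a reviewer can reproduce the figures
    losses = sorted(simulate_year(s, rng) for _ in range(years))
    return {
        "ale": sum(losses) / years,  # annualised loss exposure (mean loss per year)
        "p10": percentile(losses, 0.10),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p_zero_loss": sum(1 for x in losses if x == 0.0) / years,
    }


# Constructed sample scenario; the figures are illustrative, not measured data.
RANSOMWARE_ON_FILE_SERVER = FairScenario(
    name="Ransomware reaches the file server",
    tef_per_year=Range(low=1, mode=3, high=8),
    vulnerability=0.15,
    primary_loss=Range(low=20_000, mode=80_000, high=250_000),
    secondary_loss=Range(low=50_000, mode=200_000, high=1_000_000),
    secondary_probability=0.3,
)

if __name__ == "__main__":
    result = simulate(RANSOMWARE_ON_FILE_SERVER)
    print(f"Scenario: {RANSOMWARE_ON_FILE_SERVER.name}")
    for key in ("ale", "p10", "p50", "p90"):
        print(f"  {key:>4}: {result[key]:>12,.0f}")
    print(f"  share of years with no loss: {result['p_zero_loss']:.2f}")
```

The percentiles matter more than the mean: a board deciding on a control investment wants to know the plausible bad year (p90), not only the average, and the share of zero-loss years shows how much of the exposure is driven by rare events rather than steady attrition. Comparing the ALE before and after a proposed control (for example a lower vulnerability estimate after offline backups are in place) is the cost-benefit use of FAIR that the text refers to.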
COBIT 2019: IT Governance and Management
Best for: Organizations that need structured IT governance — particularly financial entities under DORA, or any organization where IT strategy alignment with business objectives is a board-level priority.
COBIT 2019, published by ISACA, is the leading framework for IT governance and management. Unlike the frameworks above (which address risk management broadly), COBIT specifically governs how IT creates and protects value within an organization. It contains 40 governance and management objectives organized across five domains [1]:
- EDM — Evaluate, Direct, and Monitor: Governance body evaluates strategic options, directs implementation, monitors performance. Covers risk optimization (EDM03).
- APO — Align, Plan, and Organize: Structures IT strategy, risk management, and resource allocation. APO12 directly addresses enterprise risk management.
- BAI — Build, Acquire, and Implement: Governs how IT solutions are acquired, built, and integrated into business processes.
- DSS — Deliver, Service, and Support: Addresses operational delivery, incident management, and business continuity.
- MEA — Monitor, Evaluate, and Assess: Covers performance monitoring and regulatory compliance assessment.
COBIT and DORA: DORA (EU Regulation 2022/2554) requires financial entities to implement ICT risk management frameworks with board-level accountability, documented governance structures, and continuous monitoring. COBIT 2019's EDM and APO domains map directly to these requirements. ISACA has published specific guidance on using COBIT to implement NIS2 and DORA requirements [2].
COBIT and NIS2: COBIT's risk management objective APO12 supports NIS2 Article 21(2)(a)'s requirement for risk analysis policies. Organizations using COBIT can map their existing governance objectives to NIS2's ten risk management measures.
Strengths: Comprehensive IT governance scope. Clear mapping to regulatory requirements including DORA and NIS2. Strong board-level governance focus. 40 well-documented objectives with measurable outcomes.
Limitations: Complex to implement fully — not all 40 objectives are relevant for every organization. IT-focused, so needs supplementation with ISO 31000 for non-IT risks. Requires ISACA membership or purchase to access full guidance.
Framework Comparison
| Framework | Scope | Approach | Best For | Regulatory Alignment |
|---|---|---|---|---|
| ISO 31000 | All risk types | Principles-based | Enterprise-wide risk programme | General (supports any regulation) |
| NIST RMF | Information systems | Prescriptive, step-by-step | Cybersecurity risk management | NIST CSF, FedRAMP, CMMC |
| COSO ERM | Enterprise risk | Governance-focused | Board-level risk oversight | SOX, corporate governance |
| COBIT 2019 | IT governance & management | Objectives-based, 40 objectives | DORA compliance, IT governance | DORA, NIS2, SOX (IT controls) |
| ISO 27005 | Information security | Methodology-focused | ISO 27001 implementation | ISO 27001, NIS2, DORA |
| FAIR | Cyber risk (quantitative) | Data-driven, financial | Risk quantification and ROI | Board reporting, investment decisions |
How Risk Management Frameworks Connect to Regulations
NIS2
NIS2 Article 21(2)(a) explicitly requires "policies on risk analysis and information system security." This means affected organizations must have a documented risk management process. ISO 27005 or NIST RMF directly supports this requirement.
Beyond risk analysis, NIS2's ten risk management measures (Article 21) effectively define the control domains your framework must address. COBIT 2019's APO12 (Manage Risk) objective provides a structured process for implementing these measures and building the audit evidence NIS2 supervisory authorities expect.
DORA
DORA Articles 5–16 mandate a comprehensive ICT risk management framework for financial entities. DORA is more prescriptive than NIS2 — it specifies governance requirements (management body responsibility, Article 5), risk identification processes (Article 8), and continuous monitoring obligations (Article 10). Separate testing requirements appear later in DORA, including Articles 24–25.
Financial entities typically use COBIT 2019 for the governance and management layer (EDM, APO domains), combined with ISO 27005 or NIST RMF for the ICT-specific risk assessment process. ISACA's 2025 guidance on DORA is useful background for mapping governance requirements under Articles 5–6, but COBIT should be treated as a strong fit rather than a formally mandated model [2].
ISO 27001
ISO 27001 Clause 6.1 requires organizations to "determine the risks and opportunities" and plan actions to address them. It doesn't prescribe a specific risk assessment methodology — this is where ISO 27005 fills the gap.
SOC 2
SOC 2's Trust Services Criteria require risk assessment as part of the common criteria. Organizations often use COSO ERM concepts for the governance layer and NIST or ISO 27005 for the technical risk assessment.
How to Choose the Right Framework
Step 1: Identify Your Regulatory Drivers
| If you need to comply with... | Consider... |
|---|---|
| NIS2 | ISO 27005 + ISO 31000 |
| DORA | COBIT 2019 + ISO 27005 |
| ISO 27001 | ISO 27005 |
| SOX | COSO ERM |
| NIST CSF | NIST RMF |
| Multiple EU regulations | ISO 31000 (umbrella) + COBIT 2019 + ISO 27005 |
Step 2: Determine Your Risk Scope
- Information security only → ISO 27005 or NIST RMF
- IT governance and management → COBIT 2019 (especially for DORA-regulated entities)
- Enterprise-wide → ISO 31000 or COSO ERM
- Financial quantification → Add FAIR as a supplementary approach
Step 3: Consider Your Maturity
- Starting out: ISO 27005 provides the most structured, practical approach for ISO 27001 and NIS2
- Intermediate: ISO 31000 as an umbrella with domain-specific additions (COBIT for IT governance, ISO 27005 for infosec)
- Advanced: Multi-framework approach with COBIT 2019 at governance layer and FAIR for quantitative analysis
Common Mistakes
- Treating risk assessment as a checkbox exercise. Annual risk assessments that sit in a drawer don't reduce risk. Effective frameworks integrate risk management into daily operations and decision-making.
- Using a single framework for everything. Enterprise risk, information security risk, and financial risk have different dynamics. A layered approach (umbrella framework + domain-specific frameworks) is more effective.
- Confusing frameworks with controls. A framework tells you how to manage risk. Controls (like MFA, encryption, or backup policies) are what you implement to treat specific risks. Don't skip the framework and jump straight to controls.
- Not connecting risk management to compliance evidence. Your risk register, treatment plans, and residual risk decisions are compliance evidence. If they're not documented and accessible, regulators and auditors can't verify your approach.
From Framework to Operational Evidence
The gap between having a risk management framework and demonstrating it to stakeholders — customers, auditors, regulators — is where many organizations struggle. A framework on paper needs to be backed by:
- A living risk register with current assessments
- Documented treatment decisions and their rationale
- Evidence of regular review and board-level oversight
- Proof that risk appetite aligns with actual practice
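The ISO 27005 process described earlier (identification, analysis, evaluation against acceptance criteria, treatment, monitoring and review) and the operational evidence listed just above meet in the risk register. The following Python is an added example constructed for this article, not ISO text and not any product's data model; the 5x5 scoring scales, the acceptance threshold, the review interval and the register entries are all constructed assumptions. It shows what a "living" register has to record for each risk so that the evaluation, the treatment decision and the review cadence can be checked mechanically rather than by reading a spreadsheet.

```python
"""Minimal ISO 27005-style risk register (added example, constructed for this article).

Each entry records the asset/threat/vulnerability triple (identification), a
qualitative likelihood x impact analysis, the treatment decision with its
rationale, the residual risk after treatment, an owner and the last review date.
Scales, threshold and cadence below are constructed policy values, not figures
from any standard.
"""
from dataclasses import dataclass
from datetime import date, timedelta

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TREATMENTS = {"accept", "mitigate", "transfer", "avoid"}

ACCEPTANCE_THRESHOLD = 6            # constructed: residual score above this is outside appetite
REVIEW_INTERVAL = timedelta(days=90)  # constructed review cadence


@dataclass
class RiskEntry:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str            # inherent, before treatment
    impact: str
    treatment: str             # accept / mitigate / transfer / avoid
    rationale: str             # why this treatment was chosen: the audit evidence
    residual_likelihood: str   # expected after treatment
    residual_impact: str
    owner: str
    last_reviewed: date

    def __post_init__(self):
        # Reject entries that would not stand up as evidence.
        for level in (self.likelihood, self.residual_likelihood):
            if level not in LIKELIHOOD:
                raise ValueError(f"{self.risk_id}: unknown likelihood '{level}'")
        for level in (self.impact, self.residual_impact):
            if level not in IMPACT:
                raise ValueError(f"{self.risk_id}: unknown impact '{level}'")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.risk_id}: unknown treatment '{self.treatment}'")
        if not self.rationale.strip():
            raise ValueError(f"{self.risk_id}: treatment decision needs a documented rationale")


def score(likelihood: str, impact: str) -> int:
    """Qualitative risk analysis: likelihood x impact on the 5x5 scales."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def inherent_score(e: RiskEntry) -> int:
    return score(e.likelihood, e.impact)


def residual_score(e: RiskEntry) -> int:
    return score(e.residual_likelihood, e.residual_impact)


def evaluate(e: RiskEntry, threshold: int = ACCEPTANCE_THRESHOLD) -> str:
    """Risk evaluation: compare residual risk against the acceptance criterion."""
    return "acceptable" if residual_score(e) <= threshold else "above appetite"


def review_due(e: RiskEntry, today: date, interval: timedelta = REVIEW_INTERVAL) -> bool:
    """Monitoring and review: has the entry gone stale?"""
    return today - e.last_reviewed > interval


def register_report(register: list, today: date) -> dict:
    """The questions an auditor asks of a register, answered from the data."""
    return {
        "total": len(register),
        "above_appetite": sorted(e.risk_id for e in register if evaluate(e) != "acceptable"),
        "review_overdue": sorted(e.risk_id for e in register if review_due(e, today)),
        "accepted_as_is": sorted(e.risk_id for e in register if e.treatment == "accept"),
    }


def build_sample_register() -> list:
    """Three constructed entries; assets, threats and dates are illustrative."""
    return [
        RiskEntry("R-001", "File server", "Ransomware", "Unpatched SMB service",
                  "likely", "major", "mitigate",
                  "Patch SLA, EDR and offline backups reduce both likelihood and impact",
                  "unlikely", "moderate", "IT Ops lead", date(2026, 1, 10)),
        RiskEntry("R-002", "Customer database", "Insider data exfiltration",
                  "Broad standing DB privileges", "possible", "severe", "mitigate",
                  "Least-privilege roles and query logging planned; not yet complete",
                  "possible", "major", "Data platform owner", date(2025, 9, 1)),
        RiskEntry("R-003", "Office printers", "Physical theft", "Unlocked print room",
                  "rare", "minor", "accept",
                  "Replacement cost is below the cost of access controls",
                  "rare", "minor", "Facilities", date(2026, 2, 15)),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for e in register:
        print(f"{e.risk_id}: inherent {inherent_score(e):>2}, residual {residual_score(e):>2}, {evaluate(e)}")
    print(register_report(register, date(2026, 3, 1)))
```

Run against the sample data on 2026-03-01, the report lists R-002 as both above appetite and overdue for review: exactly the kind of entry a regulator asks about, and exactly the kind that a register kept as a static document tends to hide. The rationale check in `__post_init__` is deliberate: an "accept" decision with no recorded reason is the gap auditors most often flag.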
This is where a Trust Center becomes the external-facing evidence layer — publishing your security posture, compliance status, and risk management approach to the stakeholders who need to see it. Compliance automation bridges this gap by continuously collecting evidence and feeding it into your external-facing documentation.
How Orbiq Supports Risk Management
- Trust Center: Publish your security posture, certifications, and compliance status as a buyer-ready evidence package
- Continuous Monitoring: Track the effectiveness of your controls and surface changes that affect your risk landscape
- Evidence Management: Automated collection of compliance evidence for audits and regulatory inspections
- Vendor Risk Monitoring: Assess and monitor third-party risk as part of your supply chain risk management
Further Reading
- What Is NIS2? — The EU directive driving risk management requirements
- NIS2 Compliance: The Complete Guide — Risk management requirements under NIS2
- DORA Compliance Guide — ICT risk management for financial services
- What Is a Trust Center? — External evidence layer for your risk programme
- Security Questionnaire Software: Buyer's Guide 2026 — How risk frameworks shape modern vendor assessment workflows
Sources & References
- [1] ISACA, "COBIT 2019 Framework: Introduction and Methodology"
- [2] ISACA, "Resilience and Security in Critical Sectors: Navigating NIS2 and DORA Requirements"
- [3] European Parliament, "Directive (EU) 2022/2555 (NIS2)," Article 21, eur-lex.europa.eu
- [4] European Parliament, "Regulation (EU) 2022/2554 (DORA)," Articles 5–16, eur-lex.europa.eu
- [5] ISO, "ISO 31000:2018 Risk Management — Guidelines," iso.org
- [6] ISO, "ISO/IEC 27005:2022 Information Security Risk Management," iso.org