Choosing a Risk Management Framework Is a Governance Decision
Editorial: (Fraud Risk Management)
"A Comparison of Key Risk Management Frameworks: COSO-ERM, NIST RMF, ISO 31.000, COBIT."
Selecting a risk management framework should not be treated solely as a technical or compliance exercise.
The choice between frameworks such as COSO-ERM, NIST RMF, ISO 31000, and COBIT is ultimately a governance decision. It reflects how an organisation understands risk, accountability, technology, performance and control.
The article by Dr Ahmet Efe correctly highlights that no single framework fits every organisation. COSO-ERM is strongly positioned for enterprise risk management and strategic governance. NIST RMF focuses on information systems, security and privacy risks throughout the system life cycle. ISO 31000 provides broad, principle-based guidance that can be applied across sectors. COBIT is especially useful where information and technology governance must be aligned with business objectives. This distinction matters.
Organisations should not choose a framework simply because it is popular, familiar, consultant-recommended or regulator-friendly. The better starting point is the answer to one question:
What risk problem is the organisation trying to solve?
A strategy-driven organisation may lean towards COSO-ERM. A technology-heavy or regulated environment may require NIST RMF. A diversified organisation may benefit from ISO 31000's flexibility. An enterprise struggling with digital risk, IT governance and technology performance may find COBIT most useful.
The article's focus on implementation challenges is also important. Frameworks often fail not because they are weak, but because leadership commitment is shallow, staff are poorly trained, risk language is inconsistent, or monitoring becomes a tick-box activity. A framework that looks good on paper can quickly become governance wallpaper — visible, formal and largely ignored.
One editorial concern is that the conclusion focuses mainly on ISO 31000 and COBIT, even though the paper begins by comparing four frameworks. COSO-ERM and NIST RMF should be brought back into the final synthesis. These frameworks are not always competitors; in many organisations, they may work together. COSO-ERM may guide enterprise risk governance; ISO 31000 may provide general principles; NIST RMF may support cybersecurity and privacy risk; and COBIT may strengthen IT governance.
A small but important correction is also needed: the standard should be written as ISO 31000, not ISO 31.000. (I am a firm believer that the correct way is ISO 31000:2018). In professional risk management writing, precision matters. Loose terminology can too easily suggest loose thinking.
The practical lesson is clear: begin with the organisation's risk context, not with the framework. Consider the industry, regulatory environment, strategic objectives, technology dependency, maturity level and leadership culture. Then select and adapt the framework that best supports sound decision-making. Effective risk management is not achieved by naming a framework in a policy document. It is achieved when risk thinking becomes part of strategy, operations, reporting and accountability. The best framework is the one an organisation understands, adapts, embeds and uses consistently.
Source:
Efe, A. (2023). A comparison of key risk management frameworks: COSO-ERM, NIST RMF, ISO 31.000, COBIT. Denetim Ve Güvence Hizmetleri Dergisi, 3(2), 185-205. https://dergipark.org.tr/en/pub/audas/article/1291915
Image: QuillBot (2026). Forensic Investigative Leads [AI-generated image].