ENISA RM/RA Framework
The ENISA Risk Management/Risk Assessment (RM/RA) Framework is an overview of the relevant content found in the literature on Risk Management. This section gives a short overview of the framework, since it is essential for understanding the project results.
The following figure shows a schematic overview of the framework as it has been published by ENISA in the past (see Current Risks section). The various (sub-)processes of the Risk Management Framework may be performed in isolation or as a whole. If all of the processes are performed, the thick orange arrows represent a cycle that depicts the control flow through the Risk Management processes.
The process Definition of Scope and Framework is considered the ideal starting point for this control flow. It aims to establish global parameters for the performance of Risk Management within an organisation, and for this purpose it takes internal and external aspects into account. Next, a process covering the identification, analysis and evaluation of risks is executed (Risk Assessment). It is followed by Risk Treatment, which selects and implements measures to modify risk. Risk Acceptance aims at deciding which risks are accepted by the responsible management of the organisation. Monitor and Review describes a continuously ongoing process for monitoring the success of the Risk Management implementation and delivering valuable input to any recursion of the (re)definition of the corporate Risk Management. Also included in the framework is a Risk Communication process, which aims at exchanging information about risk to and from all stakeholders.
In addition to the above processes, the interfaces to operational processes are indicated but not elaborated. These interfaces are the subject of the project whose results are summarised by this website.
Complementing the framework, ENISA identified a number of data elements that describe the exchange of information between the various Risk Management processes.