Key Insights:
- The framework a client adopts (COSO ERM, ISO 31000, or NIST RMF) shapes engagement scope, methodology, and documentation.
- The current IIA Global Internal Audit Standards require internal audit to plan engagements around the organization's objectives and risks, which in practice means the framework it has adopted, and that raises the bar for the advisory work supporting those engagements.
- Purpose-built audit technology closes the execution gap that generic tools leave open.
Risk advisory engagements are only as strong as the client's risk management framework underneath them. The framework defines what counts as a risk, how it gets prioritized, who responds to it, and how that response gets documented and tested. When advisory firms come in to support that work, the framework is also what their scope, methodology, and reporting have to align with.
This article covers the three frameworks risk advisory firms encounter most often, the components that determine whether any of them work in practice, and how AI is changing what framework execution actually looks like in 2026.
What Is a Business Risk Management Framework?
A risk management framework gives your client a structured system for identifying risks, determining which ones matter, and deciding how to respond, in a way that is repeatable and tied to the organization's objectives.
The three most common frameworks in audit and advisory contexts are COSO ERM, ISO 31000, and NIST RMF. They differ meaningfully in scope, structure, and audience, which matters when you are translating a client's framework into engagement decisions.
COSO ERM 2017
Issued by: The Committee of Sponsoring Organizations of the Treadway Commission, sponsored by five U.S. professional bodies including the AICPA and The Institute of Internal Auditors.
Scope: Enterprise risk management across the whole organization, with strong emphasis on linking risk to strategy, governance, and financial reporting. (COSO also publishes the Internal Control – Integrated Framework, which is what most U.S. SOX programs are built around. The ERM and Internal Control frameworks are related but separate.)
Structure: Five interconnected components, with 20 underlying principles distributed across them.
- Governance and Culture
- Strategy and Objective-Setting
- Performance
- Review and Revision
- Information, Communication, and Reporting
Best for: U.S.-headquartered organizations, public companies, and any client where board oversight, strategy alignment, and financial reporting integration matter most. The most common ERM framework you will encounter in U.S. audit and advisory practice.
ISO 31000:2018
Issued by: The International Organization for Standardization (ISO), the global standards body, with input from national standards committees worldwide.
Scope: Risk management as a discipline, applied to any type of risk and any size of organization. The 2018 revision sharpened the focus on risk management as an input to decision-making, explicit senior-management accountability, and value protection alongside value creation. ISO 31000 is principles-based rather than certifiable, so organizations don't get audited against it the way they would against a management system standard.
Structure: Three connected elements that work together.
- Principles that define what good risk management looks like (integrated, structured, customized, inclusive, dynamic, and so on)
- A Framework for embedding risk management into governance, leadership, and operations
- A Process covering communication and consultation, scope and context, risk assessment (identification, analysis, evaluation), risk treatment, monitoring and review, and recording and reporting
Best for: Internationally oriented clients, organizations that prefer standards-body governance over professional-body governance, and clients who want a single risk management approach that travels across jurisdictions and risk types.
NIST RMF
Issued by: The U.S. National Institute of Standards and Technology (NIST), the federal agency responsible for measurement standards and cybersecurity guidance, anchored in SP 800-37 Rev. 2 and related publications.
Scope: System-level risk for information security, privacy, and supply chain risk. Narrower than COSO ERM or ISO 31000, but much deeper inside its scope. It assumes you are managing a portfolio of information systems and need to make authorization decisions about each one.
Structure: A seven-step cycle applied to each information system.
- Prepare
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
Best for: U.S. federal agencies, defense contractors, federally regulated industries, and organizations pursuing FedRAMP or CMMC, where NIST RMF is either required outright or treated as the de facto standard for systems-level risk.
How a Risk Management Framework Connects to Risk Advisory Engagements
The framework a client picks isn't just a governance choice. It shapes the scope, methodology, and documentation your engagement has to deliver, because the client's own internal audit function is already working off it.
The clearest example is the IIA's Global Internal Audit Standards. The Institute of Internal Auditors (IIA) sets the global rules for how internal audit functions plan and run their work, and the current Standards formally expect engagements to be planned around the organization's strategies, objectives, and risks. In practice, that means the Chief Audit Executive (CAE), the leader of the internal audit function, builds the audit plan around whatever risk framework the organization has adopted (COSO ERM, ISO 31000, NIST RMF, or another). The Standards don't prescribe a particular framework, but they do require that internal audit's work be anchored in whichever one the organization has chosen.
That expectation flows downstream to the advisory firms supporting that work. If your engagement isn't aligned with the client's framework, it doesn't fit the picture the CAE is building, and the gap shows up in scoping, sampling, and reporting decisions that have to be reworked later.
Core Components of an Effective Business Risk Management Framework
Regardless of which framework a client adopts, the same core components determine whether it works in practice.
Risk Identification
Risk identification is the work of finding the risks that actually exist in the organization, not just the ones that already sit on the risk register. Three activities tend to surface the most:
- Process mapping: Confirming how activities and dependencies actually work, not just how they're documented.
- Risk and control self-assessments: Comparing management's view of risk with what the people doing the work see day-to-day.
- External scanning: Picking up emerging risks (regulatory changes, new threats, market shifts) that may not yet appear in internal registers.
In practice, clients rarely skip identification entirely. The more common failure is identifying risks and never translating them into anything actionable. That's where the assessment work comes in.
Risk Assessment
Risk assessment is the work of deciding which of the identified risks matter, how much, and to whom. The questions are about likelihood, impact, and which risks rise to the level the framework's escalation paths are designed for.
This is where the criteria the client uses do the heavy lifting: the likelihood and impact scales, the materiality thresholds, the risk appetite statements. If those criteria are inherited defaults rather than things the leadership team actually agrees with, the assessment will produce a register that nobody acts on. That's where advisory firms add value: turning a static register into a plan the client can execute against.
Risk Response and Control Mapping
Once risks are assessed, responses should align with the organization's approved risk appetite and tolerances. Inspection findings show how often this breaks down. For example, in the Crowe 2024 inspection, the firm identified a control deficiency over volume data but still relied on those data without sufficient testing of accuracy and completeness. Identifying a risk and then failing to respond is itself a system failure, a principle the GAO standards reinforce by requiring that risk responses be designed and implemented, not just documented.
The way to prevent that gap is control mapping: tying each assessed risk to the specific control (or controls) the client is relying on to manage it. When that mapping is done well, every risk on the register has a named owner, a defined response, and a clear way to test whether the response is working. When it's done poorly, the register and the controls drift apart, which is how Crowe-style failures happen. Control mapping is where risk advisory engagements add the most value. Clients usually need help with three things:
- Linking responses to controls: Connecting each risk response to a specific control or set of controls so coverage is traceable.
- Documentation quality: Documenting the rationale clearly enough for reviewers and future teams to follow.
- Monitoring triggers: Setting indicators that show when a control weakens or stops working.
Without that discipline, the framework looks complete in policy documents while response failures continue in practice.
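The drift described above (risks with no mapped control, controls mapped to no risk, owners and test procedures missing, monitoring triggers never defined, and an "accept" response on a risk that sits above the stated tolerance) is mechanical enough to check. The script below is an added example, not Fieldguide's code or any framework's published artifact. The register layout, field names, the 1-5 likelihood and impact scales, and the residual tolerance value are assumptions for illustration, and the sample records are constructed.

```python
"""Control-mapping gap check over a small risk register (added example).

Assumed register layout: risks, controls, and a risk->control mapping list.
Field names, rating scales and the tolerance value are assumptions made for
this illustration, not taken from COSO ERM, ISO 31000 or NIST RMF.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed risk-appetite tolerance: a residual rating at or above this value
# may not simply be accepted (likelihood 1-5 multiplied by impact 1-5).
RESIDUAL_TOLERANCE = 12


@dataclass
class Risk:
    rid: str
    owner: Optional[str]
    likelihood: int
    impact: int
    response: str  # accept / mitigate / transfer / avoid

    @property
    def residual(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Control:
    cid: str
    owner: Optional[str]
    test_procedure: Optional[str]   # how operating effectiveness is evidenced
    kri: Optional[str]              # key risk indicator used as the monitoring trigger
    kri_threshold: Optional[float]  # value at which the trigger fires


Finding = Tuple[str, str, str]  # (severity, entity id, message)


def check_register(risks: List[Risk], controls: List[Control],
                   mapping: List[Tuple[str, str]]) -> List[Finding]:
    """Return findings sorted by severity, then entity id."""
    findings: List[Finding] = []
    ctrl_ids = {c.cid for c in controls}
    mapped_risks = {rid for rid, _ in mapping}
    mapped_ctrls = {cid for _, cid in mapping}

    for r in risks:
        if r.owner is None:
            findings.append(("high", r.rid, "no named risk owner"))
        # Any response other than "accept" must be traceable to a control.
        if r.rid not in mapped_risks and r.response != "accept":
            findings.append(("high", r.rid, f"response '{r.response}' has no mapped control"))
        # Accepting a risk above tolerance contradicts the approved appetite.
        if r.response == "accept" and r.residual >= RESIDUAL_TOLERANCE:
            findings.append(("high", r.rid,
                             f"accepted with residual {r.residual} >= tolerance {RESIDUAL_TOLERANCE}"))

    for c in controls:
        if c.cid not in mapped_ctrls:
            findings.append(("medium", c.cid, "control mapped to no risk (orphan)"))
        if c.test_procedure is None:
            findings.append(("medium", c.cid, "no test procedure; effectiveness cannot be evidenced"))
        if c.kri is None or c.kri_threshold is None:
            findings.append(("low", c.cid, "no monitoring trigger (KRI + threshold)"))

    for rid, cid in mapping:
        if cid not in ctrl_ids:
            findings.append(("high", rid, f"mapped to unknown control {cid}"))

    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


# Constructed sample register: deliberately contains each kind of gap.
SAMPLE_RISKS = [
    Risk("R1", "CISO", 4, 4, "mitigate"),
    Risk("R2", None, 2, 5, "mitigate"),
    Risk("R3", "CFO", 4, 4, "accept"),
    Risk("R4", "COO", 1, 2, "accept"),
]
SAMPLE_CONTROLS = [
    Control("C1", "IT Ops", "Sample 25 hosts; verify patched within SLA", "patch latency days", 14),
    Control("C2", "HR", None, None, None),
    Control("C3", "Finance", "Re-perform month-end reconciliation", "unreconciled items", 5),
]
SAMPLE_MAPPING = [("R1", "C1"), ("R2", "C9")]  # C9 does not exist

if __name__ == "__main__":
    for sev, ent, msg in check_register(SAMPLE_RISKS, SAMPLE_CONTROLS, SAMPLE_MAPPING):
        print(f"{sev:6} {ent:4} {msg}")
```

Run against the constructed register it reports seven gaps: R2 has no owner and points at a control that does not exist, R3 is accepted above tolerance, C2 and C3 are orphans, C2 has no test procedure, and C2 has no monitoring trigger. The same checks can be pointed at a client's exported register once the column names are mapped to the assumed fields.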
Monitoring, Review, and Governance
The monitoring triggers set during control mapping are only useful if someone actually watches them and acts on what they say. That is what this part of the framework does, and it's where the difference between paper and practice shows up most clearly. Effective monitoring produces useful risk intelligence; ineffective monitoring is just a periodic compliance exercise. The difference comes down to three factors:
- Signal quality: Do key risk indicators flag change early enough to support action?
- Reporting cadence: Is it frequent enough to stay useful, or does information arrive too late to matter?
- Monitoring scope: Are teams clear about when monitoring is continuous versus periodic?
Governance and culture create the conditions for monitoring to work:
- Risk ownership: It has to be explicit, with named owners at each level.
- Board-level escalation: Challenge and escalation need a clear home at the board level.
- Leadership behavior: How leaders respond to risk issues shapes whether teams raise them at all.
- Threshold accountability: People need to know who acts when thresholds are crossed.
One area that often falls outside these monitoring structures is third-party risk. It belongs inside the enterprise risk management framework, not alongside it, and that is also how the IIA frames it. When clients manage third-party risk in isolation, that is a framework gap worth raising.
How Technology and AI Help Operationalize the Risk Management Framework
A lot of risk advisory engagement hours go to procedural work: gathering and organizing evidence, matching it to samples, identifying exceptions, producing reviewable documentation. That is exactly the work AI is best suited to take on, and it's why the daily workflow is where AI is reshaping how frameworks actually get executed.
Where AI Fits in Framework Execution
Most AI in audit and advisory today is assistive: chat, copilots, point automations triggered by a person. These tools matter. They make individual steps faster and give practitioners on-demand help where they want to drive the work themselves. Agents are something different. They execute multi-step procedural work on their own, with the practitioner reviewing the result rather than driving each step.
Fieldguide AI gives you both: AI Assist for the on-demand work practitioners want to drive themselves, and Field Agents for the multi-step procedural work. Testing Agent runs end-to-end control testing: matching evidence to samples, validating data, identifying exceptions, and producing reviewable documentation the practitioner signs off on. Request Agent reviews client evidence the moment it's submitted, flags gaps and inconsistencies, and tells the client exactly what's needed before the team picks the engagement up.
Agents plan, execute and document. Humans review, judge and advise. That is what changes how a framework actually gets operationalized.
Strengthen Your Risk Framework Engagements with Fieldguide
Fieldguide is the industry's only end-to-end AI-native engagement platform, purpose-built for audit and advisory, with the Agent Workforce, methodology depth, and audit-grade rigor firms need to operationalize their risk management frameworks.
The platform is built to layer your work on top: Field Agents tailored to your methodology, your own data and context shaping how the agents reason, open APIs that fit existing operations, and IP protection that keeps your methodology yours.
The advisory practices getting the most out of their risk frameworks in 2026 are the ones changing how the work gets done, not the ones layering more tools on top of an old model.
To see how it works in your risk advisory engagements, request a demo.