Recently, the Committee of Sponsoring Organizations (COSO) released a long-awaited exposure draft update to its Enterprise Risk Management (ERM) Framework. The original ERM Framework was issued in 2004. And as we are all aware, much has changed since then in how we and our organizations view and manage risk.

That's right, you read it correctly: this comes from the same people that brought you the internal control framework used for Sarbanes-Oxley (SOX) – COSO.

The ERM Framework is very different from the COSO Internal Control – Integrated Framework (IC 2013), which was last updated in 2013 and which you are probably very familiar with. The latter focuses on designing, implementing and monitoring internal control effectiveness and is used to assess the internal controls for preparing and reporting on financial statements (SOX compliance). You know, "that framework" responsible for the pain you experience every fall because some executive decided to declare something you do a critical control, and now you need to make sure you do it right 100 percent of the time – or else you'll be spending your winter vacation trying to satisfy the auditors.

The ERM Framework is actually a tool you will find helpful

Let's face it – whether you are a CISO, a technology risk manager or an administrator trying to avoid corporate politics, the proposed ERM Framework will help you. Here are my top reasons why you should care and take this thing seriously:

A lot of what you do is risk management. Yet existing risk assessment tools, although they facilitate strong consideration of technical issues, do a poor job of providing a process for communicating the risks to executive management and the board of directors. This proposed framework helps overcome that challenge.

The ERM Framework provides a consistent, recognized approach to performing risk assessment. You can be confident in your prioritizations – and, more importantly, so can those "higher-ups."

Because at its core it is an "enterprise" framework rather than a "technology" framework, it will enable you to present your concerns from an enterprise rather than a technology perspective (what you've always been wishing for). More importantly, your issues will be presented in the language used by corporate executives, significantly increasing the probability of their inclusion in key reports and communications, and hopefully producing a more positive response to "security investment" requests.

The framework forces a "top-down" approach, ensuring that the needs of key stakeholders are understood and that risk response strategies align with those needs and are prioritized properly.

What is the framework all about?

The framework is made up of five components supported by 23 principles. These are not meant to be one size fits all – so a little creativity and thinking outside the box is required to tailor the framework to your unique needs. The five components are risk governance and culture; risk, strategy and objective setting; risk in execution; risk information, communication and reporting; and monitoring enterprise risk management performance. Here is what each of these components means and its impact:

Risk Governance and Culture – This deals with overall corporate philosophies, including board of director and executive buy-in to managing risks and supporting the programs that mitigate them. It also includes policies, ensuring adequate funding, and promoting an appropriate tone at the top.

Risk Strategy and Objective Setting – This helps define risk appetite and what level of risk is or isn't acceptable. Many information security and technology risk professionals are well aware of the constant need to assess business opportunities by balancing availability against security needs. In this component, these professionals help define the general parameters of risk so that they can be applied when assessing individual business opportunities or technology issues.

Risk in Execution – This component represents the activities where most risk professionals spend their time, and for non-enterprise-wide assessments it reflects the total assessment. It addresses the actual process of identifying the risk, assessing its severity, and designing and implementing mitigation strategies and responses. Although not inherently technology focused, it challenges technology professionals to translate their technical risks and solutions into a language that business executives can relate to.

Risk Information, Communication and Reporting – Gathering relevant data and converting it into actionable information that helps the organization better achieve its objectives is the purpose of this component. Information security and technology risk professionals "live this challenge" by developing relevant performance metrics that can be used to demonstrate the effectiveness of security risk reduction programs. That old cliché of "what gets measured gets done" is relevant here – so choose the information you assess your work against wisely.

Monitoring Enterprise Risk Management Performance – This final component doesn't always receive the attention it deserves. We designed and implemented risk management strategies – but do they work? In this component the larger picture is taken into account to help ensure that what does get developed is effective and efficient in meeting the organization's objectives.

I realize that what I've described above is what you do as a security risk management professional on a daily basis. By using "their language" you'll have better success in winning executive support (and investments) for your information security program.