Explanation: Operational risk assessment, financial crime metrics and capacity management can complement the information security framework, but only business continuity management is a key component.