OK, that sounds a little provocative. And it should. But in essence it is true, at least in the sense that there is no need for an IT-only Risk Management. What we need is an integrated Risk Management which covers "enterprise" risks and IT risks alike. Why?

Let's start with the types of risks. Risks might be divided into three categories:

  • Strategic risks, e.g. the risks of wrong (strategic) decisions, like entering a market with products no one wants to buy, changes in the market itself, and so on.
  • Operational risks. That is what the vendors of ERM (Enterprise Risk Management) tools usually call "enterprise" risks, to distinguish them from the (from their perspective) low-level IT risks. Operational risks are the risks in day-to-day operations, from trading stocks and derivatives to warranty risks when producing goods.
  • IT risks. These are risks from the perspective of IT systems, ranging from non-working IT systems to missing access controls and Segregation of Duties (SoD).

But if you analyze IT risks, you will always end up with operational risks. IT risks are a part of operational risks. On the other hand, virtually any operational risk is tied to an IT risk, because most operations in organizations build heavily on IT, and IT can help in managing, measuring, and mitigating operational risks - as is frequently done with approaches like attestation and SoD controls.

That leads to the question why we should buy IT-only Risk Management solutions - and, the other way round, why we should buy Enterprise Risk Management solutions that don't cover IT risks. Unfortunately, there are several vendors out there which sell (sometimes pretty expensive) solutions for Enterprise Risk Management which aren't able to manage IT risks as well (at least not without intensive use of professional services for custom interfaces), because they neither enforce policies on the IT system level nor consume status information from IT systems for current Key Risk Indicators (KRIs). IT Risk Management, on the other hand, often doesn't sufficiently support the business view on risks (i.e. the "operational risk" perspective).
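The two integration points named above (IT-level controls such as SoD feeding measurements into the business-level view, and the enterprise risk register consuming that status as a Key Risk Indicator) can be made concrete in a few lines. The following is an added example, not code from the original post or from any vendor's product; the role names, the SoD policy, the user entitlements and the KRI thresholds are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (assumption: a flat role model, user -> set of granted roles).
ENTITLEMENTS = {
    "alice": {"create_vendor", "approve_payment"},
    "bob": {"create_vendor"},
    "carol": {"approve_payment", "view_reports"},
    "dave": {"create_vendor", "approve_payment", "view_reports"},
}

# Constructed SoD policy: pairs of roles that one person must never hold together.
SOD_POLICY = [
    ("create_vendor", "approve_payment"),
    ("change_payroll", "approve_payroll"),
]


@dataclass(frozen=True)
class SodConflict:
    user: str
    role_a: str
    role_b: str


def find_sod_conflicts(entitlements, policy):
    """IT-level control: list every user who holds both halves of a toxic role pair."""
    conflicts = []
    for user, roles in sorted(entitlements.items()):
        for role_a, role_b in policy:
            if role_a in roles and role_b in roles:
                conflicts.append(SodConflict(user, role_a, role_b))
    return conflicts


def sod_kri(entitlements, policy):
    """Key Risk Indicator: share of users with at least one SoD conflict (0.0 .. 1.0)."""
    if not entitlements:
        return 0.0
    affected = {c.user for c in find_sod_conflicts(entitlements, policy)}
    return len(affected) / len(entitlements)


@dataclass
class OperationalRisk:
    """Business-level risk register entry, rated from an IT-level KRI."""
    name: str
    kri_name: str
    amber: float  # KRI value at which the risk turns amber
    red: float    # KRI value at which the risk turns red

    def rate(self, kri_value):
        if kri_value >= self.red:
            return "red"
        if kri_value >= self.amber:
            return "amber"
        return "green"


# Constructed register: the operational risk that the SoD control actually mitigates.
RISK_REGISTER = [
    OperationalRisk("Fraudulent vendor payments", "sod_conflict_ratio", amber=0.10, red=0.25),
]


def risk_register_status(entitlements, policy, risks):
    """Enterprise view: map the current IT-level KRI onto each operational risk's status."""
    kri = sod_kri(entitlements, policy)
    return {risk.name: risk.rate(kri) for risk in risks}


if __name__ == "__main__":
    for conflict in find_sod_conflicts(ENTITLEMENTS, SOD_POLICY):
        print(f"SoD conflict: {conflict.user} holds {conflict.role_a} and {conflict.role_b}")
    print(f"KRI sod_conflict_ratio = {sod_kri(ENTITLEMENTS, SOD_POLICY):.2f}")
    print(risk_register_status(ENTITLEMENTS, SOD_POLICY, RISK_REGISTER))
```

The point of the example is the seam between the two layers: `find_sod_conflicts` is something only a tool with access to IT entitlements can evaluate, while `OperationalRisk.rate` is something only the business owner of the risk can calibrate. A product that implements only one side leaves the other half to spreadsheets or custom interfaces.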

There is some justification for all these tools: they are better than nothing, and even better than just using spreadsheets. But, overall, they don't really solve the problem. And, even worse, customers might think they've done their job while still being at risk.

What we need is an approach for integrated Risk Management, adding an enterprise perspective to IT Risk Management or vice versa. Given that the distinction between IT risks and operational risks is artificial and, in reality, we are dealing with one type of risk, we can't rely on tools which try to differentiate between these risks. You might argue that Enterprise Risk Management is for business users whilst IT Risk Management is for IT. But that isn't a valid argument. You still need consistent policies, and they are still the same risks. There might be tools at both levels with tight integration, but the claim that you can solve your Risk Management problems at either one of the levels alone isn't true.

I'm convinced that the market for Risk Management will change, providing much more integration, with IT Risk Management vendors moving to the business level and Enterprise Risk Management vendors, probably through acquisitions and partnerships, providing integrated support for IT Risk Management.

Until then, you should carefully review the vendors' promises. Do they really solve the problem, or do they just give you a better feeling? And, in case you decide on one of today's incomplete offerings, you should be aware of this and understand it as just a step towards Integrated Risk Management.