RiskTech Forum

Nasdaq BWise: The Trials and Tribulations of IT and Integrated Risk Management

Posted: 1 February 2017  |  Author: Ladd Muzzy

Integrated risk management is personified when managing the risks of information technology (IT). There are arguably few topics whose influence reaches across all parts of an organization’s value chain, from the back office to the front, from employees to customers, and from vendors to third parties. As a result, IT GRC (Governance, Risk, and Compliance) continues to be a focus. IT and risk management are making efforts to advance their relationship to understand, identify, and thwart unwanted exposures.

However, like any relationship, it is fraught with the realities of everyday life. IT and risk management typically have very limited budgets, are leanly staffed, and must juggle competing priorities. The edict to “do more with less” seems to be an ongoing mantra for these groups. Unfortunately, this leads to inefficient and ineffective risk management practices. Michael Rasmussen, in one of his recent blog posts (1), cites similar challenges. He argues that uncoordinated activities and multiple IT risk approaches introduce complexity, resulting in a loss of proper business support and increasing vulnerabilities.


Cutting through the complication and mire of disparate systems, structured and unstructured data, processes and practices to provide a holistic picture of the risk environment is a strength of a complete GRC software tool. There are a number of other benefits users should also consider in their GRC software:

Some think there is value in having a point solution to address specific facets of risk such as information security and compliance. Risks, however, are rarely independent. Links between risks become more transparent when viewed across the value chain. Risks that have the most significant impact tend to have a snowball effect, gathering size as they make their way through the organization. Effective, integrated risk management software must be able to leverage the data throughout the company and pull it together to make sense of its overall effects. Only then can there be the confidence that IT and risk are working in harmony.