Organizations face a complex environment of risk, internally and externally. Geopolitical, financial/treasury, economic, operational, legal, and regulatory environments produce compound risks for organizations to manage. Many organizations are learning that these risks often interrelate to create a much larger risk environment than each independent silo is aware of. What may seem an insignificant IT risk in one area of the organization can have profound impact on others. Consider the Société Générale in 2008, in which a rogue trader with excessive rights to IT systems and applications generated a €4.9 billion loss. When the organization approaches risk in scattered silos that do not collaborate, there is no possibility to be intelligent, let alone wise, about risk decisions that could impact business strategy.
Many organizations have separate initiatives to manage IT risk and compliance from other governance, risk and compliance (GRC) initiatives. This leads to a myopic view of risk and compliance within the enterprise — a lack of imagination, foresight, and intellectual insight. The organization fails to understand how IT risk interacts with other enterprise risk and compliance areas and cannot properly protect the organization, or keep the organization on track to meet its corporate performance, strategy, and objectives.
