The management of risks is a cornerstone of IT governance, ensuring that the strategic objectives of the business are not jeopardised by IT failures. Risks associated with technology issues are increasingly evident on board agendas, as the impact on the business of an IT failure can have devastating consequences. Risk is, however, as much about failing to grasp an opportunity to use IT—for example, to improve competitive advantage or operating efficiency—as it is about doing something badly or incorrectly.

Managing IT risks and exercising proper governance are challenging experiences for business managers faced with technical complexity, dependence on an increasing number of service providers, and a limited supply of reliable risk-monitoring information.

– ISACA, Managing Risk: Whose Business?