Economic Translation of IT Risk
Context & Stakes
A global insurance group managed approximately 500 IT risks across multiple entities. Risk management operated as a compliance exercise — red/amber/green ratings reported to audit committees without economic context.
The Real Problem (Not the Stated One)
They Thought
IT risk management is a compliance exercise — catalog risks, rate by severity, report to audit. Investment driven by fear or regulation, not economics.
My Findings
Risk discussions were disconnected from economics. No shared language existed for comparing risk exposure with remediation cost. Different functions couldn't participate in the same investment conversation.
Key Interventions
- Risk-weighted exposure modeling: Translated ~500 IT risks into economic exposure comparable across entities.
- Cross-entity benchmarking: Calibrated assumptions against actual performance for relative prioritization.
- ROI-based investment logic: Replaced compliance-driven investment with explicit return-on-remediation analysis.
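The three interventions above describe a method without showing its arithmetic. The following is an added example, not the engagement's actual model or data: it takes a constructed register of four hypothetical risks across three hypothetical entities, converts each into an expected annual exposure (probability of a loss event times expected loss per event), estimates how much of that exposure a proposed control removes, and ranks remediation options by return rather than by severity rating. All risk identifiers, entity names, probabilities, loss figures and control costs are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One entry in a hypothetical IT risk register (constructed for this example)."""
    risk_id: str
    entity: str
    annual_probability: float  # chance of at least one loss event per year, 0..1
    impact: float              # expected loss per event, in currency units
    remediation_cost: float    # one-off cost of the proposed control
    residual_factor: float     # share of exposure that remains after the control, 0..1


def annual_exposure(risk: Risk) -> float:
    """Expected annual loss with no additional control in place."""
    return risk.annual_probability * risk.impact


def exposure_reduction(risk: Risk) -> float:
    """Expected annual loss avoided if the proposed control is implemented."""
    return annual_exposure(risk) * (1.0 - risk.residual_factor)


def return_on_remediation(risk: Risk) -> float:
    """Net return per unit of remediation spend: (loss avoided - cost) / cost."""
    if risk.remediation_cost <= 0:
        raise ValueError(f"{risk.risk_id}: remediation cost must be positive")
    return (exposure_reduction(risk) - risk.remediation_cost) / risk.remediation_cost


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Order remediation candidates by return on remediation, highest first."""
    return sorted(risks, key=return_on_remediation, reverse=True)


def entity_exposure(risks: list[Risk]) -> dict[str, float]:
    """Total expected annual loss per entity, for cross-entity comparison."""
    totals: dict[str, float] = {}
    for risk in risks:
        totals[risk.entity] = totals.get(risk.entity, 0.0) + annual_exposure(risk)
    return totals


def fund_within_budget(risks: list[Risk], budget: float) -> list[Risk]:
    """Greedy allocation: fund positive-return items in priority order until the budget is spent."""
    funded: list[Risk] = []
    remaining = budget
    for risk in prioritize(risks):
        if return_on_remediation(risk) <= 0:
            break  # everything after this point loses money on expectation
        if risk.remediation_cost <= remaining:
            funded.append(risk)
            remaining -= risk.remediation_cost
    return funded


# Constructed sample register: entities, figures and ids are invented for illustration.
REGISTER = [
    Risk("R-01", "Entity-A", 0.30, 2_000_000, 150_000, 0.2),
    Risk("R-02", "Entity-B", 0.05, 10_000_000, 1_000_000, 0.5),  # highest impact, poor return
    Risk("R-03", "Entity-A", 0.60, 100_000, 20_000, 0.1),
    Risk("R-04", "Entity-C", 0.10, 5_000_000, 100_000, 0.3),
]


if __name__ == "__main__":
    print(f"{'id':<6}{'entity':<10}{'exposure':>12}{'avoided':>12}{'cost':>12}{'return':>8}")
    for r in prioritize(REGISTER):
        print(f"{r.risk_id:<6}{r.entity:<10}{annual_exposure(r):>12,.0f}"
              f"{exposure_reduction(r):>12,.0f}{r.remediation_cost:>12,.0f}"
              f"{return_on_remediation(r):>8.2f}")
    print("exposure by entity:", {k: round(v) for k, v in entity_exposure(REGISTER).items()})
    print("funded with 300,000:", [r.risk_id for r in fund_within_budget(REGISTER, 300_000)])
```

The point the ranking makes is the one in the text: the risk with the largest single-event impact (R-02 in the constructed data) is the one a severity-only rating would put at the top, yet its proposed control costs more than the exposure it removes, so an economic view ranks it last. The probability and residual-factor inputs are where calibration against actual performance across entities matters; the arithmetic is only as good as those assumptions.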
Measured Outcomes
IT risk discussions shifted from compliance to economics. Investment decisions became faster and higher-quality. Business, security, and technology leaders could participate in the same conversation for the first time.
Why This Case Is Reusable
Any organization where risk management operates as compliance rather than economics is likely making suboptimal investment decisions. The pattern applies wherever technical risks are catalogued but not translated into business language.
If this resembles your situation, I'm available for a confidential conversation.
eric.de.morgoli@proton.me