The Top 10 Enterprise Risk-Management Myths

July 30, 2008

To address Sarbanes-Oxley compliance, many companies put in place technology platforms that now support a variety of risk and compliance initiatives. Sarbanes-Oxley solutions were generally purchased with the tacit approval of IT, but few IT organizations standardized on a strategy for managing risk and compliance data.

Many companies have moved to augment their enterprise risk management platforms with dedicated governance, risk and compliance (GRC) solutions. That trend isn't going to disappear anytime soon, but some companies will come away disappointed with the results: in many cases the "automation" these tools promise turns out to be anything but. What follows is a list of 10 ERM-GRC myths.

Few companies can grow without taking risks. But poor risk management leads to surprises in business operations that can damage shareholder confidence, invite regulatory scrutiny and hurt the bottom line. An unprecedented wave of regulatory oversight in recent years has shown many organizations just how inadequate their enterprise risk management (ERM) policies and procedures really are.

  1. Myth Number 10: IT Risk Management = Information Security
  2. Myth Number 9: CIOs Embraced Enterprise GRC
  3. Myth Number 8: A Rigid, Standardized Approach Is Best
  4. Myth Number 7: You Can Manage Risk Only from the Center
  5. Myth Number 6: You Can Manage Risk and Compliance with Spreadsheets
  6. Myth Number 5: Traditional Audit Planning Is Good Enough
  7. Myth Number 4: Enterprise Risk Management Is Dead!
  8. Myth Number 3: It Just Takes Common Sense
  9. Myth Number 2: TJX — It Can’t Happen Here
  10. The Number One Myth about ERM: You Can’t Plan for the Unknown