
Enterprise Risk Management Has a Skills Problem. And It’s Getting Worse.


Most organisations have an enterprise risk management framework in place. They have policies, governance structures, and reporting processes. What many of them do not have is enough people who actually know how to execute across all of it, particularly when it comes to IT and cyber risk.

That gap is not new. But it is widening. According to a Forrester survey of 360 ERM decision-makers in North America and Europe, information security risks are already the primary concern for 32% of enterprise risk management professionals. At the same time, 41% of those organisations have experienced three or more critical risk events. Frameworks are not the problem. The people needed to run them effectively are.

Why IT risk is the hardest part to staff

IT and cyber risk management requires a combination of skills that does not exist in large supply. Professionals in this space need to understand technical risk well enough to assess it accurately, and business operations well enough to communicate it to leadership and translate it into decisions that hold up at the board level. That intersection is genuinely rare.

Most organisations filling these roles find that technical professionals lack the governance and business alignment skills the work demands, while risk and compliance professionals often lack the technical depth to assess modern cyber threats meaningfully. The result is a persistent gap between what risk management programs require and what the teams running them can actually deliver.

Credentials designed specifically for this role exist. The Certified in Risk and Information Systems Control (CRISC), offered by ISACA, is the most widely recognised qualification for IT risk management professionals. It covers governance, IT risk assessment, risk response and reporting, and information technology and security, mapping directly to what organisations need from risk professionals operating at the intersection of IT and business. 

Over 30,000 professionals currently hold the certification globally. Investing in CRISC training is one of the more direct ways organisations can develop that capability internally rather than continuing to search for it externally.

The gap between risk frameworks and operational reality


Having a framework and running one effectively are two different things. Most organisations know what a good risk management strategy looks like on paper. The IIA Foundation found that 59% of organisations still rely on spreadsheets for ERM program management, with only 21% implementing dedicated GRC platforms. The tools and frameworks exist. The professionals who can bridge technical risk knowledge with enterprise governance are much harder to find.

This is compounded by the pace of change. AI adoption, cloud migration, and increasing third-party dependencies are all adding new risk vectors faster than most risk teams can absorb them. According to Verizon’s 2025 Data Breach Investigations Report, third-party involvement in breaches doubled from 15% to 30% in a single year. Risk programs built around yesterday’s threat model are already behind the curve, and the professionals needed to update them are not sitting in a queue waiting to be hired.

Why this is a leadership problem, not just an HR one

The skills shortage in enterprise risk management does not start in the hiring process. It starts at the leadership level, where risk capability is either treated as a strategic priority or left to the hiring manager to sort out.

A well-designed enterprise risk management policy requires leaders who understand what risk professionals actually need to do their jobs, including authority, access to the right information, and genuine integration into business decision-making rather than a seat at the end of the table. Without that, even capable risk professionals cannot function effectively.

The question most senior leaders are not asking is whether their organisation has the human capability to execute on its risk program, not just the frameworks and tools. As the risks facing enterprise security teams continue to evolve, the organisations that treat this as a leadership question rather than a staffing one will be significantly better positioned.

What needs to change?


Closing the skills gap in enterprise risk management requires organisations to make deliberate investments rather than reactive ones. That means identifying the specific capability gaps within existing risk teams, creating structured pathways for professionals to develop the combination of technical and governance knowledge the roles require, and building the kind of internal recognition that retains risk professionals once they are developed.

It also means treating risk management credentialing as a legitimate investment rather than an optional add-on. The organisations that are managing IT risk most effectively are not doing so by accident. They have people in place who understand risk deeply, have the credentials to demonstrate it, and have been given the authority to act on it.

The skills problem is solvable. But it requires treating it as a priority rather than a consequence.
