Many in the IT profession confuse risk treatment with risk management.

Risk treatment is the process of reviewing one identified risk and deciding what to do about it: mitigate it, accept it, or whatever response you deem appropriate. Look closely and there is an enormous amount of risk in IT. Every individual device, every configuration setting (MS-Teams has over 2000 of them), every line of code is potentially a risk.

That is a lot of risk.

This is the reason why you need to manage risks at scale.

You need to manage how you identify large numbers of risks, how you distribute that work across teams and individuals, what guidelines you give those individuals, and how you collect, consolidate, and review the problems they identify in the process.

Confusingly, inadequate risk management is itself a risk to be treated. If you do not have a properly working risk management system, you are unlikely to treat the most important risks well. So if there is one risk to treat well, it is that one.

Even more confusing is that many control frameworks mix controls on technology with controls on the risk management process itself. An example of the latter is knowing which compliance requirements apply to your company's situation. That is not a technical risk.

You can treat a lot of these management risks and think you have made progress, but if that is all you do, your systems won’t be one bit more secure. You have done the paperwork, but not the real work.

Read more in my book Digital Power: How Digital Infrastructures at Scale lead to Value, Power, and Risk.

Here are some relevant sections:

Information security assets https://digitalinfrastructures.nl/book/risk/assets/

Compliance is a risk https://digitalinfrastructures.nl/book/risk/uneasy-compliance-risk/