Risk Management – ITIL’s Role in Strategic IT Risk Reduction

Published on: 7 July 2025

ITIL Leadership Playbook – Week 8, Blog 1

“CIOs are sitting on one of the biggest enterprise risk landscapes — but most don’t own it. That’s a leadership gap, not a framework flaw.”

⚠️ Most IT Risk Doesn’t Live in the Risk Register

Walk into any boardroom and ask to see the corporate risk register.
You’ll find financial risk, reputational risk, supply chain risk, maybe some climate compliance.

But IT risk?
It’s often represented by a single line: “Cybersecurity risk” or “IT system failure.”

That’s laughable.

Because beneath that line sits:

  • Cloud sprawl and shadow IT risk

  • Poor change hygiene and release volatility

  • Incident response lag and poor supplier handoffs

  • Incomplete backup and recovery plans

  • Unsupported legacy tech still powering key business functions

And yet these don’t make the risk register. Why?
Because most IT orgs don’t frame operational risk in business terms — so the business doesn’t understand it.

❌ The Problem: Risk Framed Like an Audit Checklist

Here’s where most CIOs go wrong.
They treat risk management as compliance theatre.

They:

  • Review it once a year

  • Let Audit or InfoSec own it

  • Use heatmaps and likelihood ratings

  • Track it in spreadsheets no one reads

This leads to what McKinsey calls “false confidence through documented controls.”
And it means when a real risk materialises — ransomware, outage, supplier breach — no one’s operationally ready.

“By 2026, 65% of IT leaders will face board-level scrutiny over risk posture after a major incident — but fewer than 25% will have an operationally integrated risk view.”
Gartner, 2024

✅ The Good: When IT Risk is Embedded in Strategic Governance

In high-maturity environments, IT risk management is an operating discipline — not a compliance report.

Here’s what it looks like:

  • Risk is assessed as part of service design and transition, not after the fact.

  • Every major ITIL practice (change, availability, incident) includes risk triggers.

  • The risk register is alive — updated monthly and linked to delivery metrics.

  • Control testing is real, not just paperwork.

  • Suppliers are rated on risk posture, not just uptime.

And crucially: the CIO is in the room when risk is prioritised — not just IT Security.

❌ The Bad: Risk Management That Doesn’t Touch Reality

If this sounds familiar, you’ve got a risk problem disguised as a governance one:

  • The risk register doesn’t match what’s on your incident reports.

  • Your “backup tested” control is a screenshot from last year.

  • Supplier risk is assumed because they’re ISO certified.

  • The same risks reappear every year with different language.

  • No one’s mapped Vital Business Functions (VBFs) to actual IT services.

This is how leaders get blindsided.
Not because the risk didn’t exist — but because it didn’t escalate.

🔍 CIO WAR CHEST: Questions That Surface Real Risk Exposure

Time to ask the questions no spreadsheet will answer — but your Ops team will.

  1. Which IT risks are in the enterprise risk register — and who put them there?

    • Ask: Head of Risk, Audit Lead

    • Data: Last 2 quarterly risk board updates

  2. What business services are most exposed by a major outage — and what’s the cost?

    • Ask: Service Owners, Finance

    • Data: VBF mapping, downtime impact assessments

  3. How often do we re-evaluate risk post-incident or post-change?

    • Ask: Change Manager, Problem Manager

    • Data: Change failure rates, PIR actions tagged as “risk reduction”

  4. Which suppliers are part of our critical incident supply chain — and do their support hours and SLAs align?

    • Ask: Supplier Management

    • Data: Contract matrix, OLA/SLA comparison

  5. How do we test the effectiveness of controls — and when did a control test last fail?

    • Ask: Risk Owner, IT Security

    • Data: Audit logs, red team tests, BCP drills

🧨 The Hard Truths for CIOs

  • If your IT risk register doesn’t change monthly, it’s dead.

  • If your biggest supplier fails and no one knows the handoffs, you’re exposed.

  • If the business only sees cybersecurity as “IT risk,” you’ve already lost the narrative.

  • If your own service owners can’t articulate their top 3 risks — neither can you.

🧠 What Great CIOs Do Differently

  • Integrate IT risk into every ITIL practice — not just security.

  • Track risks at the service level, not as an enterprise-wide abstraction.

  • Demand that suppliers map to your escalation and resolution model, not just theirs.

  • Embed risk metrics into command centre dashboards.

  • Make risk everyone’s job — not just GRC.

Because here’s the truth:
IT risk is the single biggest operational threat to your business continuity.
Own it — or explain it when it hits.

🚨 Need Help Turning Risk into a Leadership Discipline?

We help CIOs embed risk as a core thread through every layer of service delivery, not just at audit time.

  • Live risk dashboards

  • VBF mapping and escalation models

  • Supplier risk integration

  • Change and release risk overlays

  • Control assurance testing with impact

👉 Let’s talk risk like a CIO, not an auditor.

🔜 Final Blog Coming This Week:

Blog 16: Information Security Management – Why ITIL Security Practices Must Align With Business Protection

Ready to stop hiding security in the policy binder and start aligning it with business trust? We’re going there next.
