Risk Management as an IT Tool to Reduce Cyber Risks
Tim Cappelmann, CEO of AirITSystems GmbH, outlines why IT risk management is central to reducing cyber risks, managing digital dependencies, and strengthening governance and decision-making.
It is astonishing how surprised we are by the digital dependencies our companies and organizations have created for themselves. The convenient solutions, long intertwined with business processes, are now being reassessed in light of geopolitical changes – consider the rise of Microsoft 365 products (MS Teams, Office, SharePoint & Co.). The current debate about achieving digital sovereignty does not mean becoming completely independent – that would be unrealistic and commercially unfeasible. Rather, it is about consciously managing these dependencies and limiting them as part of an IT risk strategy.
Hypothesis: Governance over technology
Let’s start with a hypothesis: We don’t have a technology problem; we have a governance problem. IT risk and corporate risk often run in parallel. This creates an IT-specific risk appetite that is barely visible to management and therefore hard to control. The result: blind spots such as outdated systems without support, “unremovable” firewall rules, and postponed updates. These risks remain under the radar until they become costly. The same applies to hidden risks in the IT supply chain.
Currently, discussions about digital sovereignty are gaining momentum – whom can we still trust as a long-term IT partner? What risks arise from new geopolitical conditions? How should “digital sovereignty” be positioned within corporate strategy and, subsequently, the IT roadmap? Digital sovereignty and cybersecurity are closely linked – sovereignty requires technological security and control over your own data. Companies must know where their data resides, which jurisdiction applies, and who has access. Digital self-determination fundamentally depends on infrastructure that adheres to European values, laws, and data protection principles.
The topic is particularly pressing in the context of cloud usage. One term repeatedly mentioned: the “sovereign cloud.” Moving IT value creation into such a cloud is not just a technical decision – it has become a strategic necessity. Accepting digital dependencies puts compliance and operational capability at risk. So why have so many organizations, despite established risk management, fallen into dangerous reliance on leading cloud providers?
Clear reporting criteria for IT experts
IT experts make daily decisions with real risk implications and need clear reporting criteria, a shared register, and simple anchors for evaluation. They must always be able to answer: Is this reportable? Who decides? By when? And how is closure documented?
Governance requires reliable input data to make the logic “How likely? How severe?” sustainable. It needs a shared data space instead of estimates, traceable thresholds for reporting and escalation, and solid evidence so that assessments remain comparable and neither double-counted nor overlooked.
Management can only steer effectively with a unified view of the biggest risks, including trends, responsibilities, and deadlines. A few meaningful KPIs help: time from “risk detected” to “risk demonstrably closed,” the share of overdue measures, and the proportion of accepted risks that are time-bound and regularly reviewed.
Barriers to effective risk communication and governance
Stakeholders do not seem to interact efficiently. Today, we discuss digital sovereignty in terms of “trust.” This term is interpreted differently by everyone and rarely quantified or tied to measurable criteria.
In general, a common language and rhythm are missing. Technical findings do not become standardized risk entries; assessments follow inconsistent standards; decisions are rarely time-bound, and closure is not systematically documented. Time is lost, decisions are repeated, and impact cannot be proven.
The result is tangible: reporting thresholds are missed, priorities blur, and the same risks are assessed multiple times without change. Governance works with estimates instead of comparable data; management sees lists instead of a clear picture of top risks with deadlines and responsibilities. Teams invest energy in status explanations instead of measurably reducing risks.
What we need
Leadership wants to steer based on risk appetite and resilience, and expects clear gross and net assessments, defined thresholds, and reliable reporting. This only works if decisions are time-bound, responsibilities are clear, and effectiveness is documented. Ultimately, proof of adequate protection matters – not the number of checked boxes. Management needs a consistent view of top risks with trends, deadlines, and evidence, not isolated checklist deviations.
The initial hypothesis stands: We don’t have a technology problem; we have a connectivity problem. That’s the point: The tools exist, but the link between finding, decision, and evidence is missing. The consequence for tomorrow: a unified language, a single source, and a shared rhythm turn isolated activities into impact. The Risk Flow provides the framework where reporting, assessment, decision, implementation, and evidence interlock seamlessly. Accepted risks get an expiration date; decisions get an owner and a deadline; evidence gets a fixed place. Budgets align with top risks, not the loudest measure. KPIs, overdue actions, and exposure trends make progress visible.
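To make the KPIs from the “Clear reporting criteria” section and the Risk Flow rules above concrete, here is an added worked example that is not part of the article or of AirITSystems’ tooling. It models a small risk register in Python and computes the three KPIs named earlier (detected-to-demonstrably-closed time, share of overdue measures, share of accepted risks that are time-bound and reviewed), checks each entry for the governance gaps the Risk Flow forbids (no owner, no deadline, no expiration date, no evidence), and produces a top-risk view. The 1–5 likelihood/severity scale, the reporting threshold of 12, the entry fields and all register rows are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed scoring convention (not from the article): likelihood and severity on 1..5,
# score = likelihood x severity; a gross score >= 12 is reportable to governance.
REPORTING_THRESHOLD = 12


@dataclass
class RiskEntry:
    risk_id: str
    title: str
    gross_likelihood: int          # before controls, 1 (rare) .. 5 (almost certain)
    gross_severity: int            # before controls, 1 (negligible) .. 5 (critical)
    net_likelihood: int            # after existing controls
    net_severity: int
    owner: Optional[str]
    detected: date
    status: str                    # "open", "closed" or "accepted"
    deadline: Optional[date] = None        # decided measure: by when
    closed: Optional[date] = None          # filled only when closure is proven
    evidence: Optional[str] = None         # fixed place for proof, e.g. a change ticket
    accepted_until: Optional[date] = None  # expiration date of a risk acceptance
    next_review: Optional[date] = None     # scheduled re-assessment of an acceptance

    @property
    def gross_score(self) -> int:
        return self.gross_likelihood * self.gross_severity

    @property
    def net_score(self) -> int:
        return self.net_likelihood * self.net_severity


def is_reportable(entry: RiskEntry) -> bool:
    """Answer 'Is this reportable?' with a traceable threshold instead of an estimate."""
    return entry.gross_score >= REPORTING_THRESHOLD


def register_gaps(entry: RiskEntry) -> list[str]:
    """Governance gaps that keep an entry from being steerable (Risk Flow rules)."""
    gaps = []
    if is_reportable(entry) and entry.owner is None:
        gaps.append("reportable risk has no owner")
    if entry.status == "open" and entry.deadline is None:
        gaps.append("open measure has no deadline")
    if entry.status == "closed" and (entry.closed is None or entry.evidence is None):
        gaps.append("closure claimed without date or evidence")
    if entry.status == "accepted" and (entry.accepted_until is None or entry.next_review is None):
        gaps.append("acceptance is not time-bound or has no review date")
    return gaps


def audit(register: list[RiskEntry]) -> dict[str, list[str]]:
    """Map of risk id -> gaps, listing only entries that have at least one gap."""
    return {e.risk_id: g for e in register if (g := register_gaps(e))}


def mean_days_to_closure(register: list[RiskEntry], today: date) -> Optional[float]:
    """KPI 1: mean days from 'risk detected' to 'risk demonstrably closed'.
    Only closures with a date and filed evidence count; None if there are none."""
    done = [e for e in register if e.status == "closed" and e.closed and e.evidence]
    if not done:
        return None
    return sum((e.closed - e.detected).days for e in done) / len(done)


def overdue_share(register: list[RiskEntry], today: date) -> float:
    """KPI 2: share of open measures past their deadline (no deadline counts as overdue)."""
    open_items = [e for e in register if e.status == "open"]
    if not open_items:
        return 0.0
    overdue = [e for e in open_items if e.deadline is None or e.deadline < today]
    return len(overdue) / len(open_items)


def time_bound_accepted_share(register: list[RiskEntry], today: date) -> float:
    """KPI 3: share of accepted risks with an unexpired expiration date and a review date."""
    accepted = [e for e in register if e.status == "accepted"]
    if not accepted:
        return 1.0
    ok = [e for e in accepted if e.accepted_until and e.accepted_until >= today and e.next_review]
    return len(ok) / len(accepted)


def top_risks(register: list[RiskEntry], n: int = 3) -> list[tuple]:
    """Management view: the n largest net risks with owner and the date that binds them."""
    ranked = sorted(register, key=lambda e: (e.net_score, e.gross_score), reverse=True)
    return [(e.risk_id, e.net_score, e.owner, e.deadline or e.accepted_until) for e in ranked[:n]]


# Constructed sample register (hypothetical entries, not real findings).
TODAY = date(2026, 1, 15)
REGISTER = [
    RiskEntry("R-001", "Firewall rule nobody dares to remove", 4, 4, 3, 4, "Network team",
              date(2025, 9, 1), "open", deadline=date(2025, 12, 31)),
    RiskEntry("R-002", "Unsupported legacy ERP host", 3, 5, 2, 5, "IT Ops",
              date(2025, 10, 10), "closed", closed=date(2026, 1, 5), evidence="change ticket CHG-4711"),
    RiskEntry("R-003", "Postponed patch cycle", 3, 3, 2, 3, "IT Ops",
              date(2025, 12, 1), "open", deadline=date(2026, 2, 28)),
    RiskEntry("R-004", "Single cloud provider for collaboration", 3, 4, 3, 4, "CIO",
              date(2025, 6, 15), "accepted", accepted_until=date(2026, 6, 30), next_review=date(2026, 3, 31)),
    RiskEntry("R-005", "Supplier without security attestation", 4, 3, 4, 3, None,
              date(2025, 11, 20), "accepted"),
]

if __name__ == "__main__":
    print("mean days to closure:", mean_days_to_closure(REGISTER, TODAY))
    print("overdue share:", overdue_share(REGISTER, TODAY))
    print("time-bound accepted share:", time_bound_accepted_share(REGISTER, TODAY))
    print("top risks:", top_risks(REGISTER))
    print("gaps:", audit(REGISTER))
```

The point of the audit function is that the register refuses to treat an entry as steerable until it carries the fields the Risk Flow demands, so “accepted” without an expiration date or “closed” without evidence shows up as a gap rather than silently dropping out of the KPIs.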
Rules help with objectivity, such as those already in force in regulated markets like finance (DORA) and, more broadly across the EU, the NIS2 Directive. Had such legislative initiatives been implemented years ago, traceable risk assessments would have secured digital sovereignty long ago – and provided early answers to today’s barely comprehensible digital dependencies.
📚 Citation:
Cappelmann, Tim (January 2026). Risk management as an IT tool to reduce cyber risks. dotmagazine. https://www.dotmagazine.online/issues/digital-trust-policy/it-risk-management-cyber-risks
Since January 2022, Tim Cappelmann has been the Managing Director of AirITSystems GmbH – a managed service provider, consulting company and reseller for security-focused IT solutions in Germany. Prior to that, Cappelmann was Head of Managed Services for more than 10 years at the company and involved in security consulting projects. He is certified as an Enterprise Architect (TOGAF), Information Security Manager (ISACA) and CISSP.
Please note: The opinions expressed in articles published by dotmagazine are those of the respective authors and do not necessarily reflect the views of the publisher, eco – Association of the Internet Industry.