Start fast: Modernising risk management without the big bang
Managing enterprise risk has outgrown the resources of most teams. The instinct is to commission a big program to catch up, but that’s the trap that assigns risk modernisation to the too-hard basket. By rethinking the approach, you may be much closer than you realise.
From big bang implementation to phased delivery
Every CISO, CRO and head of risk is being asked to do more, with the same team and budget, against an expanding set of obligations.
There’s a perception that “proper” risk management means a twelve-month, seven-figure program with a big consulting partner. The instinct is understandable when faced with serious risks and growing obligations.
The trouble is that the bigger the program, the more likely it is to stall. Budgets get scrutinised, broader transformation priorities take over and the risk team is told to “make do” until the broader rollout is further along.
This is how risk modernisation ends up in the too-hard basket. The scope of the program becomes the reason it never starts.
Big investments without impact
Gartner estimates Australian organisations will spend over AU$7.5 billion on information security in 2026, up 9.5% from 2025.*
The drivers include AI risk, third-party concentration risk and regulatory pressure such as APRA CPS 230, the Security of Critical Infrastructure Act (SOCI), the Cyber Security Act and the Privacy Act reforms. The money is being invested, but the foundations the risk function actually runs on are not keeping up.
After a decade working with organisations across financial services, superannuation and insurance, I’m still shocked by some of what I find. Even in the most heavily regulated sectors, the system of record for risk is often a spreadsheet and the workflow engine is email. APRA has stopped accepting that level of evidence, with other regulators such as ASIC, AUSTRAC and the OAIC heading the same way.
In some sectors, three or four shared service providers run most of the critical work for an entire industry. The organisations relying on them carry the accountability when something goes wrong, and they don’t always know how exposed they are.
Inside many organisations, risk has been siloed in the teams supposed to be managing it. Cyber, operational and financial risk teams often work with several different approaches without ever agreeing on the basics. Fixing it has just looked harder than carrying on.
The building blocks are already there
Rather than buying new software and rolling out new systems, modernising risk is mostly about integrating what already exists.
Every organisation already generates the operational data a modern risk function needs. Operational incidents, outages and change records sit alongside asset data, third-party records and the workflow and reporting that supports IT, finance and HR.
A common gap is the layer that turns data into a risk capability. Things like risk registers that reflect what’s actually happening, controls that integrate with the systems they protect and third-party risk that shows the providers you actually depend on.
Building that layer is a much smaller piece of work than starting from scratch, and it doesn’t depend on whatever else is happening on your IT platform.
If your business already runs ServiceNow for IT operations, change, asset management and workflow, you have most of the building blocks for an integrated risk function sitting within your platform. The work is connecting them, not setting up a separate risk system.
Reframe risk management as a business enabler
A capability is something an organisation grows into over phases, with each phase delivering something the business can actually use. An implementation is delivered all at once, with the organisation expected to be ready for it from day one.
The industry has been making this shift for a while. The discipline used to be called governance, risk and compliance (GRC), where most of the effort went into compliance. The language is shifting toward integrated risk management (IRM), where cyber, operational and financial risk teams share a common approach and view of the organisation.
Modern risk management is connected, active and accountable, not a checklist run at the end of the quarter.
The way you start a program tends to shape what it becomes. A big-bang implementation, where the goal is to deliver the platform, leans the organisation toward a compliance posture. A phased capability build, where each phase has to earn its place, leans it toward a risk posture.
Phases over perfection
Once framed as a capability, risk modernisation breaks into rolling phases of weeks, not months, running alongside whatever else is happening on the platform. A specialist team handles the risk work while the broader transformation partner stays focused on everything else.
Each phase solves specific problems such as a working risk register that connects to incidents, a control library mapped to systems or a third-party risk assessment. What you learn from each phase shapes the next.
You stop waiting for the organisation to be “perfect” before you start. After years of this work, I can tell you no organisation ever is. More typically, processes are messy, ownership of risk is unclear and the underlying data is patchy. If you wait for that to resolve itself, you’ll never start. The phased approach lets you build the capability around the imperfections, with each phase improving the foundation for the next.
There’s another reason the phased model works. Every organisation I walk into is already carrying change fatigue. There’s always another IT program, policy rollout or transformation underway. A risk capability that lands in twelve-week phases respects that reality.
Start where you are and move fast
is Director ServiceNow at CSO Group, specialising in integrated risk management on the ServiceNow platform.