Leaving Behind The Land of No – Aligning Business and IT Risk
When I first started regularly travelling to Europe back in the mid-1980s, my American colleagues and I used to joke about heading off to The Land of No. We said this because it seemed that whenever we came up with a new business or IT idea, the typical response of our US team was "Cool, let’s try it". But when we presented the very same idea to our European organizations, the first response was inevitably more like "Well, the problem with that is ...". Happily, these differences have narrowed considerably in recent years, as Europe has prospered and America become somewhat less self-assured.
These memories have resurfaced many times over the last year during the research for our project Rethinking Risk. But this time the differences are not between two geographic cultures, but the vastly different management cultures of business and Enterprise IT.
Successful business people all around the world tend to have a "let’s try it" attitude. They know that business and risk are virtually synonymous, and that risk-taking and executive leadership are almost inseparable. In contrast, Enterprise IT tends to see risk as being largely synonymous with security. Risk is something to be minimized, and ideally eliminated entirely. Where business leaders look at risk in terms of its potential upside rewards, Enterprise IT focuses mainly on the potential downside losses in terms of compliance, information management, liability and other areas.
While the reasons behind these two completely different world views are readily understandable, a worrisome effect is that IT can easily become its own Land of No. In the past, this has meant no personal computers, no local area networks, no mobile phones and no internet access. Today, it often means no iPhone, no Facebook, no Gmail, no instant messaging, no web back-up, no Skype – and don’t even ask about the iPad.
But if business and IT are to truly co-evolve, these cultural differences must narrow. As IT becomes inseparable from key business requirements (such as smart products, e-commerce, collaboration, business intelligence, mobility, social media, etc.), business and IT perceptions of risk will need to become more closely aligned. Business leaders will have to better understand the real downside risks of the complex business information systems and internet infrastructures they depend upon, while Enterprise IT must improve its ability to say "yes" to emerging company needs. These formidable educational and cultural changes will define the future of integrated business/IT risk management.
The nature of the required changes is shown in the figure below, which we often use in our Business/IT Relationship Management workshops. Business leaders live mostly in the area of discretion, where judgement, gut feel and a sense of risk/reward dominate. Here, the art of management is to know when and how to say "yes". In contrast, Enterprise IT mostly lives in the area of prescription where systems, rules and control are the dominant values. It’s a realm where it's very easy and often necessary to just say "no". We believe that the Business/IT leaders of the future will need to straddle both realms without excessive fear, bias or deference to others.

How might this co-evolved style of business/IT leadership emerge? When we look at the supply side of the IT industry, we see that Steve Jobs, Larry Ellison, Larry Page and their peers have tremendous confidence in both their own gut feel for the market and the wisdom of making big bets on emerging but risky technologies. Entrepreneurs, venture capitalists and industry giants (including Apple, Microsoft, Google and Oracle) all embrace the inherent ambiguity of market developments and the long-term rewards of aggressive risk-taking.
A supply-and-demand perspective also helps us see that both Enterprise IT and the IT professional services industry have historically been isolated from where the real risk-taking in the IT business takes place. Broadly speaking, the IT business is riskier than many other industry sectors in terms of its rate of change and turmoil, but the implementation side of our business (Enterprise IT and IT services firms) has for literally decades off-loaded most of the upside risk to the IT supplier community. No wonder that risk-averse and downside-oriented customer IT cultures have become so entrenched.
But as the pace of business/IT co-evolution accelerates, this situation will become increasingly difficult to sustain, and upside risk-taking will have to span both the customer and supplier domains. Business leaders from the board of directors on down will increasingly be held accountable for the risks that many new business/IT initiatives will entail. Similarly, IT will have to accept that it can no longer control the means of IT production, and thus it will not be able to maintain the fortress-like mindset of the past. The current business climate of increasingly assertive and punitive government regulation will slow these developments, but not reverse them.
This emerging alignment of upside and downside business/IT interests will be a major area of focus in our upcoming Position Paper (to be published in the summer). We have identified a variety of organizational, cultural and technical mechanisms that companies are deploying to bridge the gaps between their business and IT risk management processes. While we are well into this research, it isn’t too late for interested firms to participate, and we encourage clients to explore with us how the concept of Enterprise Risk Management is evolving in their firms.
