The trends above make IT failure a greater threat to the business. At the same time, some traditional risk management tools have become less applicable.

IT operations staff traditionally managed risks to the production infrastructure by relying solely on restrictive change practices. Changes to the infrastructure were either denied or they were managed with a strict process and a long timeline. This ensured stability "by default," but reduced organizational flexibility. Today, business management is more likely to tell IT what to implement, rather than ask, so IT cannot adopt a strategy of managing risk by denying change requests.

In addition to business-driven changes, organizations must be able to quickly respond to security threats such as virus or denial of service attacks. In such cases, managing risk through timely action is of paramount importance. An IT group that used to reduce risk through six-week change cycles might now find itself forced to make changes in six days, six hours, or even less.