Expanding Risk Management to Address Compute Risk

Werner Lippuner

Introduction

IT Risk Management has long been a key part of Enterprise Risk Management (ERM). Its main goal is to protect and ensure the reliability of an organization’s technology systems. Often, regulatory frameworks shape these risk management practices by setting rules, minimum standards, and accountability requirements. These frameworks don’t just mandate compliance—they also serve as best practices, helping organizations identify, assess, and mitigate IT risks effectively.

While traditional risk categories remain important, a new set of trends is reshaping the risk landscape:

  • Continuous Digital Transformation: Enterprises are shifting to cloud-native architectures, increasing their reliance on scalable and distributed computing.
  • Technological Advances: The explosion of generative AI and large language models is driving unprecedented demand for compute power.
  • Environmental and Geopolitical Shifts: Changes to energy and climate policies, supply chain concentration, and evolving trade regulations are creating volatility in both availability and cost of compute.

These factors are exerting significant pressure on compute demand and cost, creating a new strategic exposure that warrants heightened attention: Compute Risk.

The Case for Compute Risk

Compute power is no longer just a technical resource—it is central to an organization’s ability to operate and deliver value. Companies rely on constant access to digital infrastructure for transactions, analytics, customer engagement, automation, and decision-making. Yet, many risk frameworks assume affordable computing capacity will always be available, overlooking the fragility of the systems behind it.

Failing to manage compute risk can leave businesses exposed to serious disruptions or constrain growth. A data center outage, for example, can halt operations just as much as a financial crisis. Similarly, a cloud service interruption can affect an entire supply chain. Recognizing compute risk as its own category emphasizes the need to manage these dependencies with the same care as other critical risk areas.

Macro-Level Factors Driving Compute Risk

Unlike traditional IT risks, such as software failures or cybersecurity threats, compute risk is shaped by factors outside the organization’s immediate control:

  • Supply Chain Dependencies: The global hardware ecosystem is sensitive to geopolitical tensions, resource shortages, and manufacturing delays. A shortage of semiconductors, servers, or networking equipment can directly limit compute capacity.
  • Power Availability and Reliability: Data centers are among the largest energy consumers. Any disruption in power supply—whether from outages, rising demand, or grid instability—can quickly affect operations.
  • Cooling Resources: High-performance computing depends on advanced cooling systems that require water and energy. In regions with water scarcity, maintaining these systems can become challenging.
  • Geopolitical and Regulatory Pressures: Changing regulations, trade restrictions, and cross-border data rules can impact access to computing resources, especially for globally distributed enterprises.

These factors show why traditional IT risk approaches alone aren’t enough to manage compute risk effectively.

Governance and Risk Management Imperatives

To address compute risk, organizations need to evolve their governance and risk management practices:

  1. Explicit Recognition: Treat compute risk as a separate category within the entity’s risk management framework.
  2. Compute Utilization Assessment: Track how compute resources are used, including critical workloads, peak demand periods, and dependencies, to understand where constraints might have the biggest operational impact.
  3. Scenario Planning: Model potential disruptions in power, water, or supply chains to assess their impact on computing capacity.
  4. Diversification: Avoid reliance on a single cloud provider, data center, or geographic region.
  5. Sustainability Alignment: Incorporate environmental, social, and governance (ESG) considerations into risk planning to ensure long-term viability of compute resources.
  6. Compute Resource Monitoring: Continuously track current and projected compute usage to spot bottlenecks, optimize existing resources, and proactively prepare for emerging demands.
  7. Regulatory Foresight: Stay alert to changing regulations and geopolitical developments that could affect access to computing infrastructure.

Conclusion

As organizations continue to digitize, compute risk is a critical vulnerability that requires active oversight. Expanding risk management to include macro-level factors—like supply chain fragility, energy reliability, and water dependency—helps enterprises remain resilient in a resource-constrained and interconnected world. By treating compute risk as its own category, organizations and governments can better protect the foundation upon which innovation, competitiveness, and societal progress depend.
