“Many IT risk professionals do not see their biggest risks showing up on the corporate risk register. Traditional enterprise risk management (ERM) metrics do not fit neatly with common IT risk metrics such as system criticality and vulnerability. Even at the Federal level, the Office of Management and Budget recommends moving from compliance-based metrics to security- and vulnerability-based. Measurement of IT risks in the same way as financial, legal, or environmental risks is the best way to demonstrate how serious they are.”
Source: https://www.csoonline.com/article/2136022/is-it-risk-management-compatible-with-erm-.html

