
This article was first published on borsen.dk on 26 January 2026.
IT security should be integrated into companies’ overall risk management – alongside financial, operational, reputational and organisational risk management, says Martin Brogaard Nielsen, Partner and Head of IT Risk, Assurance & Advisory at Grant Thornton.
Forty per cent of Danish SMEs do not have a genuine IT contingency plan. According to the audit and advisory firm Grant Thornton, this should be a clear management priority.
What does it cost per hour if the network, payment systems or invoicing systems go down? And what does it cost if the disruption lasts a day – or even longer?
These are questions every management team should ask themselves, according to Grant Thornton:
“When you see the cost of an IT outage in terms of lost revenue and reduced operational capability, there is no doubt that IT governance is a management responsibility. And this applies whether you run a hair salon or a manufacturing plant,” says Martin Brogaard Nielsen, Partner and Head of IT Risk, Assurance & Advisory.
He points out that companies’ IT environments – with cloud solutions, third-party providers and automation – have changed dramatically in just a few years. IT is no longer merely a technical support function but has become business-critical infrastructure.
“IT is business-critical infrastructure – and should be prioritised accordingly.” – Martin Brogaard Nielsen
This transformation places entirely new demands on governance, control and documentation, he explains:
“Many companies have outsourced large parts of their IT landscape to cloud providers and other third parties without having a complete overview of dependencies, responsibilities and contingency arrangements. This is not a technical problem, but a governance issue that requires attention from management.”
Many companies live with the risk
The lack of attention has recently been documented in a study by the Danish Chamber of Commerce. As many as 40 per cent of small and medium-sized enterprises do not have cybersecurity measures that match the current risk landscape.
According to Martin Brogaard Nielsen, the fact that more than half of the companies in the same survey state that they cannot perform their core activities without IT, yet still lack proper contingency planning, highlights a structural blind spot in management practices.
“It is not only the major system outages – which fortunately are rare – that pose a problem. It can also be small digital components affecting accounting, inventory management, customer communication or an online shop. In reality, it does not take much before the business is affected,” he says, adding:
“We have contingency plans for physical disruptions, but when it comes to IT, the same level of systematic preparation is often missing. My point is that companies should integrate IT security into their overall risk management – alongside financial, operational, reputational and organisational risk management.”
IT compliance is common sense
The good news, according to Martin Brogaard Nielsen, is that getting started does not have to be complicated. Supplier management is a good place to begin:
“Start by gaining an overview of your suppliers: what exactly are they delivering? Who are their subcontractors, what responsibilities do they assume, and are their certifications in order? Many companies overestimate how much security the major cloud providers actually guarantee.”
At the same time, new regulations such as GDPR and NIS2 place greater demands on management oversight. According to Martin Brogaard Nielsen, companies should view this as a business opportunity:
“IT governance should increasingly be seen as an active management tool rather than a retrospective control exercise to comply with regulatory requirements.”
He emphasises that the companies that succeed best are those that use regulation as an opportunity to strengthen governance, preparedness and decision-making:
“Compliance is essentially about exercising due diligence. It is simply good business practice to protect your data, maintain oversight of your supply chains and have a plan for what to do if a digital service fails,” says Martin Brogaard Nielsen.
From risk to clarity
Contact Grant Thornton for an informal discussion about how IT governance, supplier management and cybersecurity can be integrated into your corporate governance – before the next outage tests your preparedness in practice.