I am a risk controller by profession, and can see real benefit in controlling IT risk with a thorough understanding of the IT Function (CIO) and Business objectives. With these in mind, risk decisions can be taken with a real understanding of the implications such decisions will have on driving the business forward and the trade offs that must be considered. IT Risk is, afterall, Business risk.

However, if IT Risk decisions are taken only considering a single IT risk factor (IT Security say) then the likely implication is that the IT function and business will be constrained in other ways.