A lack of IT risk management tools is exposing companies to greater risks than necessary, although help will arrive soon, according to one expert.

The field of IT risk management is far from new, but there are few mature management tools yet because regulations have only recently forced companies to evaluate which threats will be the biggest, and how best to protect the company from them.

"IT risk is really difficult to quantify, because you don't have the experience today. There is also not enough data to calculate it or even how to do it" said Urs Fischer, vice president and head of IT governance and risk management at SwissLife, who this week is in Stockholm for the European Computer Audit Control and Security Conference.

"Everyone at the conference is saying it's something you have to do," said Fischer, adding that when you ask them how to do it, no one has a good answer.

Instead managers have to rely on their own gut feeling.

"Because it's a gut feeling you can make big wrong assessments", said Fischer.

Good risk management can save money, according to Fischer. But wrong assessments can lead to increased costs, and quite simply bad security.

IT risk management is also especially challenging because of the very fast paced nature of security.

"It changes quickly, something that was true one, or two ago isn't true today. To keep up is very difficult," said Fischer.

But help is on the way. The IT Governance Institute, part of the group that organized the Stockholm conference, is developing a framework to simplify IT risk management.

"It will come out this year, and be freely available. It will show managers and IT people how they could approach IT risk management", said Fischer.

"I think it will be a big success, because people are looking for it. There is a pent up demand," said Fischer.

There are also tools on the way.

"Vendors SAP, Oracle, and Microsoft are all working on tools that go in the direction of suits for governance, risk, and compliance," he said.