Title: Risk Management – Who Needs It
Actually, we all do…
Aside from the larger corporates or those more cautious SMEs, Risk Management is not a topic that receives a great deal of airplay in many NZ companies. After all, who wants to dwell on negative stuff that may never happen? And it’s a pretty boring topic, right?
Well, that depends on your point of view.
If you’re an eternal optimist who assumes everything will always be “sweet”, you’re probably happy to ignore risk. The topic will be uninteresting to you, or even considered completely unnecessary!
However, if you’re concerned about the impact unexpected events can have on your company performance, then you’re more likely to be interested in devoting some time to risk management.
So, why is the technology guy telling me I should be managing risk?
The bad news is that many elements of your technology environment are subject to the risk of degradation or failure, leading to an unanticipated incident. This can be anything from a brief outage of a relatively trivial system to the catastrophic failure of a critical technology service.
Your company depends on technology solutions to help you get things done: look after your customers, manage your supply chain, take care of your accounting, keep your administration in order, maintain your online presence and so on. It is important for the overall health of your company that you make sure these don’t experience problems.
The good news is that the IT guys generally are conscious of the “cause and effect” associated with problems in the technology environment. This means they are a great place to start when looking to build a framework to manage risk.
My take on how to go about shaping your risk management effort is shown below.
A key part of Risk Management efforts is the creation of a Risk Register. So what should be included and how do you determine what needs attention?
It’s tempting to assume every possible risk should be identified and mitigation or elimination measures implemented. However, most companies have neither the time nor resources to focus so heavily on risk management. A sensible approach has to be taken.
I’ve provided 5 examples below to illustrate the sort of technology risks that need to be considered. These show the link from identified risk to potential effect and consequence.
Possible mitigations for each are shown later in this material.
Risk (what might exist or go wrong)
- Insufficient outward facing security > cyber-attack
- Component failure > infrastructure and/or platform breakdown
- Internal data security threats > data loss, leakage
- Uncontrolled system introduction/implementation/change > faulty releases
- Poor data management > inaccurate or faulty information
Effect (what could happen if the issue eventuates)
- Hijacked or infected systems: virus, ransomware, malware
- Service interruption: network outage, major platform unavailable
- Exposure of company and/or customer information
- Ineffective application/system enhancements
- Low data quality: ineffective reporting and analytic capabilities
None of these examples are wildly exotic or situations that will rarely be encountered. In fact, you may already have direct experience of some of these. The key point to remember for risk identification is to keep it real. Try not to dwell too much on anything that is completely hypothetical. It’s OK to get detailed if you need to; if a particular system is more prone to breakdown, highlight it and treat it more thoroughly than those systems that are less likely to be problematic.
Having identified realistic risks, you should assess whether it is worthwhile building mitigation for each of these. To do this you need to calculate the likelihood and consequence of each risk. This helps determine how likely it is that the risk becomes an actual issue/problem and what the outcome might be.
Here’s how the 5 examples could be rated:
Likelihood (potential for the risk to become an issue)
- Very likely, has happened before
- Inevitable, happens all the time
- Somewhat possible, happens infrequently
- Very likely, happens frequently
- Unlikely, has never occurred
Consequence (what the outcome is)
- Unexpected cost, lost productivity – major impact
- Reduced operational capability, some lost productivity – insignificant
- Reputational damage, loss of trust, loss of customers – catastrophic
- Rework, remedial action, reduced confidence in systems – major inconvenience
- Inaccurate decision making, faulty planning – minor impact
Including a scoring system in risk management frameworks will generally help provide some relevance to the set of risks. The scoring will allow you to assess which risks need treatment, which need a watching brief and which can be discarded as too trivial. From this you can prioritise the risks that require preventive work or ongoing monitoring.
The method used for scoring is usually a simple calculation of Likelihood (estimated for each risk) multiplied by a rating for the Consequence (based on how serious the outcome would be) to produce an overall value. A rating of 1 to 5 in each case is common (with 1 being least likely / lowest impact and 5 being almost certain / catastrophic impact). The resulting score will set a guide for the priority of each risk and for how quickly it needs to be dealt with.
How granular you get with calculating a meaningful score, or how you group ranges of scores, is entirely up to you. The financial cost to the company is often a factor that is included in the consequence rating, for instance. Developing a methodology that provides clarity is key to deciding which risks merit focus and how quickly they should be dealt with.
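To make the scoring concrete, here is an added example (not code from the original article or its author) of a small risk register that scores each of the five example risks as Likelihood multiplied by Consequence on a 1 to 5 scale and sorts them into priority bands. The numeric value assigned to each of the article’s likelihood and consequence descriptors, and the band thresholds (treat / watch / accept), are assumptions made for this example; a real register would tune both to the company.

```python
"""Minimal risk register: score = Likelihood (1-5) x Consequence (1-5).

Added example, not the article's own code. The numeric mapping of the
descriptors and the band thresholds below are assumptions for illustration.
"""

from dataclasses import dataclass

# Assumed mapping of the article's likelihood wording to a 1-5 rating.
LIKELIHOOD = {
    "unlikely, has never occurred": 1,
    "somewhat possible, happens infrequently": 2,
    "very likely, has happened before": 3,
    "very likely, happens frequently": 4,
    "inevitable, happens all the time": 5,
}

# Assumed mapping of the article's consequence wording to a 1-5 rating.
CONSEQUENCE = {
    "insignificant": 1,
    "minor impact": 2,
    "major inconvenience": 3,
    "major impact": 4,
    "catastrophic": 5,
}

# Assumed priority bands over the 1-25 score range, highest threshold first.
BANDS = (
    (10, "treat"),   # build mitigation now
    (5, "watch"),    # keep a watching brief and review periodically
    (1, "accept"),   # too trivial to act on; record it and move on
)


@dataclass
class Risk:
    name: str
    effect: str
    likelihood: str
    consequence: str
    mitigation: str

    def __post_init__(self) -> None:
        # Fail loudly on a misspelt or unrecognised rating rather than
        # silently scoring the entry wrongly.
        if self.likelihood.lower() not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood rating: {self.likelihood!r}")
        if self.consequence.lower() not in CONSEQUENCE:
            raise ValueError(f"unknown consequence rating: {self.consequence!r}")

    def score(self) -> int:
        """Likelihood x Consequence, each 1-5, giving a score of 1-25."""
        return LIKELIHOOD[self.likelihood.lower()] * CONSEQUENCE[self.consequence.lower()]

    def band(self) -> str:
        """Map the score onto the assumed treat / watch / accept bands."""
        s = self.score()
        for threshold, label in BANDS:
            if s >= threshold:
                return label
        return "accept"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Return the register highest score first; ties keep register order."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def by_band(register: list[Risk]) -> dict[str, list[str]]:
    """Group risk names by band, each group ordered by descending score."""
    groups: dict[str, list[str]] = {label: [] for _, label in BANDS}
    for risk in prioritise(register):
        groups[risk.band()].append(risk.name)
    return groups


# The article's five example risks, rated with the article's own wording.
REGISTER = [
    Risk("Insufficient outward-facing security", "cyber-attack: hijacked or infected systems",
         "Very likely, has happened before", "major impact",
         "Construct a security framework"),
    Risk("Component failure", "infrastructure/platform breakdown: service interruption",
         "Inevitable, happens all the time", "insignificant",
         "Deploy backup systems"),
    Risk("Internal data security threats", "exposure of company/customer information",
         "Somewhat possible, happens infrequently", "catastrophic",
         "Develop awareness of internal vulnerabilities"),
    Risk("Uncontrolled system change", "faulty releases: ineffective enhancements",
         "Very likely, happens frequently", "major inconvenience",
         "Encourage a change control mindset"),
    Risk("Poor data management", "low data quality: ineffective reporting",
         "Unlikely, has never occurred", "minor impact",
         "Consider developing a data strategy"),
]


if __name__ == "__main__":
    for risk in prioritise(REGISTER):
        print(f"{risk.score():>2}  {risk.band():<6}  {risk.name}: {risk.mitigation}")
```

Running the script lists the register highest score first, so the entries that land in the “treat” band are the ones to build mitigations for, the “watch” band gets a periodic review, and the “accept” band is simply recorded. Note that the pure product can hide a low-likelihood, catastrophic risk behind a frequent nuisance; many frameworks add a rule that any consequence rated 5 is treated regardless of score, which is a one-line change to `band()`.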
Armed with details of the scores and where the risks fit in terms of priority, suitable mitigations can be created. This is usually about controlling the risk; elimination is not always possible. Continuing with the same 5 examples, here is the list of possible mitigations and/or remediation that could apply to each risk:
Mitigations (how to reduce the likelihood or consequence)
- Construct a security framework – reduce the chance of system breach
- Deploy backup systems – provide failover/redundant options
- Develop awareness of internal vulnerabilities – increase knowledge of data loss causes
- Encourage a change control mindset – introduce governance
- Consider developing a data strategy – improve understanding of the value of data
Much of the treatment of risks involves the construction of preventive measures or raising awareness or a combination of both.
Larger organisations may already have several strong preventive measures in place, especially those operating in a heavily regulated industry. For the more significant risks this could involve a company Security Policy, Incident Response plans, Service Management measures, education activities and a host of related policies.
SMEs will generally have less onerous solutions, but your approach to which and how many to construct should still use the Likelihood and Consequence ratings as guidance.
Remember – prevention is better than cure, especially if the cure kills the patient!
The technology risks shown above illustrate the type of work that needs to be done in this area. However, the major risks for your company will not be about technology only. You must take a collective approach to identifying and managing risks. Multiple business areas will be required to contribute to the creation of your company Risk Register, Risk Management framework and in building a robust set of mitigations.
Yes, it all sounds boring to begin with, but the more thought you apply to the topic, the more relevant it becomes (even if it never really becomes exciting!). The trick is not to overdo it, otherwise the risk is you spend all your time worrying about risks and not enough on what your business is designed to do!