A Closer Look at Risk Assessment
Just as some people are more likely than others to jump out of planes or ride fast motorcycles, so businesses have different attitudes to risk. Unlike individuals, though, businesses may have to meet stringent legal requirements, or satisfy shareholders that risk is appropriately managed. Failing to manage business risk can be the equivalent of sky-diving without a parachute.
When we mention risk in the context of IT, the first category that springs to mind is likely to be data. After headlines about cyber-crime, what business leader would fail to appreciate the potential cost of losing access to customer records, for example?
But there are other assets that need to be safeguarded, ranging from software, hardware and networks to the people in your IT team. Your administrative processes and your physical environment should also be considered – if you do ever find yourself rebuilding after a crisis, your documentation is invaluable.
Your risk assessment might consider software vulnerabilities and the possible impact of bugs and errors, as well as the more obvious virus and malware threat. More often overlooked are software obsolescence and limited or non-existent vendor support, both of which can be costly when problems arise. Nobody wants to be frantically seeking someone with obscure skills while a key legacy system is unavailable.
Much the same risks apply to hardware, along with machine failure, of course. Hardware is also more exposed to environmental issues, from the everyday, such as heat or power failure, to the more dramatic natural disasters. Even when the hardware is doing its job as intended, there is another risk: reaching maximum capacity without a plan is never a good idea – especially because it is bound to happen on a Friday night with a long weekend ahead (if that happens, we’re here – but we’d still prefer you to plan ahead).
Where businesses are more likely to invest time is assessing risk to data. Availability is all-important in the always-on digital era, but there are risks to consider beyond that. What happens if it becomes corrupted? Are we adequately controlling who can access data? And are we complying with all legal and industry requirements?
This last consideration is a big one. Non-compliance attracts increasingly hefty fines as governments crack down on wrongdoers, making an example of those caught out. In some industries – in particular financial and healthcare – failing to comply with data regulations can cause such tremendous loss of consumer confidence that a business cannot continue to trade.
Some risks are subtler, which makes them harder to detect: the network complexity that leaves a chink in the curtains for cyber-criminals; the limited capacity that slows business growth; the fraud that over time adds up to a considerable cost. And the less subtle risks, such as theft and damage, haven’t gone away.
Once you’ve identified risks, they need to be classified and considered carefully. A formal risk assessment records, for each risk, the likelihood of it occurring, the potential cost if it does, whether the damage can be remedied, and the cost of prevention. We then look at mitigating the risk and put together a risk management plan, including policies and procedures, instructions, training, and all the tools needed to implement the plan.
It is interesting what our risk assessment specialists uncover. A fresh pair of eyes can make all the difference, even if your risk assessment plan is mature and well documented. Often it is a simple matter of a new hardware or personnel addition that changes the risk landscape, while other times we help growing businesses that have never formally addressed risk.
Wherever you are on your risk journey, our experienced Team Computing risk assessment specialists can help you work through your risk profile – and every assessment includes plain-English recommendations and an easy-to-understand report.
To help your understanding we also include charts like the one below that you can use when reporting to your senior management.
Need to know more? Give us a call.
Examples of Impact (Consequences)
People: Minor injury through to death
Information: Compromise of internal information – minor impact through to compromise of sensitive information with significant ongoing ramifications
Property: Minor damage or vandalism through to complete loss of all assets
Economic: Loss of 1% of budget through to greater than 30% of annual budget
Reputation: Local, quickly forgotten, self-improvement required through to Government inquiry and national or international media coverage
Capability: Minor impact on organisational capability, no delays, dealt with by routine operations through to critical failures, unavailability of key people and skills. Organisational survival threatened.
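To show how the four questions above (likelihood, cost, fixability, cost of prevention) and the impact chart combine into a prioritised register, here is an added Python example; it is not Team Computing's tool. The 1-to-5 bands, the intermediate Economic thresholds between the chart's 1% and 30% marks, and the sample register are all assumptions made up for the illustration.

```python
from dataclasses import dataclass

# Impact categories come from the chart above; the 1..5 banding is an assumed convention.
IMPACT_CATEGORIES = ("People", "Information", "Property", "Economic", "Reputation", "Capability")
# Economic band thresholds as a share of annual budget: 1% and 30% come from the chart,
# the intermediate 5% and 15% steps are assumed.
ECONOMIC_THRESHOLDS = (0.01, 0.05, 0.15, 0.30)


@dataclass
class Risk:
    name: str
    category: str              # one of IMPACT_CATEGORIES
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (minor end of the chart) .. 5 (severe end)
    annual_probability: float  # estimated chance of at least one occurrence per year
    cost_if_occurs: float      # potential cost of a single occurrence
    prevention_cost: float     # yearly cost of the control that prevents it
    fixable: bool              # can the damage be remedied after the fact?

    def __post_init__(self):
        if self.category not in IMPACT_CATEGORIES:
            raise ValueError(f"unknown impact category: {self.category}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be bands 1..5")


def economic_band(loss: float, annual_budget: float) -> int:
    """Map a monetary loss onto the chart's Economic scale (1 = up to 1% of budget, 5 = over 30%)."""
    share = loss / annual_budget
    return 1 + sum(share > t for t in ECONOMIC_THRESHOLDS)


def rating(risk: Risk) -> int:
    """Qualitative score used for ranking: likelihood x impact, 1..25."""
    return risk.likelihood * risk.impact


def expected_annual_loss(risk: Risk) -> float:
    """Likelihood turned into money: how much this risk is expected to cost per year."""
    return risk.annual_probability * risk.cost_if_occurs


def prevention_justified(risk: Risk) -> bool:
    """Prevention pays for itself when it costs less than the loss it is expected to avert."""
    return risk.prevention_cost < expected_annual_loss(risk)


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Unfixable risks first, then by rating, then by expected annual loss (all descending)."""
    return sorted(risks, key=lambda r: (r.fixable, -rating(r), -expected_annual_loss(r)))


REGISTER = [  # constructed sample register for a business with a $2,000,000 annual budget
    Risk("Legacy payroll system out of vendor support", "Capability", 4, 3, 0.5, 60_000, 12_000, True),
    Risk("Customer database disclosed", "Information", 2, 5, 0.1, 800_000, 40_000, False),
    Risk("Server room overheats", "Property", 3, 2, 0.3, 25_000, 15_000, True),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        decision = "prevent" if prevention_justified(r) else "accept and monitor"
        print(f"{rating(r):>2} {r.category:<12} {r.name} | expected loss ${expected_annual_loss(r):,.0f}/yr | {decision}")
```

Run it and the unfixable data disclosure tops the list even though its rating is lower than the legacy system's, while the cooling risk is left to monitoring because prevention costs more than the loss it would avert.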