If you own or run a business, you’re addressing business risks on a daily basis. Insurance is a common risk management solution, and there are countless other ways to lessen the severity of a bad event.
I’m always shocked at how little thought goes into managing IT risk. IT risk management is a component of a larger enterprise-wide risk management strategy. This includes not only the risks and negative effects of operations and services that can diminish a business’ value, but it should also take into account the potential benefits of risky ventures.
Most business owners think of IT Risk in terms of Anti-Virus, firewalls and backups. The amount of time and attention put into these solutions is frequently brief, seldom revisited, and rarely properly tested. I’ve worked with business owners that will spend days poring over their business liability insurance, and literally minutes understanding and approving an IT solution that they assume will protect millions of dollars in intellectual assets. Worse, many organizations fail to perform even a rudimentary IT risk analysis; not just annually, but ever.
With the growing popularity of the Cloud and organizations moving to a hybrid architecture (where some assets are still in-house, and some are running on cloud services), taking the time to catalog resources, exposure, frequency and impact is essential. In the most fundamental of ways, risks are managed with the following steps:
- Assessment – Each risk is identified and assessed for severity and frequency.
- Mitigation – Countermeasures are implemented to reduce the impact or frequency of certain risks.
- Evaluation – The effectiveness of any risk mitigation measures, including costs, are evaluated. Based on the results, additional actions or adjustments are taken to improve the plan.
As an IT service provider, a large part of our project design, and virtually everything associated with our managed services, includes risk management mitigation. Much like your insurance analyst or compliance officer, we are uniquely suited to help organizations get a handle on IT Risk. Don’t be that company that learns about frequency and severity the hard way. Invest a little of your time to ensure that WHEN bad things happen, you’ll be prepared.
One final thought regarding IT Risk. I read the other day that 40% of businesses that experience an event that closes their business NEVER reopen…