Last month we wrote about ransomware and the effect it can have on organisations like the NHS, which came under fire, slightly unfairly, for running Windows XP on some kit (did you know almost all ATM cash machines still use Windows XP too?). They judged the impact and likelihood of an attack to be lower than the cost of the measures needed to prevent it, and were proven spectacularly wrong. How do you track and manage risk in your organisation? Would you have handled it differently? How?
Glass Half Full?
Every company operates with a degree of risk. Usually smaller organisations have a higher exposure to risk out of necessity – mitigating every bad outcome would cost too much in time and money, and may hinder their ability to exploit positive risks or outcomes which could make or break them.
The appetite for risk that your organisation runs with will be driven by many factors, and often these are human-centric – the “just do it” attitude of a Chief Exec or the neurotic Finance Director can set a tone that runs from top to bottom.
There’s no right or wrong answer to risk appetite, but broadly speaking there are five core processes to follow in order to keep control of it. That control is the most important part of Risk Management: you need to know your risk levels and have high-level plans ready should something untoward happen. It then comes down to how likely an event is, and what damage or benefit it would bring.
We can make the analogy of a casino here; how likely is that card to come up? How much are you willing to bet? How much could you win or lose if it does or doesn’t appear on the table?
A flutter on the tables is one thing, but at an organisational level, what would be your response to the Board, or Investors, or the Police (if it got really bad) when asked to explain how a disaster came to pass on your watch?
Just as we always bang on about the importance of robust backups of your data, you need a fall back should the unexpected happen. That fall back is your Risk Management Strategy. It can sound like a headache and a lot of admin, but it can be as lightweight as you need it to be.
The key is that it exists, it’s reviewed regularly, and it’s signed off at a senior level. It is a shared responsibility that keeps you together when things do get tough.
As you plan to control your risks, you are also covering yourself and your team to a large degree. Taking a responsible, proactive and inclusive approach – that is visible and transparent to as many people as possible – will go a long way to protecting yourselves.
The following five steps are iterative; start in simple, high level terms and refine them as time goes on.
- Identify the risks. Yes, this is a simple list! Split them into “Internal” (a systems failure, someone accidentally deleting core operational files, a lost laptop on a train) and “External” (a security breach, the office being shut down or inaccessible); a half-hour brainstorming session will generate plenty of ideas.
- Score each risk out of 10 using metrics such as likelihood, impact on the organisation should it happen, and proximity of the risk (a supplier going bust would be further away from you than your in-house payroll system breaking). Scoring the risks lets you focus on the top items first.
- Draw up high-level plans for your response to each risk. Again, these can be a few lines to start with; at least you are thinking about these risks, and you can refine your responses over time.
- Share your Risk Management Plan with everyone: build it into induction and review it at team meetings. You need ears on the ground listening for tremors that might turn into fault lines; you don’t want to have to invoke your risk responses if you can nip problems in the bud.
- Meet as a Senior Management Team once a month and zip through the Risk Register you created in steps 1 to 3. Ask the same questions each time: are the scores still right? Should any risks be removed or added? Repeating this is what keeps your risk plans under control.
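To show what the five steps look like once written down, here is a small risk register in Python. It is an added example, not code from the original post or from Ethical IT: the scoring formula (the geometric mean of likelihood, impact and proximity, each rated 1 to 10, which keeps the result on a 1 to 10 scale), the field names, the 31-day review window and the sample risks are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass
class Risk:
    """One row of the Risk Register (steps 1 to 3 of the five-step list)."""
    name: str
    category: str        # step 1: "Internal" or "External"
    likelihood: int      # step 2: 1 (very unlikely) .. 10 (near certain)
    impact: int          # step 2: 1 (trivial) .. 10 (existential)
    proximity: int       # step 2: 1 (far away, e.g. a supplier) .. 10 (in-house, could happen today)
    response: str        # step 3: the high-level plan; a few lines is fine to start with
    last_reviewed: date  # step 5: when the Senior Management Team last checked this row

    def __post_init__(self):
        # Reject nonsense scores early so a typo does not silently sink a risk to the bottom.
        if self.category not in ("Internal", "External"):
            raise ValueError(f"{self.name}: category must be Internal or External")
        for field_name in ("likelihood", "impact", "proximity"):
            value = getattr(self, field_name)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{self.name}: {field_name} must be an integer from 1 to 10")


def score(risk: Risk) -> float:
    """Combine the three metrics into a single score out of 10.

    Assumed formula (not from the article): the geometric mean of the three
    1-10 metrics, so a risk that is high on all three scores close to 10 and
    one that is low on any of them is pulled down.
    """
    return round((risk.likelihood * risk.impact * risk.proximity) ** (1 / 3), 1)


def rank(register: List[Risk]) -> List[Risk]:
    """Highest score first, so the top of the list is what to work on first."""
    return sorted(register, key=score, reverse=True)


def due_for_review(register: List[Risk], today: date, max_age_days: int = 31) -> List[str]:
    """Names of risks nobody has looked at within the monthly review cycle (step 5)."""
    return [r.name for r in register if (today - r.last_reviewed).days > max_age_days]


# Constructed sample register; the risks, scores and dates are made up for this example.
TODAY = date(2017, 7, 3)
REGISTER = [
    Risk("Ransomware encrypts the file server", "External", 6, 9, 8,
         "Isolate the share, restore last night's offline backup, notify the Board", date(2017, 6, 20)),
    Risk("Laptop lost on a train", "Internal", 7, 5, 9,
         "Remote wipe via MDM, rotate the user's passwords, check disk encryption status", date(2017, 5, 15)),
    Risk("Core operational files deleted by accident", "Internal", 5, 6, 10,
         "Restore from versioned backup; review who has delete rights", date(2017, 6, 28)),
    Risk("Payroll supplier goes bust", "External", 2, 7, 3,
         "Keep last three payroll exports on site; shortlist an alternative supplier", date(2017, 4, 1)),
]


if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{score(r):4.1f}  {r.category:8s}  {r.name}")
    print("Due for review:", due_for_review(REGISTER, TODAY))
```

Running it prints the register ranked with the ransomware risk at the top and the distant supplier risk at the bottom, and flags the two rows that have not been reviewed in the last month. Swap the formula for whatever weighting your own Senior Management Team agrees on; the point is that the score, the response and the review date all live in one place that can be signed off.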
A common mistake is to forget about positive risk – often defined as doing something too well. What if your marketing campaign produces a million hits? Or all your funding applications succeed and end up costing you more in tax liability than you accounted for?
Equally, these can be “mitigated” by turning them into opportunity. Having contingencies in place lets you make use of serendipity, good fortune or being in the right place at the right time, and responding to a change in circumstance or a positive risk quicker than anyone else will put you on the front foot.
Into the Unknown Unknown...
Don’t ignore risk. We see it happen time and time again, and of course with hindsight everything is clear. But a simple five-point checklist reviewed regularly will embed itself into your operations soon enough. Start small and simple, expand, and seize the initiative. Don’t lose sleep at night over uncertainties; take control and keep everyone calm!
As always, you’ll find a more detailed white paper on this topic at our Ethical IT Knowledgebase; this is completely free, with no sign-up or personal information required, so please read it, share it, spread the word. Knowledge is power!