A Guide to IT Risk Management for Small Businesses – The Motley Fool | Region & Cash


The threats to your corporate network and its data are constantly increasing. You can’t eliminate the risks they pose, but you can mitigate their impact with these five IT risk management strategies.

Your information technology (IT) department oversees a technical landscape that is becoming more complex and vulnerable to threats by the day. To manage it, you need to answer questions like, “Which threats are the top priority for my organization?” and “What is my risk tolerance?”

IT risk management formalizes risk assessment and subsequent mitigation efforts. You can’t eliminate risk, but we’ll go through risk management strategies to minimize the impact on your small business.

Overview: What is IT risk management?

IT risk management monitors, measures, controls and reports on risk-related issues within the IT department. Successful risk management ensures high-quality data availability, confidentiality and integrity for internal and external stakeholders.

The classic risk calculation model has three variables:

  • Threat: A defined threat such as a distributed denial-of-service (DDoS) attack or phishing attempts
  • Vulnerability: An identified gap in your security system
  • Consequence: Amount of damage the company suffers due to the threat

Once these variables are defined – for example, you can rate them on a scale of 1 to 10 based on severity – the risk is calculated as follows:

Risk = Threat x Vulnerability x Consequence

Every business faces multiple constant data security threats, but not all threats are created equal. Prioritize threats based on their potential impact on business operations and stakeholder trust.

Your basic risk management plan consists of four steps: identify risk, assess risk, control risk, and then review those controls.

A circular diagram shows the four steps in the risk management process: Identify Risks, Assess Risks, Control Risks, and Review Controls.

Risk management is an ongoing, recursive process. Image source: author

The IT risk management process typically includes a dedicated Information Security Management System (ISMS) and Information Technology Infrastructure Library (ITIL) version 3 (v3) protocols.

ITIL processes improve the entire IT service lifecycle and better integrate the activities of the IT department with business goals and processes.

Managed Service Providers (MSPs) that provide IT services to external customers or companies with extended corporate networks can deploy a Security Operations Center (SOC).

The SOC focuses solely on network security, leaving overall network performance and direct end-user support to a Network Operations Center (NOC) or IT helpdesk.

What does IT risk management look like in practice?

IT risk management is similar to driving your car on the freeway when various things hit your windshield. You can’t avoid bugs, gravel or rain – or IT risks.

When you drive, you make risk mitigation decisions constantly. You accept bugs hitting your windshield because the potential damage is negligible. If you are behind a gravel truck, you can pass it when you get the chance in order to avoid the rocks it might throw up.

If that is not possible, you can let another vehicle pull in ahead of you, transferring some of the risk to it. Or, if you are in a heavy downpour, you can slow down to reduce the risk of restricted visibility or aquaplaning.

A chart uses action arrows to illustrate four types of risk mitigation: Accept, Avoid, Transfer, and Reduce.

Risk mitigation strategies recognize that you cannot eliminate risk. Image source: author

IT risk assessment is critical to determining your risk tolerance and strategies. Categorize identified risks and determine which you can accept, avoid, transfer or reduce.

1. Quantitative risk assessment

Quantitative assessment takes the risk assessment model a step further by calculating the potential financial impact for each threat scenario. The end cost of threats and remediation is a useful starting point for determining optimal risk mitigation.

  • Financial risk: For each risk scenario, calculate the potential financial cost of hardware, software, and devices based on their exposure to risk.
  • Mitigation costs: Calculate the cost of each mitigation type; any that costs more than the calculated financial risk can be discarded. Then choose, from the remaining options, the mitigation that offers the best return on investment (ROI).

Quantitative analysis uses hard data to inform your risk strategies, but its focus on financial costs fails to consider the other important factors that qualitative analysis involves.
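The risk formula and the quantitative steps above can be worked through end to end. The following is an added example, not code from the original article: it scores each threat scenario with Risk = Threat x Vulnerability x Consequence, ranks the scenarios, and for each one discards mitigations that cost more than the expected financial loss and picks the remaining option with the best ROI. The scenarios, 1-to-10 ratings, dollar figures and risk-reduction fractions are constructed assumptions, not measured data.

```python
"""Quantitative IT risk assessment.

Scores each threat scenario with Risk = Threat x Vulnerability x Consequence,
ranks the scenarios, and for each one discards mitigations that cost more than
the expected financial loss and picks the remaining option with the best ROI.
The scenarios, ratings, dollar figures and risk-reduction fractions below are
constructed for illustration (assumptions, not measured data).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: int           # likelihood the threat materializes, rated 1-10
    vulnerability: int    # how exposed the environment is to it, rated 1-10
    consequence: int      # damage if it succeeds, rated 1-10
    expected_loss: float  # assumed annual financial exposure in dollars


@dataclass(frozen=True)
class Mitigation:
    name: str
    cost: float            # annual cost of the control in dollars
    risk_reduction: float  # assumed fraction of expected_loss it prevents (0-1)


def risk_score(s: Scenario) -> int:
    """Risk = Threat x Vulnerability x Consequence; each factor must be 1-10."""
    for value in (s.threat, s.vulnerability, s.consequence):
        if not 1 <= value <= 10:
            raise ValueError(f"{s.name}: ratings must be between 1 and 10")
    return s.threat * s.vulnerability * s.consequence


def prioritize(scenarios: list[Scenario]) -> list[Scenario]:
    """Highest risk score first; ties broken by larger expected loss."""
    return sorted(scenarios, key=lambda s: (risk_score(s), s.expected_loss), reverse=True)


def roi(m: Mitigation, s: Scenario) -> float:
    """Return on investment: (loss avoided - cost) / cost."""
    avoided = s.expected_loss * m.risk_reduction
    return (avoided - m.cost) / m.cost


def choose_mitigation(s: Scenario, options: list[Mitigation]) -> Optional[Mitigation]:
    """Drop options costing more than the expected loss, then take the best ROI.

    Returns None when no affordable option remains, i.e. the risk is accepted.
    """
    affordable = [m for m in options if m.cost <= s.expected_loss]
    if not affordable:
        return None
    return max(affordable, key=lambda m: roi(m, s))


# Constructed sample assessment (hypothetical scenarios and figures).
SCENARIOS = [
    Scenario("Phishing leads to credential theft", 8, 6, 7, expected_loss=120_000),
    Scenario("DDoS against the web shop", 5, 4, 8, expected_loss=60_000),
    Scenario("Lost laptop with unencrypted disk", 3, 9, 6, expected_loss=40_000),
]

MITIGATIONS = {
    "Phishing leads to credential theft": [
        Mitigation("Security awareness training", cost=8_000, risk_reduction=0.30),
        Mitigation("Phishing-resistant MFA", cost=15_000, risk_reduction=0.80),
        Mitigation("Managed detection service", cost=150_000, risk_reduction=0.90),
    ],
    "DDoS against the web shop": [
        Mitigation("Always-on DDoS scrubbing", cost=70_000, risk_reduction=0.95),
    ],
    "Lost laptop with unencrypted disk": [
        Mitigation("Full-disk encryption rollout", cost=2_000, risk_reduction=0.95),
        Mitigation("Replace the laptop fleet", cost=45_000, risk_reduction=0.95),
    ],
}


def assessment_report(scenarios, mitigations) -> list[dict]:
    """One row per scenario, in priority order, with the chosen mitigation."""
    rows = []
    for s in prioritize(scenarios):
        chosen = choose_mitigation(s, mitigations.get(s.name, []))
        rows.append({
            "scenario": s.name,
            "risk_score": risk_score(s),
            "decision": "reduce" if chosen else "accept",
            "mitigation": chosen.name if chosen else None,
            "roi": round(roi(chosen, s), 2) if chosen else None,
        })
    return rows


if __name__ == "__main__":
    for row in assessment_report(SCENARIOS, MITIGATIONS):
        print(row)
```

In the sample data the DDoS scenario ends up with no affordable control and is therefore accepted, which is exactly the outcome the discard rule produces; a real assessment would revisit such a scenario in the qualitative pass, since a pure ROI ranking says nothing about reputation or service levels.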

2. Qualitative risk assessment

Rather than using hard data, a qualitative assessment answers questions like, “How would service levels be affected?” and “What would be the impact on our reputation?” This approach is subjective as it uses responses and perspectives from multiple stakeholders to generate its results.

  • Business Impact: This assessment identifies the risks with the greatest potential impact on overall business processes. It looks for the cascading effects that unaddressed risk can have in your organization and how it could impact the productivity of multiple workgroups and departments.
  • Impact on Reputation: The qualitative risk assessment evaluates the potential external impacts on end users and customers, including customer satisfaction scores (CSAT), customer churn rates, and social media interactions.

A qualitative assessment is inherently more amorphous than its quantitative counterpart. However, perception is reality, and how your internal and external users perceive your IT capabilities directly impacts your bottom line.

3. Problem Management

Risk control is linked to your problem management processes. While incident management is inherently reactive—IT staff responding to unexpected, low-level events or user-submitted help tickets—problem management is proactive.

  • Recurring Incidents: Problem management identifies the underlying cause of recurring events to formulate a risk mitigation strategy.
  • Knowledge Base: Both incident and problem management require a knowledge base, a central repository of approved information, and processes for IT staff. Articles in the online knowledge base document how different types of risk can be mitigated and can be easily updated to reflect current events and incidents.

The best IT management software automates and streamlines issue and change management.

4. Emergency Change Management

Change management, another ITIL process, helps manage risk. While routine and standard changes pose little risk, emergency changes approved by the Emergency Change Advisory Board (ECAB) quickly reduce risk in the event of unexpected critical events or disasters.

  • ECAB: This panel requires representatives from IT, the rest of the business (like financial services, human resources, and marketing), and third-party vendors. The wide range of participants provides a cross-functional perspective of risk and threat assessment.
  • Emergency Changes: While expediting emergency changes—a critical hotfix or responding to a zero-day exploit—to reduce risk, using a defined emergency change process is critical. An ad hoc solution without prior monitoring or discussion can create more problems than it solves.

Your change management plans will help you avoid unnecessary service disruptions, unwanted expenses, and lower CSAT scores.

5. Track your results

Tracking risk mitigation results can be difficult because there is no absolute value to put on an event that did not occur or whose impact was minimized.

Comparative financial statistics – year-by-year, quarter-by-quarter, or other defined time period – provide actionable insights into the results of your efforts.

  • Downtime: Depending on the size of your business and your industry, network outage costs range from $137/minute to $9,000/minute. These costs include reduced employee productivity, lost e-commerce transactions, Service Level Agreement (SLA) penalties, and government fines for regulatory violations.
  • Data loss: The cost of data loss from hacks, which can take weeks or months to detect, can be even higher than the cost of downtime. Direct costs include the notification process following a data breach, lost revenue and fines. Indirect costs include loss of customer trust and lost business opportunities. Hidden costs include lost employee productivity while you deal with the breach.

More detailed performance metrics include the number of identified threats versus realized threats, the number and frequency of unexpected threats, and the mean time to resolution (MTTR) of threats.
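The period-over-period comparison and the metrics just listed can be computed from an incident log. The following is an added example, not code from the original article: it takes a risk register and two quarters of incident records and reports identified versus realized threats, unexpected threats (incidents whose category is not in the register), mean time to resolution (MTTR), downtime cost at a per-minute rate, and the quarter-over-quarter deltas. The register, the incident records and the $500/minute outage rate are constructed assumptions chosen to fall inside the range the article quotes.

```python
"""Tracking risk mitigation results across periods.

Computes identified vs. realized threats, the number of unexpected threats
(incidents not in the risk register), mean time to resolution (MTTR) and
downtime cost, then compares two periods. The register, incident records and
the $500/minute outage rate are constructed for illustration (assumptions,
not measured data).
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Threat categories listed in the risk register before the period began (constructed).
REGISTER = {"phishing", "ddos", "ransomware", "lost-device", "insider-misuse", "cloud-misconfig"}

COST_PER_MINUTE = 500.0  # assumed outage cost; the article cites $137 to $9,000 per minute


@dataclass(frozen=True)
class Incident:
    threat: str            # threat category, matched against REGISTER
    opened: datetime
    resolved: datetime
    downtime_minutes: int  # minutes of service outage caused (0 if none)

    def time_to_resolve_hours(self) -> float:
        return (self.resolved - self.opened).total_seconds() / 3600


# Constructed incident log for two consecutive quarters.
PREVIOUS_QUARTER = [
    Incident("ransomware", datetime(2023, 11, 2, 8, 0), datetime(2023, 11, 3, 20, 0), 600),
    Incident("phishing", datetime(2023, 12, 12, 9, 0), datetime(2023, 12, 12, 15, 0), 0),
]
CURRENT_QUARTER = [
    Incident("phishing", datetime(2024, 1, 8, 9, 0), datetime(2024, 1, 8, 13, 0), 0),
    Incident("phishing", datetime(2024, 2, 14, 10, 30), datetime(2024, 2, 14, 12, 30), 0),
    Incident("ddos", datetime(2024, 2, 20, 3, 15), datetime(2024, 2, 20, 5, 15), 120),
    # Not in the register: an unexpected threat the next assessment should add.
    Incident("supply-chain-update", datetime(2024, 3, 5, 16, 0), datetime(2024, 3, 7, 16, 0), 90),
]


def threat_metrics(register: set[str], incidents: list[Incident]) -> dict:
    """Identified vs. realized threats, plus threats that were never in the register."""
    realized = {i.threat for i in incidents}
    unexpected = Counter(i.threat for i in incidents if i.threat not in register)
    return {
        "identified": len(register),
        "realized": len(realized),
        "identified_and_realized": len(register & realized),
        "unexpected_threats": len(unexpected),
        "unexpected_incidents": sum(unexpected.values()),
    }


def mttr_hours(incidents: list[Incident]) -> float:
    """Mean time to resolution in hours; 0.0 for a period with no incidents."""
    if not incidents:
        return 0.0
    return mean(i.time_to_resolve_hours() for i in incidents)


def downtime_cost(incidents: list[Incident], cost_per_minute: float = COST_PER_MINUTE) -> float:
    """Total outage minutes in the period multiplied by the assumed per-minute cost."""
    return sum(i.downtime_minutes for i in incidents) * cost_per_minute


def period_comparison(previous: list[Incident], current: list[Incident]) -> dict:
    """Quarter-over-quarter deltas; negative values mean the situation improved."""
    return {
        "incidents_delta": len(current) - len(previous),
        "mttr_hours_delta": mttr_hours(current) - mttr_hours(previous),
        "downtime_cost_delta": downtime_cost(current) - downtime_cost(previous),
    }


if __name__ == "__main__":
    print(threat_metrics(REGISTER, CURRENT_QUARTER))
    print(f"MTTR: {mttr_hours(CURRENT_QUARTER):.1f} h, "
          f"downtime cost: ${downtime_cost(CURRENT_QUARTER):,.0f}")
    print(period_comparison(PREVIOUS_QUARTER, CURRENT_QUARTER))
```

The unexpected-threat count is the metric to watch most closely: every category that shows up in the incident log but not in the register is a gap in the last assessment and belongs in the next review of controls.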

Tips for successful IT risk management

These practical tips will help you implement risk management strategies in your organization.

1. Collaborate and communicate

The consequences of unaddressed risk impact your entire organization, meaning risk management is too important to delegate to one person or department.

Effective risk management is holistic, incorporates multiple perspectives, and requires ongoing communication between stakeholders during initial assessment and subsequent mitigation.

2. Consider multiple scenarios

Multiple viewpoints help you avoid groupthink by committing to a single assessment or solution without properly considering alternative possibilities. Even if a response to a threat seems “obvious,” ask for additional suggestions and ideas to broaden the scope of your assessment.

3. Use a risk register

A risk register identifies the half-dozen most likely current threats and the actions to take when they occur. Loosely adapted from Donald Rumsfeld, the former US Secretary of Defense, the risk register lists:

  • Known knowns: Things you know about risk.
  • Known unknowns: Things you know about risk but may be overlooking.
  • Unknown unknowns: Things that exist related to risk that you don’t know about.
  • Positive risks: Opportunities associated with the risk.

The risk register is a handy document that lets you act immediately when an anticipated threat arises, rather than having to start from scratch.

Manage risks or become their victim

You can’t eliminate the risks your organization’s network and IT resources face, but don’t be their prisoner. A proactive risk management strategy with input from multiple stakeholders mitigates potential threats to your organization and its external relationships.
