Any number of scholarly books and articles are available on ways to identify, assess, and quantify IT risk. The goal of this article is to present a simple view of risk management concepts, while avoiding complex definitions and confusing mathematics.
Simply stated, risk is the potential for a vulnerability to be exploited in a way that causes loss or damage to your IT system and/or to your business:
- A vulnerability is a weakness, such as an overlooked gap in defenses or controls. Vulnerabilities might also be created by uncorrected process or procedural errors, or by a lack of due diligence when selecting who is to be trusted with access to valuable resources.
- Exploitation is when some person, malware, environmental hazard (flood, fire, earthquake), or other threat agent takes advantage of a vulnerability. For example, a hacker may gain network access via unchanged default passwords.
- Impact is the bad stuff that happens to the organization when a vulnerability is exploited. Examples include loss of critical data, system interruption, recovery costs, and lost revenue or customer trust.
Every day, all of us must manage risk. Risk management professionals tell us that there are risks, large or small, associated with every activity that we undertake. Despite the inescapable nature of risk, there are really only four strategies with which to address it:
- Avoid the activity presenting risk
- Act to reduce the risk impact or likelihood
- Transfer the risk
- Accept the risk
These strategies are not mutually exclusive. Deciding which approach (or combination of approaches) to use requires recognizing and evaluating the risk:
- Does a vulnerability exist?
- Is there a threat that could reasonably exploit that vulnerability?
- How often is a threat event likely to occur?
- How much will it hurt if the event happens?
- How much hurt is acceptable?
Anyone who ever leaves their house will agree that travel in today’s world creates risks. Those risks apply to travelers, companions, bystanders, and property. Let’s examine how those four strategies might apply using simple examples of travel risks.
Risk Avoidance: If you were thinking of traveling somewhere by car, airplane, bike, etc., using a risk avoidance strategy would mean that you simply do not go. Avoiding travel also avoids the related travel risks. Easy enough, but not traveling may create alternative risks, such as an unhappy family. In the business world a risk avoidance strategy is undesirable if it results in significant lost opportunities (e.g., lost sales, revenue, market share, stakeholder satisfaction, and career advancement).
Risk Transfer: We all understand that driving an automobile presents several potential risks. One obvious risk is being involved in an accident resulting in injury and/or property damage. Additionally, an auto accident may result in a significant financial burden or legal complications. Insurance policies for medical, property damage, or legal bills may transfer part of the financial impact to the insurance company, but they do not transfer risk ownership or responsibility. This is also true for a business. A company may transfer financial risk to an insurance company or a third-party provider, but the ownership and ultimate responsibility remain with the company.
Risk Reduction: Continuing with the example of travel by car: do you require everyone to use a seat belt? Do small children use approved and properly installed child-restraint seats? Are a fire extinguisher and a first-aid kit on board? Are the tires properly inflated, including the spare? Is the vehicle safety equipment (exterior lights, mirrors, horn) inspected and working properly? Those are a few examples of reducing risk by acting to limit the likelihood or seriousness of an accident. The goal of risk reduction is to limit the potential impact or likelihood to a level where the residual risk is acceptable to the owner.
Risk Acceptance: The “Nike approach” to risk management is risk acceptance. In other words, “just do it.” For example, a short drive in light traffic to Grandmother’s house for a home-cooked meal: you just pack up the kids and go. In your mind, you know that there is potential for risk, but you have reduced the risk with the reduction efforts listed above. The remaining risk is acceptable. In the business world, things are a bit more complicated thanks to due diligence requirements, but the decision equation looks similar. Risk acceptance is proper to consider when the expense of reducing risk (either initial or residual) is not cost-effective, the likelihood of the event is low, and there is a desired benefit in accepting the risk (e.g., Grandma’s home-cooked meal).
The following chart generalizes a view of how risk strategies play together in the decision process:
How much risk a company is willing to absorb depends on its culture and its capabilities. Some fast-moving, more entrepreneurial organizations will accept a certain amount of risk in order to, for example, retain their agility in the marketplace. Organizations with a lower risk appetite are more likely to engage in more aggressive risk remediation actions, up to and including avoiding the risky activity completely.
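As an added illustration that is not part of the original article, the following Python risk register turns the five evaluation questions and the four strategies above into a single decision routine: each risk is scored as likelihood times impact, compared with the owner's appetite, and then assigned accept, reduce, transfer, or avoid using the cost-effectiveness test from the Risk Acceptance paragraph. Every risk name, likelihood, dollar figure, control and the 10,000-per-year appetite is constructed for the example; a real register would take these values from the organization's own assessment.

```python
# Added example (not from the original article): a minimal risk register that
# scores each risk and recommends one of the four strategies.
# All names, probabilities, costs and thresholds below are constructed.
from dataclasses import dataclass, field


@dataclass
class Control:
    """A reduction option: its yearly cost and the risk that remains after it."""
    name: str
    annual_cost: float
    residual_likelihood: float  # expected events per year after the control
    residual_impact: float      # loss per event after the control


@dataclass
class Risk:
    name: str
    likelihood: float           # expected events per year (inherent, no controls)
    impact: float               # loss per event, in currency units
    benefit: float              # yearly value of the activity that carries the risk
    controls: list = field(default_factory=list)
    insurable_fraction: float = 0.0  # share of each loss an insurer would cover


APPETITE = 10_000.0  # constructed: largest expected yearly loss the owner will carry


def expected_loss(likelihood: float, impact: float) -> float:
    """'How often?' times 'how much will it hurt?' gives the expected yearly loss."""
    return likelihood * impact


def recommend(risk: Risk, appetite: float) -> tuple:
    """Return (strategy, reason) by walking the article's decision questions."""
    inherent = expected_loss(risk.likelihood, risk.impact)

    # How much hurt is acceptable? Within appetite: accept as is.
    if inherent <= appetite:
        return "accept", f"expected loss {inherent:,.0f} is within appetite {appetite:,.0f}"

    # Can a control bring the residual risk within appetite for less than it saves?
    best = None
    for ctl in risk.controls:
        residual = expected_loss(ctl.residual_likelihood, ctl.residual_impact)
        saving = inherent - residual
        if residual <= appetite and ctl.annual_cost < saving:
            total = residual + ctl.annual_cost
            if best is None or total < best[2]:
                best = (ctl, residual, total)
    if best is not None:
        ctl, residual, _ = best
        return "reduce", f"{ctl.name} leaves {residual:,.0f} expected loss for {ctl.annual_cost:,.0f}/yr"

    # Can insurance carry enough of the financial impact? (Ownership stays with us.)
    retained = expected_loss(risk.likelihood, risk.impact * (1.0 - risk.insurable_fraction))
    if retained <= appetite:
        return "transfer", f"insurance leaves a retained expected loss of {retained:,.0f}"

    # No affordable way down: keep the activity only if its benefit outweighs the loss.
    if risk.benefit > inherent:
        return "accept", f"benefit {risk.benefit:,.0f} exceeds expected loss {inherent:,.0f}; needs formal sign-off"
    return "avoid", f"expected loss {inherent:,.0f} exceeds benefit {risk.benefit:,.0f} with no affordable reduction"


def sample_register() -> list:
    """Constructed risks covering each strategy; figures are illustrative only."""
    return [
        Risk("Default passwords on network devices", 0.5, 200_000, 50_000,
             controls=[Control("credential rotation and password policy", 5_000, 0.02, 200_000)]),
        Risk("Flood at primary data centre", 0.005, 1_000_000, 400_000),
        Risk("Ransomware via phishing", 0.3, 500_000, 900_000,
             controls=[Control("awareness training only", 20_000, 0.15, 500_000),
                       Control("endpoint protection plus tested backups", 60_000, 0.1, 50_000)]),
        Risk("Third-party SaaS outage", 2.0, 30_000, 150_000, insurable_fraction=0.9),
        Risk("Unsupported legacy application kept for one report", 0.4, 300_000, 20_000),
    ]


def assess_all(risks: list, appetite: float) -> dict:
    """Map each risk name to its recommended strategy."""
    return {r.name: recommend(r, appetite)[0] for r in risks}


if __name__ == "__main__":
    for r in sample_register():
        strategy, reason = recommend(r, APPETITE)
        print(f"{r.name:55s} {strategy:9s} {reason}")
```

The order of the checks mirrors the article: acceptance is only reached directly when the expected loss already sits within appetite, reduction has to pay for itself and actually land within appetite, transfer only counts the financial share an insurer would carry, and avoidance is the fallback when the activity's benefit no longer justifies the exposure.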
Managing Risk with NorthState Technology Solutions
Every IT organization needs to work through identifying, understanding, and remediating its existing and potential risk. Perhaps you would like information on cost-effective processes and tools for monitoring and managing your risk environment. Or, you might be wondering how to best recognize and manage evolving and emerging risks.
At NorthState Technology Solutions we provide tested and proven methodologies to help you accomplish these goals. These include engaging with organizational subject matter experts and risk owners to identify and assess your IT risks:
- Physical: Threats from weak access controls; damage to IT resources
- Technical: Threats of loss, compromise, or corruption of critical business information; ineffective device management; weak connectivity controls; lack of disaster recovery, business continuity, and capacity management
- Human error: Threats from intentional acts, errors, or omissions
- Governance: Threats from a lack of controls; regulatory/legal non-compliance
As part of this process, you will receive a formal, documented assessment containing detailed findings and actionable recommendations. We also provide post-project support to ensure your continued success.
At NorthState Technology Solutions, our risk management services give you a unique advantage, thanks to the abilities of our experienced, skilled experts. We assist organizations of every size, and are able to help them attain an effective, mature, and reliable risk management process. We have a track record as valued partners in our clients’ success, and offer the industry’s only 100% satisfaction guarantee on professional services.