Every worthwhile activity involves some amount of risk. How do I deal with risk in a systematic way?
When we think of risk, we often think of cybersecurity, but there are other types of IT risks. What’s the risk that we’re buying the wrong software? What’s the risk that a big project will fail? What’s the risk that our new hire won’t work out?
People talk about firewalls and antivirus, but cybersecurity pros talk about risk management.
Risk management is an important part of business planning. There are a number of frameworks, and they can get pretty involved. The National Institute of Standards and Technology publishes a helpful framework, which they just updated last month.
For the small to midsize firm, I’m going to boil this down to four pretty simple steps.
First, business managers decide how to frame risk. It varies by firm depending on regulation, finances, and culture. Are we cutting-edge or really conservative? Are we betting the farm hoping to win big? Or are we handing this business down to the grandkids?
From there you make a list of risks. You estimate both the likelihood and the impact of each risk to set priorities. This can be done at all levels of the firm. The risk the president sees may be different from the risk the PC tech sees.
For each item, you decide how to respond. Do you accept the risk or avoid it? Can you mitigate it, share it, or transfer it to others? Or maybe a combination of these.
Finally, you monitor the risks. You figure out who is watching what, so you'll know when a threat occurs or when the landscape itself changes and the risk needs to be reevaluated.
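The four steps above (frame, list and score, respond, monitor) are what a simple risk register captures. The following is an added Python example, not code from the episode or from 20 Creek: it scores each risk as likelihood times impact on a constructed 1-to-5 scale, sorts the register by priority, checks that every response is one of accept, avoid, mitigate, share or transfer, flags risks nobody is monitoring, and flags accepted risks that exceed a risk appetite threshold chosen in the framing step. The register entries, scales and appetite value are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List

# The five responses named in the text; anything else is a data-entry error.
RESPONSES = {"accept", "avoid", "mitigate", "share", "transfer"}


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int      # 1 (negligible) .. 5 (severe); constructed scale
    response: str    # one of RESPONSES
    owner: str = ""  # who is watching this risk; empty means nobody yet

    def score(self) -> int:
        """Likelihood times impact; higher means higher priority."""
        return self.likelihood * self.impact


def validate(risk: Risk) -> None:
    """Reject out-of-range scores and unknown response types."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.name}: likelihood and impact must be 1..5")
    if risk.response not in RESPONSES:
        raise ValueError(f"{risk.name}: unknown response {risk.response!r}")


def prioritize(register: List[Risk]) -> List[Risk]:
    """Validate every entry, then order by score (ties broken by name)."""
    for r in register:
        validate(r)
    return sorted(register, key=lambda r: (-r.score(), r.name))


def unmonitored(register: List[Risk]) -> List[str]:
    """Monitoring step: risks with no named owner watching them."""
    return [r.name for r in register if not r.owner]


def accepted_above_appetite(register: List[Risk], appetite: int) -> List[str]:
    """Framing check: risks marked 'accept' whose score exceeds the appetite
    the business managers set. These need a different response or sign-off."""
    return [r.name for r in register
            if r.response == "accept" and r.score() > appetite]


# Constructed sample register for a small firm (illustrative values only).
REGISTER = [
    Risk("Ransomware hits file server", 4, 5, "mitigate", owner="IT lead"),
    Risk("Wrong accounting software purchased", 2, 3, "share"),
    Risk("Key project slips a quarter", 3, 3, "accept", owner="PM"),
    Risk("New hire doesn't work out", 3, 2, "accept", owner="HR"),
]

# Constructed appetite: a conservative firm that will not simply accept
# anything scoring above 8.
APPETITE = 8


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score():>2}  {r.response:<9} {r.owner or '(no owner)':<12} {r.name}")
    print("unmonitored:", unmonitored(REGISTER))
    print("accepted above appetite:", accepted_above_appetite(REGISTER, APPETITE))
```

The point of the two checks at the bottom is that a register is only useful if it is tied back to the framing decision and to the monitoring step: an accepted risk that exceeds the firm's appetite, or a risk with no owner, is exactly what gets missed when the list is made once and never revisited.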
Later this week, we’ll talk about how to quantify risks and we’ll dig deeper into the response.
I’m Carter Edmonds with 20 Creek. We solve IT challenges.
Episode #15 – 12/31/2018