The MBA Guide to IT

Episode 17 – How do I evaluate IT risk?

Risk Management isn’t about predicting the future.  It’s about identifying potential threats and deciding how to handle them.  So, how do I identify risks and decide how to handle them?

You’ll start by making a list.  You may find some of this published.  You may brainstorm it yourself.  And if you’re using consultants, they should bring some ideas too.  Of course, your business is constantly evolving and so is the threat landscape, so resist the urge to take an old list and reuse it verbatim.

Once you have your list, you’ll need a way to evaluate it.

In some cases, you’ll have exact numbers.  If the employee bike shed sits in the 100-year flood plain, you have a 1% chance it will flood this year.  If it costs $10,000 to replace it, your risk averages out to $100 a year.  You’ll sometimes hear this called your Annualized Loss Expectancy.

Often, you won’t have hard numbers like this.  What are the odds you’ll be hacked?  How much will it cost if you are?  You can estimate in real dollars, or you can give each item a relative score.  My most likely risks get a 10 for likelihood.  My most costly risks get a 10 for cost.  Multiply them together to produce a Risk Management Score.

By either method, you should now have a list of threats with a number attached to each one.  Rank them to get a prioritized list of threats.

One caution: your estimates are just estimates, and the process doesn’t make them any more certain.  The numbers inform your judgement.  They don’t replace your judgement.  This isn’t a math test.
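The procedure above (list the threats, put a number on each, rank them, then let judgement decide the close calls) is small enough to write down as a toy risk register. The following Python is an added example, not code from the episode or from 20 Creek; the threat names, probabilities, dollar figures and 1-to-10 scores are constructed for illustration, and the quantitative and relative registers are ranked separately because an Annualized Loss Expectancy in dollars and a likelihood-times-cost score are not on the same scale.

```python
"""Toy risk register: Annualized Loss Expectancy for threats with hard numbers,
a relative likelihood x cost score for the rest, and a ranking of each list.
Added example; all figures below are constructed, not taken from the episode."""
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantRisk:
    """A threat with real numbers: chance it happens this year, cost if it does."""
    name: str
    annual_probability: float   # e.g. 0.01 for a 100-year event
    single_loss: float          # dollars to recover from one occurrence

    def __post_init__(self) -> None:
        if not 0.0 <= self.annual_probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")
        if self.single_loss < 0:
            raise ValueError(f"{self.name}: loss cannot be negative")

    def ale(self) -> float:
        """Annualized Loss Expectancy = probability per year x cost per event."""
        return self.annual_probability * self.single_loss


@dataclass(frozen=True)
class QualRisk:
    """A threat scored relatively: 10 = most likely / most costly on the list."""
    name: str
    likelihood: int   # 1..10
    cost: int         # 1..10

    def __post_init__(self) -> None:
        for label, value in (("likelihood", self.likelihood), ("cost", self.cost)):
            if not 1 <= value <= 10:
                raise ValueError(f"{self.name}: {label} must be 1..10, got {value}")

    def score(self) -> int:
        """Risk Management Score = likelihood x cost."""
        return self.likelihood * self.cost


def rank_quantitative(risks: list[QuantRisk]) -> list[tuple[str, float]]:
    """Highest ALE first."""
    return sorted(((r.name, r.ale()) for r in risks), key=lambda t: t[1], reverse=True)


def rank_qualitative(risks: list[QualRisk]) -> list[tuple[str, int]]:
    """Highest Risk Management Score first."""
    return sorted(((r.name, r.score()) for r in risks), key=lambda t: t[1], reverse=True)


def close_calls(ranked: list[tuple[str, float]], rel_tol: float = 0.25) -> list[tuple[str, str]]:
    """Adjacent pairs whose numbers differ by less than rel_tol of the larger one.
    These are the places where the estimate's error bars swamp the ordering,
    so judgement, not the arithmetic, should decide which comes first."""
    pairs = []
    for (name_a, val_a), (name_b, val_b) in zip(ranked, ranked[1:]):
        if val_a > 0 and (val_a - val_b) / val_a < rel_tol:
            pairs.append((name_a, name_b))
    return pairs


# Constructed sample register (the bike shed figures are the episode's own example).
QUANT_RISKS = [
    QuantRisk("Bike shed flood", 0.01, 10_000),
    QuantRisk("Laptop lost or stolen", 0.50, 2_500),
    QuantRisk("Server room AC failure", 0.20, 4_000),
]
QUAL_RISKS = [
    QualRisk("Phishing leads to account takeover", likelihood=8, cost=6),
    QualRisk("Ransomware", likelihood=4, cost=10),
    QualRisk("Website defacement", likelihood=5, cost=3),
]

if __name__ == "__main__":
    for name, ale in rank_quantitative(QUANT_RISKS):
        print(f"${ale:>8,.2f}/yr  {name}")
    for name, score in rank_qualitative(QUAL_RISKS):
        print(f"score {score:>3}  {name}")
    print("close calls:", close_calls(rank_qualitative(QUAL_RISKS)))
```

With these constructed numbers the phishing and ransomware scores (48 and 40) land within 25% of each other, so the register flags them as a close call: the ordering between them is a judgement, as the caution above says, not something the multiplication settled.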

For each item, you’ll decide whether to accept, avoid, mitigate, share, or transfer the risk.  We’ll talk about these options in our next two videos.

I’m Carter Edmonds with 20 Creek.  We solve IT challenges.

Episode #17 – 1/2/2019

