Avoidable Business Risk Should Not Be Acceptable

Effectively Assess and Mitigate Business Risk

Every business has risk. There are small business risks like running out of paper in the middle of a workday or the risk of an employee calling off with a cold and being shorthanded. There are large risks like natural disasters and major system failures. Though unlikely, a proper IT management strategy and business risk assessment will properly assess and mitigate these major disruptions at an acceptable cost.

Identify the Business Risks

Some risks can be avoided. As the responsible parties, leaders and visionaries of our companies, we must anticipate possible risks that may negatively impact our businesses. It is our responsibility to our businesses, families, employees and customers to find the appropriate solutions.

I run into business owners that cover the broad spectrum of feelings about this issue. Some owners that I meet only concern themselves with new sales and growth. They ignore their own internal risk and the potential harm to which it exposes their customers. Others follow the same strategy but are more motivated my lagging sales and the need to cut costs.

Many business owners that I meet choose to ignore risk not for greed or any other reason than blind optimism, being uninformed, receiving improper advice, or even plain negligence. Over the thirteen plus years that I have owned my business and dealt with other business owners, I am startled by the scarcity of businesses that operate with absolute regard for customers’ privacy and security, and their own business’s welfare.

“If it happens, we’ll deal with it then”

There are numerous articles of data theft from companies that consumers trust like Target and Home Depot. There are now reports that Home Depot ignored warnings about their security as early as 2008. I have come in contact with mortgage companies, dentist offices, accounting firms and financial planners that, when advised that that are not adequately protecting themselves and their clients, respond by stating that “it hasn’t happened yet.” They have ignored the future possibility based on previous good experiences.

Data theft or hacking is not the only risk that impacts clients. Data loss through system failure or employee mistakes are common issues that any business faces. A business must properly assess their own risk and prepare for any scenario. In addition, they also have to trust that their network management company is properly addressing their risk to anticipate technical issues and vulnerabilities that the business owner cannot anticipate simply due to lack of awareness.

Plan for Everything and Anything

Business risk is a critical consideration in the planning, management and ongoing support of a company’s servers, workstations, mobile devices and how employees interact with these devices.

A reputable IT management vendor will take the time to discuss their information and reliability risks.  We must then work to find an acceptable level of risk for the client within the appropriate budget.

Risk is not completely avoidable, we can only properly address it within reasonable budgetary constraints and legal requirements such as HIPAA, FINRA or SEC regulations. However, with proper assessment, best practices and planning, an acceptable result should be achieved.

An example of how we may approach a specific risk:

Data Loss Risk Analysis

1. Failure Point
1. Likelihood
2. Impact to the business workflow
3. Impact to the client’s profitability
4. Methods of protection
5. Cost of data protection platform
6. Time to Recovery (TTR)
7. Risk of recovery failure

I’m not going to give away all of our process.  It goes into much more detail but a good IT vendor will have something similar in place. If not, we should probably have a short chat.

We recommend discussing IT risk at least once a year with our clients and as often as quarterly with some. Properly identifying your company’s business risk is the first step to ensuring that you continue to grow and that it provides your clients a great product or service for years to come. Anything less from an IT service provider should be unacceptable.