It doesn’t matter if your company is in the Fortune 100 or a small business that you operate from your home: Risk Management needs to be an integral part of your daily considerations to run a profitable business. Of course, depending on your size and scope, there will be different factors that need to be considered. A multi-national company needs to focus on different risk factors than a “mom and pop” business. For example, a large company would focus on the risk of a system failure or security breaches, while a small business’s focus might be “did I buy too much inventory or provide too much credit to a specific individual”. In either case, mitigating risk makes the ‘bottom line’ more attainable.
We’re going to focus this article on Assessing and Mitigating Risk for larger companies that have the resources and data available to track and record data daily, weekly, monthly, etc. and report on that data on a regular basis. If those capabilities are available and not used, then lack of risk management becomes another large risk factor that needs to be addressed by the company’s senior management.
While Risk Management is frequently associated with application software risk, it is also very useful when applied to other activities within an organization. Sometimes the question behind a decision isn’t whether moving forward with new products or projects is the right thing to do, but whether you’re at risk if you don’t move forward. Should we ‘build it and they will come’ or should we wait for a client to ask for it? These types of questions can be built into a risk matrix document specific to a different type of risk assessment than the traditional application model.
To decrease risk in your everyday operational areas, all it takes is the three Rs: the Right Formula, the Right Tactics, and Repeatable Actions.
Let’s start with the first R: What is the Right Formula for risk mitigation? The answer for your technical team(s) will be different than for your product or finance teams, so we’ll focus on the techies and highlight a technical solution:
#1) Identify and document known vulnerabilities
#2) Develop a scoring matrix to rate the highest to lowest risks to the business
#3) Prioritize the remediation of the items at risk
#4) Communicate to all interested parties
#5) Develop project plans to mitigate potential issues
The second R: What are the Right Tactics for delivering on the Right Formula?
#1) A brainstorming session with the people that know the systems/environments the best. Put together a list containing any known or potential situations that keep the IT teams awake at night. It doesn’t matter whether they are critical situations or just an annoyance, get them on the list so it can be considered complete.
#2) Using criteria such as Severity, Likelihood, and Impact, create a scoring matrix of all the list items.
#3) Align your business leaders and IT teams together to determine prioritization of the items on the risk matrix.
#4) Communication is essential. Document and publish details both laterally and upwards in the organization.
#5) Make it happen.
When you follow the steps, you’ll have a concrete, customized action plan of necessary changes to get the results you want.
All that’s left to do is rinse and Repeat. By repeating the above exercise on a quarterly or yearly basis, you’ll have the knowledge to make the right decisions on how to spend your investment dollars without putting the company at risk.
A typical Risk Matrix would be a simple document containing things like the nature of the risk, the likelihood of the risk occurring, the severity of the risk, the impact of the risk to the business, the costs to remediate the risk, when the risk might occur, and the dollar cost associated with the worst-case scenario.
Using the operational metrics collected continually on a 365/7/24 basis, and having your technical teams perform scheduled reviews of their systems and score those systems against the operational metrics data, will help to determine the “Risk Factor” associated with any identified event that has occurred in the past and the likelihood that it will occur in the future. If the results of the review of each system/application are high severity, high likelihood, and high impact, then mitigation is most likely required to get the impact to an acceptable risk rating. If the impact is low, then maybe the risk rating is acceptable and nothing needs to be done. Decisions aside, it’s essential that the exercise is performed in order to be able to make a decision on whether or not to accept the risks.
To get a global view of all Risk at the corporate level, each business unit within an organization should create a Risk Matrix for each product/offering available. The business leader of the unit should then prioritize each of the created matrixes to determine the order of importance to the business unit. This will produce at the business unit level a document that can be rolled together with other business units’ Risk Matrixes to assemble an enterprise level matrix to be communicated to the “C” level officers.
Once the organization’s senior management has a thorough understanding of the known vulnerabilities, prospective new products and risks to the organization, deciding on where and when to invest the company’s money and resources becomes a less risky exercise. Having the right process and data available makes this possible.
When you put in a Risk Matrix process, it not only captures risk, it becomes a fantastic tool for year-end budgeting activities. When you’re looking to determine where you are going to invest your money, your risk matrix can identify some areas that you might not normally invest in. One such area is your KTLO applications. Your team tells you that those applications never have any problems, but the data may show that if “this, this and this” happens to your primary revenue generator, you could potentially be putting 70% of your revenue at risk. When enterprises proactively use this systematic technique as a risk matrix exercise, we see better risk decisions being made.
For example, one company determined, based on the data produced by the Risk Matrix, that a high impact outage lasting an hour could cost them $52 million and that bringing that impact down to something more manageable would cost only $1 million, so they proactively made that investment based upon data.
When you institute a repeatable action Risk Matrix, it’s not a one-off exercise that has everyone scrambling around because something just broke. It is a purposeful way of determining what your risk posture is on a regular basis, driving your investments and keeping your clients and employees happy. If you use a Risk Matrix as a driver for your risk mitigation strategies, you’ll have a safer and more profitable company.
In conclusion, Risk is present in almost all situations and can be detrimental to any business or company. By preparing for and determining your company’s riskiest situations, risk aversion, risk avoidance, and risk acceptance, your people and teams will be able to make Risk a manageable variable in your business decision process.
By Ken Gavranovic & Alan Surrel (former CTO First Data)