Risk is a part of life. You can’t avoid it, but if you’re smart, you’ll plan for it and develop strategies to reduce the amount of risk you are facing to a manageable amount. Risk management is the process of identifying, assessing and controlling threats. Threats and risks are not interchangeable terms. A threat is anything that can exploit a vulnerability. A risk is the potential loss or damage to assets resulting from a threat exploiting a vulnerability. In other words, Risk = Threat x Vulnerability. Threats could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic errors, accidents and natural disasters.
As a real-world example, influenza spreads from person to person. There’s a high probability you will encounter someone with influenza at some point during the flu season, and then there’s the added risk that you might spread it to your colleagues. The most obvious consequence is that you could be bedridden for days. Other consequences could be cancelled meetings, missed deadlines, and delayed projects.
Inaction would simply be risk acceptance. Risk avoidance might be working from home. Risk mitigation could be proactive approaches to risk, such as getting a flu shot or consistently washing your hands. How each person decides to handle risk depends on how they factor the probability and consequences of each risk. That’s the same methodology to employ when considering IT risk management.
Identifying, evaluating and understanding risk is a very important aspect of risk management. It sounds negative, but it’s not. It’s preventative. Issues and threats will inevitably come up, and you need a strategy in place to know how to manage those risks.
When it comes to certain risks in the workplace, many choose to turn a blind eye to the risk because addressing it will cost extra time and resources that they simply may not have. That’s especially true in IT. IT Departments are incredibly busy because they touch most, if not all, aspects of the business. Some managers and co-workers might stand around saying things like, “that might eventually be a problem and needs to be fixed,” and very few will have the wherewithal to act. There’s an equation for this:
Risk + Planning – Fear = Potential for Action
This formula assumes that the employees understand at least some of the risk. When the potential for action is less than or equal to zero, nothing will happen; action will stay at a standstill. As risk increases and fear decreases, the potential for action becomes greater. Planning can be a powerful offset for fear and can greatly increase the potential for action.
But even if the potential for action is positive, things still might not change. There are many variables not included here (such as resources, motivation, change management, leadership, etc.). However, if we can start to understand that the potential for action can be increased, then maybe we can plan and educate in a manner that both minimizes fear and helps employees get on board with an improvement plan.
The world of IT has changed. It used to be a “do it yourself” technology world with many IT Departments forging ahead on new fronts and making discoveries. The world of technology is bigger than any one department. The threats are increasing. Don’t allow yourself to get sucked into the notion that “I can do it by myself.” When was the last time you heard about someone stopping threats on a consistent and regular basis and doing it single-handedly? This is a collaborative world and team-driven dynamics have been proven repeatedly to make the improvements that the next generation of IT will require. There are numerous books that speak well to this point:
- SCRUM by Jeff Sutherland
- The Phoenix Project by Gene Kim
- Meltdown by Chris Clearfield and András Tilcsik
- Red Team by Micah Zenko
Do you have questions about risk management? Are you looking for guidance on creating a risk management strategy? Speak with one of our experts today.