You may recall that I wrote a piece back in September titled Identifying and Managing IT Risk. That article was well received and sparked some good discussion both here on the blog and amongst my clients. I also polled readers and found that 10% of them had a risk strategy for IT in their organizations, while another 10% had the strategy and were in the process of implementing. Even more encouraging was 30% of respondents who were in the process of developing a strategy now. One of the key points of feedback I got from the 40% that were still in the strategic phase/just starting implementation, was how to get their arms around the long list of risks that had materialized. As I’d suggested pulling together a risk inventory, many of them had done similar exercises, but were now faced with the daunting task of figuring out “where to start”. Time, budget, and resources are all limited and not everything can be started at once. Through the strategic process people begin to ask “What steps do I take in mitigating identified IT risk?”
That’s a great question. It ensures you don’t just run off and start at the top of your list or worse, in some reactive fashion just focusing on the latest fire. In today’s blog post I will provide you with a way to take your identified risks and do some analysis on them.
I am going to use my favourite 2-by-2 matrices to perform two sets of analysis on a hypothetical risk list. Let’s say you’ve completed a thorough inventory of risks within your own organization and have generated the following list of risks.
1. Backup power not sufficient for long power outage
2. Data being copied onto USB sticks despite corporate policy
3. Security for server room doors
4. Data storage of backups not being done offsite
5. Lack of processes to audit IT usage of systems
6. Need for penetration testing for network
7. Redundant servers for email 2 years out of warranty; may fail
8. Laptops are not encrypted; risk of data being compromised if lost
This is a hypothetical list, and a short one at that (I’ve seen some lists that have 20-25 items on them). I’ve kept it short because it will suffice for illustrative purposes. When you look at the list it’s hard to know where to start. What’s most important? The first step is to establish a Risk Score. For each item you ask yourself two important questions: a) what is the likelihood that this risk will happen, and b) if it does happen, what is the impact to my organization? Score each of those questions on a scale of 1 to 10 where 1 is LOW and 10 is HIGH. Once you’ve done that, you can plot each risk on a 2×2 like the one I’ve embedded to the right. Immediately you can see in the top-right quadrant the risks that should be keeping you up at night! In non-technical terms, those are known as “scary risks”. Now you might be tempted to just run off and begin tackling those items, but don’t do that. Not yet. Now we need to do the second piece of analysis.
Remember that for each risk listed above we gave two scores: one for the likelihood of it happening and a second for the impact if it happened. Good, now add those two numbers together and divide by 2. Now you have your Combined Risk Score for each item. Next, for each risk ask yourself this question: “how complex will it be to address this risk?” In this question, complexity is a combination of how hard the work will be, how much time it will take, how much money it will take and how much change it might introduce to your organization. Come up with a score between 1 and 10 for this Complexity Score. When you’ve done that you can then plot each risk on a new 2×2 with the Combined Risk Score and the Complexity Score. This piece of analysis will now provide you a snapshot on a single slide that easily depicts where you should start. Risks that have a HIGH Combined Risk Score but a LOW Complexity Score are your low-hanging fruit. Typically, you should start there and develop the rest of your plan accordingly.
You can see that with only the first half of the analysis, you’d be faced with risks 2, 7 and 8 all having a serious impact and a high likelihood of occurring. What if you couldn’t do all of them though? Where would you start? By layering in the second piece of analysis, it becomes clearer that issues 2 and 8 are the easier ones to begin with in this example.
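To make the two passes concrete, here is an added Python example (not the author's code) that scores the eight risks above and produces both quadrant views plus a suggested order of attack. The likelihood, impact and complexity values are constructed assumptions chosen to reproduce the outcome described in the post, not scores from the original.

```python
from dataclasses import dataclass

HIGH = 5  # on the 1-10 scale, a score above 5 falls in the HIGH half of a 2x2


@dataclass(frozen=True)
class Risk:
    number: int
    description: str
    likelihood: int  # 1 = LOW .. 10 = HIGH
    impact: int      # 1 = LOW .. 10 = HIGH
    complexity: int  # effort, time, money and organizational change, 1..10

    def combined_score(self) -> float:
        # Combined Risk Score from the post: likelihood plus impact, divided by 2
        return (self.likelihood + self.impact) / 2


def scary_risks(risks):
    # First 2x2 (likelihood vs impact): the top-right quadrant
    return [r.number for r in risks if r.likelihood > HIGH and r.impact > HIGH]


def low_hanging_fruit(risks):
    # Second 2x2 (combined score vs complexity): HIGH risk, LOW complexity
    return [r.number for r in risks
            if r.combined_score() > HIGH and r.complexity <= HIGH]


def prioritize(risks):
    # Order of attack: quadrant of the second 2x2 first, then highest score first
    rank = {(True, True): 0, (True, False): 1, (False, True): 2, (False, False): 3}

    def key(r):
        return (rank[(r.combined_score() > HIGH, r.complexity <= HIGH)],
                -r.combined_score(), r.complexity)
    return [r.number for r in sorted(risks, key=key)]


# Constructed scores for the post's eight risks (assumptions, not the author's)
RISKS = [
    Risk(1, "Backup power not sufficient for long outage", 3, 7, 6),
    Risk(2, "Data copied onto USB sticks despite policy", 8, 8, 3),
    Risk(3, "Security for server room doors", 4, 6, 4),
    Risk(4, "Backups not stored offsite", 3, 9, 7),
    Risk(5, "No process to audit IT usage of systems", 5, 5, 6),
    Risk(6, "Network penetration testing needed", 4, 6, 5),
    Risk(7, "Redundant email servers out of warranty", 7, 8, 8),
    Risk(8, "Laptops not encrypted", 8, 9, 4),
]

if __name__ == "__main__":
    print("scary risks:", scary_risks(RISKS))             # [2, 7, 8]
    print("low-hanging fruit:", low_hanging_fruit(RISKS))  # [2, 8]
    print("suggested order:", prioritize(RISKS))           # [8, 2, 7, 4, 3, 6, 1, 5]
```

Ties within a quadrant are broken by the higher Combined Risk Score, then the lower Complexity Score, so the list reads top to bottom as the order in which to start.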
I hope that you found these two tools useful in prioritizing your own risks. If you are having trouble identifying or prioritizing risks, drop me a line. I’d be happy to chat and talk about possible ways forward.