Businesses can generally list their most common risks, but very few have taken the time to analyze how the top five or ten truly impact them. Knowing that a single event could cripple you, isn’t it time you took a few hours out of your day to see how to keep your business safe?
What kind of risks are we talking about here? Anything from pandemics to ransomware to labour strikes to blocking the Suez Canal (who would have considered that last one?). This blog is targeted towards small to medium businesses to implement a simple risk program.
Let’s start with a fictional business for us to review. You sell products online; these products are manufactured overseas and you package and ship the products to your customers at your local warehouse. You can complete this simple four-step process in a few hours to create your basic risk program.
Set up a 30-minute meeting with your executive team and think of the top ten risks that your company might encounter. Consider the likelihood, frequency, or potential to damage the business. For simplicity, let’s list our top five we’ve chosen:
- Ransomware – encrypting of some or all of our systems
- E-commerce site failure – denial of service, hijack, attacks etc.
- Loss of manufacturing facility/vendor
- Loss of critical staff member
- Loss of local warehouse
Step one complete, now we need to understand those risks.
In order to complete this step, you’ll want to “score” (High, Moderate, Low, N/A etc.) for the following categories:
- Frequency – how often might this event occur?
- Functional impact – how badly would my company be impacted by this type of event?
- Information impact – what type of data might leak as a result of this attack?
- Recoverability – how hard is it for me to recover in the event of this type of attack?
Let’s take the “Loss of local warehouse” and fill in the scores:
|Frequency||Functional Impact||Informational Impact||Recoverability|
Repeat this process for all of your identified risks.
Now that we know the impact, we need to deal with this risk. There are four options available for any type of risk. Let’s continue using the “Loss of local warehouse” example to explain each of them:
- It’s not every day that you lose a warehouse location. Since it’s a low-frequency event, we might accept this risk. In which case, no further action is required unless circumstances change the risk level. For example, the warehouse beside you has decided to store fireworks. That significantly changes the risk level and might have a high probability of fire.
- We feel like we don’t want to take on this risk so we’ve decided to buy insurance to cover any potential business interruption and pay someone else to take the risk.
- We’ve decided to install fire suppression systems in the warehouse and not allow any combustible materials to enter the facility. You have mitigated the risk by putting further protections in place.
- We’re adding a second warehouse and will distribute our load between the two sites so that if one should go down, the other can take over. This option generally comes at a higher cost.
The key here is to figure out what the cost of this event might be and then weigh that against the options you’ve outlined. Perhaps a warehouse loss costs you $50k per day, well then insurance for $5k a year might be worthwhile. If you feel the risk is large enough, you might take a blended approach to the problem and apply some or all of the options above.
Now that you have identified, classified, and determined your approach, you need to document and maintain your list. To complete this last step, create a policy, keep it updated, and make sure everyone knows about it. You want to review this at least annually but ideally any time the business has material changes. A good example might be if you’ve decided to switch to direct shipping, now your local warehouse may not be as important.
That’s it, you’ve completed your first risk analysis and you now know what measures you need to take to protect your business from these threats. Remember to actually put your plans into action, if you only talk about what you’re going to do, it’s not going to make you any safer.
Bringing in a virtual CISO / CIO can help you determine what your largest risks are and lower your overall risk profile. As the old saying goes, an ounce of prevention is worth a pound of cure.