With all the attention at the moment on the latest ransomware attacks, IT risk management is a timely topic. Having a risk management system in place puts your organisation on the front foot when dealing with any risk event, but especially major events. And getting a basic risk management system in place need not be a mammoth undertaking. Common sense needs to prevail. Start small, embed the practices in your day-to-day operations and only then take risk management to the level that is necessary for your business. The best advice is: don’t try to shoehorn a large risk management system into a small-to-medium business, because the governance will simply slow down your IT delivery.
Where do you start?
Before you purchase expensive software tools and bring in equally expensive risk consultants to bolt an enterprise-grade risk management framework onto your business, I would advise that you put the simple things in place. More importantly, start to understand the basics of risk management.
Effective risk management consists of 7 cyclic elements or processes:
Identify Risk items
Avoid bad Risk where possible
Develop Risk where there is opportunity
Reduce Risk if unavoidable
Shift Risk that cannot be reduced
Accept Risk that remains
Continuously Improve Risk items over time
The key to making this work is to rinse and repeat the process regularly.
Putting this into practice can be quite an undertaking if you let it. If you do not have the time and resources, then some simple advice:
Start with basic risk analysis and develop it over time. Risk management theory can become complex quickly, so start simple and evolve.
Start with one department and expand into all departments in due course.
Start with the IT department. The work you do here will cut across your entire business and IT is most likely the area with most risk. You will get the most value.
Taking the first steps will be the hardest of steps. A small yet effective risk management framework would be the introduction of 2 things to your business:
A risk register – this can be a simple spreadsheet. A working document that records your risk items (Identify) and the risk responses (Avoid, Develop, Reduce, Shift, Accept).
Regular meetings with the senior management to review the risk register, the progress of action items and discuss any new risk items (Improve).
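To make the spreadsheet idea concrete, here is an added example (not from the original article) of a minimal risk register in Python. It assumes a CSV export of the spreadsheet, a likelihood and impact each scored 1 to 5 (a common convention the article does not prescribe), the five responses the article names, and a due date per action item so the regular management review can see what has slipped. The sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# The five risk responses named in the article.
RESPONSES = ("Avoid", "Develop", "Reduce", "Shift", "Accept")


@dataclass
class RiskItem:
    ref: str
    description: str
    owner: str
    likelihood: int          # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int              # 1 (negligible) .. 5 (severe); assumed scale
    response: str            # one of RESPONSES
    action: str = ""         # agreed action item, empty if none
    due: Optional[date] = None
    closed: bool = False

    def __post_init__(self) -> None:
        # Reject rows that do not use one of the agreed responses or scales,
        # so a typo in the spreadsheet is caught when it is loaded.
        if self.response not in RESPONSES:
            raise ValueError(f"{self.ref}: unknown response {self.response!r}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.ref}: likelihood and impact must be 1..5")

    @property
    def score(self) -> int:
        """Likelihood x impact, used only to rank items for the review."""
        return self.likelihood * self.impact


def load_register(csv_text: str) -> List[RiskItem]:
    """Parse a CSV export of the register spreadsheet into RiskItem objects."""
    items = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        items.append(RiskItem(
            ref=row["ref"],
            description=row["description"],
            owner=row["owner"],
            likelihood=int(row["likelihood"]),
            impact=int(row["impact"]),
            response=row["response"],
            action=row["action"],
            due=date.fromisoformat(row["due"]) if row["due"] else None,
            closed=row["closed"].strip().lower() == "yes",
        ))
    return items


def open_items(register: List[RiskItem]) -> List[RiskItem]:
    """Open items, highest score first, so the meeting starts with the worst."""
    return sorted((r for r in register if not r.closed),
                  key=lambda r: (-r.score, r.ref))


def overdue_actions(register: List[RiskItem], today: date) -> List[RiskItem]:
    """Action items whose due date has passed, oldest first."""
    return sorted((r for r in register
                   if r.action and not r.closed and r.due and r.due < today),
                  key=lambda r: r.due)


def review_summary(register: List[RiskItem], today: date) -> dict:
    """The headline numbers for the regular senior-management review."""
    live = open_items(register)
    return {
        "open": len(live),
        "by_response": dict(Counter(r.response for r in live)),
        "top_risk": live[0].ref if live else None,
        "overdue": [r.ref for r in overdue_actions(register, today)],
    }


# Constructed sample register; the rows are illustrative, not real data.
SAMPLE_CSV = """ref,description,owner,likelihood,impact,response,action,due,closed
R1,Ransomware encrypts file servers,IT Manager,4,5,Reduce,Offline backups tested monthly,2024-02-15,no
R2,Only one admin knows the directory setup,IT Manager,3,4,Reduce,Document and cross-train,2024-01-31,no
R3,Office move delayed by supplier,Ops,2,2,Accept,,,no
R4,Legacy app vendor ceases support,IT Manager,3,3,Shift,Move to supported SaaS contract,2024-06-30,no
R5,Cloud migration could cut hosting cost,CTO,3,2,Develop,Pilot with non-critical workload,2024-03-31,no
"""
SAMPLE_REVIEW_DATE = date(2024, 3, 1)  # constructed date of the review meeting

if __name__ == "__main__":
    register = load_register(SAMPLE_CSV)
    for item in open_items(register):
        print(f"{item.ref} score={item.score:2d} {item.response:8s} {item.description}")
    print(review_summary(register, SAMPLE_REVIEW_DATE))
```

The scoring is deliberately crude; the point is that the register forces every item to carry an owner, an explicit response and an action with a date, which is what the review meeting then tracks.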
Going through the process of identifying your risks, through the creation of a risk register, is an enlightening exercise in itself. The contrast of the perceived risk when compared to the documented risk is usually stark.
Any way you look at it, risk management has real value for any business, large and small, including: