IT World Canada

Building a basic risk program? Remember these 4 steps


Businesses can generally list their most common risks, but very few have taken the time to analyze how the top five or ten truly impact them. Knowing that a single event could cripple you, isn’t it time you took a few hours out of your day to see how to keep your business safe?

What kind of risks are we talking about here? Anything from pandemics to ransomware to labour strikes to a ship blocking the Suez Canal (who would have considered that last one?). This blog is aimed at small to medium businesses that want to implement a simple risk program.

Let’s start with a fictional business to review. You sell products online; the products are manufactured overseas, and you package and ship them to your customers from your local warehouse. You can complete this simple four-step process in a few hours to create your basic risk program.

Step One

Set up a 30-minute meeting with your executive team and think of the top ten risks that your company might encounter. Consider the likelihood and frequency of each one and its potential to damage the business. For simplicity, here are the top five we’ve chosen:

Step one is complete; now we need to understand those risks.

Step Two

To complete this step, you’ll want to assign a score (High, Moderate, Low, N/A, etc.) for each of the following categories: Frequency, Functional Impact, Informational Impact, and Recoverability.

Let’s take the “Loss of local warehouse” and fill in the scores:

| Frequency | Functional Impact | Informational Impact | Recoverability |
|-----------|-------------------|----------------------|----------------|
| Low       | High              | Moderate             | High           |

Repeat this process for all of your identified risks.

Step Three

Now that we know the impact, we need to deal with this risk. There are four options available for any type of risk. Let’s continue using the “Loss of local warehouse” example to explain each of them:

The key here is to figure out what the cost of this event might be and then weigh that against the options you’ve outlined. If a warehouse loss would cost you $50k per day, then insurance at $5k a year might well be worthwhile. If you feel the risk is large enough, you might take a blended approach to the problem and apply some or all of the options above.

Step Four

Now that you have identified and classified your risks and determined your approach to each, you need to document and maintain your list. To complete this last step, create a policy, keep it updated, and make sure everyone knows about it. You want to review it at least annually, but ideally any time the business has material changes. For example, if you’ve decided to switch to direct shipping, your local warehouse may no longer be as important.

That’s it: you’ve completed your first risk analysis, and you now know what measures you need to take to protect your business from these threats. Remember to actually put your plans into action; if you only talk about what you’re going to do, it’s not going to make you any safer.

Bringing in a virtual CISO / CIO can help you determine what your largest risks are and lower your overall risk profile. As the old saying goes, an ounce of prevention is worth a pound of cure.
