By Graeme Zwart, Head of Security
Time, budget and resource are finite for every organisation. So, spending your way out of a situation is often not an option. It’s a case of doing more with less, and working efficiently and effectively. On that basis, here are our top tips for conducting a risk assessment.
Determine your objectives
What are your business objectives? And how certain are you that you’ll achieve them? The effect of uncertainty on objectives can be termed risks. Remember that an effect may be positive, negative or a deviation from the expected. Either way, you’ll need to be clear on your objectives before you can identify the risks you face.
Identifying your risks is critical. If a risk remains unidentified, there is no opportunity to do anything to prevent or mitigate it.
With specific reference to data security risks, auditing all the places you hold data is an important step. This could be customer data, sensitive customer data (e.g. account numbers, expiration dates and 3-digit security codes from payment cards), staff or payroll data, strategic marketing plans and so on.
A more general risk assessment should consider all categories of risk, for example strategic, financial, operational and third-party risks. Consult widely across your business to get the full picture, and record the risks for the next stage.
Analyse and evaluate
Not all risks are equal. After identifying and recording your risks, assess their likelihood and impact. This will help you prioritise risks by significance, and decide how budget and resource are allocated to mitigate them.
It’s important to consider the potential causes of risks, any control measures that act to prevent them, the potential consequences of the risk, and any control measures to mitigate them. Likelihood and impact measurement scales are helpful here.
So is risk appetite. This is the amount and type of risk your organisation is willing to seek, accept and hold in pursuit of your objectives. It’s a question of balance. Taking on too little risk could be as detrimental as taking on too much.
There are always several options for managing risk. A common way is with the 4 Ts of risk management: terminate, tolerate, treat and transfer. This could be the subject of several blogs in itself, but in summary:
- Terminate — sometimes a risk is assessed as having such a severe impact on your business that you have to stop (i.e. terminate) the activity causing it.
- Tolerate — sometimes it’s okay to do nothing. The likelihood and impact of the risk is low, so you log and monitor the risk as an informed choice.
- Treat — consider the policies and controls already in place to manage the risk and update them as appropriate.
- Transfer — insurance isn’t available for everything, and while it’s sometimes possible to transfer the activity to a third party, you still retain the liability if things go wrong.
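The analyse-and-evaluate step and the 4 Ts above are easier to apply consistently when the register is kept in a structured form. The following is an added illustration, not a tool from the author or their organisation: it scores each risk as likelihood × impact on constructed 1–5 scales, ranks the register, flags what sits above a risk appetite threshold, and suggests a first-pass response. The scales, the appetite value, the response thresholds and the four sample risks are all assumptions made for the example; a real register would tune them to the business and leave the final Terminate/Tolerate/Treat/Transfer decision to the risk owner.

```python
"""Constructed risk register with likelihood/impact scoring (added example)."""
from dataclasses import dataclass, field
from typing import List

# Assumed 5-point measurement scales (the post recommends scales but fixes none).
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass
class Risk:
    ref: str
    description: str
    category: str            # strategic, financial, operational, third-party, data...
    likelihood: int          # 1..5 per LIKELIHOOD
    impact: int              # 1..5 per IMPACT
    existing_controls: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject scores outside the scale so a typo cannot silently inflate or hide a risk.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in range(1, 6):
                raise ValueError(f"{name} must be 1..5, got {value!r}")

    @property
    def score(self) -> int:
        """Simple likelihood x impact score, 1..25."""
        return self.likelihood * self.impact


def rank_register(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact so severe-impact risks surface first."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def beyond_appetite(register: List[Risk], appetite: int) -> List[str]:
    """Refs of risks whose score exceeds the stated appetite, highest first."""
    return [r.ref for r in rank_register(register) if r.score > appetite]


def suggest_response(risk: Risk, appetite: int) -> str:
    """First-pass mapping onto the 4 Ts. Thresholds are illustrative assumptions:
    within appetite -> tolerate (log and monitor);
    severe impact and likely or worse -> terminate the activity;
    anything else -> treat (or transfer, if a third party can take on the activity).
    """
    if risk.score <= appetite:
        return "tolerate"
    if risk.impact == 5 and risk.likelihood >= 4:
        return "terminate"
    return "treat/transfer"


def sample_register() -> List[Risk]:
    """Constructed sample data in the spirit of the data audit described in the post."""
    return [
        Risk("R1", "Full card numbers and CVVs stored in a shared spreadsheet",
             "data", likelihood=4, impact=5, existing_controls=["folder permissions"]),
        Risk("R2", "Payroll export left on an unrestricted network drive",
             "data", likelihood=3, impact=4, existing_controls=["quarterly access review"]),
        Risk("R3", "Draft marketing plan circulated to a wide internal mailing list",
             "strategic", likelihood=2, impact=3),
        Risk("R4", "Key hosting supplier suffers a prolonged outage",
             "third-party", likelihood=3, impact=5, existing_controls=["SLA with credits"]),
    ]


if __name__ == "__main__":
    APPETITE = 6  # assumed appetite: scores of 6 or below may be tolerated
    for r in rank_register(sample_register()):
        print(f"{r.ref} score={r.score:2d} ({LIKELIHOOD[r.likelihood]}/{IMPACT[r.impact]}) "
              f"-> {suggest_response(r, APPETITE)}: {r.description}")
```

Running the module prints the register ranked by score with a suggested response beside each entry; the point is that every risk gets an explicit, comparable number and an owner-reviewable recommendation rather than a prose note that is filed and forgotten.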
The biggest mistake businesses make is to identify their risks, devise and record mitigation plans, and then file them away to gather dust. Risk, like risk management, is dynamic. As circumstances change inside or outside your business, ongoing monitoring and review is how you manage your exposure and make any adjustments necessary.
For a free consultation on your data security needs, e-mail email@example.com or complete your details on the contact form below.