Technology risks are becoming more prominent as our digital landscape grows. From disruption of processes to breaches of sensitive customer or employee data to coordinated denial-of-service attacks, the risk grows each year. Accordingly, McKinsey reports that cybersecurity alone can account for over 10% of total information-technology spending and is growing at three times the rate of the budget allocated to the technology being secured.
Traditional risk management is changing as well and moving toward risk analysis to provide the best solutions. Risk analysis identifies the situations that cause disruption to you or your customers.
“Traditional risk analysis fails to keep the customer in focus. More often than not, I review risk registers and business continuity plans that begin with items like ‘hurricane’ and ‘building fire’,” said Jason Sgro, security and compliance expert at The ATOM Group and strategic Axis partner. “Beginning your risk planning with those types of events prioritizes the company’s risk over the customers’ risk. A customer may rank a building being offline for a week during a hurricane as less risky than losing their data. The harm done by being offline, even for an extended period of time, is often less than data loss.”
So what constitutes risk analysis? According to Sgro, it can be as simple as three things:
- A risk register
- An executive summary
- Process documentation
It is also important to be honest about where your company stands when beginning your analysis. Don’t overcomplicate an already tough task by bringing too much complexity to the table in the initial stages. Then you are ready to build a team and begin moving forward with choosing a framework and establishing a risk register.
“When conducting a risk analysis, follow the fear of your customer,” said Sgro. “I recommend using a journey map technique where simple sticky notes can identify the path a customer takes using your product or service. Then add in the emotions, the risks, and the technological mitigations. More often than not a risk analysis produced by this method will yield many important risks that your previous risk registers missed.”
By using tools like a Risk Journey Map, you can walk through the user experience while noting risks. That ensures you keep the customer – internal or external – in focus. “The journey mapping technique shows that risk programs don’t have to be complex and cumbersome. They can start out as simple as a stack of sticky notes and an Excel worksheet,” added Sgro.
Risk analysis is also a way to ensure you are using your resources – physical and financial – in the most efficient way.
“Risk analysis should be used as a guide to show where effort and spending are best placed. We all have limited resources. If you keep the customer in focus when you think about risk, you’ll be spending your time and money on the types of mitigations that add value, drive sales and safeguard the brand against the most problematic events,” said Sgro.
For the last twenty years, Jason Sgro has been a servant of leadership, an expert generalist at the intersection of humanity and technology. Today, he assists the teams at ATOM in driving the company’s strategic initiatives, management consulting and security practices. He brings 20 years of experience as a practitioner, technical strategist, investor, and advisor to the Axis community and beyond.