Wondering how to manage risk in your business? Keeping track of your risks helps you keep them in check and keep your business up and running. When you're constantly reacting to things you don't expect, it's hard to feel stable and protected. Proactively managing your risk can take you a long way toward protecting the future of your company.
Here at Kalki, we work with clients to create a strategy customized to their business needs, but we always start from the basics. We use the design in this infographic as our "jumping-off point" for a Risk Management blueprint. Some of the questions you need to answer to make this design unique to your business are:
1. How often should you be adjusting and updating your strategy?
Does your business leadership conduct annual or semi-annual strategy meetings? Risk should be discussed as part of any good strategy discussion. A good rule of thumb is to address the company's approach to and appetite for risk at least as often as you reassess your business strategy as a whole.
2. How do I determine the IMPACT of risks to my business?
Impact is all about the dollar signs. It should be a realistic estimate of the financial impact an event would have on your business. Remember, though, that impact must be coupled with likelihood to mean very much in the evaluation of a risk. Let's run through an example: say the risk we are considering is a breach. These are the steps you'd take to estimate its impact.
Step 1: Determine the potential financial impact of a breach. Start by figuring out the number of records your business holds on its customers that include any PII. The average cost of a breach is $145 per record according to studies by the Ponemon Institute. This figure includes fines, the cost of providing credit monitoring for victims and the cost of investigating the incident. Now take the number of records you hold and multiply by $145 to find the potential cost of a breach.
Step 2: Determine additional impacts. Might a breach affect your company's reputation? Do you think it would cause customers to leave? The answers to these questions will depend significantly on the type of business you have. Venture a realistic estimate of the percentage of customers you may lose and determine what that means to your bottom line.
Step 3: Determine the likelihood of such an event. We all remember the Y2K craze that resulted in stockpiling and even, in some cases, the building of bomb shelters. We don't want to tell you to go crazy worrying about every potential risk in the world; what we do want is for you to include the likelihood of an event in your assessments of risk. Does your company operate 100% offline with no connections to the outside world? Then a breach may be somewhat less likely for your business than for one that needs to be connected 24/7.
3. How should I track all these risks?
We are giving you a ton of things to think about here; but how should you keep track of risks over time, especially if we are telling you to monitor them regularly? Your business should create and maintain a Risk Register that tracks all the risks that have been identified and provides a very easy way to stay on top of the impacts and likelihoods of those risks. And, since you asked so nicely, we have a very easy-to-use and customizable (not to mention totally free) Risk Register template just for you! Just download it and start populating it right away.
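As an added example (not Kalki's template or code), here is a minimal Risk Register in Python that applies Steps 1 to 3 above: the breach impact from the PII record count at the page's $145 per record, the customer-loss estimate from Step 2, and a likelihood that turns impact into an expected annual loss so entries can be ranked. All register figures below are constructed sample values.

```python
from dataclasses import dataclass

# Per-record breach cost cited on the page (Ponemon Institute figure, USD).
COST_PER_RECORD = 145.0


@dataclass
class Risk:
    name: str
    likelihood: float               # chance the event occurs in a year, 0..1
    direct_cost: float = 0.0        # Step 1: e.g. PII records * COST_PER_RECORD
    reputational_cost: float = 0.0  # Step 2: revenue lost to departing customers

    def __post_init__(self) -> None:
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError("likelihood must be a fraction between 0 and 1")

    @property
    def impact(self) -> float:
        return self.direct_cost + self.reputational_cost

    @property
    def expected_loss(self) -> float:
        # Step 3: impact only means something once coupled with likelihood.
        return self.impact * self.likelihood


def breach_impact(pii_records: int, annual_revenue: float, churn_pct: float) -> tuple[float, float]:
    """Steps 1 and 2 for a breach: direct per-record cost plus lost revenue."""
    if not 0.0 <= churn_pct <= 1.0:
        raise ValueError("churn_pct must be a fraction between 0 and 1")
    direct = pii_records * COST_PER_RECORD
    reputational = annual_revenue * churn_pct
    return direct, reputational


def rank_register(register: list[Risk]) -> list[Risk]:
    """Order the register so the largest expected annual loss comes first."""
    return sorted(register, key=lambda r: r.expected_loss, reverse=True)


def build_sample_register() -> list[Risk]:
    # Constructed sample values, not real client figures.
    direct, reputational = breach_impact(pii_records=20_000, annual_revenue=5_000_000, churn_pct=0.05)
    return rank_register([
        Risk("Customer PII breach", likelihood=0.10, direct_cost=direct, reputational_cost=reputational),
        Risk("Office flood", likelihood=0.02, direct_cost=250_000),
        Risk("Key vendor outage", likelihood=0.30, direct_cost=40_000),
    ])
```

Re-running `build_sample_register()` after each review cycle with updated likelihoods is the "monitor and review" loop from question 4 in miniature.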
4. How often should I be monitoring and reviewing risks?
Here's where you decide how often you'll be checking in on all those items in the Risk Register, monitoring your environment and re-assessing risks. This process serves two purposes: it helps you stay on top of risks that have already been identified (and adjust strategy as necessary), and it provides a means to identify risks you haven't thought of yet. Here are our recommendations for how often, at minimum, you should monitor and review.
- 3rd Party High-level Risk Assessment
- Security Policy Review
- Penetration testing
- Vulnerability and configuration assessments
- Personnel security awareness testing
- Security assessments of 3rd parties
- Full review of Risk Register
- System checks
- Review of security logs and events on all systems
- Add any newly-identified risks to the Risk Register