Responding to risk

How are you responding to your risks today?

There are four acceptable responses (and one unacceptable one) to business risks, cybersecurity included. So, what are they?

  1. Mitigation - This is overly simplified, but if a safeguard costs LESS than the loss you would expect from a risk (its likelihood multiplied by its impact), then it may make financial sense to go ahead and implement that safeguard. For example, if the lock on the front door of a house breaks, it is probably cheaper to replace the lock than to suffer a burglary.

  2. Acceptance - Keeping it simple again, if a safeguard costs MORE than the loss you would expect if the risk eventuated (including fines, reputational damage and so on), then it may make financial sense simply to accept the risk. In the above scenario, the house may be empty, in which case it may be justifiable to leave the lock broken, accepting that the house may be burgled. Acceptance should be a documented decision made by someone with the authority to make it, and revisited when the exposure changes (for example, when the house is no longer empty).

  3. Transference - If there is a cost-effective way to transfer the risk to someone else, such as an insurer, then this may be the most sensible approach. Insurers will want to know what protections already exist around the assets they are covering (for example, whether any locks are faulty), and weak protections may mean larger premiums or exclusions. Bear in mind that only the financial loss is transferred: the obligation to protect the asset, and any reputational or regulatory consequences, stay with you.

  4. Avoidance - If every other option is cost-prohibitive, then avoiding (which is different from ignoring) the cause of the risk altogether may be the most appropriate response. In our example, avoiding the risk may mean selling or demolishing the house, so that the risk no longer exists. In technology terms, that might mean not collecting a particular category of data, or decommissioning a system rather than continuing to defend it. Drastic, but effective!

  5. Ignorance - The "head in the sand" approach. It is not an acceptable risk response, yet sadly it is very common, and it is the one most likely to get businesses into trouble. Courts, whether legal or just the court of public opinion, will generally not look favourably upon organisations that suffered a loss but didn't exercise due diligence in assessing and reducing their risk profiles. Taking the ignorance approach to risks ("it will never happen to us" or "I don't even want to think about what the risks may be") can be perceived as negligence.

So, a quick health check:

  1. Has your organisation identified its key risks across all areas of the business?

  2. Do you know where your biggest exposures are?

  3. What would your losses be if they eventuated?

  4. Do you know the likelihood of each risk you face?

  5. Which response are you applying to each risk?

If you're unsure where your technology and cybersecurity risks stand, or you're looking at a risk mitigation proposal with astronomical figures that you don't feel are justified, then reach out to us! We'd love to help you.
