No longer is IT simply something that makes life easier for all. II underpins the functioning of almost every sector of the economy and is integral to our professional and personal lives. IT is big business and as such you need to know how to mitigate any IT risks involved. In a nutshell, this is what you need to know and do for IT risk mitigation.
What is Risk?
As a child, you might have associated risk with grazing a knee when falling off your bicycle. When you were a teenager, the magnitude of risk becomes greater – being grounded for not doing your homework, for instance. As an adult, risk comes at us from all directions – the risk of becoming unemployed or the risk of an investment failing. What about the risk of losing all your precious data? The data on your phone and the data on your IT infrastructure at work.
All these things are risks and uncertainties. But the risk does not equate to uncertainty. An uncertainty, such as tomorrow’s weather, isn’t a risk. Uncertainty is a broad category, or which risk is a subset. In essence, risk in business can be seen as:
“an uncertain or unexpected event that prevents or hinders the achievement of business objectives”
Risk Management
Effective risk management finds a balance between threat and opportunity. Put simply, it optimizes achievement with minimal threat and maximum opportunity. Minimizing threat or reducing risk can be done through risk acceptance, avoidance, transference or migration. Which practice is most proactive? Risk mitigation speaks for itself. Unlike risk acceptance, with its low cost but low return, risk mitigation has a medium cost but will give you the best ROI or achievement.
Risk Mitigation Plan
A sound risk mitigation plan follows three straightforward steps:
- identify the risk
- evaluate the risk
- treat the risk
Identification
You will need to analyse and deliberate any risks that will negatively impact on your business, your IT or a project. A tried-and-tested means of identification is to use the task-risk approach. This means what risks are associated with a particular task. Look at these examples:
| Task | Risk |
| Employing an experienced salesperson | The candidate is too expensiveUnable to find the right person |
| Taking a client out for dinner on the spur of the moment | Restaurants are all fully booked the client has a special dietary need |
| Preventing a ransomware attack | Employees download attachments from suspicious emails employees use weak passwords |
| Regularly backing up business data | Employee negligence External drives used for backups get corrupted |
You can use this task-risk approach to decide which risks are the most threatening and have the highest priority. Clearly, this method will not disclose any unknown risks.
Evaluation
Risk evaluation has two components:
- risk probability
- risk impact
These two components essentially speak for themselves – how likely is the risk and how much damage will it cause. Think about employees downloading dangerous email attachments. If your staff are well-trained in cybersecurity, what is the probability of this happening? If someone does open an email attachment, how secure are your systems in preventing a malware attack?
You can identify critical risks using this matrix:
| High Risk x High Impact | High Risk x Low Impact |
| Low Risk x High Impact | Low Risk x Low Impact |
Treatment
After an appropriate evaluation, you can apply the best risk migration strategy using one of the four risk management principles:
- accept – low cost and low return
- avoid – high cost and high return
- transfer – average cost and high return
- mitigate – low cost and high return
Put simply, if the risk has a low probability and a low impact, you might consider accepting it as the financial ramifications will be negligible. If the risk is highly likely with a high impact, you would be wise to avoid the risk at all costs.
If the risk is high impact but with a low probability, risk mitigation would be an option. Risk mitigation gives you the ability to manage a situation of low risk but with damaging consequences and not spend too much money.
Risk Mitigation and Data Protection
Now let’s return to risk mitigation in the world of IT. As mentioned earlier, business today is IT-dependent and data is the oil of that dependence. Consequently, data loss is a risk that cannot be ignored. In other words, you must manage the risk of data loss, as any loss will cost you time and money. This is where IT risk mitigation comes into play.
You can apply IT risk mitigation to the type of data backup that you use.
| Type of Backup | Downtime | Risk Management | Cost |
| Continuous | Zhero | Avoidance and Mitigation | High |
| Hourly | 1 hour | Mitigation | Moderate |
| Daily | Up to 8 hours | Mitigation | Low |
| Weekly | 12 hours with 5 days data loss | Acceptance | Low |
Your type of backup will depend on how critical your data is, how much downtime you can afford, and how much money you have in the budget. A bank, for example, that cannot afford to be offline and that has a lot of money, will pot for continuous backup. A small operation such as a family-owned restaurant, for which data isn’t critical, may backup weekly and use manual processes.
Probably the most cost-effective is an hourly semi-automated backup which mitigates the risk but doesn’t cost a fortune. That’s IT risk mitigation for you.
