By Mark Kirstein, GMI Advisory Services

A “business-centric risk assessment” starts by identifying 3-4 critical functions and processes that drive your business. Functions such as the following:

·        How you generate new clients

·        How you service your clients

·        How you pay employees and suppliers

Map these out in a flow diagram identifying the people, process, and technology behind each priority function. Then move into a Business Impact Assessment to quantify what would happen if these priority functions were disrupted. Consider the impact of exposing confidential information, or if the function simply wasn’t available for 2 hours, 2 days or more. Consider if the data associated with these functions was corrupted and unreliable.

How much would the downtime cost you in lost productivity? Would you lose revenue, or clients? What would the impact be on your brand and reputation if you had to notify each of your clients that their data was compromised and exposed? How long could your operations be down before the viability of the business was at risk? Quantify each of these impacts in dollars and time.

The combination of your risk assessment and business impact assessment establishes your priorities. But there’s one more vital question we need to ask before we move to the next step. What is your risk tolerance? This will vary based on both the scale of your business as well as you and your stakeholder’s personal perspectives. Start by quantifying what a material risk is for you. What cost in dollars would be catastrophic, threatening the business’s very existence? One hundred thousand? One million? Ten million? These are your critical risks. Now step down to bracket the costs associated with high, medium and low risk. 

Let’s step back to the business-centric risk assessment. With the flow diagram that identifies the people, process, and technology for each critical business function, the next step is to identify the associated vulnerabilities. This is where we cross-over from the business perspective into process and technology. If you’re not technical, you may want to seek outside assistance. Identify the specific software and technology that enables each function and identify the potential threats that could compromise these systems. Similarly, consider how your people and processes may be exploited. Now we’re prepared to identify which security controls could be put in place to reduce your risk to acceptable levels. 

When we identify the cost associated with each control, we can align the costs with our prioritization and risk tolerance to make deliberate risk decisions. Which risks am I prepared to accept? Which risks can I avoid or create compensating controls? What level of risk transfer (cyber insurance) do I need?  Now you’re ready to implement an information security program.

The business-centric risk assessment approach is not exclusive. You’ll find many different approaches, with the most notable ones based on evaluating your business and IT infrastructure relative to an industry-standard set of security controls. For the foundational controls (firewalls, anti-virus, passwords, etc.) this a sound approach and is typically required when you’re seeking a compliance program such as SOC 2 or ISO 27001. However, these control-centric risk assessments start with a technology focus that lacks prioritization based on your business dynamics. In addition to controls that may orient to lower priority risks, some unidentified software or system that supports a critical business function may get overlooked. 

Ultimately, your priority is to make sound business decisions about how to grow your business and protect your stakeholders. The business success is your priority, not the underlying technology that enables it. Your business-centric risk assessment will enable risk-based decisions based on deliberate priorities and considerations for return on investment and risk tolerance.