
Identify Risk

by msecadm4921

Every business faces risk, writes Nick Harmer, vice president of channel and sales development Europe, The Neverfail Group.

Even though risks may be vastly different from company to company, they must be continually identified, assessed and responded to for a company to remain viable. Risk management is about finding cost effective ways to minimise or mitigate threats as well as the risk associated with each.

There are many types of risk that a business can encounter, but arguably one of the most important to consider is intangible risk. Intangible risk is defined as a risk that has a 100 percent probability of occurring but is ignored by the organisation because it cannot be identified. These risks reduce the productivity of workers, decrease cost effectiveness, profitability, service, quality, reputation, brand value and earnings.

Intangible risk often occurs in the technology arena where indefinite amounts of valuable data are kept in applications and databases. With so many processes supported by technology it is often very difficult for an organisation to identify the risk associated with threats to their technical infrastructure. This has caused businesses worldwide to place more emphasis on how they manage risk associated with their infrastructure, applications and data.

Security software was once thought of as "nice to have." At that time, the internet was not very widely used, computers were not seen as the lifeblood of a business, and computer security breaches were not forceful enough to stop operations.

Today, the internet and e-business models have redefined the way business is transacted. Even the most viable brick and mortar companies have adopted technology or seen their market share diminish. Email has marginalised the handwritten letter, the fax and the 10-minute phone call in one fell swoop, and applications are not only accessed by internal users, but by customers, partners and every part of a business's supply chain.

Today, security breaches often not only stop operations, but also can close down an entire business. In a 24/7/365 world, not meeting the needs of on-demand customers means those customers are only a mouse click away from the competition. Not having security technology in place also means the fiduciary responsibilities of the company are not effectively being addressed and the company is not managing its risk. Security technology is now a must-have.

Yet, planning, execution and managing alone are not enough. Even with the best security technology in place, companies cannot completely avoid or mitigate risk. There are too many limitations including knowledge, cost, time, people and even technology. Security breaches will still occur and all organisations have to accept some level of risk.

Recent studies have found that the level of risk an organisation has to accept can be greatly reduced by focusing on business continuity. At the front end, security technology provides a proactive response to identify and analyse emails, documents and other web-based messages. However, the realisation of a threat is not the only impact of risk. One of the greatest impacts of a realised threat is downtime. Since no security system is 100 per cent safe, organisations must have a cost-effective response strategy in place to address downtime and continue operations as efficiently and effectively as possible when a breach does occur. Without continuity, businesses do not have an effective response to downtime. Staff is scrambling to recover as fast as possible, realising every second that goes by means an increase in the overall negative impact. To manage risk effectively, companies must address both security and continuity.

A comprehensive and successful business continuity plan includes data, applications, people and processes. The basis of a business continuity plan is a company’s data – a primary asset of any organisation. Data is a company’s historical efforts: it is every business transaction, confidential material, financial information and many other forms of vital company communication. However, data alone is not sufficient to continue operations in the event of disaster or planned or unplanned downtime. To be considered information, data must be accessible, usable and analysed through applications which transform the data from a line of 1s and 0s into usable information. Applications need to be available and people need to have access to them for this transformation to be possible.

People are needed to utilise information and form the third part of our business continuity plan. If people do not have access to the applications and data, whether due to data loss, application downtime, failure, or lack of infrastructure, operations cannot continue. This also assumes the processes and technology are in place to enable these things to occur.

Companies must identify the processes in their business that are exposed to the most risk, and develop a plan to protect the data, applications and people associated with those processes.

Traditional risk management calls for a prioritisation of risk sources, by degree of probability and loss, with the highest risk items being dealt with first. The same process applies to business continuity as part of a risk management plan. According to Introduction to Risk Management and Insurance by Mark Dorfman, risk can be classified into one of four categories:

Avoidance: Not performing activities that could carry risk

Reduction: Implementing methods that reduce the severity of the loss

Retention: Accepting the loss when it occurs

Transfer: Causing another party to accept the risk (such as insurance)

Technology that supports critical business processes is an intangible risk and is best not handled by avoidance or retention. While transfer is possible (insurance, outsourcing, hosting), it does not lessen the chances a loss might occur and the company may experience downtime. The only viable option for managing risk associated with technology is reduction.

Although security software can be implemented to reduce the frequency of a loss, it does not address the severity. Business continuity applications address both the frequency and impact of such occurrences. Having data protected by replication or backup reduces the negative ramifications of data loss, as does having a process in place to allow people to access the applications necessary to continue working. The primary function therefore is the ability to bring together both data and people. This is done through applications.

Applications transform data into information and allow users to utilise that information to perform their job. Not only do applications need to be highly available regardless of the cause of downtime, but users must have continual access to those applications with minimal to no disruption. This level of user continuity leads to increased business continuity, which coupled with security, gives an organisation a dramatically increased response to risk management.

Expo show

The Neverfail Group are exhibiting at the Business Continuity Expo and Conference at EXCEL Docklands on 28 and 29 March, covering risk, resilience and recovery. For further information:
