Why Small Business Struggles with Risk Management
Small business owners across the country have heard the term “Risk Management”, but how many have adopted an overall strategy that limits their exposure to financial, reputational, operational, and information technology (IT) vulnerabilities? While the financial and reputational aspects may be high on the priority list, the operational and IT side is often overlooked.
Whenever we have provided our security services to small businesses, operational risk management seems to have been placed on the back burner. Excuses range from a lack of funding and resources to leadership feeling that a particular risk is “outside” the realm of possibility, but the bottom line is that managing risk at the operational level is crucial to the longevity of any business, large or small. With operational risk it is important to focus on four key areas:
- Process & Policy – These need to be structured clearly and concisely so that employees and customers alike are not only aware of their existence, but also assured that they are followed.
- Chain of Command – Often thought of as a military term, the chain of command (or organizational structure) needs to be in place and followed. While every employee’s talents are different, each needs clearly defined roles and responsibilities.
- Separation/Segregation of Duties – Often the most difficult to apply in a small business setting due to resource constraints, the ability for small businesses to separate job functions and responsibilities is a key ingredient to the overall success of a risk management plan.
- Management of the Plan – Implementing a risk management plan to oversee the day-to-day operations is only half the battle. Organizations need to ensure they structure their plan with proper monitoring and metrics to measure the effectiveness of the plan once it is in place.
Is the Firewall On?
If I had a dollar for every time a small business owner has told me that they manage the risk and overall security of their organization with firewalls, I would be writing blogs about the next golf course I intend to tackle. Unfortunately for them (and for me — I am an avid golfer), firewalls are not the security savior many make them out to be, nor are they the ONE answer to managing risk on a technical level. IT risk management is an in-depth study of an organization's environment and should be treated very seriously. Before an IT risk management program can be initiated, there are several aspects that need to be considered:
- Understand the equation – Risk = Threat x Vulnerability x Asset Value.
- Which model is right for us? – IT risk management can be approached through several different frameworks. ISO, NIST, and CNSS seem to be the most popular among American businesses, and they typically prove to be the easiest to measure against once implemented.
- Does compliance play a role? – Many organizations today are faced with meeting regulatory compliance requirements, and the majority of these mandates require that an effective IT risk management program be in place.
- Risk Assessments – An important piece of the overall IT Risk Management puzzle is the periodic risk assessment of the environment. Usually conducted by a third-party vendor, the risk assessment should help identify potential vulnerabilities, demonstrate areas of concern, measure the effectiveness of the risk management program, and provide recommendations for the areas requiring mitigation and/or remediation.
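The equation in the first bullet is more useful as a ranking tool than as a single number, because it tells you which asset deserves the next mitigation dollar and how much a given fix buys back. The script below is an added example written for this post, not code from Praetorian Secure or any framework named above; it assumes each factor is rated on a simple 1 to 5 scale (so scores run from 1 to 125) and uses a constructed list of assets and hypothetical band thresholds.

```python
from dataclasses import dataclass

# Assumed rating scale for every factor: 1 (lowest) .. 5 (highest).
# Threat = how likely something acts against the asset,
# Vulnerability = how easily it would succeed,
# Asset Value = how much the business loses if it does.

@dataclass
class Asset:
    name: str
    threat: int
    vulnerability: int
    asset_value: int

def risk_score(asset: Asset) -> int:
    """Risk = Threat x Vulnerability x Asset Value (the post's equation)."""
    for factor in (asset.threat, asset.vulnerability, asset.asset_value):
        if not 1 <= factor <= 5:
            raise ValueError(f"{asset.name}: factors must be rated 1..5")
    return asset.threat * asset.vulnerability * asset.asset_value

def risk_band(score: int) -> str:
    """Hypothetical bands on the 1..125 scale; tune these to your appetite."""
    if score >= 50:
        return "high"
    if score >= 20:
        return "medium"
    return "low"

def rank_by_risk(assets: list[Asset]) -> list[tuple[str, int]]:
    """Highest-risk asset first: the order in which to spend mitigation effort."""
    scored = [(a.name, risk_score(a)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

def mitigation_benefit(asset: Asset, new_vulnerability: int) -> int:
    """How many points a control that lowers Vulnerability to new_vulnerability
    takes off the score. Threat and Asset Value are left alone, since a patch
    or hardening step changes neither the attacker's interest nor the asset's worth."""
    hardened = Asset(asset.name, asset.threat, new_vulnerability, asset.asset_value)
    return risk_score(asset) - risk_score(hardened)

# Constructed sample register for a small business (ratings are illustrative).
SAMPLE_ASSETS = [
    Asset("Customer database",   threat=4, vulnerability=3, asset_value=5),
    Asset("Public website",      threat=5, vulnerability=2, asset_value=3),
    Asset("Office printer",      threat=2, vulnerability=4, asset_value=1),
    Asset("Payroll workstation", threat=3, vulnerability=4, asset_value=4),
]

if __name__ == "__main__":
    for name, score in rank_by_risk(SAMPLE_ASSETS):
        print(f"{name:<20} score={score:>3}  band={risk_band(score)}")
    # Compare two candidate fixes by what they actually remove from the register.
    print("Hardening customer DB to vuln=1 removes",
          mitigation_benefit(SAMPLE_ASSETS[0], 1), "points")
    print("Hardening payroll box to vuln=2 removes",
          mitigation_benefit(SAMPLE_ASSETS[3], 2), "points")
```

Note what the ranking shows: the printer has the weakest controls of anything on the list, yet it lands last, because the equation weighs exposure by what is at stake. That is the check a risk assessment should force, and it is why "the firewall is on" says nothing about the score of any individual asset.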
Keep Your Eyes on the Enterprise
When implemented and managed correctly, the financial, reputational, operational and IT risk management silos should fall under the umbrella of an Enterprise Risk Management program. While the cost of initially developing an Enterprise Risk Management program may seem daunting, the investment provides an added insurance policy for your business and, ultimately, the peace of mind that your business will survive a crisis on any level.
Praetorian Secure provides Enterprise Risk Management services and Risk Assessment services to our clients across a wide variety of industries. From financial and healthcare to retail and education, Praetorian Secure can tailor a solution that is right for you and your organization. To learn more about our Enterprise Risk Management services, please visit http://www.praetoriansecure.com/enterprise-risk-management/ or call us at 855.519.7328 to schedule a meeting.