“I thought you were taking care of that!”
When a client tells you that, you know you’re going to have a fantastic conversation. That’s because something bad happened, and revealed a common disconnect between IT service providers and their clients. The client assumes that the IT service provider handles every single aspect of IT service, including everything security related. You, the IT service provider, probably have a more realistic view.
But in a way, the client has a point. It’s not their fault if they are unaware of the risks. And how would they know what you are handling if you don’t tell them? This is where the risk assessment comes into play. The first stage of the risk assessment is identifying and tracking risk.
Not All Risk is Created Equal
To appropriately understand risk, examine the two dimensions – odds of it happening and outcomes if it does. Outcomes can be graded in terms of their impact on your client’s business or brand. Consider the following scale:
- Downtime of more than 1 hour begins to critically affect operation/brand
- Downtime of more than 4 hours begins to negatively affect operation/brand
- Downtime of more than 8 hours begins to negatively affect operation/brand
- Downtime of 24 hours or more does not negatively affect operation/brand
Once you’ve categorized each risk by its business impact, you can start to look at likelihoods. We know, for example, that a Datto survey found that 91% of MSPs had a client hit by ransomware in the prior 12 months, so those odds are, uh, not good. If the business impact is high or critical, then ransomware protection has to be a high priority item for that client.
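To make the two-dimension idea concrete, here is a small risk register in Python that scores each risk by impact and likelihood and sorts it into a priority order. This is an added example, not code from the original post or from IT Glue; the tier names below "high" and "critical", the numeric weights, the likelihood categories and the sample risks are all assumptions layered on the downtime scale above.

```python
"""Tiny risk register: score each risk by business impact and likelihood.

Constructed example. The impact tiers follow the downtime scale from the
post; tier names, weights and the sample register are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Impact tiers from the post's downtime scale. The threshold is how many hours
# the affected service can be down before the client's operation/brand suffers.
# Tier names and weights are assumptions (the post itself names only "high"
# and "critical"); anything above 8 hours is treated as "low" here.
IMPACT_TIERS = [
    # (max tolerable downtime in hours, tier name, weight)
    (1, "critical", 4),
    (4, "high", 3),
    (8, "medium", 2),
]
LOW_IMPACT = ("low", 1)  # 24h+ of downtime does not hurt the business

# Likelihood categories and weights: an assumption, not from the post.
LIKELIHOOD_WEIGHTS = {"low": 1, "medium": 2, "high": 3}


def impact_tier(tolerable_downtime_hours: float) -> tuple[str, int]:
    """Map 'how long can this be down before it hurts' to an impact tier."""
    for threshold, name, weight in IMPACT_TIERS:
        if tolerable_downtime_hours <= threshold:
            return name, weight
    return LOW_IMPACT


@dataclass
class Risk:
    name: str
    tolerable_downtime_hours: float  # downtime the client can absorb before it hurts
    likelihood: str                  # "low" | "medium" | "high"

    @property
    def impact(self) -> str:
        return impact_tier(self.tolerable_downtime_hours)[0]

    @property
    def score(self) -> int:
        # Odds of it happening times the outcome if it does.
        return impact_tier(self.tolerable_downtime_hours)[1] * LIKELIHOOD_WEIGHTS[self.likelihood]

    @property
    def high_priority(self) -> bool:
        # The post's rule: high or critical impact plus a likely threat
        # makes the mitigation a high-priority item for that client.
        return self.impact in ("high", "critical") and self.likelihood == "high"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Sort a risk register so the most pressing items come first."""
    return sorted(register, key=lambda r: (r.score, r.high_priority), reverse=True)


# Constructed sample register for a hypothetical client.
SAMPLE_REGISTER = [
    Risk("Ransomware on file server", tolerable_downtime_hours=1, likelihood="high"),
    Risk("Hosted email outage", tolerable_downtime_hours=4, likelihood="medium"),
    Risk("Lost laptop with cached data", tolerable_downtime_hours=48, likelihood="medium"),
    Risk("Office printer failure", tolerable_downtime_hours=24, likelihood="high"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        flag = " <- high priority" if r.high_priority else ""
        print(f"{r.score:2d}  {r.impact:8s} {r.likelihood:6s} {r.name}{flag}")
```

Run as-is, the ransomware entry lands at the top with a score of 12 and the high-priority flag, while the printer failure, although likely, scores only 3 because the client can absorb a day without it. The point of the numbers is not precision but a consistent ordering you can defend in the client conversation.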
There are a couple of ways to track risk. The old-fashioned way, of course, is the good ol’ Excel spreadsheet. If your spreadsheet is in O365 or Google Docs, you can share it with key stakeholders and everything. Right on.
We recommend using IT Glue. Risk can be tracked by organization, using a custom Flexible Asset. Here’s an example.
This can also be shared with key stakeholders; it’s easy to search, and it lives with the rest of your documentation. That’s important because it’s a lot easier to find a risk profile in IT Glue than a spreadsheet buried deep in some folder tree, and having it in the same place as all your other documentation means it’s only a click away.
Using a consistent format to track risk also makes it easier to have the risk conversation with your clients. Consistency means that if someone’s done it once, they can do it again. It’s a repeatable process.
So how do you have the risk conversation? We’ll talk about that next week.