Technology risk management is not just about protecting sensitive financial or healthcare data. It is about keeping your business in business, by protecting what is yours from people with malicious intent.

What exactly is technology risk management? I define it as the management of risk as it relates to the technology used in your business. You could probably get away with calling some of this cyber security or information security. In my opinion, many different disciplines fall under the umbrella of what can be identified as technology risk management.

Keep in mind, technology is not just high-tech. It can be low-tech, such as proper lighting around the outside perimeter of your building. Proper and sufficient outside lighting can reduce the chance that someone will try to break in through a door or window of your business, which in turn reduces the chance of the technology within your place of business being stolen. Again: management of risk as it relates to the technology in your business.

Process for managing risk

Regardless of what buzzword is used, one tenet holds true: every business contains manageable risk factors. After the known risks are identified, safeguards are recommended to mitigate them. Then a recommendation is made on how best to move forward with each risk, i.e. whether or not to implement the safeguard(s) for each identified risk. No fewer than four recommendation types exist for managing risk, with the following five being very common.

  • Acceptance
  • Avoidance
  • Reduction
  • Transference
  • Ignore

Using an analogy most of us can relate to, I will describe each of these from the perspective of a car with tires that need to be replaced.

Acceptance

Acceptance, or retention, is the identification of a risk and the deliberate decision to accept it, with the possibility of implementing a safeguard in the future. At times acceptance is a valid strategy, for example when the cost of implementing a safeguard to mitigate the risk is prohibitive or the safeguard is too burdensome. This is similar to, but different from, ignoring, which is described further below.

Car analogy: you accept the risk that your tires have very little tread on them, but you have a plan to save money and replace them in the future.

Avoidance

Avoidance, or elimination, is the complete removal of a risk. Unfortunately, sometimes the removal of a risk is more costly than accepting or mitigating the risk.

Car analogy: you avoid the risk by replacing the tires.

Reduction

Reduction, or mitigation, is knowing the risk exists in your business and putting into place safeguard(s) that will bring the risk to an acceptable level.

Car analogy: you reduce the risk by driving less and only when the road is dry.

Transference

Transference is transferring the risk to another entity, organization, or business. This is typically done through outsourcing to a third-party vendor or to an insurance agency.

Car analogy: you transfer the risk by using a rideshare or taxi service.

Ignore

Ignoring is somewhat similar to acceptance. With either method, a risk has been identified and will remain in its present form. The difference lies in how it is managed long-term. To ignore is to put your head in the sand, perhaps willfully neglecting to recognize that the risk exists in your business. Contrast this with acceptance, as described above.

Car analogy: you ignore the tires with minimal tread and keep driving as you would normally with no plan to replace the tires.

Tip of the umbrella

Technology risk management is more than protecting your business from hackers or trying to avoid the most recent piece of malware or not falling victim to an email phishing campaign. It is about creating a computer usage agreement for your employees. It is about having a data backup and restore plan. It is about having a business continuity and disaster recovery plan if one of your employees spills a cup of coffee on the one server your business has.

The sad truth is that convenience and security oppose each other. On top of that, a business has to weigh the cost versus the value of managing risk when choosing to implement, or not implement, recommended safeguards. Thus the end goal for managing risk in your business is not to strive for zero risk; that is simply not possible. The goal is to improve your risk posture as much as possible by implementing the safeguards that provide the best value based on actionable mitigation strategies. In turn, these measures reduce the amount of residual risk that remains in your business.