What should a risk assessment look like? Risk assessments are a critical part of risk management. After all, you can’t manage what you don’t know about. There are many different ways to structure a risk assessment, but at the end of the day some methods deliver more value than others. In this second part of our series on risk management, I Thought You Were Taking Care of That, we discuss how to structure risk assessments so that you can get the most value possible from them.
The Four Pillars
There are four pieces of information that should be included in every risk assessment. They are importance, category, RPO/RTO and impact.
Pillar #1: Importance
The best way to define importance is by the amount of time lost if the event occurs. The reason is simple – the biggest cost to your clients is downtime. Downtime affects your clients’ capacity to sell, market, and run their operations. If your client has a major e-commerce business and loses its system for taking credit card payments online, then any downtime to the credit card payment system is critical. Other systems may not be as important. Prioritize risks by how important the affected item is to the business.
Pillar #2: Category
Category reflects the functional line of the business. If possible, risks should be broken down by functional line, and the functional lines should be confirmed with your clients’ management. This helps you guide the conversation so you can talk to the right manager about the risks that they, specifically, face.
Pillar #3: RPO/RTO
Recovery point objective (RPO) and recovery time objective (RTO) should be included in every risk assessment. As the service provider, you need to know the standards by which the client is going to judge your performance. If those standards are not realistic, knowing ahead of time gives you an opportunity to get in front of that conversation. More importantly, having RPO and RTO standards documented means that your techs understand the client’s business from the client’s perspective, and can act accordingly.
Pillar #4: Business Impact
The final piece of the risk assessment structure is the business impact. Again, this is a matter of asking your client what the impact of a given event would be, and listening to their answer. They know better than anybody what the business impact of something might be. Losing Salesforce or 365 for an hour could cripple one client, and not matter that much to another. Understanding the business impact allows you to put your clients’ reactions to problems into proper perspective.
Documenting Risk Assessments
This simple four-part structure can be documented easily in IT Glue, or in Excel should you prefer the old school approach. But no matter how you document it, ensuring that your risk assessments are easy to find, easy to understand, and have been written with substantial input from key stakeholders at your clients makes all the difference in the world in terms of optimizing your risk management program.
To learn more about how IT Glue can help streamline risk management at your MSP or internal IT team, we invite you to demo our full documentation platform. Are you in?
IT Glue is an award-winning documentation platform that allows for efficient storage and retrieval of all the documentation you need to help your MSP run better. By integrating PSA and RMM data, we can help increase your efficiency and reduce onboarding times even further. By eliminating wasted time from your business, IT Glue gives you more time to focus on what matters – growing your business.