What Could Possibly Go Wrong?
Over the last couple of years I’ve worked through two different compliance projects, one for HIPAA and one for a defense department clearance. In each case, as the company prepared for the upcoming audit, it had to produce a risk assessment. This is something most small technology companies never think about, but it can be incredibly useful.
Let’s explore what a risk assessment is and how doing a very lightweight version of this simple process can head off potential disaster.
What’s a Risk Assessment?
A risk assessment is an exercise that you conduct with everyone in your company to identify four things:
- What can go wrong?
- How likely is it that it will happen?
- What are the consequences if it does happen?
- How do you protect against it happening?
This can be a simple roundtable exercise that you do in one hour over lunch by filling out a simple spreadsheet (fortunately I’ve already created a template for you to use, so that excuse is gone).
How Does It Work?
The idea here is to get as many risks to your company explicitly identified as possible and then prioritize your defense against them over time. Here are some broad buckets of things you’ll want to include:
- System risks such as loss of data, corruption of data, or hardware / machine failure
- Security risks such as theft of your customers’ personal information, malware, and ransomware
- Personnel risks such as key team members leaving the company or having unplanned absences
- Customer risks such as major customers leaving
Once you’ve identified a risk, work through the process of identifying the likelihood, consequence and mitigation. I’ve included a few examples in my template so you get a feel for the level of detail you want in the initial pass.
You can of course adjust the categories to make it work for you.
It’s a good idea to revisit this exercise every 3-6 months to identify what’s changed and assess how you’ll address those changes.
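To make the prioritization step concrete, here is an added Python example of a minimal risk register. It is not the author’s spreadsheet template; the 1-5 scoring scale, the score threshold of 15, and the sample risks are all assumptions constructed for illustration. It scores each risk as likelihood times consequence, ranks the register, pulls out the risks that threaten your ability to operate, and computes the date for the follow-up review.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# Assumption for this example: a 1-5 scale for both answers. 1 = rare / negligible,
# 5 = almost certain / severe. The post's template does not prescribe a scale.
SCALE = range(1, 6)


@dataclass
class Risk:
    """One row of the register: the four questions from the post."""
    category: str      # System, Security, Personnel or Customer
    description: str   # What can go wrong?
    likelihood: int    # How likely is it? (1-5)
    consequence: int   # What are the consequences? (1-5)
    mitigation: str    # How do you protect against it?

    def __post_init__(self):
        if self.likelihood not in SCALE or self.consequence not in SCALE:
            raise ValueError(f"likelihood and consequence must be 1-5: {self.description!r}")

    @property
    def score(self) -> int:
        # Likelihood x consequence, so the range is 1-25.
        return self.likelihood * self.consequence


def prioritize(register):
    """Highest score first. Ties go to the higher consequence, so a rare but
    severe risk outranks a frequent but minor one with the same product."""
    return sorted(register, key=lambda r: (r.score, r.consequence), reverse=True)


def must_address_now(register, threshold=15):
    """The risks to deal with first: those that threaten the ability to operate.
    The threshold is an assumption; 15 means roughly 'likely and serious'."""
    return [r for r in prioritize(register) if r.score >= threshold]


def next_review(last_review, months=3):
    """Follow-up date for the 3-6 month revisit the post recommends,
    clamped to the last day of the target month where needed."""
    month_index = last_review.month - 1 + months
    year = last_review.year + month_index // 12
    month = month_index % 12 + 1
    day = min(last_review.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


# Constructed sample register, one or two rows per bucket from the post.
SAMPLE_REGISTER = [
    Risk("System", "Production database lost with no restorable backup", 3, 5,
         "Nightly off-site backups; quarterly restore test"),
    Risk("Security", "Ransomware on a laptop spreads to shared drives", 4, 4,
         "Endpoint protection, least-privilege shares, offline backups"),
    Risk("Security", "Customer personal data stolen from the web app", 2, 5,
         "Encrypt data at rest, monthly patching, annual penetration test"),
    Risk("Personnel", "Only engineer who knows the deploy pipeline leaves", 3, 3,
         "Written runbooks; second engineer pairs on every deploy"),
    Risk("Customer", "Largest customer (40% of revenue) does not renew", 2, 4,
         "Broaden the sales pipeline; quarterly account reviews"),
    Risk("System", "Office internet down for a day", 4, 1,
         "Mobile tethering; everyone can work from home"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score:>2}  {r.category:<9} {r.description}")
    print("Address now:", [r.description for r in must_address_now(SAMPLE_REGISTER)])
    print("Next review:", next_review(date.today()))
```

The tie-break on consequence is deliberate: a plain product treats "likely and minor" the same as "rare and catastrophic", and the latter is usually the one a small company cannot survive. Adjust the threshold to whatever your team agrees "threatens our ability to operate" means, and keep the rows you do not address now so they are still there at the next review.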
Just Remember
The purpose of a risk assessment isn’t to make you depressed (which it will) by listing all of the things that might happen to your fledgling enterprise. The simple fact is that the more you know about what can go wrong, the more you can do to keep it from happening, or to limit the damage when it does. You won’t be able to afford the time or money to address every issue you identify, which is perfectly fine.
Focus on the risks that pose a significant threat to your ability to operate and deal with the rest later.
Your Assignment
Schedule an all-hands lunch sometime in the next few weeks and conduct your first risk assessment using my template. You can even ask people to prepare a list ahead of time, rather than everyone having to come up with risks while you’re sitting in your meeting. Put it on your calendar now, and then schedule a follow up risk assessment for three months from now.
This may seem like big-company stuff, but this simple exercise will give you a clear picture of where your risks are and how you might deal with them as they arise.