Planning for threats and managing risk. There’s that word again…planning. Avoiding…mitigating. As Benjamin Franklin said, “An ounce of prevention is worth a pound of cure.” Deep down we know that when we’re managing large project engagements for our organizations and/or our customers, it’s critical that we spend the proper amount of up front project planning time assessing the risks that could potentially derail our project. These risks, if realized, can cost our project thousands of dollars, weeks of time, and possibly doom our project altogether. And with it, our careers – if the project is critical enough.
What is a risk?
A risk is the loss potential that exists as the result of threat and vulnerability pairs. A threat is "any force or phenomenon that could degrade the availability, integrity or confidentiality of an Information Systems resource, system or network." Another definition is "any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of use." Below is a list of potential threat areas that need to be fully assessed at the beginning of any IT undertaking.
For each threat, an individual needs to estimate the loss if the threat were to occur. Therefore, an individual needs to know:
- What is the real cost of replacement?
- What will it cost to recreate intellectual property?
- What is the value of an hour of computing time?
- What are the costs of the resources on our projects?
- What are the indirect costs – loss of referrals, project failures, hit on reputation, etc.?
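The questions above decompose the loss for a single threat into cost components. As an added illustration (not part of the original post), the small risk register below models each threat/vulnerability pair with those components and ranks the pairs. It also weights each loss by an assumed likelihood of occurrence, which the post does not spell out; the dollar figures and probabilities are constructed for the example, not measurements from any real project.

```python
"""Risk register built from the loss components listed in the post.

Added example; the threat/vulnerability pairs, costs and likelihoods are
constructed sample values, not data from the original article.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class LossEstimate:
    """One threat's loss, broken down into the components the post asks about."""
    replacement_cost: float       # real cost of replacing the lost/damaged asset
    ip_recreation_cost: float     # cost to recreate intellectual property
    compute_hours_lost: float     # hours of computing time lost to the incident
    compute_hour_value: float     # value of one hour of computing time
    resource_cost: float          # project resources (people, contractors) consumed
    indirect_cost: float          # lost referrals, project failure, reputation hit

    def total(self) -> float:
        """Single-occurrence loss: the sum of all components."""
        return (self.replacement_cost
                + self.ip_recreation_cost
                + self.compute_hours_lost * self.compute_hour_value
                + self.resource_cost
                + self.indirect_cost)


@dataclass
class Risk:
    """A threat/vulnerability pair together with its estimated loss."""
    threat: str
    vulnerability: str
    likelihood: float             # assumed probability of occurrence per year, 0..1
    loss: LossEstimate

    def single_loss(self) -> float:
        return self.loss.total()

    def expected_loss(self) -> float:
        # Likelihood-weighted loss; the weighting is an assumption added here.
        return self.likelihood * self.loss.total()


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest expected loss first, so planning time goes where it matters most."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def register_total(risks: List[Risk]) -> float:
    """Total expected loss across the register, a rough budget for mitigation."""
    return sum(r.expected_loss() for r in risks)


# Constructed sample register covering three of the threat areas in the post.
SAMPLE_REGISTER: List[Risk] = [
    Risk("backup media lost in transit", "off-site tapes shipped unencrypted",
         likelihood=0.10,
         loss=LossEstimate(replacement_cost=2_000, ip_recreation_cost=0,
                           compute_hours_lost=40, compute_hour_value=50,
                           resource_cost=5_000, indirect_cost=40_000)),
    Risk("power surge damages servers", "server room has no surge protection",
         likelihood=0.25,
         loss=LossEstimate(replacement_cost=15_000, ip_recreation_cost=0,
                           compute_hours_lost=16, compute_hour_value=50,
                           resource_cost=3_000, indirect_cost=2_000)),
    Risk("key engineer leaves for a competitor", "deployment knowledge held by one person",
         likelihood=0.20,
         loss=LossEstimate(replacement_cost=0, ip_recreation_cost=20_000,
                           compute_hours_lost=0, compute_hour_value=50,
                           resource_cost=12_000, indirect_cost=8_000)),
]


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER):
        print(f"{r.threat:<40} single loss {r.single_loss():>10,.0f}"
              f"  expected {r.expected_loss():>10,.0f}")
    print(f"Total expected loss: {register_total(SAMPLE_REGISTER):,.0f}")
```

Note how the ranking changes once likelihood is considered: the lost-media scenario has the largest single loss in the sample (49,000), but the personnel risk carries the largest expected loss (8,000), which is the figure that should drive where up-front planning effort goes.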
Let’s consider further what some of the key threats and risks are that we face on our projects and to our IT systems regularly…
Records and files. How safe is the storage of the media? Could they become lost or damaged? If the media is lost or stolen, consider the impact of not only the missing media but the information on it.
Facilities. Environmental risks cover things such as floods, lightning, earthquakes, tornadoes, etc. Also consider flooding from such things as fire main leaks, fire extinguisher sprays, fires, contamination, traffic coming through the front of the building or hitting power poles, and even bombs - real or merely threatened.
Equipment. Power surges can come over the power lines and damage the equipment. Fire extinguisher discharge and plumbing leaks are very bad for electronics. Some equipment is dependent upon air conditioning, and some may even "develop legs and walk away"! Additionally, care should be taken that equipment is not used for unauthorized purposes.
Software. Programming can be accidentally (or intentionally) modified or destroyed by programmers or even users. Interrupting the power to an operating system is one method by which the programs which are running may be corrupted. There is also the risk when installing or upgrading programs that the new code is itself corrupted.
Data and Information. This is where hackers become a concern – and today that is a real, daily concern. Data and identity theft is an ever-present possibility and the more sensitive the data, the higher the risk.
Personnel. Your project and company personnel are always at risk. Personal injury that could mean you lose them for an extended period of time needs to be a concern. What processes do you have in place for onboarding a replacement fast? What if they jump to a competitor for more money? Plan for these and have policies in place.
Summary / call for input
Risk management and risk planning on our projects may seem like one of those necessary evils…sort of like buying, owning and maintaining a car (unless you’re really into car collecting and have that much extra time and money on your hands). Well, yes, it is. It’s critical to our project’s success and also too often overlooked.
What about our readers? How much emphasis do you place on risk management? Do you have a repeatable process you go through for every project? Is it something you incorporate and consider for every project? Do you get pushback from the customer when setting aside any significant time to plan for and manage risks early on and on an ongoing basis?