Measuring Business Impact: The Essence of Risk Mitigation
Often the process of reducing risk will bring with it some sort of cost, perhaps for backups, system redundancy, and so on. As a result, a business cannot always eliminate all technology risks. Instead, the IT staff must evaluate which risks are most likely and which risks have the greatest potential impact on the company and its ability to continue operations. The risk mitigation process requires that the IT staff balance risks and potential impacts.
To start the risk mitigation process, make a list of the company’s potential technology risks. Then estimate each risk’s potential for occurrence and its business continuity impact, as shown in TABLE 10-1.
TABLE 10-1 Risk occurrence probability and business continuity impact.
| Risk | Occurrence Probability | Business Continuity Impact |
|---|---|---|
| User disk failure | Medium | Low |
| Server disk failure | Low | High |
| Network failure | Low | High |
| Database failure | Medium | High |
| Phone system failure | Low | Medium |
| Server power failure | High | High |
| Desktop power failure | High | Low |
| Desktop failure | Low | Low |
| Fire | Low | High |
| Flood | Low | High |
You may want to add a column that estimates the cost to reduce the risk. In this way, you can provide management with the key factors they should consider as they invest in resources to reduce the company’s technology risks.