Does the term Risk Management appear anywhere in your job description? I never seen it anywhere when I read one, and yet there’s a good chance you do a lot of risk management in your job if you run a computer network.
Wikipedia says “Risk Management can be considered the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events.”
What could that have to do with running a computer network or managing data? In fact, the entire practice of backup, replication, snapshots, raid, even UPS and redundant power supplies are reactions to risks. Every bit of company data you manage needs to be analyzed for it’s risk potential, every system you implement needs to be protected against risk at a level equal to it’s value. And there’s the rub.
There’s an old joke in engineering circles about installing a $5 fuse to protect a $1 device. Another has something to do with, “fifty million dollars worth of rocket depending on a five cent transistor.” You get the idea I’m sure.
The jokes are based on real experience. The lesson learned illustrates my whole point. The real challenge in risk management for computer information is in striking the right balance of costs versus consequence. There’s no hard and fast rules about it. There’s some science to it and some art as well.
When it comes to computer data, using risk analysis means developing and understanding of the values of the data you have. Not value mind you, but values – plural. That’s what that joke means. Different types of information have differing values to your organization. That says to me that you should develop different methods of protecting the information you have. Managing risks means finding the appropriate responses to risks to minimize their effects on the organization.
While some companies have unlimited funds (please give them my number if you find one) most of the companies I work with have to take a nuanced approach to their data protection. Yes it would be great if they could use realtime replication, continuous data protection, completely redundant system , backup to the cloud or time travel to restore data many of these feature are out of their budget.
The whole idea of ‘right tool for the job’ is quite applicable to data risk management. You have to develop scenarios for threats from which you need to protect your data. You need to know the value of having that data if – at some point in the future – risks turn into events. You also need to know how long you can be without some data, and exactly what data you can’t do without. In the backup world you might hear recovery point objective (RPO) and recovery time objective (RTO).
This is the backup people’s way of asking, “What can you afford to lose?” and “If you had to go back to the last good backup, how long can you wait to have your data back again?” Sounds simple? There’s a whole bunch of complexity and a few billion dollars worth of products rolled into those 2 little terms.
In discovering your RTO and RPO, you’ll also have to define the types of risks you potentially need to plan against. Catastrophic events come in all shapes, sizes and jurisdictions. I mean, there’s the big one like a quake that takes out the city in which you store data, and a little one like the power goes out on your block due to a bad transformer that blows up in a heat wave. In one event, business is disrupted for what could be a large percentage of your customers; in the other, it’s just you that’s off line. Makes you stop and think a little now?
In summary, we use risk management techniques to define the right response to threats to our data and by extension our organization’s productivity.
In a future posting I’ll be going through the ways to evaluate risks and developing appropriate responses to data risks.