Monday, June 8, 2015

The Value of Reducing Risk – Difficult Deltas

What is the value, to a customer, of software tools that help reduce risk?  This is often difficult to uncover and convey, but the good news is that organizations need to manage and reduce risk.  Interestingly, the higher the level of the job title, the more clearly this is understood. 

Software that helps to manage and reduce risk is often equated to buying insurance – we’d rather pay a small amount each year to make sure we are protected against accidents, malicious acts and natural disasters rather than risking the full cost of replacement or repair of our house, car, or our health.  Typical business risks include, along with the costs:

-          Risk of data breach:  costs of suits and damage to corporate image
-          Risk of non-compliance:  fines, additional audits (often costly), possible damage to corporate image
-          Risk of natural or man-made disaster:  lost records (compliance risks), loss of productivity, costs of rework
-          Risk of human resources or customer interaction errors (another form of non-compliance, really):  costs of suits and damage to corporate image
-          Risk of project failure or delay:  loss of investment and/or rework costs, possible suits

One simple way (a good starting point) to assign a value to these risks is to research what has happened to other, similar organizations to your customer and use those specific fines and costs as real-world examples.   I did a quick Google search using “cost of data breach” and found the following:

1.    “The risk and cost of a data breach continue to grow. The recent Ponemon Institute Cost of a Data Breach study found the average cost of a data breach to be $5.5 million with average cost per compromised record more than $194.”

That’s from (Ponemon Institute/Symantec).   

Other thoughts on this?


Musa Blog - About Everything said...


Adrian Amariei said...

Risk is part of Governance, Risk, and Compliance. GRC has board scrutiny; it is guaranteed to ring many bells with an executive attending a demo. Obviously, of no interest to an IT technician.