Risk: Protect What Matters Most

A 15-minute exercise to find your Top Five risks—and fix what actually matters.

One of the best ways to protect your business is to adopt a strategic approach to identifying risks. Why? Because if you know what the most significant risks to your business are, you know where to apply your precious resources most effectively.

My goal here is to give you a simple way to focus on what’s important so that when something does go sideways (and it will), you’re not starting from zero. This initial effort only takes 15 minutes, a pen, and a little honesty about how your business really runs.

TL;DR: List what you can’t live without, note what could go wrong, rate the Likelihood and Impact of each, pick your Top Five, and knock out one fix a week.

Before we start (plain talk)

  • Risk is part art, part common sense. Your business is unique; your priorities will be too.

  • You set the comfort level. Decide what you can live with, and what you really need to protect.

  • As a business owner, at the end of the day you own all risk to your business. You are accountable.

  • Risk is measured by Impact and Likelihood, each rated High, Medium, or Low.

    • Impact means how badly an event related to this risk would affect your business (High, Medium, or Low).

    • Likelihood means how likely that event is to occur (High, Medium, or Low).

    • For example, a tornado hitting your building would have a High Impact, but the Likelihood of that happening is Low.

    • Your goal is to identify all of your High Impact, High Likelihood risks and make those your focus.

  • Once you identify your risks, you need to do something about them. You need to have a risk treatment plan.

WHAT IS RISK TREATMENT?

There are basically four options to deal with any risk you identify:

  • Mitigate it - the most common approach. Try to reduce the risk to an acceptable level. For instance, Cybersecurity Training and Awareness is a low-cost way to reduce the likelihood and impact of staff falling for phishing emails.

  • Accept it - decide, on purpose, to live with the risk and do nothing more about it. This option is usually taken when the cost of reducing the risk exceeds the benefit. For instance, you identify that losing Internet access for a short period of time is a risk. This is pretty likely to happen at some point, but it might not have a huge impact. So you can decide to accept this risk instead of spending extra money to mitigate it. Write the decision down, so that it is a choice and not an oversight.

  • Avoid it - eliminate the risk by not doing the thing that creates it. If the likelihood of something bad happening is high, and the impact would devastate your business, your best option may be not to do that thing at all. Privacy is a huge risk for all businesses, both from a regulatory and a reputational perspective. If you don’t need to store customer birth dates, then don’t. Risk avoided.

  • Transfer it - think of Cyber Insurance as a way to transfer your risk so you can recover from any financial impact of a cyber event. But keep in mind, you still ultimately own the risk and the impact. You can transfer some of the risk, but you cannot transfer all of it.

THE 15-MINUTE RISK FOCUS

Step 1 — List your “crown jewels” (3 min)
Write the handful of things you’d miss today if they vanished. For example:
Devices (laptop/phone/POS) • Apps (email, accounting, CRM, Social Media) • Data (customer/payment/files) • Vendors (bank, processor, IT).

Step 2 — What could go wrong? (4 min)
Next to each, jot down (in plain language) something that could go wrong that would have an impact to your business: laptop stolen, staff clicked on a phishing email, money stolen from your bank account, website defaced, customer data leaked, etc.

Step 3 — Rate it (3 min)
For each, mark Impact (High/Med/Low) and Likelihood (High/Med/Low). Work first on High × High = PRIORITY for the next 30–60 days.

Step 4 — Decide (3 min)
Give each priority a one-word decision: Mitigate / Accept / Avoid / Transfer.
Then write one next action with an owner and a due date.

Step 5 — Track it (2 min)
Keep a tiny list (Asset • Risk • Impact • Likelihood • Decision • Owner • Due). Review monthly. One fix per week. Don’t focus on perfection, just progress. Try to make yourself and your business a little bit more secure today than you were yesterday.
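As an added example (not code from the original page or from Security Moments), here is the Step 5 tracking list kept as a small Python risk register. It ranks High × High risks first, picks the Top Five, checks that every priority has a decision, a next action, an owner and a due date, and lists what a monthly review should flag. The numeric weights behind the High/Med/Low labels, the example rows, and the owner names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Three-level scale from the worksheet. The numeric weights are an added
# assumption used only to rank risks; High x High is always put first.
LEVELS = {"High": 3, "Med": 2, "Low": 1}
# The four risk treatment options.
TREATMENTS = ("Mitigate", "Accept", "Avoid", "Transfer")


@dataclass
class Risk:
    """One row of the list: Asset, Risk, Impact, Likelihood, Decision, Owner, Due."""
    asset: str
    risk: str
    impact: str
    likelihood: str
    decision: Optional[str] = None
    owner: Optional[str] = None
    due: Optional[date] = None
    next_action: str = ""

    def score(self) -> int:
        return LEVELS[self.impact] * LEVELS[self.likelihood]

    def is_priority(self) -> bool:
        """Step 3: High Impact x High Likelihood is the 30-60 day priority."""
        return self.impact == "High" and self.likelihood == "High"


def rank(register: list[Risk]) -> list[Risk]:
    """Priorities first, then by score; the sort is stable so ties keep input order."""
    return sorted(register, key=lambda r: (r.is_priority(), r.score()), reverse=True)


def top_five(register: list[Risk]) -> list[Risk]:
    return rank(register)[:5]


def validate(r: Risk) -> list[str]:
    """Step 4 checks: ratings are on the scale, the decision is one of the four
    treatments, and a priority that is not simply accepted has an action, owner and due date."""
    problems = []
    if r.impact not in LEVELS or r.likelihood not in LEVELS:
        problems.append("impact and likelihood must be High, Med or Low")
    if r.decision is not None and r.decision not in TREATMENTS:
        problems.append(f"unknown decision {r.decision!r}")
    if r.is_priority():
        if r.decision is None:
            problems.append("priority risk has no decision")
        if r.decision != "Accept" and not (r.owner and r.due and r.next_action):
            problems.append("priority risk needs a next action, an owner and a due date")
    return problems


def monthly_review(register: list[Risk], today: date) -> dict[str, list[Risk]]:
    """Step 5: what to look at each month. Accepted risks have no action to chase."""
    return {
        "overdue": [r for r in register if r.due and r.due < today and r.decision != "Accept"],
        "unowned_priorities": [r for r in register if r.is_priority() and not r.owner],
    }


# Constructed example register (not real data), filled in from Steps 1-4.
REGISTER = [
    Risk("Laptop", "Stolen from car, disk not encrypted", "High", "Med",
         "Mitigate", "Pat", date(2024, 7, 15), "Turn on full-disk encryption"),
    Risk("Email", "Staff click a phishing link", "High", "High",
         "Mitigate", "Sam", date(2024, 7, 8), "Enrol staff in awareness training"),
    Risk("Bank account", "Fraudulent transfer", "High", "Med",
         "Transfer", "Pat", date(2024, 8, 1), "Confirm insurance covers funds transfer fraud"),
    Risk("Website", "Defaced", "Med", "Low"),
    Risk("Customer data", "Customer list leaked", "High", "High"),
    Risk("Internet", "Outage for a few hours", "Low", "High", "Accept"),
    Risk("Building", "Tornado", "High", "Low",
         "Transfer", "Sam", date(2024, 9, 1), "Check property insurance"),
]

if __name__ == "__main__":
    for r in top_five(REGISTER):
        flag = "PRIORITY" if r.is_priority() else ""
        print(f"{r.asset:14} {r.impact:4} x {r.likelihood:4} {r.decision or '?':9} {flag}")
        for p in validate(r):
            print("   !", p)
    review = monthly_review(REGISTER, date(2024, 7, 20))
    print("overdue:", [r.asset for r in review["overdue"]])
    print("priorities with no owner:", [r.asset for r in review["unowned_priorities"]])
```

Run it as a script and the Top Five comes out with the two High × High rows first; the customer-data row is flagged because it has no decision and no owner, which is exactly the gap the monthly review is meant to catch.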

A full risk assessment is of course a more detailed effort. The best way to make sure you have identified your most critical risks is to have a comprehensive cyber risk assessment done by a qualified professional. Although this can be relatively expensive and takes an investment of time, in the end you will be well prepared.

HOW CAN SECURITY MOMENTS HELP?

If you are unable to afford a full assessment or cannot commit the necessary resources, Security Moments offers a low-cost ($99) self-help guide that walks you through the steps needed to perform your own assessment. It lets you take this 15-minute effort and build on it, and is a great next step as you continue to grow your business.

Security Moments also offers an affordable Training and Awareness program designed specifically for small businesses. Short, engaging videos, quizzes, and quarterly cyber challenges, all for less than $10 a month. You can also visit our YouTube channel, where we post our FREE monthly Practical Moments episodes that highlight real-world situations that we all face, taking the mystery out of security. Keeping your staff educated and informed is one of the least expensive and most beneficial ways to keep your business Safe and Secure.

NEXT UP:

Cybersecurity Training and Awareness. Ugh, I know, but you are going to have to trust me. Right now, this is one of the least costly and most effective ways small businesses can deal with cyber threats.
