A Typical Journey with Risk
When I think about how risk assessment looks at each stage of your business journey, it can take different forms. I think about our own company. When we first were operating and we had built our online audit manager, it was running on a web server and a database server with a fire wall, and it was actually sitting on top of a cubicle. I was the only person in the office – I was the only person with a key to that office, and I watched it like a hawk. I was personally responsible for it, and I looked out for the different risks that could physically as well as electronically effect that application. Once we started growing and had more resources, it became for feasible to think about, “well I don’t have the necessary environmental controls in this room. What if the air conditioner goes out and these servers are damaged?” I started thinking about redundancy, “Well what if the power goes out in the building?” We didn’t have the money, at that point, to pay for a data server and all of the controls that are sophisticated in an environment like that, but we did start spending money on additional controls in our office to lock up the environment so that within the walls of our office nobody could get to that. And we put money into backups and batteries and things like that that protected the environment. But finally, as we grew a little bit more, we had the resources to put the application into a data center. We did that because of the risks we were facing. All of our eggs were in that one physical location. We didn’t have generators; we didn’t have 24/7 personnel and we couldn’t afford to do that. But, once we moved it into a data center, we were then addressing some additional risks that we, previously, were willing to accept. And then, finally, it was our journey to the cloud that allowed us to shift our risk once again. We addressed some of the risks that we faced by having our application hosted at a data center that was running on a dedicated server in that environment and we moved it to the cloud. Did we eliminate risk along the way? No. With every change that we made, the risk just shifted, it changed. Now that our application is in the cloud, we’ve been able to access a lot of really great, sophisticated, advanced controls to minimize our risk, but we have different risks now that we’re in the cloud as opposed to where we were in the early days. And so, your risk assessment will look different. You will make different decisions based on the resources that you have available to you, and you will continue to mature and grow as you go through, what is a great process known as risk assessment.