It is easy to say that you need to evaluate your risks, control and mitigate them and, if anything bad happens, perform damage control, review the situation and make appropriate changes. All that sounds great, but what is “risk” exactly? And how do you make risk management a part of your value-based managed IT offering?
In this article, we will define several areas for MSP risk management and discuss how you can create a framework and embed it into your existing offer in order to reduce your operational and your clients’ IT-related risks.
Where to Start
So, how can you make use of risk management as an MSP? The answer is simple: focus on your clients’ IT-related risks, more specifically their cybersecurity and downtime risks. MSP risk management won't become a separate offering in your bundle; however, if correctly implemented, it will add value to your proposition.
If you don't know how to begin the risk evaluation process, try one of the popular risk-management models: a risk prioritization matrix or failure mode and effects analysis (FMEA). These models give you a step-by-step approach to identifying the risks of a given service or workflow:
- Define risks and group them.
- Evaluate the risks by their severity.
- Establish risk management goals on a per-customer basis.
Remember that some risks matter more for certain clients than for others. For example, customers located in areas with a high chance of floods or hurricanes should be prepared for full-on disaster recovery. If, however, you are working with customers subject to compliance requirements, you should evaluate both the data breach risks and the legal risks in the event of a successful breach.
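The two models named above, worked through on a constructed risk register: each risk gets severity, likelihood and detection scores on a 1 to 5 scale, is placed in a band on a 5x5 severity/likelihood matrix, and is ranked by its FMEA risk priority number (RPN = severity x occurrence x detection). A per-client likelihood override shows how the same register reorders for a flood-prone site. This is an added example, not code from the article; the risk names, scores, band thresholds and client names are all constructed.

```python
"""Added example: scoring and ranking a constructed MSP risk register with
an FMEA-style risk priority number (RPN) and a simple 5x5 risk matrix.
Risks, scores, thresholds and client names are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    severity: int    # 1 (negligible) .. 5 (catastrophic business impact)
    likelihood: int  # 1 (rare) .. 5 (almost certain) -- FMEA "occurrence"
    detection: int   # 1 (caught quickly by monitoring) .. 5 (likely unnoticed)

    def __post_init__(self):
        # Reject out-of-range scores early; a typo here silently skews the ranking.
        for field in ("severity", "likelihood", "detection"):
            value = getattr(self, field)
            if not 1 <= value <= 5:
                raise ValueError(f"{field} must be 1..5, got {value}")


def rpn(risk: Risk) -> int:
    """FMEA risk priority number: severity x occurrence x detection."""
    return risk.severity * risk.likelihood * risk.detection


def matrix_band(risk: Risk) -> str:
    """Band on a 5x5 severity/likelihood matrix (thresholds are constructed)."""
    score = risk.severity * risk.likelihood
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_risks(risks, likelihood_override=None):
    """Return risks sorted by RPN, highest first.

    likelihood_override maps a risk name to a client-specific likelihood,
    e.g. raising 'flood' for a coastal customer, clamped to the 1..5 scale.
    """
    override = likelihood_override or {}
    adjusted = [
        Risk(r.name, r.severity,
             max(1, min(5, override.get(r.name, r.likelihood))), r.detection)
        for r in risks
    ]
    return sorted(adjusted, key=rpn, reverse=True)


# Constructed baseline register: the common risks the article lists plus one
# geography-dependent risk.
BASELINE = [
    Risk("ransomware", severity=5, likelihood=3, detection=2),
    Risk("phishing", severity=3, likelihood=5, detection=3),
    Risk("backup loss", severity=5, likelihood=2, detection=4),
    Risk("hardware failure", severity=3, likelihood=3, detection=2),
    Risk("flood", severity=5, likelihood=1, detection=1),
]

# Constructed per-client adjustment: a customer on a flood plain.
COASTAL_CLIENT = {"flood": 4}


def report(risks, likelihood_override=None):
    """Ranked (name, rpn, band) tuples for a client's register."""
    return [(r.name, rpn(r), matrix_band(r))
            for r in rank_risks(risks, likelihood_override)]


if __name__ == "__main__":
    for label, override in (("generic client", None), ("coastal client", COASTAL_CLIENT)):
        print(f"== {label} ==")
        for name, score, band in report(BASELINE, override):
            print(f"{name:18} RPN={score:3}  matrix={band}")
```

Note that the two models can disagree: "backup loss" sits in the medium band of the matrix because it is unlikely, yet its high detection score (you rarely notice a bad backup until you need it) pushes its RPN to second place. That is exactly the kind of finding the analysis step should surface before you decide where to spend effort first.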
Creating a Risk Management Workflow
Below, we outline the five main steps that your MSP risk management workflow should contain, regardless of the exact risk group:
- Identification. First, you need to identify the exact risks for the given area, such as a ransomware attack, phishing breach, or downtime due to a natural disaster.
- Analysis. During analysis, you should evaluate the severity and the probability of the risk, define which business function could be harmed in which case, and prioritize the risks. This step is essential, since it's not possible to focus on all the risks.
- Mitigation. Once the risks have been identified and prioritized, you need to create a set of policies and frameworks to reduce their probability. For example, if your risks are in the IT-security area, you should prepare for possible breach scenarios, including malware attacks, human error, or hardware failures.
- Treatment and damage control. Sometimes the unwanted cannot be avoided and the risk becomes reality. From your customers’ perspective, treatment and damage control are just as important as risk mitigation. Develop your disaster recovery and data breach response plans with care, discuss and verify them with your clients, and review them regularly. Remember that only by acting correctly during a disaster or other unwanted situation can you avoid losing a client.
- Monitoring. Once you have created workflows and frameworks around possible risks, you should constantly monitor those risks from your priority list, and review and recheck your plans.
MSP Risk Management Best Practices
We've already discussed the theory behind MSP risk management. However, to start off on the right foot, you need some practical advice:
- Pay attention to the top 5. While defining your risks, try not to fall victim to overplanning. For example, the most common IT-security risks for all clients in all verticals are backup loss, hardware failure, end-user error, ransomware and phishing attacks. These risks are both common and complex, and you should first create a workflow to mitigate them and only then turn your attention to more exotic ones.
- Start with yourself. Some managed service providers keep forgetting about their own security while pursuing that of their clients. However, no matter how secure the premises of your clients are, if you get breached, their data will no longer be secure.
- Create end-user training programs. You should create both internal and client-oriented training programs. Your team should understand the whole concept of MSP risk management. Your clients, in turn, should at least know how to avoid the most common issues and how to contact your support team.
- Check your backups. No, seriously. Some managed IT providers never verify their backups and, as a result, lose clients during a disaster in which the data cannot be recovered. That is a huge reputational loss.
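What "checking your backups" looks like in practice, as an added example that is not from the article: a restore test that backs up a constructed sample data set, hashes every file in the resulting archive without extracting it to disk, and compares the result against a SHA-256 manifest of the live data. It reports files that are missing, altered or unexpected, so a stale or incomplete backup is caught by a scheduled check rather than by the disaster itself. All paths and file contents here are constructed in a temporary directory.

```python
"""Added example: restore test for a tar.gz backup using SHA-256 manifests.
Sample data, archive names and the 'stale backup' scenario are constructed."""
import hashlib
import posixpath
import tarfile
import tempfile
from pathlib import Path


def source_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> None:
    """Back up the source tree into a gzip-compressed tar archive."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def archive_manifest(archive: Path) -> dict:
    """Hash every regular file inside the archive by streaming it from the tar.

    Reading members directly avoids writing untrusted paths to disk during
    the check and also exercises the full archive, catching a corrupt stream.
    """
    digests = {}
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                name = posixpath.normpath(member.name)  # "./a/b" -> "a/b"
                with tar.extractfile(member) as fh:
                    digests[name] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_manifests(expected: dict, actual: dict) -> list:
    """Return sorted problem strings; an empty list means the backup matches."""
    problems = []
    for path, digest in expected.items():
        if path not in actual:
            problems.append(f"missing: {path}")
        elif actual[path] != digest:
            problems.append(f"altered: {path}")
    problems.extend(f"unexpected: {path}" for path in actual if path not in expected)
    return sorted(problems)


def verify_backup(source: Path, archive: Path) -> list:
    """Restore test: does the archive reproduce the current source tree?"""
    return compare_manifests(source_manifest(source), archive_manifest(archive))


def run_demo():
    """Constructed scenario: a fresh backup passes; after the live data changes,
    the same (now stale) backup is flagged. Returns both problem lists."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "client-data"
        (data / "sub").mkdir(parents=True)
        (data / "notes.txt").write_text("quarterly figures\n")
        (data / "sub" / "data.bin").write_bytes(bytes(range(64)))

        archive = Path(tmp) / "client-data.tar.gz"
        create_backup(data, archive)
        fresh_problems = verify_backup(data, archive)

        # Live data moves on, but no new backup is taken.
        (data / "notes.txt").write_text("quarterly figures (revised)\n")
        (data / "sub" / "added.txt").write_text("new contract\n")
        stale_problems = verify_backup(data, archive)
    return fresh_problems, stale_problems


if __name__ == "__main__":
    fresh, stale = run_demo()
    print("fresh backup:", fresh or "OK")
    print("stale backup:", stale or "OK")
```

Run this kind of check on a schedule against the manifest captured at backup time, and treat any non-empty problem list as an incident rather than a warning: a backup that cannot reproduce the data is the "backup loss" risk from the top-5 list already realized.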
- Create documentation. Don't rely on your own knowledge or your team's expertise. You should create and update your documentation regularly. Document each successful attack or breach; the post-mortem process is especially helpful in mitigating future unwanted events.
- Legal risks. If you have clients subject to compliance requirements, discuss that with your attorney. You need to be sure that, if they fall victim to a data breach, you are safe from prosecution. Also, review all your SLAs, MSAs, and SOWs with your attorney; this will protect you in the event of a lawsuit by an unhappy customer. The final thing you need to do to mitigate legal risks is to invest in general and cybersecurity insurance. This is essential, since any lawsuit is expensive and the insurance will cover the expenses.
Risk management is an approach, a mindset that you should support with actions. If you embed it into your organizational structure and the strategy of your managed IT services, it might become one of your distinctive competitive advantages in the highly saturated MSP market.