From Theory to Practice: Managing Risks in an ICT company

Content on risk management often seems theoretical and something that has little to do with the reality. This is why this time I am presenting a practical example of how we identified the main risks and took measures to prevent their realization, that could in a worst-case scenario jeopardize the very existence of our company.

It happened years ago, when I was working in an information technology company. In the scope of our preparations for obtaining the ISO 27001 Certificate we also needed to assess the risks. Our approach wasn’t just a formality to meet the requirements of the standard, but very practical to prevent the risks we identified.

We soon agreed the sole heart of our activity were the servers and their equipment. If anything affected our infrastructure, we wouldn’t be able to perform most of our services. This is why we solved this issue firstly.

We identified two main risks for the server room, namely the unauthorized access and fire hazard.

To protect the space against unauthorized access or burglary, we installed an anti-theft door and significantly restricted entry with the access control system. To protect the room from fire, we started to follow the room temperature and installed an automatic fire alarm system, which was then extended to other areas too. We have also agreed to store backups outside of the company and coordinated a protocol of quick information and intervention with the security service in the event of triggering an alarm.

Among the measures, we also considered the installation of a stable automatic fire extinguisher system and the possibility of running servers at other location, however we decided not to follow them through.

Another crucial factor for our business was the Internet, because we performed the majority of our services on remote. And when, for example, during construction work the main optical connection was carelessly interrupted, we ended up without having access to the web for almost a day.

Besides the fact that we were unable to offer support to our customers, this seemingly small error had severe financial implication for us. Each hour without Internet meant a revenue loss of between 500 to 1000 euros.

To increase our network reliability, we arranged Internet access through two operators, assuring we had physically separated network connections.

These are just a few of the measures we have taken on the basis of a risk assessment. In a similar way, we analyzed all the processes in the company, from the treatment of employees, to the sale, procurement, development and execution of orders, and took measures for each department separately.

P.S.: If you find this article interesting, you can learn more here:

How to identify risks?
How to manage risks systematically?
How to define “a risk”?


Contact our team if you need help with risk assessment.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.