Drivers like compliance and cyber liability are influencing the way companies think about risk management, and their reliance on trusted partners like MSPs to help them manage it. In this episode of the Insider Series I sat down with Ben Tercha, VP of Operations at Omega Systems to dig into industry-specific drivers, insurance requirements and how formalizing an internal risk committee can help risk management processes run smoothly.
James Mignacca (JM): What are the trends that you're seeing currently when it comes to risk management and how MSPs play a role in that?
Ben Tercha (BT): The volume of inquiries around risk management and the level of detail that customers and clients are asking for has increased over the years. Our clients, especially in vertical markets that have a lot of regulatory requirements are becoming more sophisticated. They're required to ask these questions when they're partnering with a vendor like an MSP who has access to the network.
Risk management has elevated to a level where companies are asking process-related questions of their vendors. They’re asking their vendors about their risk management policies; their risk register and how often they’re evaluating risk. This happens frequently with our financial institutions and banking customers - they ask us questions regularly because they want to follow some type of process themselves, but and also perform some type of vendor due diligence and vendor management.
JM: What are the drivers you’re seeing that affect risk management? Is it compliance? Is it due diligence?
BT: Risk management is more of a compliance activity. It's a bank examiner or insurance agent prompting the conversations. Cyber liability renewals are a significant driver behind these questions and discussions.
We aren't seeing a lot of customers looking to do what I call risk transference, or where the customer wants us to take over their entire risk management strategy. They’re continuing to run internal processes and have committees to support them. We've sat on committees for customers to ensure they’re evaluating risks with software, how they’ll mitigate risk and address what they’ll do if the software goes down. It's kind of like your BCDR (business continuity and disaster recovery) strategy, but instead you're focusing on the risk side of the business.
JM: That’s interesting because obviously, different verticals have different drivers, especially in finance and government. Do you find customer risk profiles vary depending on their industry or what they’re trying to get out of a risk management exercise?
BT: There is a common theme across customers - it's probably a gradient scale. Financial institutions and large, potentially publicly traded companies have their own regulatory requirements, so there’s a high interest in risk management.
Large insurance providers have a vested interest in risk management and particularly how we as an MSP are supporting the customer. They want to understand the services we're providing and what happens in the event our services or staff are unavailable – what kind of risk do those situations create? They want to know if our shared customer is calling our service desk and phone system is down or our staff aren't available, what does that mean? How does that impact the business?
JM: If a client comes to you and is (arguably) doing nothing on the risk management side, what does their starting point look like? How do you guide them?
BT: It's a continuous process. In terms of guidance, customers who don't have a risk management framework in place today are asking how and where to start. That process begins by creating a risk management policy that’s unique to the business and outlines anything that could interrupt business operations. The next step is to develop a risk committee.
JM: Does the risk committee include different individuals inside the organization?
BT: Board members don’t participate in risk committee meetings, but you may have an executive who's on the board and who reports to the board that then partakes in the process by managing the risk committee or managing the process itself.
The committee includes individuals with different perspective and business knowledge to ensure the company can widely identify physical, software, supplier and people risk. It involves a lot of brainstorming to closely examine likelihoods and consequences or risks across the spectrum.
Some risks can't be prevented. It's about being prepared to respond when an event does happen. You're never 100% secure, and that's the reality. So as a business leader you have to pick a threshold which the company has deemed acceptable when it comes to risk, and the mitigation steps to take if and when an event happens.
The key is to ensure quarterly cadence. There are always new ways to better protect and insulate ourselves. That's the constant evolution of risk management - it never stops.