3 ways users address IT risks (and the hidden cost of doing nothing)

a macro shot of a LEGO figurine sitting at a LEGO office desk and computer. The figurine is facing the camera and wears a worried expression.

When selecting IT investments, it can be difficult to choose when and how to make wise purchasing decisions. You don’t want to spend too much on a poor investment, nor do you want to fail to act and lose money.

Regarding IT system and security risks, failure to decide could have disastrous consequences. These can range from a slight inconvenience (i.e., a slow computer) to a crisis (i.e., data theft or a downed IT system, knocking your business offline, costing time and money).

But how do you know when to make an IT-related change and when to stay the course? When facing an IT investment decision, you must ask, “What happens if I do nothing, and am I okay with that result?”

Our goal for this article is to help you answer that question.

For over 25 years, WEBIT Services has helped hundreds of clients build IT strategies and create effective solutions to IT risks and problems.

By the end of this article, you will learn an introduction to the different It risks and their possible consequences, three different response styles, their reasoning, and how to discuss risks and resolutions with your IT team.

 

Discovering IT risk

Each quarter, your IT provider or internal IT team should perform a risk assessment. This assessment will show any risks at your organization ranked by a combined score of level of damage and likelihood.

These scores are then organized into four levels of risk: critical, high, medium, and low. A critical risk is highly likely to occur, and when it does, the damage to an IT system will be severe. On the opposite end of the spectrum, low risk will have little effect on systems.

Risks can include:

  • Cybersecurity incidents
  • Viruses and malware
  • Software updates and patches
  • Hardware performance degradation or failure due to age
  • Back-up systems that take a long time to recover or are unable to recover

A hardware risk example

For example, a server’s age could be a hardware-related risk.

If the server is new and under warranty, it would be considered low-risk. It is improbable that a new server will suddenly fail due to wear and tear, and the manufacturer will repair the server or send a replacement parts if a defect is discovered.

However, if the server is seven years old and has been deemed “end of life” by the manufacturer, it would be deemed a critical risk. In this situation, it’s not a question of “if” the server fails but “when” it fails.

Once the risk assessment is performed and presented, it is up to the client to determine whether the server should be replaced or wait and see what happens.

In the case of a low-risk server, the client will likely wait because damage is currently unlikely.

However, a critical-risk server crash will take the whole IT system down. If a backup server is not waiting in the wings, getting a replacement server can take days or even weeks.

If the IT system goes down without a replacement, it will halt productivity and cost the company profits for every hour it’s down, not to mention damage to its reputation.

 

3 ways to address IT risk

When a risk is presented, it is up to the client to choose how to address it. Of course, IT providers and internal IT teams are there to offer their expertise and recommend next steps, but the final say rests with company leadership.

This is when you must ask the question, “What happens if I do nothing? Am I okay with that result?”

Your IT specialist can present possible outcomes based on the risk assessment. From there, generally, there are three reactions:

  1. Act (usually, by purchasing new technology)
  2. Stay the course, and do nothing
  3. Decision paralysis

For each option, both the client and IT provider must understand possible outcomes and expectations. Expectations should include:

  • What the client hopes will happen through this decision
  • The budget available
  • The budget needed to address the decision

Once these are aligned, the client and provider can make educated next steps toward risk resolution.

1.     Act (usually, by buying new technology)

The risk of not doing anything can be greater than the cost of purchasing new technology.

In our previous example, an old server needed to be replaced. If the client chose to do nothing, the server would inevitably fail, and its failure would take all connected technology offline. The organization could also lose any data stored on that server.

In this case, the organization must choose between the cost of a new server or the cost of downtime and lost information.

Each hour that its technology is offline, the business is losing money.

If they haven’t created a backup plan and system, data is lost and likely unrecoverable. Hours, months, or years of work could be gone instantly.

Is the cost of new technology worth preventing this kind of loss?

In this situation, many would answer, “yes.”

If a risk assessment presents a high likelihood of enormous losses, these risks require action. Before taking next steps, the client and IT provider must discuss possible outcomes, technology that can bring desired results, and budget accordingly.

2.   Stay the course

Sometimes, the cost of purchasing new technology is greater than the risk.

In our previous example, this would be the case with the new server. The server is unlikely to fail due to age and is also covered under a manufacturer’s warranty. The risk is very low for the time being.

In this circumstance, it’s more financially responsible to wait and not make immediate changes.

The same could be said for making significant IT system changes. Here, you must choose between trying something new or staying with the familiar system and processes, even if it’s not as fast or efficient as the new system.

In this case, choosing not to change (or not to choose) might be the wiser decision depending on your company, budget, and definition of “return on investment.” Again, the choice comes down to cost vs. risk (potential loss). If the price to update is greater than the potential losses of not updating, many choose not to do so.

However, there are times when a client may feel that a change is too expensive, regardless of the risk. If that’s the case, they then must choose to accept the risk and understand that they may lose information, system functionality, and profits. In critical risk situations, the likelihood of system failure increases over time.

 

3.   Decision paralysis

And then, there are times when there are too many options to research and wade through to determine the cost of change vs. the cost of risk.

In these circumstances, clients are usually presented with too many options and too little information. This leads to a “paradox of choice,” which creates decision paralysis. A client ends up not choosing a path forward because there are too many paths to take.

If you are facing decision paralysis, talk to your IT provider or internal IT department. Ask your IT specialist the following questions:

  • “What is the exact risk? What happens if I do nothing?”
  • “What are the possible outcomes?”
  • “What are the best two or three options for my business?”
  • “What is the estimated cost for each of these options?”

Narrowing down the information and possibilities can help you better evaluate the situation and choose whether to address the risk or not. Once you have more specific options and clarity about the case, you can make your choice.

However, it’s essential to understand that refusing to choose a response is actually a choice to stay the course. You are not actively making changes, so the choice has been made to maintain the status quo, even if the words were never spoken.

 

Next steps for addressing risk

When an organization faces potential risk, business leaders must ask, “What happens if I do nothing, and am I okay with that result?”

When faced with this question, organizations generally react one of three ways:

  1. They find the risk more costly than investing in new technology, so they make purchases and changes.
  2. They find the cost of new technology more expensive than the risk, and they choose to stay the course and make no new purchases or changes.
  3. They are overwhelmed by possible choices, expectations, and outcomes and cannot choose (unconsciously committing not to change).

You can speak with your IT provider or internal IT team to learn more about possible outcomes, solutions, and budgets. Once this information is shared, your IT specialist can partner with you to make positive changes and reduce risk.

WEBIT Services has specialized in managed IT services, IT strategy, and cybersecurity for over 25 years. It has helped hundreds of clients improve their IT systems, efficiencies, and functionality in that time.

Schedule a free 30-minute consultation to see how WEBIT Services can help your organization.

If you are not ready to make a commitment but would like to learn more about IT risk and IT strategy, we recommend the following articles: