- Hana Skoupá
In companies, cybersecurity risks are often discussed only when something goes wrong. Data leaks, a project is delayed, technology fails. But risk management is not about crisis management – it is about prevention. And surprisingly, it is not complicated at all. It is more about the ability to name things, evaluate them, and decide what to do with them. Just common sense. The only challenge is to put it down on paper.
What should be protected?
In risk management, we first look at assets – everything that has value for the company and could be threatened. And it is not just IT systems. On the contrary, assets include:
- People – employees, management, know-how in their heads
- Data – contracts, databases, business documentation
- Technology and equipment – production machines, servers, cars
- Processes – the way you deliver services or manufacture products
- Suppliers and partners – because dependencies are risks on their own
The loss of any of these assets (or an outage in their functioning) has consequences – financial, reputational, or operational. That is why we need to treat them as something vulnerable.
What is a risk?
The word “risk” may sound intimidating, but in practice it is simple: the probability that something goes wrong. To have a risk, three things must come together – an asset, a threat, and a vulnerability. Then risk can be roughly calculated, for example, like this:
Risk = value of asset x threat x vulnerability
Example: You store important contracts (asset) only on one server. But nobody backs it up (vulnerability). If the server fails (threat), the contracts are gone because the system was vulnerable.
How does risk manifest itself? Usually in very ordinary ways. A server crashes on Friday evening when everyone has gone home. A key person falls ill and the project stops. A supplier changes its pricing and your budget suddenly collapses. None of this is an “unexpected catastrophe” but rather situations every company will face sooner or later. The difference is whether it catches you unprepared or whether you already have a plan B.
Risk management means identifying these connections and deciding what to do with them:
- some risks we accept (because they are small or too costly to address),
- some we mitigate (e.g., with training, backups, supplier control),
- and some we eliminate completely (e.g., by discontinuing a risky service).
In practice, risks are often recorded in a “risk matrix” – a table or graph where the X-axis is probability and the Y-axis is impact. Suddenly you see which risks are minor and tolerable, and which ones flash red because they are both frequent and costly. This helps you decide where to start. The greatest added value is not in the table itself, but in the fact that it forces people to sit down together and discuss risks.
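To make the formula and the risk matrix concrete, here is a small risk register written for this article (it is an added example, not a tool the author describes). It scores each risk as value of asset x threat x vulnerability on a constructed 1-3 scale, places each one in a probability/impact cell, and picks one of the three treatments named above. The scale, the treatment rule, and the mapping of probability to threat x vulnerability and impact to asset value are assumptions; the sample entries are constructed from the examples given on this page.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed 1-3 ordinal scale (assumption: the article prescribes no particular scale).
LOW, MEDIUM, HIGH = 1, 2, 3
LABEL = {LOW: "low", MEDIUM: "medium", HIGH: "high"}


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str                     # what has value and could be harmed
    threat: str                    # what could go wrong
    vulnerability: str             # why the asset is exposed to that threat
    asset_value: int               # 1-3: how much losing the asset would hurt
    threat_level: int              # 1-3: how likely the threat is to occur
    vuln_level: int                # 1-3: how exposed the asset is
    control: Optional[str] = None  # a mitigation if one exists; None means none is feasible


def score(r: Risk) -> int:
    """Risk = value of asset x threat x vulnerability, on the 1-3 scales (range 1..27)."""
    return r.asset_value * r.threat_level * r.vuln_level


def probability(r: Risk) -> int:
    """Matrix X-axis. Assumption: probability follows from threat x vulnerability
    (a threat only materialises where there is an exposure), bucketed back onto 1-3."""
    product = r.threat_level * r.vuln_level  # 1..9
    return LOW if product <= 2 else MEDIUM if product <= 4 else HIGH


def impact(r: Risk) -> int:
    """Matrix Y-axis. Assumption: impact is the asset's value."""
    return r.asset_value


def risk_matrix(register):
    """Map each (probability, impact) cell to the names of the risks that land in it."""
    cells = {}
    for r in register:
        cells.setdefault((probability(r), impact(r)), []).append(r.name)
    return cells


def decide(r: Risk, appetite: int) -> str:
    """Treatment per the three options in the text: accept, mitigate, or eliminate.
    Assumed rule: accept anything at or below the risk appetite; eliminate what cannot
    be mitigated (no feasible control); mitigate everything else with the named control."""
    if score(r) <= appetite:
        return "accept"
    if r.control is None:
        return "eliminate"
    return f"mitigate: {r.control}"


def ranked(register):
    """Highest-scoring risks first; this is where the discussion should start."""
    return sorted(register, key=score, reverse=True)


# Constructed register based on the examples this article gives.
REGISTER = [
    Risk("Contracts on one server", "Contracts", "Server failure", "No backup",
         HIGH, MEDIUM, HIGH, control="Off-site backups, restore tested"),
    Risk("Single IT specialist", "System know-how", "Illness or departure",
         "Undocumented system", HIGH, MEDIUM, HIGH, control="Documentation and cross-training"),
    Risk("Ex-supplier server access", "Server", "Misuse of an old account",
         "Access not revoked at contract end", HIGH, LOW, HIGH,
         control="Offboarding checklist, periodic access review"),
    Risk("Servers in leaky basement", "Servers", "Water leak", "Known wet location",
         HIGH, MEDIUM, MEDIUM, control="Relocate servers"),
    Risk("Offers in one-PC spreadsheet", "Pricing data", "Disk failure", "Single copy",
         MEDIUM, MEDIUM, HIGH, control="Shared storage with backups"),
    Risk("Service on end-of-life platform", "Customer service", "Outage with no vendor support",
         "Platform no longer maintained", MEDIUM, HIGH, HIGH),  # no control -> eliminate
    Risk("Office printer outage", "Printer", "Hardware fault", "No spare",
         LOW, MEDIUM, MEDIUM),
]


def main(appetite: int = 6) -> None:
    print(f"{'risk':34} {'score':>5}  {'prob':6} {'impact':6}  treatment")
    for r in ranked(REGISTER):
        print(f"{r.name:34} {score(r):>5}  {LABEL[probability(r)]:6} "
              f"{LABEL[impact(r)]:6}  {decide(r, appetite)}")
    print("\nmatrix cells (probability, impact) -> risks:")
    for cell, names in sorted(risk_matrix(REGISTER).items(), reverse=True):
        print(f"  ({LABEL[cell[0]]}, {LABEL[cell[1]]}): {', '.join(names)}")


if __name__ == "__main__":
    main()
```

The two risks the article itself describes (unbacked-up contracts, a single IT specialist) both score 18 and land in the high-probability, high-impact cell, the supplier whose access was never revoked scores lower because the threat is rarer, and the printer falls under the risk appetite and is simply accepted. The numbers themselves matter less than the fact that each row forces someone to name the asset, the threat, the vulnerability and a control.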
Examples of corporate risks
- Do you rely on a single IT specialist who knows the whole system? – Risk of personnel dependency
- Do you make offers in Excel, which is only on one computer? – Risk of data loss
- Do you manufacture something for one key customer? – Risk of excessive dependency
- Do you have servers in the basement, where water has leaked before? – Risk of physical damage
How to manage corporate risks?
Risks are not black and white
When you hear the term "security risk," you may think mainly of hackers and sophisticated cyberattacks. However, most losses and problems in organizations do not originate in IT, but in people, processes, misunderstandings, and simply uncontrolled chaos.
Example: One company had a well-configured firewall, but they didn't know that one of their suppliers still had access to their server even after the contract had ended. There was no attack or data leak, but it was still a serious risk.
It is also often forgotten that risks do not have to be negative. The same process you use to assess threats can also be used to look for opportunities. If you notice that you are too dependent on one customer, it is not only a risk – it is also a signal that it would be worthwhile to expand your market. Risk management can thus also be the basis for business decisions.
Continuity and consistency? Extremely important
When risk management is done on a one-off or formal basis (just because someone wants it in the ISO documentation), it usually has no effect. Why? Because risks change. What was essential yesterday may be negligible today – and vice versa. The pandemic showed that even companies with well-managed technology had to face the human factor: working from home, employee availability, remote communication. Those who had risk management as a living process adapted quickly. Those who had a "file with a table" on the shelf were in trouble.
A good approach is one where risks naturally enter into decision-making – when introducing a new system, changing suppliers, or revising budgets. And that's why we say: common sense on paper. These are things that employees have often long been aware of but that are not recorded anywhere. And when they leave, circumstances change, or a crisis occurs, there is nothing to go on.
That is why it is important that risk management is not done only "from above." When you ask people in operations, at the front desk, or on the support team, they often point out weaknesses that management is completely unaware of. One IT administrator will tell you that the disks are not encrypted. An accountant will remind you that invoices are only stored locally. A production technician will mention that the machines are restarted manually, and when there is no one experienced on shift, production stops. Only when these pieces are put together do you get a realistic picture.
Risk management is a business tool
However, risk management is not just an Excel spreadsheet or a mandatory add-on to an audit. It is a practical way to limit unnecessary losses and keep control of what your company really stands on. At its core, it is the ability to look ahead, anticipate different scenarios, and have a plan in place to protect what is most valuable to you – people, data, processes, and reputation.