No one goes into business with the expectation of having it fail. Despite our aspirations, risk is a harsh business reality. As an MSP, it can be difficult to have the tough talk with clients. After all, telling a client “These are all the reasons you could fail” is not generally well received. Be that as it may, having the tough talk is essential to helping your clients build resilience, which is ultimately the test of withstanding tough times.
Risk is typically centered around people, processes and technology—in that order—and MSP/client conversations should reflect those priorities, according to Alex Spigel, COO of Choice Cyber Solutions and CompTIA’s 2023 Member of the Year.
“Your people always have to come first—always,” Spigel said. “People and process tend to go hand-in-hand, and technology has to come last. Companies often think they can fix problems with technology, but you can’t fix the problem if your people aren’t on board.”
Try these steps when talking to clients about risk, she said.
1. Start by Discussing What Risk Is: Set a Baseline
Before you can analyze or evaluate risk, your client first needs to understand what that entails. Start the discussion by helping your client understand what risk is and what possibilities they may be exposed to.
The best way to assess risk is to engage people from all teams across an organization and discover what risk means to them, Spigel said. As defined by The Hartford, risk is “anything that could impact your company’s finances.” This generally refers to a negative impact.
Risk can be broken down into two categories:
- Inherent risk: Risk that exists in the absence of controls
- Residual risk: Risk that remains after controls are applied
These distinctions are important because they dispel the notion that you have no control over the risk your client faces. Try structuring your initial conversation like this:
- Start by talking about a common pain point that others often see, such as equipment damage.
- Discuss how that loss affects the client in business terms (not jargon!). You might say “that damage will cost you $10,000 to replace and may stall your operations until it’s fixed.” Make it real and tangible.
- Talk about the impact on things that don’t involve money. This might include the loss of critical staff or the need to find new facilities.
- Assure them that risk is inevitable but leave the conversation on a positive note regarding their future. “With the right planning, you can easily overcome these risks with little disruption!”
Practice active listening and document any fears and worries that come out of this conversation.
“It’s about more than just talking to them,” said Spigel. “You need to ask them questions, understand what’s important to them and prioritize their concerns because that’s what’s keeping them up at night.”
2. Talk About How Risk Will Affect Their Business: Conduct a Business Impact Analysis
The next natural question is, "What do those risks mean for my business?" "You need to put structure around the risk," said Spigel. "And you do that by conducting a business impact analysis."
A business impact analysis (BIA) anticipates the consequences of risks to business functions and processes. This evaluation shows the real effects that specific risks can have on day-to-day business operations. The BIA can take many forms.
There are four parts to the BIA process:
- Consider the impact of your risks
- Define the timing and duration of any disruption
- Conduct the BIA
- Produce and evaluate the BIA report
Understanding the impact of your risks helps you put structure to the conversation about resilience. Bring your own perspective to help your client see things from an outside viewpoint and make sure to draw attention to the areas of highest risk.
3. Talk About Their Assumptions: What Qualifies as Risk?
Many leaders have assumptions about what qualifies as risk for their business. Often these assumptions inhibit their ability to see the larger picture and truly understand what will disrupt their operations. Talk to your client about what they think are risks to their business.
Remember not to discount their perspectives; instead, try to build a comprehensive picture of where all their risk lies, both in financial terms and in areas not tied to revenue. Also, do not look for blame; identify paths for improvement.
Questions to ask:
- What keeps you up at night?
- What would cause disruption to your operations?
- What are your current processes?
- What can be updated?
- What is your business continuity plan?
- How can we improve it?
- What would you do if the worst happens?
- What do you think others don’t know about your business?
4. Operationalize the Risks: Moving from Knowledge to Action
Once you have conducted your analysis, you need to take your client from knowledge to action. This is what Spigel suggests for that process:
- Break the BIA down into bite-sized chunks to make it manageable
- Take a pessimistic approach in the conversation to uncover the worst-case scenario
- Consult an expert to bring in any critical knowledge or missing skills
- Seek employee feedback regularly and iterate on your processes and procedures
- Analyze customer complaints and identify trends in pain points
- Conduct internal and external research to build a strategy
5. Develop a Risk Strategy: Building Resilience
If Spigel has one primary goal she wants to impart when talking to clients about risk, it’s to build sustainable resilience. The entire point of developing a strategy is to make sure that your client can handle what comes their way.
In a working session, have your clients document the following:
- Prioritize risks in order of severity, highest first
- Identify mitigation activities for each risk
- Implement redundancy where possible
- Develop or update your business continuity plan
- Outline and test your incident response procedures
- Update and evolve over time
Spigel suggests that you approach all conversations with an open mind. Always be professional and seek ways to move forward without trying to lay responsibility on teams or people for what has already taken place. She also stresses that MSPs should follow the airline rule for oxygen masks: make sure your own house is in order before taking measures to help a client.
Raise Your Cyber Awareness.
Learn more about earning the CompTIA Cybersecurity Trustmark