This series explores the three stages that marketers and IT professionals will work through to assess potential threats and vulnerabilities and, in the end, establish a solid risk management protocol. Each post focuses on one of the following stages:
Part I) Understanding the damage that potential threats can do to your data
Part II) Creating the best risk assessment model for your company
Part III) Turning risk assessment into risk management
What Kind of Risk Assessment Is Best for Your Team?
Assessment never sleeps. Whether you already have a risk mitigation policy or you’re just starting to create one, you have to constantly be on the lookout for new threats that pop up and how they may impact your vulnerabilities.
So where should you start?
First, you’ll want to look at all your risks, both the general ones that affect all businesses and the ones specific to marketing. Based on your research, you’ll decide (and perhaps create) the risk assessment model that will serve you best.
Risks We All Have
No matter what your special niche is, some forces of uncertainty affect all companies. Common risks that apply to us all are:
- Strategic risk: There will always be uncertainty around a company’s strategy, especially in an unproven area with little to no historical data to support strategic decisions, whether it’s a company-wide objective or a particular marketing campaign.
- Operational risk: These are risks that you are most likely to encounter within your own company, ranging from all the hardware and software you must update and maintain to staffing and leadership issues that negatively impact revenue.
- Financial risk: This includes anything that involves unpredictability and your bottom line, like interest rates, currency exchange, and any other financial investments your company makes.
- Pure, unforeseeable risk: Think natural disasters, flooding, wildfires, and earthquakes, but this includes man-made catastrophes as well, such as war or a data breach.
Clearly risk is everywhere, but we are going to focus on the operational risks associated with big data and the strategic and operational risks associated with marketing.
Risks Specific to Marketing
Marketing has its own set of risks, so you will need to create a risk assessment framework that everyone can agree on, from senior management and the directors on down to the marketing team doing the tactical work.
Using this framework, you will identify the threats you already anticipate as well as the possible solutions for protecting your data and launching successful campaigns. Your marketing risk management framework should address the following four areas:
- Business objectives: What are your company-wide goals that are supported by marketing efforts? Marketing needs to manage risk for these goals.
- Key Performance Indicators: Marketing uses these metrics to measure its own success. If a risk impacts marketing, these KPIs may be where the damage shows up first.
- Key Risk Indicators: These are the events that can impact the KPIs, and the analysis of KRIs will determine the controls you put in place. The areas where something might go wrong could include:
  - Data: Any change in customer preference and behavior could throw off your targeting.
  - Strategy: Any disconnect between the strategy originally planned and how the campaign actually performed jeopardizes success.
  - Operations: Chief risks in this area include having the wrong people in key marketing positions, flawed processes, and hard-to-integrate technologies.
- Key Control Indicators: Keeping your business objectives in mind, you will create control indicators to respond to negative KPIs and KRIs. The type of control will determine the kind of mitigation you’ll apply.
Choose a Risk Assessment System for Your Database
The simplest formula for evaluating threats is the risk assessment matrix: Risk = Probability × Impact. The first important choice you’ll need to make is how you will rate probability and impact. The two main models are:
- Quantitative: In this model, you would quantify each threat using a numeric scale of 1 to 10. Often this is built off statistics and is mostly used for predicting future risks. Quantitative is the faster model, but it can leave out the context around the threat.
- Qualitative: This model gives you a general idea of what each risk is before subjectively ranking it low, medium, or high. In general, leadership prefers a qualitative assessment simply because you have to research each threat before you rank it.
Data Assessment Must-Haves
Most companies maintain a database of some kind, and with first-party data being the most valuable asset a brand can have, protecting it from catastrophe is a high priority. Here are a few of the key areas your marketing team and IT should be thinking about:
- System characterization: Document all information about every piece of hardware and software you have running, how they’re interconnected, and who is responsible for each piece. Documentation should also include security and backup policies, even climate control considerations where applicable.
- Threat identification: This would include every possible threat under the sun, from natural disasters to hackers, terrorists, and even employees who might harm your database either accidentally or with malicious intent.
- Vulnerability identification: Once you identify a threat, the next logical step is to match it up with the most likely vulnerability. Though you will need to update this list over time, it should provide a good look at your weak spots.
- Control analysis: What are the tools and checkpoints you can implement that will block or minimize a threat exploiting a weakness in your system? For example, two-factor authentication and antivirus software are common control tools.
- Likelihood determination: Create a simple grading system (low, medium, high) to evaluate the probability that an identified threat could exploit an identified vulnerability.
- Impact analysis: Here you would establish the extent of damage that could be caused by exploiting a vulnerability. Generally, you would grade each impact low, medium, or high based on one of three things:
  - Loss of assets or resources
  - Damage to the brand’s reputation
  - Things that would cause injury or death
- Risk determination: This combines likelihood, impact and control analyses for each risk you have identified. How probable is the risk? What damage can it do? And what safeguards can you put in place to eliminate or minimize the threat?
- Results documentation: This is the final step in the assessment process where you report on how your risk assessment process has performed. Use this documentation to improve your controls and re-evaluate your security policies.
Apply the Assessment to Your Campaign
Marketing needs its own set of assessment goals as well. To revisit the campaign stages from Part I of this series, think about what your assessment needs to do at each step along the way.
- Initial planning: At the very least, you want to include risk assessment early on as the project is being put together so that decisions about budget and scope will be as realistic as possible.
- Opportunities: As you identify the most typical potential risks – the ones that keep popping up in most opportunities – find an assessment model that will best calculate the probability of achieving your campaign goal, whether it’s increasing ROI, market share, or customer engagement.
- Campaign development: Among the other things in your assessment, have you accounted for all the costs associated with launching your campaign and have you taken any third parties into account for your scheduling? What will you risk if you’re late? How might that affect other projects afterward?
- Campaign launch: Are you accounting for internal threats from inside your own company? For example, maybe the social media advertising budget gets cut, and you have to pull your campaign from Facebook and Google Ads. A champion of your original idea may also leave the company while the campaign’s performing, and suddenly you don’t have support from leadership anymore.
- Campaign success: To achieve your objectives, you absolutely should evaluate your assessment policy at the end of the campaign’s timeframe. Here you’ll ask a bunch of assessment questions: Did your email make it to the intended inbox? Was your subject line yawn-inducing? Was there a dead link or non-functioning CTA button in the email? Were there typos? Did you offer too great of an incentive? Has it sparked a public relations fiasco? Is your messaging resonating in the way you intended?
In Part III of this series, we’ll discuss mitigation responses for threats identified by the assessment.