Enter the Risk Matrix

Thursday, October 3rd, 2013

In a blog post two weeks ago I wrote about our customers best reasons for backing up SaaS data. I mentioned the business risk calculated as Risk = Probability x Consequence

To break it down and create a reasonable amount of scenarios, the matrix below is pretty useful for SaaS application usage:

a risk matrix

If we are (un)lucky, we have metrics for the probability and consequence, such as e.g.

– A single email is lost in the service we are using, which if not restored will take 2 hours to reproduce or work around. This happens on average once per day.

– A user deletes a large number of emails or files in a SaaS application, which if not restored will take on average 2 business days to reproduce or work around. This happens on average once every month.

The further to the left of the matrix we get, the harder it usually is to have perfect metrics, which is where we turn to estimates instead.

– Shared information related to a particular project is lost because of a user mistake or a disgruntled employee, and can not be reproduced in time, so a sales opportunity worth $X is lost. Depending on how the company works and close calls in the past, we may need to consider the average probability once per year.

– A massive amount of information is lost through system related issues, eventually forcing the company out of business. This may not have happened to any company using the particular SaaS service, so it may be very unlikely and hard to gauge in our matrix.

But, when we think about risk, we instinctively understand that “very unlikely” is not exactly zero, and that an event with a very high impact, even if very unlikely, is still a factor we may want to consider.

If we didn’t, there would be very few lotteries or fire insurance policies around.

Off topic: If you are reading this and don’t have fire insurance, you may be interested to know that there is a structure fire reported every 65 seconds in the US alone. For thousands of people every year, the difference in risk between zero and “very unlikely”, literally means life or death.

At the other end of the spectrum, we know that “very likely” isn’t exactly the same as always.

If it was, the crumpled paper would always hit the paper bin. I know for a fact mine don’t.

So, one approach to making business decisions about protective efforts such as SaaS data backup, could be the risk matrix above, either with real metrics or estimates. If nothing else, I find it a great tool for structuring the thought process.

Seacrest Out.

Please email me at marcus.nyman@cloudfinder.com if you want to discuss your business risk with or without SaaS backup.

Comments are closed.