This series explores the three stages that marketers and IT professionals will work through to assess potential threats and vulnerabilities and, in the end, establish a solid risk management protocol. Each post focuses on one of the following stages:
- Part I) Understanding the damage that potential threats can do to your data
- Part II) Creating the best risk assessment model for your company
- Part III) Turning risk assessment into risk management
The Mitigation and Risk Management Plan
You’re tracking how objective-centric your strategic deployment is. After completing competitive research, you’ve got your threat and vulnerability identification in place. Now you need to choose a management response for each of the threats your company has identified as being the most likely to affect you.
Though you should assess all potential risks, you will not necessarily need to address every single risk, as shown in these four basic types of risk mitigation:
- Risk acceptance: No mitigation. Here a company decides it would be too expensive to fight a particular risk, and they accept it as a cost of doing business.
- Risk avoidance: Total mitigation. The most expensive of the four mitigation types, avoidance involves software, hardware, and policies that will make every effort to thwart chaos.
- Risk limitation: Also called risk reduction or control, this is the most commonly applied risk strategy, a combination of acceptance and avoidance. For example, you accept that a server could fail and have backup servers to avoid a total website crash.
- Risk transference: The pass-the-buck option. Here a brand hires a third party to mitigate the risk.
Marketing Responses to Campaign Risks
In Parts I and II of this series, we talked about the most common risks marketers have to deal with from the initial planning stage of a campaign all the way to post-campaign reporting. Now with all your assessment and mitigation policies in place, let’s take a look at those campaign stages again and make sure everything is being taken into account:
- Initial planning stage: Risk mitigation would include not only making sure that all marketing stakeholders are on the same page in terms of project scope and objectives, but it would also benefit from identifying all roadblocks and threats that could get in the way of successfully completing the project, whether it be a financial threat or a time-to-completion risk.
- Opportunity assessment: During the vetting process, this assessment is what will project the most likely outcomes, and what you want to see is how much ROI each opportunity could bring in. Low-risk, low-reward opps generally win out, but this process will also identify the high-risk, high-reward opps that are most likely to succeed.
- Campaign development: You now take all the risk analysis you’ve done on an opportunity and use it as a guide to keep you on track throughout the campaign planning and development stages, because one of the bigger marketing risks you have to be looking for is going off plan, which can drive up costs and still not give you what you want in the end.
- Campaign launch: You release your campaign into the wild where all sorts of risks lie in wait. You will certainly be managing the internal risks, the uncertainties that could pop up within your own company, like slashed budgets or lack of support from leadership or the sales team. But you also need to watch for the risks in the marketplace. At the very least, your risk assessment should identify the most likely threats you might have to deal with.
- Campaign success: ROI is your ultimate goal, but you should also use this stage to critique your own risk assessment. Did you identify all the risks that affected the campaign? Were the controls you put in place effective at mitigation? Were there any new vulnerabilities that you had not thought about? You’ll take the answers to these questions and apply this risk intelligence to your process documentation and all the campaigns to follow.
What You Can Do Now
Sure, you can’t predict everything that could threaten your marketing efforts, but there are things you can do to make sure you’re never caught completely off-guard and that you have a system of processes in place to get to the solution to a risk as fast as possible.
Perform a Business Impact Analysis
Business Impact Analysis goes hand and hand with your risk assessment. In fact, the BIA will inform your risk assessment (as well as your Disaster Recovery plan) as to what are the most valuable, operations-critical, and vulnerable areas in your company. Then for each of these critical areas you would project the potential damage that would come from a disruption of service, including financial cost, how long recovery might take, and which countermeasures are in place or need to be applied to mitigate these risks.
Doing a BIA will help you come up with the best response for each risk, as shown in the following examples of BIA-identified risks:
- Physical access to your data: Establish protective measures to prevent a threat from happening, like requiring employees to have an access card so that only appropriate people have access to your physical servers.
- Power outage: Develop mitigation responses, things that will limit the amount of damage that this threat can do, such as using an uninterruptible power supply to prevent real-time system failure from an electrical outage.
- Business continuity: Create a process for data recovery. Perhaps you have redundant warehouse sites or servers that would become integral to getting your network and all of its data back online.
Align with Your Disaster Recovery Plan
Review (or establish) your Disaster Recovery (DR) plan to make sure you’ve addressed how to protect your business continuity should something terrible happen to your database. Risk assessment and mitigation directly support your DR plan.
Come Up with Responses to Potential Threats
At the very least, a risk assessment should allow you to create a list of likely risks and the best response to mitigate each.
For example, let’s say your marketing team is continually having trouble giving the director exactly what she asked for in a new campaign. She sent the team an email with a bullet list of what she thinks is important to cover, but perhaps she didn’t include audience information, specific incentive details, or the ultimate goal of the campaign. To mitigate the risk of campaign failure, a logical response would be to establish a system using Creative Briefs that would standardize the information your director communicates and would answer the most important questions the team might have.
Here are a few other possible responses to risk:
Risk isn’t something we marketers like to consider very often. We already have a bunch of potential threats that we can control (like typos in an email). So it’s not much of a surprise that we don’t like to worry about all the stuff we have no control over (like weather). Yet if you avoid risk assessment, you are gambling and dependent on luck.
Do your research, recommend mitigation controls, and do all you can to foresee threats and protect your data. Now. Because data is never going away, and it truly is the most valuable asset your company has.