Summer Fun? Try a Risk Assessment.

Mark Berman
Think|Stack
Jul 16, 2018

So let’s face it. Risk Assessments aren’t fun. Everything about fun makes a risk assessment the opposite. It is, for the most part, backwards looking. It distracts from pressing issues of the day. Throughout the process, all the way to the result, it shines light on your weaknesses, gaps, and mistakes. And, most of all, it just makes one feel defensive.

But it does not have to be that way.

How do I know? I’ve just spent the first two weeks of my summer doing IT risk assessments, thousands of miles from home.

My experience in the last two weeks is a case in point. Two very different financial institutions. Two very different weeks. One thing that was in common? It was pleasant. Even, dare I say it, enjoyable.

Don’t get me wrong. There were many, many questions to answer. The days were long. Reports and policies to read. But, work is work right?

What makes my reflection, written at 37,000 feet on a cramped Delta plane, lean on the side of fun? Well there were a few things.

First, it was the clients. The first client is a $1.2 billion dollar credit union that is a rocket ship to the future. They don’t talk about change, they live it. Compliance and anything less than best practices are an anchor dragging in the water behind a speedboat for them. In such an environment, there is no time to dwell on what did not work out. Only time to get your bearings, plan, move ahead, and repeat.

The client team is ready. All it requires is clarity of needs and direction, and the work gets done. Their assessment isn’t about the past, it is about positioning for the future. The match and performance of tools, processes and people is like a ticket to that future. It was a pleasure to be along for the ride, and I left with my creative juices flowing. And hope that I left some ideas behind to stir the pot on the way out.

The credit union continues their headlong run to the future.

The second client is a $50 million credit union reeling from the loss of their CEO, CFO and stymied by a poor CAMEL rating. There is no flexibility and no money to spend. But there is a plan. There is an incredible optimism that reflects a working community of fishermen. The next catch WILL be the big one.

An IT risk assessment for this credit union is also about the future. Technology screams with ginormous complexity. Technology and the cloud offer the prospect of an equal playing field with national and international banks. But this organization has a total of 16 people and an uphill battle.

So, the IT risk assessment for the smaller credit union represents a door. Unless there is compliance, that door cannot open. The challenge is to understand the gaps and address them. Then, quick. Pivot and use technology to outcompete the regional and national players that have a foothold in a small town, but no loyalty from the locals.

In two days, we did exactly that. We used a new assessment that Think|Stack has built. We addressed 1,500 separate questions. We found footing and priority.

We began a walk down a path to the future.

So what is in common between the two experiences?

  1. Both organizations left the past in the past and face the future head on and without fear.
  2. Both teams saw an IT assessment as an opportunity, not a chore.
  3. Neither team was afraid to roll up their sleeves and go to work.
  4. Both realized that “a finding” was a success because a finding in the light of day can be addressed head on.
  5. Both realized that the assessment was theirs. An honest assessment with a plan to address findings is all the regulators want in the first place. Exams from regulators’ point of view will be a breeze.

Lastly, we at Think|Stack took responsibility for the experience. We built a tool that is 100% guaranteed to be used between assessments. The findings will not sit on a shelf. Up and down the organization, as items are addressed, progress will be communicated visually and effortlessly. Next year’s assessment will build, not repeat this one. Incidents that can interrupt plans will be tracked in one, secure place.

No, IT risk assessments are not the kind of fun that I will have this weekend playing football with my friends. Or, at a barbecue after.

But, if we leave the past where it belongs — in history. If we focus less on the obstacles we can devote our effort to exploiting technology to open new worlds. Reflecting on two weeks of hard work and discovery, I know an IT risk assessment is not a burden. It is an opportunity to meet, get creative in terms of solutions, meet and occasionally laugh with new people. And, dare I say it?

Fun.

Mark Berman
Think|Stack

Founder of FutureFeed.co. The most complete and efficient, strategic compliance platform.