The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/163881
FACE THE FACTS ABOUT RISK Before attempting to convince others that taking on a new IT system or practice is worthwhile, it is important to clearly define the problem and the general parameters of the solution. To quantify the financial impact of the problem, it is best to break out the data and do the math. Risks can be quantified and their costs calculated. The basic risk/cost calculation is as follows: C x L = S, where "C" is cost of the adverse event, "L" is the likelihood it will happen in any given year, and "S" is the maximum amount you should spend annually on a solution that completely eliminates the risk. The equation requires assumptions and must be modified when the mitigating activities reduce but do not eliminate the risk. For many of the most important IT practices and projects, the damage that can be caused by the adverse event and its risk of occurring is high enough that the amount spent to mitigate the risk is substantially lower than the maximum rational amount. For example, enforcing strong passwords has a very low cost in training and inconvenience, and it avoids the moderate risk and very high cost of a hacker entering your system and destroying/stealing/ modifying your data. It can be much harder to justify purchasing an expensive and complicated legal data management system simply due to the complexity involved. However, analyzing the problem and researching solutions is not enough to convince most leaders. When making the case for change in your organization, engaging leadership and influential parties early on in the process is one of the first keys to success. SHOW YOU CARE We have all seen solid, rational arguments get ignored. There is more to making decisions than looking at the facts. Even when the value is recognized, implementation can be thwarted by apathy and passive resistance. Positive relationships and solid groundwork will help your proposals be welcomed for reasons beyond their inherent value. In order for your opinion to be valued, the decision makers not only need to like you, they need to feel you have the business's best interests at heart. To be successful, it is necessary to be seen as really caring about the success of the enterprise and the leadership, and that means you must genuinely care. You must also demonstrate diligence in understanding the needs of the organization and show how those needs can be met. By taking your work seriously and understanding the value it adds, you can help your organization avoid problems, increase efficiencies and gain a clear view of your performance. BUILD TRUST With the right balance of effective communication and ensuring everyone feels they are being heard, sufficient buy-in can be achieved. It is essential to gather reliable data on risk, such as the prevalence of different kinds of attacks as well as realistic assessments of the different ways an adverse event could result in direct and indirect damages. Doing so can be challenging, but there are good reference reports available from a variety of sources. For example, the Federal Reserve Bank of Atlanta's report on "Mitigating Online Account Takeovers" showcased data on the dramatic rise in bank account takeover attacks and how the risk of such events are increasing. Coupled with some estimates of direct financial costs and the reputation and relationship costs of an adverse event, one should be able to determine how much is reasonable to spend to avoid such an event. 86 Peer to Peer When it comes to big IT changes, building trust within your organization can be challenging, but it is an essential component to getting everyone, from leadership to the working ranks, on board. Trust from all levels affected by a new system or practice can mean the difference between success and failure, even when a firm's leadership supports it. Part of working with the decision makers in your organization is helping them understand how your approach fits with theirs and how your thinking on the issues is aligned with theirs. Leaders want to lead. Most people don't want to feel like they have no input in how they do things. When addressing problems or seeking improvements within the IT system of an organization, it can be very helpful to present the information in such a way that the leadership and all those affected can help choose the right solution with you. Rather than presenting a new system or process as a fait accompli, sharing the problem to be solved as well as the general parameters of the solution can allow everyone to have input. On the other hand, allowing too much input or trying to reach a unanimous agreement may paralyze any progress. With the right balance of effective communication and ensuring everyone feels they are being heard, sufficient buy-in can be achieved. CREATE AWARENESS People need to be informed about upcoming changes and why they're being made. When it comes to IT security, news and internal