Carol:
Hi, I’m Carol White, and today I’m joined by Lliam Holmes, CEO and founder of MIS Solutions. We’re talking about risk assessments. Welcome, Lliam.
Lliam:
Thank you, Carol.
Carol:
With so many cyber threats and security tools out there, how can businesses make sense of it all?
Lliam:
The short answer is—it’s really hard. As you mentioned, there are so many tools and vendors out there, and everyone claims their solution will solve all your problems. As business owners, we’re focused on protecting our company and stakeholders, so we often go looking for that one perfect solution.
But the reality is, before jumping into tools and technologies, companies should first step back and really understand what they’re trying to protect. Once you know that, then you can move into how to protect it.
A lot of businesses jump straight to buying tools—often because of pressure from customers, vendors, or cyber insurance requirements—without taking the time to assess what actually needs protecting.
Carol:
Why do you think companies often miss the mark?
Lliam:
Because on one hand, leaders feel a deep sense of responsibility—to protect the business, client data, and their employees. On the other hand, they’re constantly being bombarded by vendors, all making the same promises.
That creates a lot of noise. Companies know they need to do something but aren’t sure what. Some respond by buying a little of everything, hoping something will work. Others buy one solution, check the box, and assume they’re protected.
Unfortunately, those are often the companies that end up in trouble.
Carol:
When it comes to addressing risk, how should companies prioritize what to protect? What practical steps do you recommend?
Lliam:
Start by using the same business problem-solving skills you already have. Forget about the tech at first. Ask yourself:
Then categorize your systems:
There’s no one-size-fits-all. Once you’ve mapped out your systems, assess how you’re protecting the most critical ones. From there, determine what’s less important and doesn’t need as much investment.
This process takes effort—but it leads to alignment. You start identifying real risks and develop shared expectations across your leadership team. That way, you know what risks you’re willing to live with and what you can’t afford.
Carol:
Many companies treat risk assessments as a checkbox. What’s the real return on investment?
Lliam:
That’s a great question. First, let’s address compliance—it often gets a bad reputation. People think, “I’m only doing this because I’m required to.” But if you look at frameworks like HIPAA or PCI, there’s nothing in them that you shouldn’t already be doing. Compliance is simply a set of minimum standards.
As for ROI—sure, the obvious benefits are fewer data losses, fewer outages, and reduced chances of ransomware attacks or insurance claims. But the real, often overlooked return is clarity.
You start to understand:
It also opens up team collaboration. A risk assessment done with your leadership team brings everyone into the conversation and builds alignment.
Carol:
For a business that’s unsure where to begin, what’s your advice?
Lliam:
That’s a common challenge. If you’ve never done a risk assessment, it’s hard to know where to start—or whether you’re doing it right.
To help, we’ve put together a nine-step checklist. It’s not exhaustive, but it gives businesses a clear starting point. It walks you through the basics—from step one to step nine—so you can begin building that “risk assessment muscle.”
As you go through it, you’ll start identifying systems you might have overlooked. It’s an iterative process. Each time you revisit it, your understanding deepens—and so does your team’s. That shared understanding is incredibly valuable when it comes to deciding where to allocate resources and how to protect the business.
Carol:
Great. Thank you so much, Lliam. We appreciate your time.
Lliam:
You’re very welcome. If you have questions about risk assessments, feel free to reach out.