McDonald’s founder Ray Kroc once said, “If you’re not a risk taker, you should get the hell out of business.”
In a way, he was right. You can’t succeed in business without taking risks, but that doesn’t mean ignoring the existence of risk. It means making an authentic, realistic assessment of the risks inherent in any business decision, weighing those against the possible benefits and deciding what actions to take to minimize the first while maximizing the latter.
In other words, don’t be timid — but don’t be reckless, either.
Don’t Confuse Easy with Risk-Free
Unfortunately, far too many businesses close their eyes, cross their fingers and hope for the best when it comes to the digital realm. After all, it has become so easy to publish a blog post or even set up an online store that it becomes easy to assume that the risk of getting ignored represents the biggest worry in the digital space.
And that assumption turns out to be the very definition of recklessness.
Calculating Your Risks
I want to emphasize that I’m not telling businesses to just unplug and stick to pen, paper and brick-and-mortar. Rather, I advise my clients to be intentional about taking on risks. If it were a math equation, it might look something like this:
(Opportunity - Risk) / Organizational tolerance for risk
In other words, you must understand how much you stand to gain, how much you stand to lose, and how much risk you’re willing to tolerate.
(Editor's Note: Learn more about the power of digital standards during Kristina's DX Summit 2017 workshop on Nov. 13)
Big Ignorance of Big Risks
Now, that’s all well and good in theory, but how do such calculations translate to real-life scenarios? I’ve found that many people I’ve worked with don’t really know. It’s not that they aren’t excellent at what they do. It’s just that a lot of the biggest risks are ones that don’t even occur to most people:
For example, did you know that the Americans with Disabilities Act (ADA) requires that websites be accessible to the visually and hearing impaired? That means any images on your website should be associated with ‘alt text’ that clearly describes the content of the image to render it accessible to visually impaired visitors using screen readers.
Does your website do that?
Within the US, there are both federal and state laws regarding the collection, use and storage of customer data. Companies that operate globally must also comply with the privacy regulations for each country in which they do business.
Some countries prohibit citizens’ data from being transferred to servers outside of their national borders. So, if you operate a cloud service, for example, you could be in violation if you don’t have a separate server physically located in each country where you do business.
Businesses are also required to protect customers’ personally identifiable information. That’s especially important when it comes to payment processing and healthcare. For example, there are laws that limit how much payment information you can store, where you can store it, who has access to it, etc. What’s more, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires you to make sure that there is no unauthorized access to patients’ medical information.
Even More Risks to Consider
Those are some of the biggest issues, but they’re not the only ones. Some — such as libel, copyright infringement, harassment and sharing of privileged information — are especially relevant for businesses that rely on user-generated content.
Other risks include:
- Brand Integrity — From the brand voice used in your blog posts, to the colors used in your logo, lax standards can weaken your brand integrity
- Transparency — The Federal Trade Commission regulations require that bloggers who review products must disclose any affiliate relationships. For instance, a blogger who reviews Company A’s latest gadget must reveal whether the company provided the gadget free of charge. But what if that blogger posts a comment in response to one of the business’s own blog posts?
- Accuracy — The sheer volume of content available online suggests that some pieces of content may contain errors. What is your liability if your content gives users incorrect advice and taking that bad advice causes harm?
Creating a Risk Management Action Plan
You’ve already taken the first step, which involves opening your eyes and staring digital risks right in the face. The next steps require doing some virtual math:
Quantify your digital opportunities
Each of your digital efforts should be associated with an expected ROI, which quantifies the value associated with each of your forays into the digital realm.
In a perfect world, what would that potential ROI be? What is the value, for instance, of each piece of customer data that you collect and store? What opportunities might you miss out on by not collecting and storing each of those data points?
Quantify the risks associated with those opportunities
Quantifying risks includes assessing potential damages, as well as the likelihood of incurring those damages. For example, it’s unlikely that a small mom-and-pop restaurant would be fined for failing to comply with website accessibility requirements. However, an enterprise-level organization must carefully consider the possibility that its visibility could lead to fines and being held up as an example.
Determine your organization’s tolerance for risk
While a huge organization might be more likely to suffer damages, it probably also has a greater ability to absorb the associated costs. How much is your organization willing to gamble? And are you able to cover your bets?
Develop your digital policies
The word ‘policies’ usually generates a collective groan, often accompanied by eye-rolling. I attribute that to the five-year-old who lingers within each of our psyches and automatically rebels against any type of rule.
However, in the grown-up world — and the business world, in particular — policies are more about freedom than constraint.
Think about the questions you ask yourself every time you start a new digital project:
- Why am I doing this? What business benefit will be realized?
- Do I have the authority to do this? If not, who does?
- Does my organization have a standard ‘voice’ for our content? If so, where is that information available?
- Would implementing this digital project violate any laws or regulations, whether here or abroad?
- Does my organization ever delete a piece of user-generated content? If so, what criteria do we use to make that decision? And who makes that decision?
For Every Policy, a Purpose
Rather than being restrictive, digital policies allow you to skip the initial questions that slow you down because they’ve already been asked and answered. That way, all you need to do is refer to the applicable policies and move on.
The policy-making process will be a lot simpler if you remind yourself that every policy should have a purpose. Don’t create policies just for the sake of having policies, or to address some vice president’s pet peeve.
Instead, focus on the big-picture reason: maximizing opportunity while minimizing risk. If you have a hard time explaining the rationale to yourself, you’re going to have a hard time explaining it to the employees who will have to follow the policy.
Creating and implementing digital policies is a big task and the more jurisdictions involved, the bigger and tougher the job gets. Obtaining legal counsel is always advisable when you’re talking about regulatory compliance, liability, etc. And for the bigger picture and a balanced digital policy foundation, consider partnering with a digital policy expert who can guide you through the process.