How do I evaluate a third-party data center risk assessment?

Are you working with a security consultant on a risk assessment plan for your data center? Here are some basics to consider.

The rule of thumb when reviewing risk assessment recommendations is to compare each recommendation with the likelihood of the event it addresses actually occurring. That likelihood is called risk frequency. A consultant performing a risk assessment is retained to identify all potential risks and then measure the likelihood of each risk occurring, how much damage will be incurred, what that damage will do to your company, and how much the damage will cost you, both at onset and after repairs are made. That cost is called risk cost. This is what you pay the consultant to identify.

The trick is to balance the likelihood of an event happening against the cost of the recommended solution. If the frequency of occurrence is low or non-existent, then you may elect to eliminate the recommendation. If the likelihood that the identified risk will occur is high, then you need to either spend the budget dollars on the recommended solution or forgo that cost and accept the risk instead, increasing your insurance coverage/premium for the identified risk. If the consultant you have hired is not providing you with this type of risk versus likelihood comparison and is expecting you to decide merely on his or her expertise, then I would say it is time to reconsider your business relationship with your consultant.

ABOUT THE AUTHOR: Thor A. Mollung, CHSII, Managing Director, Security Consultant, has over 20 years of experience in the industrial security industry with companies such as Fidelity Investments, Mellon Bank and State Street Corporation. Mollung is a member in good standing of the American Society for Industrial Security (ASIS-International), the National Fire Protection Association International (NFPAI), and the American College of Forensic Examiners Institute.

1 comment

In my profession the most frequent definition of risk is
risk = probability * damage
Thus the likelihood part of the risk is by definition included in the assessment. You may be tempted to find a statistical "once a year" damage of $ 10000 worse than a damage of $ 500000 with a probability of once every 50 years, but the risks are the same in both cases.