As the self-proclaimed OG of the statement "Ask Your Client How They Make Money" I'm compelled to remind you that asking the question is just the beginning. It’s now mainstream for MSPs to say, “Ask your client how they make money.” Which is awesome! If you're an MSP, you’ve heard it by now because it resonates. It’s the starting point for aligning risk assessments with your client's core business drivers, helping you shrink their risk to revenue. But, from my observation, you need help on the next (and most important) steps. Asking the question is just step one. If you're not doing anything with the insight, you're just having a conversation.

->You need to know what to do next to make it actionable.

Here’s how to actually follow through:

1. When you ask how they make money, focus on what directly impacts their revenue. Is it a proprietary platform? Sensitive customer data? These are your golden nuggets.
2. Now that you know what drives revenue, follow the bouncing ball. Where does this data live? How’s it processed, shared, stored? Protecting these data flows is your top priority. Start mapping your threat models here.
3. Dive into who has access to systems, what security measures exist, and where shadow IT hides. Don’t overlook potential vulnerabilities in their tech stack. This is where the real risk is...human and technical.
4. Don’t treat all risks the same. If the client’s revenue hinges on a specific app, assess the risks to that app. If it’s a customer database, focus on data protection. If it's phones, focus on the phone system. Make it specific to their needs.
5. Your report needs to speak THEIR specific language. Focus on how each risk impacts revenue. Don’t drown them in technical jargon. Use clear, relatable language to show how mitigating these risks will directly protect their income.
6. Identifying risk isn’t enough. Offer specific, actionable recommendations, whether it’s additional security measures, better access controls, or employee training. Ensure the solutions align with their business goals.

->Asking about how your client makes money is smart, but if you’re not following up with a tailored, actionable risk assessment, you're missing opportunities. The real value lives in understanding those business drivers, mapping risks to them, and providing clear steps to mitigate exposure. MSPs who execute this well will stand out, build trust, and win long-term client relationships. The next time you ask the question, have your actionable steps ready and ensure your recommendations directly protect their revenue.

#msp #business #risk #security #OG
Preparing Clients For Potential Risks
Summary
Preparing clients for potential risks means helping them understand and anticipate challenges that could impact their goals, finances, or security—so they can make informed decisions and protect their interests. This includes recognizing vulnerabilities, encouraging honest discussions, and tailoring support to each client’s unique situation.
- Identify key vulnerabilities: Pinpoint areas in your client’s operations, finances, or technology that could be exposed to risk, and make sure they understand the real-world impact.
- Personalize your communication: Segment your clients and address their concerns directly, rather than relying on generic messaging or technical explanations.
- Encourage proactive planning: Help your clients set clear expectations, explore dependencies, and discuss possible outcomes, so they’re prepared for any scenario that might arise.
-
Advisers – please don’t mass email all of your clients about current market volatility. Some clients have been through this before and are quite relaxed - and some don’t pay much attention to financial news. Don’t add to the ‘noise.’

Instead: Segment your clients:

1. Have they been clients for 5 years or less? If they’re relatively new to financial planning and investment, the current volatility may be concerning.
2. Have they indicated via your onboarding process, risk profiling and conversations that they feel uncomfortable with temporary portfolio declines?

Clients that tick both boxes deserve your personal attention - not a generic email.

1. Call them.
2. Ask them how they’re feeling.
3. Listen to them.
4. Don’t judge - empathise.
5. Don’t send charts and graphs.

Confirm to them that your own family’s life savings are invested in exactly the same way as theirs. Reassure them that we will get through this and that you’ve got their back. “This too shall pass” and in the meantime you’re with them every step of the way. Onwards…
-
Effective client management begins with proactive engagement, anticipating needs and potential hurdles. Mastering the art of listening plays a crucial role in this approach, allowing us to gain deep insights into our clients' operations and strategic objectives.

Imagine setting the stage at the beginning of a project by discussing with your client:

- Dependency Exploration: 'Can we discuss any dependencies your team has on this project’s milestones? Understanding these can help us ensure alignment and timely delivery.'
- Impact Assessment Question: 'Should unforeseen delays occur, what impacts would be most critical to your operations? This will help us prioritize our project management and contingency strategies.'
- Preventive Planning Query: 'What preemptive steps can we take together to minimize potential disruptions to critical milestones?'
- Success Criteria Definition: 'How do you define success for this project? Understanding your criteria for success will guide our efforts and help us focus on achieving the specific outcomes you expect.'

These discussions are essential for building a roadmap that not only aligns with the client’s expectations but also prepares both sides for potential challenges, reinforcing trust through transparency and commitment. By adopting a listening approach that seeks comprehensive understanding from the onset, we can better manage projects and enhance client satisfaction.

Let’s encourage our teams to integrate these listening strategies into their initial client engagements. How have proactive discussions influenced your project outcomes? Share your experiences and insights.

#ClientRelationships #AdvancedListening #BusinessStrategy #ProfessionalGrowth
-
My observation as an auditor to the client: the firewall management login page is accessible to everyone. I recommended restricting access so that only specific IP addresses or VPN users could reach it, pointing out the risk that attackers could exploit any existing vulnerabilities to gain unauthorized access. Client’s response: The client dismissed this as a false positive, stating, “We have a strong password. This is not a credible observation.” Today, a popular firewall vendor released a critical security bulletin due to observed threat activity actively exploiting an unauthenticated, remote command execution vulnerability on firewall management interfaces in certain instances. This incident underscores the importance of addressing observations made during audits. Auditors, equipped with industry knowledge and a proactive approach to emerging threats, aim to protect organizations from potential breaches. Our recommendations are designed to reduce risk, not based on isolated concerns but grounded in evolving threat landscapes. When clients take preemptive measures, they reinforce their security posture. In cybersecurity, a layered approach, rather than reliance on single defenses, is essential for long-term resilience.
-
I often ask at the start of a mediation session: "What outcomes are you looking for here today?" The pause that often follows is very telling. Client preparation is a commonly overlooked part of mediation readiness. When clients walk in expecting another litigation fight — and suddenly find themselves being asked to compromise and discuss outcomes and solutions — it can derail even the most promising mediation.

Before mediation, consider:

- ✅ Having an honest conversation about litigation risk — not just best-case outcomes - and include appeals, because anyone dissatisfied with a verdict/judgment may appeal
- ✅ Explain the process to minimize surprises - especially discussing confidentiality and how that plays into communication during mediation
- ✅ Help your client separate their positions from their underlying interests
- ✅ Discuss settlement ranges and possibilities in advance
- ✅ Prepare your client to discuss desired outcomes

A well-prepared client doesn't just make our job easier. It makes resolution possible by getting parties thinking about solutions for resolution instead of fight points for more litigation.

What's the most important thing you do to prep your clients before mediation? I'd love to hear below.

#Mediation #LitigationStrategy #AttorneyTips #DisputeResolution #ClientManagement
-
AI Compliance: The Legal Goldmine Lawyers Are Overlooking

AI is changing everything, but is your client’s compliance keeping up? Most companies are diving into AI without guardrails—no policies, no employee training, and no clarity on what data is safe to share. It’s a lawsuit waiting to happen. And that’s where you come in.

AI Compliance Checklist: What Your Clients Need

1. Internal AI Usage Policies:
   - Clearly define which AI tools employees can use, distinguishing between Open AI (like ChatGPT) and Closed AI (proprietary models).
   - Set strict rules for handling client data—no confidential information should be processed by external AI without approval.
   - Train employees on the risks of AI misuse, data privacy, and responsible usage.
2. External Data Protection:
   - Review and update all vendor contracts to ensure they cannot share your client’s data with Open AI or third-party AI systems.
   - Require third-party vendors to maintain secure, compliant AI practices, including clear data security standards.
   - Establish a third-party risk assessment process focused on AI use, and demand indemnification for unauthorized data sharing.
3. AI Insurance Review:
   - Evaluate Cyber Liability policies to ensure they cover AI-related data breaches and unauthorized disclosures.
   - Confirm Errors & Omissions (E&O) coverage includes mistakes caused by AI-driven services, like flawed automated advice.
   - Add Specialized AI Endorsements to cover unique risks (e.g., deepfakes, AI-generated misinformation).
   - Make sure your firm’s Legal Malpractice policy covers AI-related errors, from misused client data to flawed AI-driven legal advice.

But First—Check Your Own Coverage

Before you advise clients on AI compliance, make sure your own house is in order. Does your malpractice policy protect you against AI-related mistakes? Are there hidden exclusions for AI misuse? If you’re not covered, you’re exposed.

AI is your client’s biggest opportunity—and their biggest risk. Make sure you’re the one they trust to handle both.
-
When it comes to risk, the common denominator is always the same: you can’t protect what you don’t see. Whether it’s a C-suite exec stepping into a protest hotspot, an insider threat quietly broadcasting red flags online, or a law firm with a darker history than their courtroom reputation suggests—the issue isn’t what happened. The issue is what wasn’t known ahead of time.

Case 1: Executive Travel & the Hidden Optics Risk

A client’s executive was set to attend a major international event. Nothing unusual—until protests began erupting outside the venue. The target? Not the executive, but another high-profile attendee. Still, in the age of social media, perception is reality. The client’s brand was suddenly associated with the controversy, and they were blindsided. What would’ve helped? Pre-event protective intelligence and digital sentiment monitoring. That executive could’ve pivoted, planned, or paused—with the right intel in hand.

Case 2: The Insider Who Raised Every Digital Red Flag

This one still stings. An employee—later found to have shared troubling content and hostile sentiments on social media—became the source of a costly internal breach. The warning signs? Public. Missed. What would’ve helped? Behavioral risk profiling using open-source intelligence (OSINT). The signs weren’t subtle. They just weren’t seen.

Case 3: The Law Firm That Shouldn’t Be Practicing Law

A client facing litigation asked us to conduct background on the opposing counsel. On paper: a niche boutique firm. Behind the scenes? A web of past sanctions, abusive tactics, and behavior that raised serious ethical red flags. What would’ve helped? Well, in this case, our client did ask the right questions. And that early insight helped them shape their legal strategy—and win more than just the case.

In every case, the core need was the same: Actionable intelligence. Situational awareness. Visibility into the risks before they escalate. If you’re relying on static risk assessments or security that starts when the crisis does—you’re already behind. Protective Intelligence isn’t optional anymore. It’s foundational.

ZFIS | ZFISolutions.com

#ZFIS #ProtectiveIntelligence #SituationalAwareness #CorporateSecurity #InsiderThreat #DueDiligence #RiskManagement #OSINT #ExecutiveProtection #SecurityIntelligence
-
I am co-author of CIS RAM 2.0. I initiated dialog at CIS about improvements to the standard. Here is my post to the community. I am looking for comments in LinkedIn as well:

Suggested additions to RAM

I wanted to start this discussion about risk assessment because there are lots of questions flying around. People want concrete suggestions, but we are still (as a community) hazy on a few fundamental things. But can we talk about the simple things that are not clearly defined?

When consulting clients on risk assessment and treatment, we see three trends:

1. Take controls from a standard (CIS, ISO, NIST, etc) and create a risk registry based on the controls. The thought - smart people created controls, there must be a risk. Primitive, works for compliance.
2. Take a library of risks from other smart guys and select applicable.
3. Do a real tabletop exercise and figure out what our risks really are. Those people understand and don't ask for suggestions on prioritization.

Some additional opinion

You must start with Information Classification and a Catalog. You need to know what you are protecting. We defend the business by protecting information. Duty of care is the principle, and the driver.

Too broad vs too narrow problem.

We also see that people go either too broad or too narrow. The first group defines something like:

- “We can be hacked.”
- “We can be nuked.”

The second group creates so many risks that they can’t manage them. So defining risks is an art in itself. If an SMB defines more than 50 risks, it will not be managing them effectively — unless it is a team of dedicated compliance bureaucrats.

Risks evolve with experience

Risk and risk management has to be done based on the organization’s experience and history. If an organization never had an incident, it may not be aware of a risk. That is why risk re-assessment is important.

We teach our clients: If there is an incident, during the postmortem you need to assign the incident to one of your risks in your risk registry. If you don’t have a risk, you need to create a new one. Once a year you need to re-assess risks. Identify the risks with the most incidents and re-evaluate risk treatment — controls assigned to it, budgets allocated. Cybersecurity budgets need to be driven by risks, not by marketing of cybersecurity products.

⸻

Some practical advice for RAM:

1. I think we should create a CIS library of risks: wider risks and “sub” risks, so people can select what they want.
2. We should clarify how to define likelihood and impact. We as a community have to think through some kind of questionnaire or a model to assess it. Something like:
   - “Did it happen before? If yes, how long ago? How many times?”
   - If an incident (in relation to the defined risk) happened, would you: a) lose money b) receive a penalty c) damage reputation resulting in possible money loss etc.
3. We need to include risk re-evaluation in a standard.
-
If it's about to go down, and you reasonably anticipate you or the other side might file a lawsuit, you may want to be mindful of:

1. The statute of limitations for the claims that may be brought;
2. All potential parties to the lawsuit, including parties that the other side may implead;
3. Whether the entities, if any, that may be party to the lawsuit are up-to-date on applicable corporate formalities;
4. Whether any insurance or indemnity obligations may cover the claims or expand the scope of liability;
5. Which courts or arbitration tribunals may be proper venues that have jurisdiction over the dispute;
6. The identity and location of the fact witnesses;
7. The parties likely to be subpoenaed for testimony or documents;
8. Whether an expert is likely necessary;
9. Your document retention policies; and
10. The public relations and business operations impact of potential litigation.

The foregoing list is not all-inclusive. It focuses on:

- doing what you can to disarm your adversary of technical defenses and advantages;
- understanding which fora might hear the dispute and whether they might favor one side or the other;
- understanding whether you will have the witnesses and subpoena powers necessary to prove your claims or defenses;
- understanding some of the expenses of the case;
- understanding which third-parties might get caught in the blast radius of the litigation (either as parties or subpoenaed witnesses) including your allies and business partners;
- understanding the scope of each side's potential liability; and
- understanding the indirect costs of litigation that result from potential publicity and diverting personnel away from operations and towards litigation support.

Of course, if you are locked in a dispute where you reasonably anticipate litigation, you should contact an attorney. But some generalities apply broadly. You don't want to harm your position through technical mistakes. You want to get a handle on the scope of your risks--financial, operational, reputational, and relationships. And you want to get a handle on potential costs.
-
“We think we’re ready. We've done our due diligence.” That’s what most business executives will say before making a significant investment, whether it's a senior hire, an acquisition, or any number of consequential decisions involving the deployment of capital. Chances are that more than a few things have, in fact, not received the appropriate level of scrutiny to have this level of confidence.

Akin to googling one's symptoms when something feels off, you still want to be armed with more relevant data. Maybe you're using services that track your health, maybe you're quite knowledgeable on medicine itself, but you still want to check in with your physician.

If you’re about to make a big move - for example, relocating manufacturing or acquiring a company in a new market - you probably see a few “symptoms”: A potential privacy issue, a physical security concern, a compliance requirement. Chances are they're identified and on the table for discussion or mitigation down the road. Maybe even in the agreement to be addressed. But symptoms don’t reveal the underlying conditions that could derail your plans:

- Political instability that disrupts operations.
- Local regulations that change how you handle data or payroll.
- Insider threats from cultural or operational differences.
- Infrastructure or environmental risks that delay production.

At Presage Global, we take the “doctor’s visit” approach — running a full work-up using our "Ten Domains of Risk" to see how all systems connect. That means on-the-ground surveys, cyber assessment, compliance reviews, and pertinent intelligence - leading to a clear, prioritized “treatment plan.”

Last year, we met with a prospective client who had experienced a threat. In the initial conversation, we asked them about their business and then shifted towards their investments. The client planned to acquire a manufacturing site abroad, in their country of origin. Their team had clearly put in the work and reviewed every aspect of the acquisition they considered risky. The business case was strong. The financial assumptions appeared correct. Nothing created any major red flags standing in the way of the purchase. After asking a few questions surrounding the location of the plant, the client decided to engage us to see if there was anything they may have overlooked. We uncovered a pending labor dispute, a major data privacy law change taking effect, and some concerns around two of the people involved in the local operation. Addressing these before the deal closed saved time, money, and potential litigation.

The payoff:

- Fewer surprises.
- Faster, compliant market entry.
- Reduced delays and reputational risk.
- Increased confidence from investors and partners.

In both health and business, the cost of assumption can be extraordinarily high. Getting a professional outside perspective, devoid of organizational influence, can help shine light on blind spots.

#riskassessment #eta #duediligence