Data Centre Risk Management
Looking at Risk Identification
In this Viewpoint we set out our views on some of the factors organisations may consider during the identification phase of their risk management process. This has always been an important issue to Elcern, as we believe that effective risk identification is critical to successful risk management processes. It should be borne in mind that the risks, and their impacts, can be somewhat unique to each organisation, such that each entity should not rely on overarching briefs, and should instead design and implement its own risk management processes.

A robust risk identification …. is key to an effective risk management process in any sector, not least the data centre industry. The fast pace of change in technology, geopolitics and cyber, to name just a few, presents risks that can’t be ignored by UK data centre operators. Daily we see important risk factors that might disrupt or even damage a data centre operator and their clients. Further still, slower, pervasive and persistently changing factors like climate change remain constant risk factors and may be significant considerations in risk assessments.
Engaging stakeholders …. both internal and even external is one way for an organisation to get a great view of the risks it faces. Internal stakeholders, such as procurement, operations, engineering, and maintenance, can bring key insights. External stakeholder engagement could be as simple as keeping up to date with industry risk reviews, but the insights gained are still invaluable. More detailed external stakeholder engagement can come from areas like the data centre planning application process and discussions with key suppliers.
The scope …. can focus on an individual entity such as a major data centre campus. Alternatively, the scope could focus more on the organisation as a whole, with the data centre campus being just one of a number of revenue-generating assets. Risk management is needed at both levels. It may be possible to aggregate individual asset risk assessments. However, an entity-wide assessment is needed and will likely be more than the sum of its assets, because of cross-portfolio activities like financing, workforce management and procurement. This paper will focus primarily on the more individual entity level.
The frequency …. may ideally be continuous, as this may trigger the rest of the risk management process when defined triggers are met. A major change in the business context might be one such trigger. The sheer number of new risks may be another trigger, warranting an earlier full review than might otherwise happen. Either way, we consider a formal risk identification refresh should be at least annual to keep an organisation resilient. Often, annual risk assessments can be aligned with the organisation’s wider planning process.
Using structured tools …. can be beneficial to try to ensure a comprehensive first screening. The tools can be as simple as listing factors in a spreadsheet during risk identification workshops. Other tools organisations might deploy are risk horizon scanning and radar processes (see Figure 1). Bigger organisations may immediately record identified risks within their Governance, Risk and Control (GRC) tool, such as ServiceNow or Archer. Smaller organisations may prefer to do some aggregation or simplification prior to running the remainder of the risk process. In our view, care is warranted when aggregating risks into a very short list to avoid loss of important components. Remember that at some point the organisation will need to start documenting the risks by title and description, with cause and impact assessments, all of which can become resource intensive and prone to mistakes. So, it's key to remain focussed.
Figure 1 Visualising and Organising Identified Risks

Looking at fire …. the risk can range from partial to total loss of a facility, as there is a plethora of possible sources of fire on a data centre site. Given the high-availability guarantees of minimal downtime and high security offered by some facilities to their customers, the consequences of fire can be extreme and impact the entity as a whole. Fire is a very real risk - in recent years a major fire occurred at one of the largest European data centre operators, and substation fires in the UK are quite common. We typically consider such fires under "Electricity" as they are typically outside the control of a data centre operator.
Safety …. is always a risk on any facility, being primarily the potential for life-changing accidents to workers when on site. During the project stage, such as during an expansion, the risk is more acute due both to the types and amounts of activities and the sheer numbers of people on site. Whilst a number of safety risks endure during operations, staff proximity to electricity is another key source of risk to consider. At entity level, the risk may be more around the impact of a loss-of-life incident in terms of stakeholder reaction and the ‘licence to operate’ concept determining if an entity can continue operating after a safety investigation.
Floods …. in the UK are becoming ever more pervasive while the climate changes, and therefore a much more prevalent risk. The risk is more at the entity level as it may be unlikely an organisation's entire portfolio would be at risk, because flooding could be limited to a single region at most. If both a data centre and its backup are within a flood-affected area, a flood could have a more devastating impact on the organisation and is therefore a much more significant risk.
Technology …. change seems inexhaustible. From new chips and AI to optical networks to small modular nuclear reactors, technology advances almost daily. The daily number of tech start-ups again highlights this persistent drive towards change. Technology is a great example of the two sides to a risk: those of threat and opportunity. For example, the threat side might include backing the wrong cooling technology which is realised over time as growth gets stunted and efficiency drops, leaving the business trailing behind its peers and competitors. Opportunity classically could be exemplified by the benefits brought by applying AI to the energy management of the data centre, bringing a leg up in the continuous race towards efficiency.
Supply chain …. is actually a massive area that can encompass factors such as failure of critical suppliers, excessive component pricing, and breakdowns in component supplies. Other factors can include counterparty risks like banned suppliers, and unethical suppliers. So overall, this risk area may best be structured as a risk category, with its individual components identified for further assessment in an organisation’s risk assessment. Some of the global events that have kept this in focus include the 2022 global chip supply crisis.
Trespass …. is a form of proxy for any type of unauthorised access to the data centre, along with any actions conducted by the trespasser. Given that the data managed within a data centre could be the most sensitive, and the volumes of data are huge, the impact of a trespass could be immense. Components of that risk are addressed by stringent access controls and security. Awareness of government and other contemporary monitoring data and guidance can be vital to assigning an adequate level of resource to this category.
Customers …. for a data centre are the key revenue driver – no customers = no revenue. There can be many customer factors to consider during the data centre lifecycle. For example, failing to attract, retain and grow financially attractive customers. Customer failure and competitor actions are further examples of risk components to consider.
Cyber …. is a many-faceted risk. Given digital dependencies and interconnectivity are core to data centres, this is a severe risk area. Given that UK data centres are now designated as critical national infrastructure there is lots of government support. So, awareness of government and other contemporary monitoring data and guidance can be vital to assigning an adequate level of resource to this category. A further important factor is data privacy.
Equipment …. reliability is always a key risk factor for a data centre. Customers typically rely on the data centre for close to 100% uptime to enable their businesses to operate 24 x 7. In response, a whole control framework exists for operators to mitigate the reliability risk. And one of the key responses is preventative maintenance, which is an area crossing over into Supply Chain risk and the Technology AI risk area. Further factors to consider in equipment may be purchase costs, failures, parts availability, maintenance agreements with third parties etc.
Electricity …. is probably one of the more acute and even fascinating risks for data centres. There are many components to consider here. During the planning phase of a new facility, the availability and price of a sufficient volume can be key. Also, the connection agreement to get that electricity to site on the date required can be a key risk area in the planning phase in the UK, where such agreements can currently take many years to win. During the operations phase, the risk can certainly include pricing terms. In the UK the cost of electricity is currently the highest seen across Europe, and given the UK’s generation depends on gas there remains a risk of price shocks.
Getting involved …. is key. It's so important to get started on risk management. And once in place, it can be vital to keep refining that risk management to keep the organisation resilient. Our outline above of some of the risks that could be considered either directly or implicitly suggests the importance of involving stakeholders. Those stakeholders may provide their own insights into the risks. Stakeholders like the UK government for UK data centres provide key risk information as well as control insights.
Overall, the risk landscape is somewhat complicated and inter-related, and can be difficult and potentially confusing for businesses to research and respond to. And without finding ways to benchmark and validate the approach, risk management can be an onerous duty rather than a value-generating way to take decisions within the organisation. But despite this, it is still a vital duty to undertake.
We can help …. At Elcern we dedicate a significant amount of time to risks, checking on existing and new risks, incident tracking for insights on impact and frequencies, as well as refining control frameworks, risk monitoring and reporting. We review and examine a multitude of organisation publications, sector and geographic reviews to forge a deep understanding of how organisations can assess and respond to key risks to their existence. Our risk listing above hopefully indicates our aim to make risk management easier and our ability to help and add value to your risk assessment.