
A 5-Step MSP Risk Management Framework for Building Client Trust

Written by Nia Rabanes | Nov 14, 2025 6:44:54 PM

In our recent Navigator Spotlight feature with Compliance Expert Mark Jennings, we explored why MSPs should stop selling fear and start having structured, professional risk conversations. It’s a shift in mindset that moves you from a tactical vendor to a trusted strategic advisor. 

Now, let’s walk through how to do it. 

Here is a five-step MSP risk management framework, based on Mark's process, that helps you do just that. This is a structured approach designed to build client trust through clarity and consistency.

You don’t want to scare your clients; you need to guide them confidently from risk to resilience.

If you want to go right ahead to the complete guide, check out Mark's course Introduction to Risk Management on Empath. 

1. Identify the Risk  

You can’t protect what you haven’t defined. The first step of any professional risk management process is simple awareness. 

This is where you begin to document and define the potential risks across your client's entire environment. This includes their infrastructure, their data, their daily operations, and even their user behavior. What could go wrong? What would the business impact be?

For a new client, you don't just list "server" as an asset. You identify the business risk: "A ransomware attack on their primary server would halt all operations, making it impossible to process payroll or client orders."  

The goal isn't to create panic but to create a shared understanding with the client of what's at stake. This documented inventory is the foundation for every strategic conversation that follows. 

2. Discover the Data  

Once you have a high-level view of the risks, your next step is to find out what you're actually protecting. You can’t manage what you don’t see. 

This discovery phase is all about mapping where sensitive and business-critical data lives: on servers, on endpoints, in cloud storage, and in backups. You must identify what types of data exist, paying close attention to PII (personally identifiable information), financial records, and protected intellectual property. 

In practice, for the same client, your discovery process might reveal that their sensitive database (full of PII) isn't only on the encrypted server. You find it is also being synced to an unauthorized cloud account from an unmanaged home laptop. The risk is now clearly visible. 

3. Assess the Threat      

After you've discovered the assets, you must assess them against the current threat landscape (like ransomware, unauthorized access, or business email compromise). 

A common mistake is to treat all risks equally, which overwhelms the client. The professional approach is to rank each risk based on two simple factors: 

  • Likelihood: How probable is this event?
  • Impact: How severe is the business damage if it happens?

Continuing with our sample situation, the impact of a data breach from that unmanaged laptop is "Critical", and the likelihood, given the lack of controls around it, is "High." This simple ranking immediately elevates the issue above, say, a "Low Impact / Low Likelihood" printer failure. You can now guide the client's focus to what truly matters. 

4. Analyze the Gaps      

This is the bridge from analysis to strategy. A gap analysis is where you compare the client's current security controls and processes to an established best practice or compliance standard. 

This step identifies the missing controls, outdated policies, or procedural weaknesses. This is what turns your abstract risk data into a set of clear, actionable findings. 

In practice: Your assessment reveals a major gap: the client has no multi-factor authentication (MFA) on their remote access. Your recommendation is no longer a vague "you should get MFA"; it's an objective, factual finding: "Remote access has no MFA. That is a critical gap against the standard we assessed against, and it leaves sensitive data exposed." 

5. Remediate the Issues  

Risk management only matters if you do something about it. The final step is to use the findings from your gap analysis to build a collaborative remediation plan. 

This plan should prioritize fixes based on the risk assessment you just did. It’s crucial to assign clear ownership for each item (MSP vs. client), create realistic timelines, and establish regular checkpoints to review progress. This is the beginning of a continuous process of improvement. Your role as the vCIO or advisor is to guide this process, follow up relentlessly, and measure the results. 

And once again, in practice, your remediation plan now has a clear, top-priority item: "Q1 Project: Implement MFA for all remote access and enforce a Data Loss Prevention (DLP) policy to block unauthorized cloud syncs." You've successfully moved from a vague fear-based pitch to a collaborative, data-driven plan to fix a specific, high-impact business risk. 
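To make the five steps concrete, here is a small risk register that runs the sample client through them: it records each business risk with the locations where its data was discovered, scores likelihood against impact, compares required controls with what the client has in place, and emits a prioritized remediation plan with an owner per item. This is an added example, not code from Mark's course or from Empath; the level scale, the priority thresholds, the control names, and the sample register are illustrative assumptions rather than values taken from any particular standard.

```python
# Added example: a minimal risk register that walks the five steps
# (identify, discover, assess, analyze gaps, remediate) for the sample
# client in the text. Level scale, priority cut-offs, control names and
# the register itself are illustrative assumptions, not from the post.
from dataclasses import dataclass

# Ordinal scale used for both likelihood and impact (assumption).
LEVELS = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Risk:
    name: str                  # step 1: the business risk, not just the asset
    asset: str
    data_locations: list       # step 2: everywhere the data was found
    likelihood: str            # step 3
    impact: str                # step 3
    required_controls: set     # step 4: what the chosen baseline expects
    owner: str = "MSP"         # step 5: who is accountable for the fix

    def score(self) -> int:
        """Likelihood x impact on the ordinal scale; higher ranks first."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def priority(self) -> str:
        """Bucket the score so the client sees three tiers, not raw numbers."""
        s = self.score()
        return "P1" if s >= 9 else "P2" if s >= 4 else "P3"


def unmanaged_locations(risk: Risk, managed: set) -> list:
    """Step 2 finding: copies of the data living outside managed assets."""
    return sorted(loc for loc in risk.data_locations if loc not in managed)


def gap_analysis(risk: Risk, controls_in_place: set) -> list:
    """Step 4: required controls the client does not have yet."""
    return sorted(risk.required_controls - controls_in_place)


def remediation_plan(risks: list, controls_in_place: set, managed: set) -> list:
    """Step 5: findings ordered by risk score, each with owner and gaps.
    Risks with no gaps stay in the list so the client sees what is covered."""
    plan = []
    for r in sorted(risks, key=lambda r: r.score(), reverse=True):
        plan.append({
            "risk": r.name,
            "priority": r.priority(),
            "score": r.score(),
            "owner": r.owner,
            "gaps": gap_analysis(r, controls_in_place),
            "unmanaged_copies": unmanaged_locations(r, managed),
        })
    return plan


# Constructed sample register for the client described in the post.
MANAGED_ASSETS = {"primary-server", "offline-backup", "managed-laptops", "m365-tenant"}
CONTROLS_IN_PLACE = {"disk_encryption", "offline_backups", "endpoint_av"}

REGISTER = [
    Risk("Ransomware halts payroll and order processing", "primary-server",
         ["primary-server", "offline-backup"], "Medium", "Critical",
         {"mfa_remote_access", "offline_backups", "edr"}),
    Risk("PII database exposed from unmanaged laptop", "customer-db",
         ["primary-server", "personal-cloud-account", "home-laptop"],
         "High", "Critical",
         {"mfa_remote_access", "dlp_cloud_sync_block", "mdm_enrollment"},
         owner="Client"),
    Risk("Office printer failure", "printer-01", [],
         "Low", "Low", {"vendor_support_contract"}),
]


def build_plan() -> list:
    """Run the sample register through the framework end to end."""
    return remediation_plan(REGISTER, CONTROLS_IN_PLACE, MANAGED_ASSETS)


if __name__ == "__main__":
    for item in build_plan():
        print(f"{item['priority']} ({item['score']:>2}) {item['risk']} | "
              f"owner={item['owner']} gaps={item['gaps']} "
              f"unmanaged={item['unmanaged_copies']}")
```

The unmanaged laptop lands at the top as P1 with three missing controls and two copies of the data outside managed assets, the server ransomware risk follows as P2, and the printer drops to P3, which is the ordering the conversation with the client should follow. Note that `likelihood` is set after taking existing controls into account; if the client later adds MFA and a DLP policy, the register is re-scored rather than the old finding being carried forward.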

Your Next Step

This five-step MSP risk management framework is how you turn an abstract concept into an actionable, repeatable service that delivers real value. It provides the structure and consistency you need to build client trust. No scare tactics required. 

But if you're serious about giving your team the full toolkit to implement it, the complete guide is waiting for you. 

In his full course, Introduction to Risk Management, Empath Navigator Mark Jennings provides the complete execution guide. He dives deeper into the strategies for assessing likelihood, walks through how to conduct a gap analysis step-by-step, and shows how to present your findings in a professional, trust-building way. 

And that's just one piece of the puzzle. Empath is a complete learning platform with a large catalog of courses designed for your entire team.

Schedule a personalized demo to see this framework in action or start your 14-day free trial to get immediate access to his courses and the entire library.