Atlassian Risk Management Program

What is it?

When considering the term “risk,” most people usually associate it with “What could go wrong?”. While generally true and rooted in evolutionary cognitive bias, this is only part of the definition. According to ISO31000, risk is “effect of uncertainty on objectives”. Therefore, when we talk about risk we should consider it as uncertainty that carries both hazard and opportunity.

So why are we concerned with risk? Isn’t that some corporate/bureaucracy exercise? To answer this we need to appreciate the other side of the coin - trust - which is the opposite of risk. Therefore, the focus of Risk Management programs is ultimately to increase trust, including:

• The trust that customers have in our products, services, corporate behavior, etc. - which leads to higher revenue; and
• The trust that the regulators have that we follow the rules - which reduces regulatory and market cost; and
• The trust our employees have in Atlassian - which leads to high moral and lower churn.

In a 2013 study conducted by the Boston Consulting Group, customers identified trustworthiness as one of the top qualities that would attract them to a brand.

Taking risks is part of life and we continuously assess risks against the benefits we enjoy by taking those risks. The risk profile of a company includes many different types of risks - financial, marketing, legal/regulatory, fraud, security, operational, etc. - that need to be balanced. The goal of the Enterprise Risk Management (ERM) program is to:

1. Identify and analyze risks;
2. Decide what actions should be taken;
3. Operationalize the actions; and
4. Report on the effectiveness of those actions.

Why do we do it?

Building trust through the removal of uncertainties (i.e. managing risk) relies on two fundamental principles: being open and being predictable. Being transparent about our philosophy, practices and procedures means that customers know exactly what they are getting. Being predictable conveys that we are a reliable partner and is the reason behind our periodic audits.

There are two primary purposes in managing risk at Atlassian:

• It minimises the number of things we can’t control. There will always be things that are outside of our control. What matters is that we’re prepared to handle them. We want to minimise the odds of unexpected events whilst preparing ourselves to handle others.
• It gives us breathing room to take on risks of our choosing. When there are a lot of risks in the organisation, taking on another risk seems daunting, even if that risk holds great opportunity. On the other hand, if we have those background risks under control, taking on a new risk seems to have less downside, making it worth considering.

It is helpful to think of risk like debt - a limited capacity asset that an organization can deploy. It is best to maximize its expenditure for areas where we could receive maximum ROI - which is the goal of the balanced company risk portfolio. For example, we would have very little benefit of having high risks in our cloud operations because that would lead to more incidents and customers dissatisfaction. On the other hand, we could benefit greatly if we could experiment with new uses of our products. Hence, we should minimize the former, which will give us the ability to increase the latter. Certainly, ‘paying risks down’ to zero is quite costly (in most cases even impossible) and may not be worth the investment - every other 9 after 99.9% availability is progressively harder to obtain. That is another factor in balancing the risk portfolio.

Having a functional ERM program is:

• Considered a good business practice. It is a consolidated view of our top risks and what we do about it. It allows us to periodically check and make sure we are addressing those risks in a manner we intended to. Similarly to how we go to a doctor to confirm that we have a broken bone and need a rest to heal, ERM confirms the implicit view of risks that executives have and the appropriateness of the risk management strategies. Sometimes the process may also discover new risks that may need to be addressed.
• Required to fulfill our current and future compliance obligations. Our certifications help us build trust with customers which results in higher revenue and reduces sales friction. SOX, SOC2 and ISO27001 require that we maintain an ERM program, periodically confirm top risks and risk management strategies with the executives, and report to the oversight body. As we begin to enter more regulated industries and obtain more certifications like HIPAA, FedRAMP, etc. we will have to become even more trustworthy and the scrutiny around our ERM program will increase.
• Evidence of maturity. As we grow we need to formalise practices in order to drive operational efficiencies and remove uncertainties (i.e. risks). Such operational efficiency will contribute to our ability to scale. Put simply, we want fewer surprises and we want to validate the health of the company is in fact what we know and feel it is.

At Atlassian, we have a risk framework in place to manage both strategic enterprise risks as well as day-to-day risks at the team level. We do this because there is clear evidence that companies with risk management processes facilitate better operational and strategic decision-making, which generates higher revenue and lower operating margins.

How do we do it?

The Enterprise Risk Assessment is a comprehensive process that we perform annually and update regularly throughout the year. There are many inputs into the analysis:

• There are many different types of specific risk assessments - Fraud, multiple security risk assessments, various operational risk assessments, including Business Impact Assessments (part of the BC/DR program), individual business units assessments (e.g. InfoSec and Finance), etc.
• Realized risks, i.e. incidents, “close calls”, post-mortems of large/important projects and deliverables
• Internal and external audits and assessments;
• External analyses of global trends and markets, e.g. economic slowdown, industry trends, competition, etc.
• Customers, business partners and suppliers feedback and data;
• Enterprise and individual business units business objectives and OKRs;
• Extensive interviews with people across Atlassian.

We aggregate the data we receive, analyze it to determine the risks and score them based on likelihood, impact, velocity, benefit, and risk management effectiveness. If necessary, we check with business leaders for clarification and alignment.

While we track enterprise risks, our focus is on high risks without corresponding high benefits and areas that require additional attention.

How does it fit into the “Big Picture”?

While the Risk & Compliance function runs the program - collects and analyzes the data, reports and tracks execution - the periodic risk assessment report is the consolidated view of the executive team around our most significant risks and how we are addressing them. The Risk & Compliance team can opine and advise but it is ultimately the executive team that decides what our optimum portfolio will look like - which risks we would like to decrease, which risks we would like to increase, and where we would like to direct our efforts and resources.

Therefore, the risk assessment report is usually factored into operational and strategic planning to aid investments and resource allocation (but it is not the sole driver). It is also factored into the Internal Audit annual planning. We have been timing our ERM program in such a way to complete the report around the end of the calendar year. Additionally, that aligns with the requirement to update the Audit Committee twice per year (June and December.)

It is used as another checkpoint for the health of the business and the company. It helps validate or disprove how we “feel” about things. It is also an additional point of alignment around goals and objectives.

In closing

We want to provide our customers with confidence that risks are being managed appropriately. While there are many risks that are well managed, we want to focus on the ones where the risk we are accepting (implicitly or explicitly) is too high without a corresponding high benefit. It is this strategy that keeps Atlassian lean and agile in a complex environment where managing risk and time to market play a critical role in the development of the company.