Insights and intelligence from analyst Freeform Dynamics on the here and now of IT


Monday, 16 April 2007

What do mainstream organisations really worry about?

Watching the evening news, we are constantly reminded of how dangerous the world is. Stories about terrorism in particular dominate the headlines at the moment, but anything to do with political controversy or instability, significant changes in the financial markets, corporate scandals, cyber crime, natural disaster, public health emergencies, and so on, also tend to get prime-time coverage. 

Against this background, we might assume that the average organisation is sitting there constantly worrying about the risks that arise from all of these potential threats to their business. But in a recent Freeform Dynamics study looking at business attitudes and practices in the area of risk management across Europe and the Middle East, we found that some of the more prominent threats highlighted by the media are not given that much consideration at all. In fact, businesses are generally much more concerned about information loss and downtime of IT systems than they are about terrorist activity, bird flu, earthquakes, floods or the antics of stock market investors or politicians (see chart below).

[Chart (Freeformrisk_3): risks considered by organisations during business planning, from the Freeform Dynamics study]

Of course it could be argued that some of the potential problems at the top of this list can be caused by those at the bottom, but it is interesting that organisations are generally not explicitly considering the latter that much during the business planning process.

But should they?

Well, that depends. When considering any particular risk, it is necessary to assess three things – the probability of an incident occurring, the impact of an incident if it does occur, and the cost of either preventing an incident or dealing with its consequences. When we think in these terms, the above picture starts to make a lot of sense. While natural disaster in a particular geographic area can have a devastating impact on the local business community, the majority of businesses across Europe and the Middle East are just not located in high-risk areas. Similarly, while we all hear and read so much about terrorism, few regard the probability of being directly affected as significant. And, how sensitive is your business, really, to the ebb and flow of the financial markets, short of a major recession that you can do little about anyway?

Clearly most businesses figure that these things are not worth losing sleep over because they are so unlikely to be touched by them.

At the other extreme, the chances of very damaging IT-related issues occurring if you neglect to pay proper attention to operations, security, and so on are very high. Furthermore, the impact of critical data loss and downtime of key operational systems is potentially very significant in terms of damage to the business, which is clearly why these items are at the top of the risk consideration list.

We do, however, need to be careful not to generalise too much, as both perceived and actual risks are highly dependent on specific situations and scenarios. Looking behind the overall view of priorities we have been discussing, for example, we find that financial services organisations not surprisingly take the performance of financial markets and potential regulatory exposure very seriously from a risk management perspective. Oil and gas companies, on the other hand, with the nature and diverse geographic spread of their activity, pay a lot more attention to accidental damage (think fire) and natural disaster related risks.

These are a couple of high-level industry examples, but if we drill down again we can get even more specific: financial services companies based in the City of London stand out in the degree to which they worry about terrorism, and any organisation that interacts electronically with the general public tends to be quite jumpy about the risk of IT systems downtime.

Beyond this, there is the question of balancing the three dimensions of probability, potential impact and cost of mitigation. This plays out not just at a macro level, but also when, for example, you are assessing very specific security or operational risks and considering how much time, resource and money it is worth spending to deal with a particular threat. We’ll be picking up on this balancing act during future discussions as we revisit the area of risk management in the context of different domains, particularly looking at how technology advances can open up new ways of dealing with some of the same old threats as time goes on.
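As an added illustration of the three-factor assessment described above (probability, impact, cost of mitigation), the following register ranks threats by expected annual loss and checks whether spending on a control is justified; it also applies a scenario adjustment to show how the ordering shifts for a differently situated organisation, such as a City-based financial firm. This is example code, not part of the original post, and every threat name, figure and multiplier in it is constructed rather than taken from the Freeform Dynamics study.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # chance of at least one incident in a year
    impact: float              # loss per incident, arbitrary currency units
    mitigation_cost: float     # annual cost of controls addressing the threat
    mitigation_effect: float   # fraction of expected loss the controls remove

    def expected_loss(self) -> float:
        # Probability x impact: the "how likely, how bad" part of the assessment
        return self.annual_probability * self.impact

    def mitigation_is_worthwhile(self) -> bool:
        # Third factor: only spend if the loss averted exceeds the control's cost
        return self.expected_loss() * self.mitigation_effect > self.mitigation_cost


def rank_by_expected_loss(threats):
    return sorted(threats, key=lambda t: t.expected_loss(), reverse=True)


def apply_scenario(threats, probability_multipliers):
    """Scale per-threat probability for one organisation's situation (constructed
    multipliers keyed by threat name, e.g. higher terrorism exposure in a city centre)."""
    return [
        replace(t, annual_probability=min(1.0, t.annual_probability * probability_multipliers.get(t.name, 1.0)))
        for t in threats
    ]


def summarise(threats):
    """(name, rounded expected annual loss, mitigation justified?) in priority order."""
    return [(t.name, round(t.expected_loss()), t.mitigation_is_worthwhile())
            for t in rank_by_expected_loss(threats)]


# Constructed sample register for a generic mainstream organisation (illustrative figures only)
SAMPLE_THREATS = [
    Threat("IT systems downtime", 0.8, 50_000, 20_000, 0.7),
    Threat("Information loss", 0.5, 120_000, 30_000, 0.8),
    Threat("Flood", 0.02, 500_000, 25_000, 0.5),
    Threat("Terrorist attack", 0.001, 2_000_000, 40_000, 0.3),
    Threat("Pandemic (bird flu)", 0.01, 300_000, 15_000, 0.4),
]

if __name__ == "__main__":
    for row in summarise(SAMPLE_THREATS):
        print(row)
    # Constructed scenario: the same register for a firm with far higher terrorism exposure
    for row in summarise(apply_scenario(SAMPLE_THREATS, {"Terrorist attack": 50})):
        print(row)
```

With the generic figures, information loss and IT downtime lead the list and are the only threats where the control pays for itself; the scenario multiplier moves terrorism to the top for the city-based firm, which is the kind of situational difference the post describes.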

In the meantime, if you are interested in more details of the risk study mentioned in the above discussion, the report is available for download here.
