Enterprise Risk Management

Balancing Risk Probability and Vulnerability

Mark Layton | May 1, 2007


Creditworthiness and life expectancy are examples of well-understood risks whose probabilities can be quantified and whose ability to create loss can be modeled. On the other hand, "acts of God" and the machinations of business competitors will, in many instances, defy probability analysis and standard forms of risk assessment, because they are often atypical events whose causes lie beyond both the awareness and the control of those responsible for an organization's risk management.

The ability to address routine and predictable risk based on an evaluation of a hazard's frequency falters in the face of improbable and unpredictable risk. Be it the die-off of pollinating North American honey bees or the meltdown of a nuclear power plant, standard risk management theory fails to adequately encompass such extraordinary events.

Nonetheless, conventional risk management policy assumes risk managers in any industry can identify relevant risks and prioritize an organization's risk response in relation to the probability of the perceived risk. In this idealized management scenario, those risks that may create the greatest loss and have the greatest probability of occurring are immediately dealt with, while risks capable of only limited loss and whose probability is lower can safely receive much less attention and concern.

Dealing with the Increase in Rare Risks

Despite such tidy notions, an increase in "improbable" events characterizes risk in the 21st century global business environment. This new level of uncertainty is testament to the failure of probability analysis alone to adequately inform and support optimal risk management. According to a recent Deloitte research study, Disarming the Value Killers, "Some of the greatest value losses were caused by exceptional events such as the Asian financial crisis, the bursting of the technology bubble, and the September 11, 2001, terrorist attacks. Yet many firms apparently fail to plan for these rare but high-impact risks."

What conventional probability modeling ignores is vulnerability, a measure of an organization's susceptibility to loss, whether human, financial, competitive, or of numerous other kinds. Knowledge of what makes an organization vulnerable to a risk determines the steps that can be taken to reduce that risk. For too long, vulnerability assessment has been ignored and unappreciated in the pantheon of risk management values.

Risk managers can no longer dismiss an organization's vulnerability simply because a relevant and high-impact risk is considered highly improbable. As has become painfully clear in recent years, yesterday's improbable science fiction all too often becomes today's reality and defines the business environment.

The Risk Intelligent Enterprise understands the need to balance reliance on probability modeling with a renewed appreciation of vulnerability analysis in order to address high-impact events no matter how improbable they may be.

What kind of low probability/high impact events are we talking about? News reports provide plenty of examples of seemingly unthinkable occurrences:

  • A charitable organization is victimized by wide-scale fraud.
  • An information technology company suffers a major computer security breach.
  • A food manufacturer distributes contaminated products.

Each of these cases runs counter to expectations:

  • Who would expect a charity to have corrupt employees?
  • Likewise, who would anticipate an IT company having lax computer controls?
  • Who would think a foods company that built its reputation on purity would distribute an impure product?

A risk intelligent executive—that's who! Risk intelligent executives realize that sometimes improbable events do occur with devastating effect, while other times probable events fail to materialize. They understand the possible, not just the probable, and respond accordingly.

Nonetheless, do not make the mistake of assuming that understanding and addressing high-impact but improbable risks is equivalent to putting in place a program to mitigate every one of them. No organization can afford to allocate its limited resources to managing and mitigating a high-impact but low-likelihood risk such as a meteor impact while discounting higher-probability, lower-impact threats such as a weather-related disruption in the supply chain.

Instead, risk intelligent managers should consider vulnerability alongside probability as determined by a reasonable assessment of the particular circumstances they face to initiate informed and strategic risk management options. The actual steps to address vulnerability might entail extensive preparation, or may involve nothing more than closely monitoring particular risks, tracking changes in relevance and severity without initiating further action. Availability of resources and other internal bandwidth should be considered in determining the best course forward.

When severe disruptions occur—be they power outages, natural disasters, industrial accidents, financial crises, or other events—companies that are prepared to rapidly recover—and help others to do so—will yield positive results for their organization and the community. The Risk Intelligent Enterprise is characterized by a well-developed sense of social responsibility as well as finely honed business savvy.

Steve Ross is the national and global leader for business continuity management services at Deloitte & Touche LLP.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.