SAP - TINET - Tarragona Internet


Ignoring Risk (At Your Peril)


If you really wanted to ignore risk, you probably wouldn’t be reading this
chapter. Because you are reading it, we assume you’re at least a little willing
to think about it. There are two approaches to handling risk: You can think
about risk and try to reduce the chances of the risk becoming reality, or you
can choose to not think about risk and just let things happen.

If you notice that the wiring in your house is starting to be a little unreliable,
you might call an electrician. For example, if you’re in the basement and the
children run upstairs, and you see sparks fly, you call an electrician. If you
didn’t pay attention to that risk, when your house catches on fire, you call
the fire department. The risk became a reality — “a loss event.” You might
call this approach firefighting. But wouldn’t it be better to call an electrician
before the situation got to that point? Of course it would. In order for that to
happen, you have to notice the problem and do something about it. You can
prevent that risk and avoid going into firefighting mode.

Many people — and companies — find themselves in a similar type of
firefighting, or crisis, mode. Crisis mode is expensive, and depending on what
the crisis is, you might have losses from which you can’t recover (old family
pictures burned in the fire, for example). An electrician’s bill is lower than the
loss associated with losing your photo albums and other treasures, not to
mention the potential harm to family members and the cost of rebuilding
after the fire. It’s clear that while an electrician’s bill might be high, it’s nowhere
near as high as the cost of the house burning down. In other words, the
electrician’s bill offers a good return on investment relative to the risk, which is
an important consideration when evaluating responses to risks.

An effective risk management program helps you foresee problems and
prevent or mitigate them. But without effective risk management, the financial
impact can be severe when risks become reality; that is, when incidents or
loss events occur. A recent Deloitte Research study found that in the past
decade, nearly half of all Fortune 1000 companies experienced a loss event
that caused their stock price to decline by 20 percent in one month. Recovery
took a long time — more than a year for half of those affected. Another 22
percent of the companies never recovered their stock value.

Upon further examination, Deloitte found that the loss of stock value was not
the result of a single incident; rather, 80 percent of the losses occurred when
two (or more) risks in different areas of the company turned into loss events
at the same time. Here are some examples of these types of situations:

- A new competitor enters the market at the same time that your supplier
  can’t deliver

- A sharp rise in customer returns and complaints occurs at the same
  time a competitor introduces a product upgrade

Part I: Governance, Risk, and Compliance Demystified
