How to define “a risk”?

Similarly as to an individual, “a risk” to a company represents a future uncertain event with probable negative consequence. People see, or notice those risks, that have a negative impact on their physical health that can result in a death (such as cancer, stroke, traffic accident). For companies, such events represent all risks that negatively impact the company`s financial health, causing its financial death. Remember: people need blood the same way as companies need money to survive.

The key mistake we usually identify with those who attend our workshops is the perception of the employees on the key risks for their company. This is mainly due to the general misunderstanding of the risks the companies actively deal with.

In general, we divide risks into four large categories: firstly, by the size of the negative impact, and secondly, by the likelihood of the occurrence. Looking at them, we can conclude that from the company`s point of view, the biggest exposure is in the categories C or D, which carry a potentially high or extreme negative financial impact. Group D defines the risks that occur frequently, and group C those that are rare.

It is only natural that companies concentrate on category D due the fact it defines risks with high negative impact, and high likelihood of the occurrence. However, such risks rarely (or don’t even) exists.

A) low financial impact – low likelihood of the occurrence
B) low financial impact – high likelihood of the occurrence
C) high financial impact – low likelihood of the occurrence
D) high financial impact – high likelihood of the occurrence


The reason is simple: those companies that were exposed to such risks no longer exist. Why? According to the law of statistics, risks with frequent high impact are deadly to all companies, no matter their general financial health. It is similar with people: we survive several colds or strokes, but rarely a cancer.

This is why companies need to focus on the risks that might result in high loss (the value of “high loss” varies, but for Slovenian companies this means 1 million EUR or more), even if such risks are less probable.

The given starting point is also a good basis for analyzing the other two risk categories. Usually, companies and employees don’t even notice the risks that occur rarely and have low financial impact, as they don’t disrupt the workflow nor the financial health of the company. Crashed windows, or broken computers don’t represent a serious threat.

On the other hand, employees usually pay the most attention to the risk category B: a low financial impact, high likelihood of occurrence. This includes frequent personnel changes in non-key jobs, deterioration of non-key hardware and software, etc. An example of this type of risk would be a frequent change of a tenant or a business secretary. From company`s perspective, the event is undoubtedly not crucial, however it disturbs the working process of the employees. This is the reason such events represent the core of risk management for majority, even though they are not crucial. In other words, we deal with colds, while letting cancer to spread.

Regardless of the likelihood of occurrence, the risks that are crucial for a company are those that can cause a serious financial loss. This is the reason we recommend you to make an exposure test within your yearly regular new and potential risk assessment, and mark the risks that can cause you a high operating profit, or a big hole in the balance sheet.


Contact our team if you want to identify risks adequately.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.