My Italian holiday was a cornucopia of risk management material. On Sunday morning I was woken up by the bed, the whole hotel and indeed the city shaking violently, in what I instantly recognised was an earthquake (at this point I want to express my concern, condolences and thoughts for those more badly affected by the quake). I instantly recognised it because, as a child, I went to the Natural History Museum in London and experienced their earthquake simulator.

I want to draw a parallel between this event, my response and organisational risk management. Whilst I recognised the risk and the issue, my response was not to run under the table, but more to freeze and wonder if it was really happening. So, relating this to organisational risk management, it was an understood, but unplanned for, risk with no contingency plan. I had not modelled the risk or prepared any specific response or series of response options.

Events such as earthquakes are, therefore, in the category of high-impact, low-likelihood events. As such, they are the type least likely to be managed in most organisations, and the one most often dealt with by insurance only. Most organisations, though, fail to undertake disaster recovery or business continuity risk management actions, much like me for the earthquake. To be fair to me, earthquakes are rare in the UK, and in areas where they are more likely, like Japan and California, training and plans are in place for the general populace and embedded within building controls.

There is, however, in my view a point here. It is that these categories of risk are difficult to get adequate audit and management focus on. They are risks that can be managed, though, through scenario modelling, contingency planning and, where appropriate and no other alternative exists, insurance.

These risks are things that can be managed and can also be audited. It is something that internal audit in particular can make a contribution to putting on the board and management agenda. So look to the bottom right-hand corner of your risk map and consider whether insurance is playing a disproportionate role. Is there a business ‘earthquake’ in your clients’ risk maps?