We’ve all heard that phrase, right? It’s a question that usually precedes a very poor decision in the movies. That’s because it’s being asked by someone who is either grossly underestimating the risk associated with some type of activity or by someone who is fully aware of the risk, but wants to inflict harm to an individual being pressured into doing something they fear. In the movies, it’s pretty much always funny.

In business, when asked for the right reasons, it is a fantastic question! Indeed, it is at the core of the business process of Risk Management. Let’s unpack it.

“What is…” The “what” is some type of negative event. Though it is not an exact analogue to a classic definition, we can think of the “what” as a realized threat or negative outcome.

“The worst…” The “worst” goes straight to the heart of what in risk analysis we call impact, or magnitude of loss. In this case, using our movie catchphrase: what threat would cause the greatest impact?

“Could happen…” I think you are probably with me here. With this part of the question, we are dealing with likelihood or probability. “Could happen” doesn’t necessarily mean “will happen,” but as you can understand from your own life experience, our decision on whether to “take the risk” considers both how bad it is and how likely it is. Some things are perceived to be so bad that we really don’t care how unlikely they are; we will avoid that threat to the degree that we possibly can. Sometimes those judgements are sound. Sometimes our biases or fears keep us from taking on risk, and we miss out on an opportunity.

In life, the consequences of miscalculating your evaluation of “what’s the worst that could happen?” can range from simple embarrassment to death. That’s a pretty big continuum. In business, the range is similarly broad and may involve anything from slight reputational damage to bankruptcy.

The truth is, often we don’t know how to answer the simple question “what’s the worst that could happen?” Whether in life or business, we usually lack the data we need to make a truly informed decision about either the impact (also known as magnitude of loss) or the probability (likelihood). It’s not that we can’t get the data; more often, we simply fall back on our intuition. Exactly how and when to trust our intuition is the subject of some debate. As a case in point, I give you several titles from Harvard Business Review articles over the years.

If you read these articles (which, by the way, I suggest you do), you will see they are not advocating a one-size-fits-all solution. There is and must be a role for judgment, and the single best factor for developing good instincts is experience. That experience over time allows for testing and reflection on whether an instinct was good or bad. Unfortunately, as the saying goes, we typically gain experience just after we need it. In other words, very few of us have enough historical perspective on the problem at hand to develop firm conclusions on risk without additional data points.

This is why a structured approach to risk management is so important: one that includes a quality analysis of the value of our assets, the actual threats, the areas where we are collectively or uniquely vulnerable, the probability that we will experience some loss, the nature of that loss, and its likely quantity. Even armed with this data, there is still a range of uncertainty. That range, however, should be much smaller.
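The tension between “how bad” and “how likely,” and the shrinking range of uncertainty once you have data, can be made concrete in code. The following Python is an added illustration written for this page; it is not part of the original post and is not LBMC’s or the author’s assessment method. The scenarios, probability ranges and dollar figures are constructed for illustration only, and the interval arithmetic is a deliberate simplification (it assumes the low and high estimates bound the truth and treats likelihood and magnitude as independent).

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Scenario:
    """One entry in a hypothetical risk register: a 'what' that could happen.

    likelihood: (low, high) estimate of the annual probability of occurrence.
    magnitude:  (low, high) estimate of the loss, in dollars, if it occurs.
    Both are ranges because, as the post notes, we rarely have exact data.
    """
    name: str
    likelihood: Tuple[float, float]
    magnitude: Tuple[float, float]

    def worst_case_loss(self) -> float:
        """'The worst': the high-end loss if the event happens, ignoring likelihood."""
        return self.magnitude[1]

    def expected_annual_loss(self) -> float:
        """Point estimate: midpoint likelihood times midpoint magnitude."""
        p_mid = (self.likelihood[0] + self.likelihood[1]) / 2
        m_mid = (self.magnitude[0] + self.magnitude[1]) / 2
        return p_mid * m_mid

    def annual_loss_range(self) -> Tuple[float, float]:
        """Bounds on annual loss implied by the input ranges (interval arithmetic)."""
        return (self.likelihood[0] * self.magnitude[0],
                self.likelihood[1] * self.magnitude[1])

    def uncertainty_width(self) -> float:
        """How wide the answer to 'what could happen' still is after analysis."""
        low, high = self.annual_loss_range()
        return high - low


def rank_by_worst_case(register: List[Scenario]) -> List[str]:
    """Order scenarios by magnitude alone: the intuitive 'scariest first' view."""
    return [s.name for s in sorted(register, key=Scenario.worst_case_loss, reverse=True)]


def rank_by_expected_loss(register: List[Scenario]) -> List[str]:
    """Order scenarios by likelihood x magnitude: where expected loss actually sits."""
    return [s.name for s in sorted(register, key=Scenario.expected_annual_loss, reverse=True)]


def refine(scenario: Scenario, likelihood: Tuple[float, float],
           magnitude: Tuple[float, float]) -> Scenario:
    """Replace gut-feel ranges with narrower, data-backed ranges for the same scenario."""
    return Scenario(scenario.name, likelihood, magnitude)


# Constructed sample register; the figures are illustrative, not from any real assessment.
REGISTER = [
    Scenario("Ransomware outage", likelihood=(0.05, 0.20), magnitude=(200_000, 2_000_000)),
    Scenario("Data center fire", likelihood=(0.001, 0.005), magnitude=(5_000_000, 20_000_000)),
    Scenario("Lost unencrypted laptop", likelihood=(0.50, 0.90), magnitude=(20_000, 100_000)),
]

# The same ransomware scenario after gathering incident data (constructed figures).
RANSOMWARE_REFINED = refine(REGISTER[0], likelihood=(0.08, 0.12),
                            magnitude=(500_000, 1_000_000))

if __name__ == "__main__":
    print("By worst case:   ", rank_by_worst_case(REGISTER))
    print("By expected loss:", rank_by_expected_loss(REGISTER))
    for s in REGISTER:
        low, high = s.annual_loss_range()
        print(f"{s.name:25s} EAL=${s.expected_annual_loss():>10,.0f} "
              f"range=${low:,.0f} to ${high:,.0f}")
    print("Ransomware uncertainty width before/after refinement:",
          f"${REGISTER[0].uncertainty_width():,.0f}",
          f"${RANSOMWARE_REFINED.uncertainty_width():,.0f}")
```

Run as a script, the two rankings disagree: the fire is the “worst” by magnitude, but ransomware carries the largest expected annual loss, and the rarely considered lost laptop outranks the fire once likelihood is included. Refining the ransomware estimate with data narrows its annual-loss interval from roughly $390,000 wide to $80,000 wide, which is the “much smaller range” the paragraph above describes; the range does not vanish, it just becomes something a budget can be planned against.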

If your business has not adopted such a structured approach, whether for cyber, financial, regulatory, or operational risks, you may be allocating scarce resources chasing the wrong “worst” things that can go wrong. You don’t have to be a large enterprise to operationalize these practices. The best businesses, large and small, are the ones that can manage those risks in order to take advantage of opportunities to grow and prosper.

In our next post, we will dig deep into the “what” to figure out how we can identify the potential things out there in the universe of bad things and home in on the ones that really matter.

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA & PCI, HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.