How to Tell If It’s a Threat or a Risk

Risk-based thinking is not just a feature[1] of ISO 9001:2015. Risk-based thinking is a business tool since shortly after the Public Company Accounting Reform and Investor Protection Act of 2002 (or “Sarbanes-Oxley”, or just “SOX”) was enacted.

Before the SEC issued guidance on risk control in 2007, public companies feared they might have to show they could control every possible accounting/financial risk they faced. The guidance was that these companies could implement a risk hierarchy – address the greatest risks first, then the next-greatest, and so on.

ISO defines risk as “the effect of uncertainty on objectives”. To me, it reads as if the author meant to confuse us. (What do you mean by “uncertainty”? What objectives and whose are they?) In my mind, that definition muddies the waters. It creates confusion. It certainly doesn’t help the average person make the distinction between risks and threats.

Philippe Petit between WTC towers 1974
What are the risks? What are the threats? (iStockPhoto)

I’ll try to help you make that distinction. Basically, I see it like this…

Threats exist. They are not “likely” or “probable”; they simply are. For instance, there is “the threat of expulsion” if we egregiously violate school policy. There is “the threat of termination” if we flout company policy, like copying confidential or secret company information for use outside the company[2]. There is the “threat of a fine and possible jail time” for violating the law.

Threats pose risks; risks are possibilities. Threats may materialize – become real – if conditions are met, inadvertently or purposely. Threats materialize when causes materialize and converge. Table 1 illustrates the relationship between certain threats and risks:

Threat Risks Causes Probabilities Impacts (Effects)
Thunderstorm Large amounts of rain; wind; flash flooding; hail; lightning Humidity; unstable air masses; lift Fair-to-low Death; homelessness; illness, injury; disruption of services
Terrorist attack Death/ destruction; overreaction; feeding prejudices; perpetuation of terrorism; isolation; losing freedoms; being caught or killed People; social conditions; perceptions Fair-to-low Psychological trauma; death; injury; property destruction; disruption of services; disruption of social order
Cyberattack Data loss/ corruption; denial of service; becoming part of a botnet; legal action Malware; poor cybersecurity; untrained, unaware users; human nature Excellent-to-low Slowed system throughput/ response; lost business; loss of reputation; increased expenses; added security measures

Table 1

Consider this a “starter kit”, or a tool to prompt discussion of threats and risk management in your organization. What risks does your company face, now and in the future? Should you attempt to control these risks? What threatens your company’s well-being? Which risks should you address first? What would you add to the Risks, Causes, or Impacts in Table 1?

I look forward to your comments.


[1] Risk-based thinking is not an “add-on” or “enhancement”; instead, it reflects a major change in philosophy.

[2] I leave the question of whether certain company policies are ethical or justifiable for another time.


We help small businesses improve their efficiency and effectiveness. Whether you're selling a product or a service, we'll show you how you can improve product and service quality, effectively and affordably. If you need quality, environmental, or health & safety management but can't afford a full-time manager or staff, call on Q9C and we'll pick up the slack. For information or a quote, call or write. Subscribe to the Q9C blog while you're at it.

Tagged with: , , ,
Posted in risk assessment, Risk Management

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: