The Cutter Consortium has a brief interview with one of their own consultants about risk management. It took me a little effort to get beyond the awkward context, but I found this nugget. It is supposedly based on real data:
I would say that the external drivers of risk management were much stronger than I had expected. In 2002, organizations responding to our survey indicated that neither Y2K nor 9/11 pushed them to take on risk management.
However, in our 2006 survey, it seems pretty clear that the changes in corporate governance requirements like Sarbanes-Oxley, as well as changes in the external risk environment, have strongly influenced organizations to practice risk management. I would guess that the events of the past four years, as well as future risks like the possibility of a pandemic, have been traumatic enough to convince organizations that they need to actively manage their risks.
So it is not the catastrophe itself that becomes a driver to mitigate risks, but the regulation created as a result of the catastrophe. That makes a lot of sense, especially when you consider that much of the risk from a lack of regulation does not directly impact the companies themselves but falls on the citizens who live near the meadows and waterways filled with waste, or on the shareholders left holding the bag when a CEO/President is a crook…