Expert Risk Articles

The Inside Job: internal vs. external risks

Which risks will be more dangerous in the future: internal or external risks? Michael Bruch and Dr Rudolf Kreutzer of AGCS take a closer look.

Article orginally printed in 2009 10-year anniversary issue of Strategic Risk. Reproduced by permission.

Human beings have always wanted to know what is in store for them and have developed various hopes and fears. Back in the mists of time, they were afraid of ghosts, gods and demons; in later eras, of devils or witches; and today of viruses, climate change and terrorists. These all share one common trait: they are threats from outside, so-called external risks.

But there are also internal risks, something that many people overlook – possibly because they are risks for which they themselves are responsible. If they do not identify them, or underestimate them, the result will be failures or distress such as, for example, loss of credibility, mismanagement or burnout. In this case, looking for external culprits does little but exacerbate the damage.

Allianz Global Corporate & Specialty (AGCS), the industrial arm of the Allianz Group, carried out a series of analyses in its research and development division to find out what the greatest risks for its customers will be in the future. These customers include not only large companies, but particularly their employees and executives. We have detailed the key findings here.


"Many people overlook inside risks ? possibly because they are risks for which they themselves are responsible."

Best-known global risks

With the aid of an international group of experts, the World Economic Forum identified and published the major risks in the Global Risk Network Report in 20091.

Risks are assessed according to likelihood of occurrence, loss expenses and human casualties. According to the analyses, the greatest risks include food price volatility, asset price collapse, fiscal crisis, a slowing Chinese economy, chronic disease, international terrorism, extreme climate change-related weather, pandemics and critical infrastructure breakdown.

These are the typical risks seen in an industrialised country from the viewpoint of an objective observer and which – should they be affected personally – impact on them from outside. The risks all bear the characteristics of external risk; risks caused outside individuals' own sphere of responsibility. They attract the largest portion of public attention and today appear to be the major risks for the individual, for companies and for society as a whole.

Our own analysis of the most important global developments and the risks and opportunities they entail revealed the following topics:

  • further population increases (competition for resources, migration, urbanisation);
  • climate change (space weather, holocene/ice age transition);
  • increase of intangible needs (demand for health, wellness, love, knowledge);
  • widening gap between rich and poor (expansion of the security economy, change in the function of money); and
  • accelerating technology development (scarcity of classical resources and energy, development of new forms of energy).

External risks that could gain significance in the future therefore include:

  • geomagnetic storms during the next period of maximum solar activity in 2012, resulting in potential blackouts in critical infrastructures;
  • monopoly risks for hardware and software in information technology, which also lead to ongoing blackouts;
  • vaccination disasters during preparation for pandemics because of increased time pressure in production; and
  • loss of data security in internet traffic, despite encryption.

Internal risks – those for which the observer himself can be accountable – include egotism, ambition, resistance to change and pessimism. Additional risks arise within companies as well, including, for example, blind faith in figures, lack of checks and balances, tunnel vision or short-term thinking. Usually, the internal risks are pushed to the background in light of the apparent portent of the external risks.

Many employees and executives find it relatively easy to manage external risks, but quite difficult to address internal risks openly. They find it easier not to deal with them or to classify them as less important. Plus, people never compare which risks – internal or external – cause the greatest damage, particularly because there are no simple benchmarks for comparative risk evaluation.

Sum of all fears


"Many employees and executives find it easier not to deal with internal risks or to classify them as less important."

The simplest answer to the question about the greatest risk facing human beings would be "death". But while humans can live up to about 120 years, the lifespan of a company is not necessarily limited. Many reach multiples of this life span, with some more than 1,000 years old.

This gives rise to the following questions: 'What gives these companies their longevity?' and 'What risks are life-threatening for companies?'

As part of a survey of risk awareness in German conglomerates, AZT Risk & Technology GmbH, the leading consulting entity of AGCS for risk engineering, safety, and technology, asked some 300 respondents to list the risks they regarded as particularly threatening to the survival of their company. The following were the most common, starting with the answer most frequently given:

  • competition;
  • changes in consumption and consumer behaviour;
  • employee demands;
  • state regulatory policy;
  • US mortgage-lending risks and financial market turbulence;
  • US dollar exchange rate;
  • developments in raw material and energy prices;
  • ratings; and
  • shareholder behaviour.

It's striking that almost all of these responses are external threats, affecting the company from outside. Only about 1% of respondents regarded an internal risk as being a threat. These included:

  • sabotage of data protection by adept insiders;
  • loss of expertise through inability to maintain key competencies; and
  • if I make a wrong decision as chief executive.

This low response rate could be explained by the fact that disclosing internal risks in a survey carried out by an insurance company is not desirable under corporate policy.

There is another possible explanation, however: top management could have only limited knowledge of internal risks. In a survey we took among middle management and lower levels of corporate hierarchy at the same time, internal risks were mentioned in 30% of responses.

We also discovered that the flow of information, particularly in the direction of higher levels of hierarchy, does not function so well for these risks as it does for external risks.

In the same survey, the various levels of hierarchy were also asked about the reasons for any failures they experienced and any set goals they did not achieve. The qualitative and quantitative distribution of these responses was identical across all levels – that is, external reasons were named primarily.

External attribution

In psychology, this allocation of blame is termed ‘external attribution’. This thought pattern is widespread in professional and private life and is often expressed when people talk about workplace conflicts, road traffic accidents or marriage crises: the other party is almost always at fault. It is also expressed in most annual reports when the reasons for failures or losses are described.

And it can be found with similar regularity within the pages of the risk report listing the possible reasons for not reaching set targets. For example, the risks foreseen for the future by the 30 DAX companies in 2008 and 2009 were almost exclusively external risks:

  • losses due to global recession;
  • disruptions in the supply chain;
  • product imitations; and
  • price volatility among raw materials.

It was only recognised in a few cases, particularly in the financial services sector where risk awareness is better developed, that internal risks can also have serious effects, such as the negative effects of management’s business strategy decisions and the limits of our own risk models.

Many global players do not mention any internal risk factors in their annual reports. The willingness to address this issue openly and self-critically is greater in many companies in the USA, for example, than in Europe. These risks are then typically presented in a generic manner2:

  • if we are not able to achieve our overall long-term goals, the value of an investment in our company could be negatively affected;
  • if we are unable to maintain our brand image and corporate reputation, our business may suffer;
  • our risk management and loss mitigation efforts may not effectively mitigate the risks we seek to manage; and
  • the integration of X may not be successful.

Based on analyses about the successes and failures of 50 top managers (primarily in Germany and the USA), we examined how the thought pattern of attribution differed among more or less successful people.

The results are clear:

  • The more frequent and the larger the failures are, particularly at the end of a person’s working career, the more frequently only external attribution is used in any explanations. In contrast, these people use internal attribution only when giving reasons for their few personal successes. Managers who fail do the opposite when explaining the success and failure of other managers.
  • People who are constantly success-oriented behave completely differently. They look for and recognise both internal and external attributions for every success and for every failure. They also apply this behaviour when explaining the successes and failures of other people.

Causes of worst cases

As an AGCS analysis of companies’ most spectacular major loss events over the last decades shows (by which oil tankers, nuclear power stations, oil rigs, skyscrapers, chemical factories and aircraft were particularly affected), the companies survived loss events, despite the financial loss reaching several billion dollars. This might be due in no small amount to their good insurance cover.

However, in the same period, a raft of other well-known companies also suffered spectacular losses and subsequently ceased to exist (for example, from the automotive, aeronautic, banking, insurance and energy sectors). What is significant is that no externally influencing or physical events preceded any of these failures. This shows that internal risks can cause financial damages that are many times greater than the external ones.


"Internal risks can cause financial damages that are many times greater than the external ones."

Internal risks could be summarised under 'management failure' or 'mismanagement'. The following causes, for example, could fit under these headings:

  • wrong strategic decisions (short-term thinking, overcapacity, overdiversification, selection of unsuitable advisers, monocausal thinking);
  • lack of leadership (technical incompetence, hubris, lack of credibility, negative role model behaviour, lack of self-criticism);
  • lack of separation of powers (dependencies between supervisory
  • board, management board and auditors);
  • corporate crime (corruption, embezzlement, personal gain, creative accounting, fraud); and
  • lack of innovation.

But attempting to lay the blame solely at the feet of management points to a lack of systemic thinking, as ultimately the quality of management depends not only on the people carrying out the function, but is always the result of the interplay between them and the owners, employees, the market and society as a whole.

The greatest threats facing companies are not related to unforeseeable external events, but to ongoing, observable conditions existing within the companies themselves. In a nutshell, companies are at risk when they ignore or underestimate their internal risks.

To prevent this, a company’s owners or shareholders, as well as its management and employees, must ensure that the risk management system (click here to read more on this) values internal risks at least as highly as external risks. This will not only reduce losses, but boost the number of successes.