"How long can a company survive without a functioning IT system?"

Digital risks have been on the corporate agenda for years. Nowadays, the issue is getting more and more important because more and more business is being done digitally – whether its basic communication, data processing or payment systems. This leads to increasing opportunities for intrusion, meaning that the exposure to external attacks like viruses or espionage is growing rapidly.

Or think about it this way: when a new software program like an operating system comes out, 2000 testers will have examined its robustness. Great. But the moment it's public, there are 20 million more potential testers out there conducting destructive tests. And that's just the "security" side. On top of that come human error, fire and other age-old, everyday dangers that can disrupt this increasingly critical IT infrastructure.

What are the typical risks a business faces?

Business interruption is certainly the first risk that comes to mind. However, it's often difficult to define the losses a company has, when its customers don't have access to their service. If, say, a mobile phone provider's network is down for six hours and no one can phone, that doesn't necessarily mean the company has simply lost the revenue of those six hours. Lots of people just call later when the network is back up.

Loss of data is another, growing risk. Data has a material business value, and a company is also liable if it loses third-party information. As an insurer we measure the value of our corporate customers using "Enterprise IT Process Value Engineering". This means that we examine the role the data plays in the company's value-adding chain, like the kind of analysis common for other areas of a business but specifically designed for IT.

How does the hype around cloud computing fit into this context?

The term is rather inflationary, but the phenomenon is certainly relevant. It's just like any other kind of outsourcing: If you're a company and can save money or optimize your IT by giving your data to someone else to keep on their server, that's certainly worth thinking about.

But once you've handed over your data, it is physically located somewhere else. In the event of a breakdown, the question is who has the control over your data? Not you. But who is liable for your customer data, you or your cloud vendor? That answer is different in each case - and a lot of people don't realize that.

When you meet with risk managers at companies, what you do talk about?

We look primarily at their value-adding chain. How long can a company survive without a functioning IT system? How critical is it for cash flow? At the same time, it's just as important to identify which data and which knowledge in general could be lost and what that would mean for the business.

We also discuss reputational risk, what kind of damage an IT breakdown would do to their image among their customers and vendors. Finally, we go over their protective measures, everything from virus protection to fire protection. A company might be able to detect and stop a malware attack in seconds, but is their server really safe from burglars?

This is our approach for structuring the risk dialogue with our business customers. We have categorized IT-specific tasks according to particular risks. The foundation is the actual IT infrastructure. Building on that are the business processes, and the roof consists of various industrial quality-assurance standards.

We look at how these elements are lived and how they interconnect to develop an overall picture of the company's IT liability risks. It needs to be comprehensible for everyone because the customer and the insurance underwriter are both putting themselves in the hands of a risk consultant like me, and no one wants to risk their money on something they don't understand.