A lot of things didn’t happen at the Olympics this year, all of which were extensively prepared for. A terrorist incident, a breakdown of the London rail system, power blackouts, volcanic ash clouds, flooding, an outbreak of infectious disease—the London organizing committee (LOCOG) and the International Olympic Committee (IOC) spent years thinking about every scenario they could imagine. Simulations of security incidents were rehearsed, and contingency plans for mass evacuations or emergency situations were put in place.

Risk management is now at the heart of the governance model for the Olympic Games and the Olympic movement, and not only because of their growing scale and complexity. There is also the time horizon involved, which can be up to twenty years from the genesis of a host city’s bid to the conclusion of the actual event. Long timelines mean greater vulnerability to emerging risks—that is, dangers with a large potential impact that are not well understood or easily quantified, or which emerge as the unanticipated result of disparate causal processes interacting. These risks can emanate from the realm of security, public health, natural ecology, technology, or economics. In the run-up to the London 2012 Olympics, for example, the global financial crisis caused private developers for the Olympic Village project to withdraw, requiring a refinancing package backed by government.

Consider, too, that when threats materialize at large-scale events, the damage often spills over to other parties. Even before the official opening of London 2012, a mix-up with the flag for the North Korean women’s football team had organizers scrambling to resolve a diplomatic spat. Other mega-events have sometimes taken their toll in business disruption, by interrupting supply chains, altering consumption, or giving rise to workforce absenteeism. The Olympics can bring a halt to “business as usual” for the host government as well, as it diverts resources to support and police the event. Higher than normal volumes of population movements can create hazards for public health and cause traffic congestion. The influx of spectators offers a target for petty crime, and the symbolism of the Olympics presents a temptation for terrorists.

One key to effective risk management is the ability to distinguish between phenomena that cannot reasonably be foreseen and dangers that are “self-inflicted” because they could be avoided by thorough planning and careful execution. At the start of the Atlanta 1996 Olympics, it was a catalog of minor operational and logistical problems that led journalists to start reporting on “the glitch Games.” The truth is that risk is often organizational in its origins, created through poor decision-making, misjudgements in planning assumptions, or human error in operations (such as in monitoring or enforcement activities). Many threats are not unforeseeable, but lie just beyond the edge of current knowledge. In planning for the Olympics, warning signals can be imperceptible amidst the noise, due to the relative scarcity of local experience, as organizers tread an unknown path (although there is a growing Olympic professional services complex made up of firms and consultants contracted to advise on bid teams and organising committees).

Managing risk involves a judicious mix of preventing the risks that can reasonably be controlled, learning to recognize the ones that can’t be prevented, being prepared to react to limit damage, and having the resources to recover from the problems that do occur. Olympics organizers traditionally focused on reaction and recovery, using tools such as insurance (taken out for personal injury and property coverage), safety plans, and command and control structures. Since the 1980s, however, Games organizing committees have increasingly invested in teams and systems dedicated to the management of risk through internal controls. Risk mitigation is now integrated into decision-making and operations, and no longer treated as just an input into the calculation of insurance premiums.

Ensuring readiness for Games-time (in Olympic-speak) now involves strategic pre-emption through stress-testing and scenario planning. Table-top ‘gaming’ exercises at the top of the chain of command and practical training of personnel through rehearsals are routine across many of the diverse functions of Olympic operations. In the months leading up to London 2012, for example, visible military rehearsals were staged on the River Thames in addition to many test events performed on the main site. Ahead of Vancouver 2010, IT planning identified around six hundred scenarios for rehearsals in a formal playbook which also documented procedures to follow in the event of an incident.

The rise of Olympic risk management is certainly evident at the level of the IOC, the guardian of the Games. It is understandably preoccupied with financial risk, since the event is effectively its only commercial asset, and with reputational risk, given that the Olympic “halo” that derives from this is what makes that asset so valuable. Since the events of 9/11, the IOC has taken out insurance cover against event cancellation due to either terrorism or natural disaster (something which organizing committees had done for many years before). More significantly, though, since the 1990s it has increasingly formalized its process of evaluation of bids and its monitoring of the readiness of preparations of host cities.

Bids of applicant cities must now be presented according to a standardised template, with covenants of support from the relevant public authorities and political actors. The IOC’s Evaluation Commission then reports on the technical quality of the bid, prior to the vote of its membership to award the Games. After this, the monitoring of readiness is transferred to the Coordination Commission, with its inspection visits providing opportunities to identify risks in project management and operations.

The other crucial aspect in which the IOC has reshaped the way in which risk is understood by Olympic organizers is through its attempts to formalize learning between events under its Olympic Games Knowledge Management program. This integrated framework of services and documentation (made available to cities after a candidature fee has been paid) consists of an observer and secondment program for officials from future host cities, workshops, technical manuals, a Games evaluation process, and debriefing.

Olympics organizers and the IOC have wisely leveraged the business world’s growing understanding of risk management. “Risk-based” approaches to planning for the Vancouver 2010 Winter Olympics and the London 2012 Summer Olympics (confirmed through research interviews with senior officials) reveal the strong influence of the ideas and practice of risk management, for example in the creation of risk registers (i.e. databases) and monitoring systems put in place to spot issues that pose potential dangers further down the line. The rise of Olympic risk management has touched not only on the most visible fields of finance and security, but a wide range of activities, such as in procurement and contract management, health and safety, the assessment of environmental impacts, and public health planning.

In turn, as organizers of Olympic games have become more sophisticated in risk management over the past thirty years, the broader discipline and profession of risk management has benefited from its example. As the concept of risk itself has taken hold in modern societies and organizations, the Olympics provide a compelling case study in the evolution and promise of risk management.