Complex IT systems used in various applications can pose risks to owners and the public, despite extensive risk assessments. Current methods do not effectively predict actual loss events. An alternative approach is suggested to offer a unified risk assessment across different domains and system properties. Observations from accident analysis support the need for future research in this area.