In April of 1912, Captain E.J. Smith said, “Never in all history have we harnessed such
formidable technology. Every scientific advancement known to man has been incorporated into
its design. The operational controls are sound and foolproof!” This quote went on to become
synonymous with one of history’s greatest failures to adequately assess risk: the sinking of the
Titanic. A contemporary example of a poorly documented risk assessment process is the
current water crisis in Cape Town, South Africa. With conversations into the longevity of Cape
Town’s water beginning from as early as 2012, how is it possible that Cape Town has become
the first city in the world to run out of water? The simple answer to an incredibly complex
problem is this: The strategy to prevent such a crisis was insufficient and poorly documented.
According to Warren Green, a GRC Expert at CURA Software Solutions, the importance of
diligence in your risk control strategy cannot be understated. “Risk assessments are done to
calculate or understand the probability of a risk materialising and the potential impact it may
have. This is not just a once-off process: as your project develops and adapts, so should your
assessment of potential risk and documentation of the applicable controls. Failure to do so
could have catastrophic consequences.” In the case of the Cape Town water crisis, inadequate
assessment of risk was multi-level: assessments failed to project increases in human water
demands due to changing lifestyles and a growing population, to project changes in
hydro-climatic conditions and to effectively monitor the variables in probability and impact. Most
importantly, they failed to detail which steps and mitigating controls needed to be put in place
should such risks materialise.
This natural disaster acts as a cautionary tale for a detailed and properly documented risk
assessments: airtight mitigation plans and ongoing assessments could prevent massive
economic loss, reputational damage, organisational hazards or stakeholder risks.
Another recent example of inadequately documented risk assessments was the 2012 cyber
attack on Saudi Aramco, one of the world’s largest oil companies. In a matter of hours, 35,000
computers were partially wiped or totally destroyed. It is believed that one of the organisation’s
computer technicians on their information technology team opened a scam email and clicked on
a bad link. This saw an oil conglomerate brought to its knees and plunged into 1970s
technology, all because of an insufficient strategy to mitigate the risk.
Green believes that forewarned is forearmed. “The implementation of risk management software
within your organisation revolutionises your risk documentation to mitigate the potential crisis of
any incident. To create a holistic view of potential risk, a fragmented and siloed approach simply
will not do. We are living in 2018, shouldn’t our GRC solutions, too? You need a single source of
the truth.”