Effective risk management: a Titanic challenge
The RMS Titanic sank because numerous small risk failures combined to create a massive disaster. If business is to avoid a similar fate, it needs both a ‘big picture’ view and granular detail of its risks.
The speed of information exchange and the interconnectedness of technologies, businesses and people today are making the area of risk management – already one fraught with concern – even more worrying for IT and security professionals.
Michael Rasmussen, a US-based governance, risk and compliance (GRC) research analyst and pundit, suggests there is more to effective risk management than meets the eye.
He was speaking to delegates at a recent risk management seminar, sponsored by GRC specialists Intdev Internet Technologies, along with Unisa’s Department of Finance, Risk Management & Banking and the Institute of Risk Management SA.
“The first question you should ask is whether your business is truly aware of its risks? Most organisations still operate within silos, which means that it is nearly impossible to obtain the full risk picture across the organisation. It is much like an iceberg, where what you can see on the surface is dwarfed by the larger part, which remains hidden under water,” he says.
“Continuing the iceberg analogy, risk management can be likened to the RMS Titanic, which was described as ‘unsinkable’ on launch, only to disappear beneath the waves on her maiden voyage. In the same way, how often do enterprises have overconfidence in their design? A good example is the numerous large banks that have adopted the approach of considering themselves ‘too big to fail’, yet are now facing significant threats from digital start-up fintechs.”
When it comes to risk, he adds, one must be aware of the external environmental factors that can affect it. In the case of the Titanic, an earlier Arctic spring than usual caused an increase in the number of icebergs for that time of year.
“Furthermore, part of the ship’s goal was to attempt an Atlantic crossing in record time. This meant that speed was critical, but sailing at speed into waters filled with icebergs was clearly dangerous – with businesses too, how often do we press ahead at speed, even in very risky circumstances?”
“There are numerous other risks that business needs to take into account, such as geopolitical, economic, regulatory and political risks. In addition, there are health and safety risks that one must be concerned with. In the Titanic’s case, health and safety was a risk they failed to account for, as demonstrated by the fact that the ship had too few lifeboats. Moreover, the rudder and propeller were undersized for the size of the vessel – the risk here in business terms could equate to whether or not you have enough capital to navigate the oceans of business.”
Yet another business risk, continues Rasmussen, is that since it is difficult to define where the organisation starts and ends in this digital world, you open yourself up to risks created by third parties like suppliers or contractors. In the case of the Titanic, its rivets were made from an inferior iron ore, which meant they were of sub-standard quality.
“Ignorance is also a significant risk. If you are ignorant about a particular threat, you will be in a similar situation as the Titanic was – numerous other vessels warned them of the icebergs, but the ship’s response was simply: ‘we are tired of hearing about them’.
“The point I am leading up to with this analogy is that you need to take care of all the risks you can identify, because otherwise you may face a cavalcade of small ones that combine to destroy your business, as they did with the Titanic. Here, multiple small risks worked in concert to create the disaster.
“I have been told that if the ship had hit the iceberg head-on, only two compartments would have flooded. However, because they tried to miss it, but the ship was underpowered, it scraped its side against the ice, which caused the brittle rivets to give way, flooding multiple compartments instead. Furthermore, even though the Titanic actually sank quite slowly, most people couldn’t get off because there were not enough boats. It is this perfect storm of minor risks that can combine to create a major disaster.”
His advice then, states Rasmussen, is to ensure your risk management approach not only focuses on the big picture, but more crucially, on how all the various possible risks might combine. In essence, it is not only about seeing the wood, but also the individual trees and – ideally – being able to drill down granularly enough to view individual branches and leaves.
“Of course, you cannot avoid all risk either, as real business success requires risk-taking. However, this risk must be carefully managed. As former US president Teddy Roosevelt put it: ‘Risk is like fire – if controlled it will help you; if uncontrolled, it will rise up and destroy you’,” he concludes.