09 March 2018

The Critical Importance of Documented Risk Assessment

Submitted by: Karabelo

In April of 1912, Captain E.J. Smith said, “Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!” This quote went on to become synonymous with one of history’s greatest failures to adequately assess risk: the sinking of the Titanic. A contemporary example of a poorly documented risk assessment process is the current water crisis in Cape Town, South Africa. With conversations into the longevity of Cape Town’s water beginning from as early as 2012, how is it possible that Cape Town has become the first city in the world to run out of water? The simple answer to an incredibly complex problem is this: The strategy to prevent such a crisis was insufficient and poorly documented.

According to Warren Green, a GRC Expert at CURA Software Solutions, the importance of diligence in your risk control strategy cannot be overstated. “Risk assessments are done to calculate or understand the probability of a risk materialising and the potential impact it may have. This is not just a once-off process: as your project develops and adapts, so should your assessment of potential risk and documentation of the applicable controls. Failure to do so could have catastrophic consequences.” In the case of the Cape Town water crisis, inadequate assessment of risk was multi-level: assessments failed to project increases in human water demand due to changing lifestyles and a growing population, to project changes in hydro-climatic conditions, and to effectively monitor the variables in probability and impact. Most importantly, they failed to detail which steps and mitigating controls needed to be put in place should such risks materialise.

This natural disaster acts as a cautionary tale for detailed and properly documented risk assessments: airtight mitigation plans and ongoing assessments could prevent massive economic loss, reputational damage, organisational hazards or stakeholder risks.

Another recent example of inadequately documented risk assessments was the 2012 cyber attack on Saudi Aramco, one of the world’s largest oil companies. In a matter of hours, 35,000 computers were partially wiped or totally destroyed. It is believed that one of the organisation’s computer technicians on their information technology team opened a scam email and clicked on a bad link. This saw an oil conglomerate brought to its knees and plunged into 1970s technology, all because of an insufficient strategy to mitigate the risk.

Green believes that forewarned is forearmed. “The implementation of risk management software within your organisation revolutionises your risk documentation to mitigate the potential crisis of any incident. To create a holistic view of potential risk, a fragmented and siloed approach simply will not do. We are living in 2018, shouldn’t our GRC solutions, too? You need a single source of the truth.”