The ultimate failure of risk management

The Titanic reminds us that compliance alone does not ensure safety. True resilience comes from proactive, data-driven risk management.
From Vox's "Why the Titanic didn't have enough lifeboats" YouTube video

Today Vox published a video called “Why the Titanic didn't have enough lifeboats” and I encourage everyone to watch it! The video can be found here (https://www.youtube.com/watch?v=K64wRD8eaus). In the video, Vox highlights how outdated British regulations allowed the Titanic to leave port with an insufficient number of lifeboats. There are two very important takeaways from the sinking of the Titanic that all business leaders need to recognize.

The first takeaway: risk management is not optional or notional. Done right, it is a defined process built on quantitative (or semi-quantitative) metrics. Risk can be calculated in many ways, but the most common formula is "Risk = Severity x Likelihood".

The Titanic is the ultimate failure of that process. The builders of the Titanic (Harland & Wolff) correctly assessed that the likelihood of the ship sinking was low, given the many mitigations in place. Even if the ship did begin to sink, they assumed the wireless telegraph could be used to summon rescue before lives were put in danger. Where they failed was in assessing the severity. Since the ultimate cost of a sinking ship is measured in human lives, the severity should have been rated at the highest magnitude. Had Harland & Wolff assessed the risk properly, they would have found that even a low likelihood combined with a very high severity still yields a High risk (Low likelihood x Very High severity = High risk). Having recognized that the risk was still high, they would have implemented additional mitigating controls, such as more lifeboats, which is exactly what was done to the Titanic's sister ship right after the Titanic sank.

For clarification, different groups use different risk calculation tables, but when lives are at stake the tables tend to assign greater risk values. For example, the US Army's Deliberate Risk Management (DRM) process uses the risk calculation matrix shown below. Please note that I've oversimplified this whole process; treat it as a primer rather than as an example of effective risk management. I encourage you to learn more at https://www.fairinstitute.org/

US Army’s Deliberate Risk Management (DRM) Matrix

The second takeaway is that being compliant does not mean you are secure or safe. In cybersecurity terms, compliance often represents a subset of security and risk mitigation, but regulations frequently fail to account for every scenario or to stay up to date. While some compliance frameworks mandate risk management programs, those requirements are often overlooked or underdeveloped. Compliance should be treated as an additional requirement on top of a minimum viable security and risk management program, not as an alternative to one. Next time someone tells you their product is HIPAA or PCI DSS compliant, ask them how well being compliant worked out for the passengers of the Titanic.

To summarize, a good risk management program would likely have saved many lives on that ship. It's too late to fix the Titanic, but it's not too late to fix your organization.
