Security 500 conference     

 Don’t miss the networking event of the year for security executives!
Register today for the Security 500 Conference.

Leadership & Management Column

The Titanic: Risk Management vs. Compliance

March 5, 2012
/ Print / Reprints /
ShareMore
/ Text Size+

Next month will mark the 100th anniversary of the sinking of the Titanic, and plans abound to memorialize or capitalize on the tragedy, including the re-release of the 1997 movie Titanic in 3D, the production of a commemorative coin, and – believe it or not – a series of Titanic memorial cruises. Some members of the security community recently chose to remember the event in a more constructive way. 

Members of the Next Generation Security Leader (NGSL) LinkedIn Group, which exists to provide participants in the Security Executive Council’s Next Generation Security Leader Development program with an opportunity to discuss course material with their peers and instructors, compared the risk management focus of the Titanic’s parent company and some organizations today. 

Will McCann, director of Security Training and Communications at Capital One, began the thread: “In [the first session of the NGSL program], I was struck by the critical distinction one of the speakers made between compliance and risk mitigation. I immediately thought of the Titanic, which, though it carried enough lifeboats to comply with the law, had far fewer than necessary to save everyone on board.

“In 1912, UK lifeboat requirements were based on tonnage rather than passenger load. And since White Star’s leaders were focused on legal compliance rather than mitigation of risk, they simply bought enough boats to keep the authorities at bay and went to sea. One hundred years later, I wonder how many companies really make the distinction.”

As other members chimed in, the analogy deepened. White Star’s engineers and advisors reinforced a faulty perception that there was zero probability of the ship sinking; therefore, the company based their mitigation decisions on inaccurate data. Decision makers did not believe a risk existed. Participants pointed out that companies act based on similar erroneous assumptions today when they dismiss the importance of fire drills, for example. They perform drills because they are required by law, but they don’t believe they could ever have a fire. While compliance helps – without it they may neglect drills altogether – it is less desirable than invested risk assessment and risk mitigation.

McCann concluded, “Now here’s what I think is really interesting: They chose to install top-of-the-line Welin davits, each of which was capable of holding and deploying up to four lifeboats. They could have purchased much cheaper davits to save money, but they spent the money to get the very best. This was likely done in the “nothing but the finest” spirit with which the ship was designed and marketed. And yet they didn’t buy more than one lifeboat per davit, because that’s all the law required.

“Now imagine if they’d had a Security team that acted as true business partners. Imagine they’d said to the executives at White Star, ‘Look, we’ve already spent the money on high-volume davits. Let’s buy enough lifeboats for everyone onboard, passengers and crew. They’re a relatively low, fixed cost; a one-time purchase with minimal upkeep. Even if they’re never needed, having them onboard will allow us to differentiate ourselves from our competitors and provide a whole other angle with which to market the ship: It’s not only the largest, fastest and most luxurious ship afloat, it’s also the safest.’ But they didn’t. They thought of lifeboats only as a compliance checkbox, not as a potential way to add value to the enterprise. In all likelihood, the Security team – and their executives – saw safety/security as an obstacle to profitability, rather than a lever for building customer delight, generating revenue and avoiding unnecessary expense and reputational damage.”

For security to act as a true business partner in the manner McCann describes, they must have influence with other business units and senior management at multiple levels and stages of organizational strategic planning, added another participant. This can be gained through participation in an enterprise risk management model.

As many companies have learned the hard way, complying with federal or industry rules doesn’t necessarily adequately protect the organization from harm or loss. It can be difficult to demonstrate to management the need to assess mitigation strategies that extend beyond regulatory requirements, but the security leader must often do just that in order to help avoid another Titanic.   

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Marleah Blades

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

2014 November cover of Security Magazine

2014 November

Don't miss our 2014 Security 500 issue, with rankings, data on sectors, and other security benchmarkings, all contained within this November 2014 edition of Security magazine. Also, (re)learn the basics of lobby security and how to make the highest impact retrofit for your budget.
Table Of Contents Subscribe

Travel & the Ebola Risk

Are you and your enterprise restricting travel due to Ebola risks?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.