Leadership & Management Column

The Titanic: Risk Management vs. Compliance

Next month will mark the 100th anniversary of the sinking of the Titanic, and plans abound to memorialize or capitalize on the tragedy, including the re-release of the 1997 movie Titanic in 3D, the production of a commemorative coin, and – believe it or not – a series of Titanic memorial cruises. Some members of the security community recently chose to remember the event in a more constructive way. 

Members of the Next Generation Security Leader (NGSL) LinkedIn Group, which exists to provide participants in the Security Executive Council’s Next Generation Security Leader Development program with an opportunity to discuss course material with their peers and instructors, compared the risk management focus of the Titanic’s parent company and some organizations today. 

Will McCann, director of Security Training and Communications at Capital One, began the thread: “In [the first session of the NGSL program], I was struck by the critical distinction one of the speakers made between compliance and risk mitigation. I immediately thought of the Titanic, which, though it carried enough lifeboats to comply with the law, had far fewer than necessary to save everyone on board.

“In 1912, UK lifeboat requirements were based on tonnage rather than passenger load. And since White Star’s leaders were focused on legal compliance rather than mitigation of risk, they simply bought enough boats to keep the authorities at bay and went to sea. One hundred years later, I wonder how many companies really make the distinction.”

As other members chimed in, the analogy deepened. White Star’s engineers and advisors reinforced a faulty perception that there was zero probability of the ship sinking; therefore, the company based their mitigation decisions on inaccurate data. Decision makers did not believe a risk existed. Participants pointed out that companies act based on similar erroneous assumptions today when they dismiss the importance of fire drills, for example. They perform drills because they are required by law, but they don’t believe they could ever have a fire. While compliance helps – without it they may neglect drills altogether – it is less desirable than invested risk assessment and risk mitigation.

McCann concluded, “Now here’s what I think is really interesting: They chose to install top-of-the-line Welin davits, each of which was capable of holding and deploying up to four lifeboats. They could have purchased much cheaper davits to save money, but they spent the money to get the very best. This was likely done in the “nothing but the finest” spirit with which the ship was designed and marketed. And yet they didn’t buy more than one lifeboat per davit, because that’s all the law required.

“Now imagine if they’d had a Security team that acted as true business partners. Imagine they’d said to the executives at White Star, ‘Look, we’ve already spent the money on high-volume davits. Let’s buy enough lifeboats for everyone onboard, passengers and crew. They’re a relatively low, fixed cost; a one-time purchase with minimal upkeep. Even if they’re never needed, having them onboard will allow us to differentiate ourselves from our competitors and provide a whole other angle with which to market the ship: It’s not only the largest, fastest and most luxurious ship afloat, it’s also the safest.’ But they didn’t. They thought of lifeboats only as a compliance checkbox, not as a potential way to add value to the enterprise. In all likelihood, the Security team – and their executives – saw safety/security as an obstacle to profitability, rather than a lever for building customer delight, generating revenue and avoiding unnecessary expense and reputational damage.”

For security to act as a true business partner in the manner McCann describes, they must have influence with other business units and senior management at multiple levels and stages of organizational strategic planning, added another participant. This can be gained through participation in an enterprise risk management model.

As many companies have learned the hard way, complying with federal or industry rules doesn’t necessarily adequately protect the organization from harm or loss. It can be difficult to demonstrate to management the need to assess mitigation strategies that extend beyond regulatory requirements, but the security leader must often do just that in order to help avoid another Titanic.   

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Marleah Blades

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security June 2015 issue cover

2015 June

In this June 2015 issue of SecurityIs the security director business’s new “corporate rock star?” Find out how CSOs can become the new leaders of their enterprises through mentorships, partnerships and creatively adding business value. Also, learn how security professionals are training employees in cyber security through games. And why are deterrence and detection so important when it comes to thwarting metal thieves? Find out in this issue.

Table Of Contents Subscribe

Body Cameras on Security Officers

Body cameras are being used increasingly by police in cities across the U.S. Will you arm your security officers with a body camera?
View Results Poll Archive

THE SECURITY STORE

Effective Security Management, 5th Edition.jpg
Effective Security Management, 5th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.