The Titanic: Risk Management vs. Compliance
Next month will mark the 100th anniversary of the sinking of the Titanic, and plans abound to memorialize or capitalize on the tragedy, including the re-release of the 1997 movie Titanic in 3D, the production of a commemorative coin, and – believe it or not – a series of Titanic memorial cruises. Some members of the security community recently chose to remember the event in a more constructive way.
Members of the Next Generation Security Leader (NGSL) LinkedIn Group, which exists to provide participants in the Security Executive Council’s Next Generation Security Leader Development program with an opportunity to discuss course material with their peers and instructors, compared the risk management focus of the Titanic’s parent company and some organizations today.
Will McCann, director of Security Training and Communications at Capital One, began the thread: “In [the first session of the NGSL program], I was struck by the critical distinction one of the speakers made between compliance and risk mitigation. I immediately thought of the Titanic, which, though it carried enough lifeboats to comply with the law, had far fewer than necessary to save everyone on board.
“In 1912, UK lifeboat requirements were based on tonnage rather than passenger load. And since White Star’s leaders were focused on legal compliance rather than mitigation of risk, they simply bought enough boats to keep the authorities at bay and went to sea. One hundred years later, I wonder how many companies really make the distinction.”
As other members chimed in, the analogy deepened. White Star’s engineers and advisors reinforced a faulty perception that there was zero probability of the ship sinking; therefore, the company based their mitigation decisions on inaccurate data. Decision makers did not believe a risk existed. Participants pointed out that companies act based on similar erroneous assumptions today when they dismiss the importance of fire drills, for example. They perform drills because they are required by law, but they don’t believe they could ever have a fire. While compliance helps – without it they may neglect drills altogether – it is less desirable than invested risk assessment and risk mitigation.
McCann concluded, “Now here’s what I think is really interesting: They chose to install top-of-the-line Welin davits, each of which was capable of holding and deploying up to four lifeboats. They could have purchased much cheaper davits to save money, but they spent the money to get the very best. This was likely done in the “nothing but the finest” spirit with which the ship was designed and marketed. And yet they didn’t buy more than one lifeboat per davit, because that’s all the law required.
“Now imagine if they’d had a Security team that acted as true business partners. Imagine they’d said to the executives at White Star, ‘Look, we’ve already spent the money on high-volume davits. Let’s buy enough lifeboats for everyone onboard, passengers and crew. They’re a relatively low, fixed cost; a one-time purchase with minimal upkeep. Even if they’re never needed, having them onboard will allow us to differentiate ourselves from our competitors and provide a whole other angle with which to market the ship: It’s not only the largest, fastest and most luxurious ship afloat, it’s also the safest.’ But they didn’t. They thought of lifeboats only as a compliance checkbox, not as a potential way to add value to the enterprise. In all likelihood, the Security team – and their executives – saw safety/security as an obstacle to profitability, rather than a lever for building customer delight, generating revenue and avoiding unnecessary expense and reputational damage.”
For security to act as a true business partner in the manner McCann describes, they must have influence with other business units and senior management at multiple levels and stages of organizational strategic planning, added another participant. This can be gained through participation in an enterprise risk management model.
As many companies have learned the hard way, complying with federal or industry rules doesn’t necessarily adequately protect the organization from harm or loss. It can be difficult to demonstrate to management the need to assess mitigation strategies that extend beyond regulatory requirements, but the security leader must often do just that in order to help avoid another Titanic.