Fresh Thoughts #75: Your Policy is a Collection of Experiences

Child in water

What decides your risk tolerance?
Your risk assessment, policies, and processes?
Or the actions of your staff?

Your Policy is a Collection of Experiences

Last week - I spent a few days at Centre Parcs with my family. It was over a year in the planning - as my daughter had a mission…. to descend the rapids.

On our last holiday - her brother got to go on the rapids for the first time. A mythical place where only strong swimmers could go. Sadly - aged 3 - there was no way she was strong enough...

"Maybe next year."
Challenge accepted.

And so, for the past 12 months, she has been swimming at least twice every week. Once for a lesson and once for extra practice. Her focus and dedication have been astounding.

The result - she progressed to the Stage 3 class in the spring. And - like a fish - she's found a love of swimming underwater. Seemingly only popping up to breathe… occasionally.

Last week was her week.
And so - still aged four - she went down the Centre Parcs rapids for the first time.

We took extra care of her, ensuring she didn't get stuck in the stoppers or eddies.
Her reaction? "Again. Again"
On the first two days of the holiday - she managed to go down the rapids four times.

I'm Not Comfortable...

And then came day 3.
Another swimming session - and we were immediately heading for the rapids.

A large group of teenagers dashed in front - so we held back a moment.
Then came the piercing whistle and the fateful words, "You can't go down the rapids. I'm not comfortable."
On Day 3, we were banned from the rapids.

Not for a lack of ability.
She met every criterion.
And it was acknowledged that she had done it four times before without incident.
It was because the lifeguard wasn't comfortable.

With one simple action, the comfort of an individual overrode the policies and processes of a business. This made me pause.

Comfort or Policy and Process

I've written previously that risk is part of business and everyday life. And risks should be analysed and mitigated where possible - and accepted or transferred where not.

Understanding the risks your business faces is non-trivial. It takes time and consideration.

But once the risk mitigations are decided, policies are created and processes implemented to enforce a business-wide understanding. In risk-orientated industries - like financial asset management and water parks - those policies and procedures are published to customers as well as staff.

This ensures that everyone understands what they need to do to be safe.

Staff must be aligned with business risk. Being more conservative and deviating from accepted risk will hurt the business objectives, customer expectations and experiences.

Others may disagree. The counter-argument is staff should be empowered to make risk-based decisions.
But in what scope?
And under what parameters?

Indeed - if something is dangerous or out of control - stop it. It may not have been foreseen in the risk management process.
But then log the situation as a near miss and change policies and processes to ensure it can't happen again.

Your policy is a collection of experiences and near misses.
One person's comfort doesn't override this.

July 18, 2023
3 Minutes Read

Related Reads

swiss cheese plant

Fresh Thoughts #42: My Security Is Like Swiss Cheese

Your security is like Swiss cheese. Is that an insult or a good thing?

Fresh Thoughts to Your Inbox

Fresh perspectives on cybersecurity every Tuesday. Real stories, analytical insights, and a slash through buzzwords.

We'll never share your email.

Subscribe to Fresh Thoughts

Our weekly newsletter brings you cybersecurity stories and insights. The insights that help you cut through the bull.

We'll never share your email.


Fresh Security Support

Your Questions


Fresh Sec Limited

Call: +44 (0)203 9255868