Let’s talk about strategic risk mitigation. The functional security controls we’re responsible for in the security field are deliberate, continuous operations conducted to accomplish one of four responses to an identified risk: avoid it, reduce it, transfer it, or accept it. At a high level, this is what your CSO and their army of boffins are doing all day every day: assessing what unmitigated risks exist in your organization, then working out how best to address them. Each resulting control is a balancing act that requires an accurate understanding of likelihood and impact, followed by an analysis that dispassionately weighs cost, labour, difficulty, and effectiveness, to create one or more protocols that – if executed correctly – will reduce the likelihood and impact of an exploited risk to within acceptable levels.
The thing is, no one can fully manage every risk. There’s no such thing as “perfect safety.” That’s why strategic governance dictates that there are some vulnerabilities you can and must address, while most others are open for debate. Some can be partially addressed, some can be bought off (transferred to an insurer), and some must simply be accepted (that is, you hope they never manifest).
That’s what I wanted to discuss today. For my readers outside the USA, you might not have heard about our latest high-profile gun violence incident … Don’t feel bad; why would you? We have so many that they tend to blur together. This specific incident caught the American public’s attention since it violated one of our most sacred cultural norms: instead of the murder victim being a roomful of elementary school students or a random person of colour, this violence was directed at someone important in America: a wealthy white male executive!
Early in the morning of 4th December, Mr. Brian Thompson — the CEO of UnitedHealthcare, the insurance arm of the reviled American mega-corporation UnitedHealth Group — was gunned down on the streets of New York City while walking to an investor conference. The esteemed gentleman’s sudden passing from rapid-onset lead poisoning was met with delight among the proles and horror among our monied elites.
The fact that our oligarchs were surprised by the nation’s collective lack of compassion is as hilarious as it is inexcusable. As Arwa Mahdawi explained in The Guardian: “It doesn’t matter how great a guy [Brian Thompson] might have been to his friends and family; he was a top executive at a company that has treated millions of people very poorly. Health insurance in the US is a racket that is more focused on increasing profits than providing care. And UnitedHealthcare is particularly egregious when it comes to getting its customers to pay enormous premiums, then turning around and denying them care when they desperately need it. … In short: Thompson was the face of an unfair system that has screwed millions of people over. … Whatever the motive, many people seem to think Thompson got what he deserved.”
I’m not here to pile on the recently unemployed with more snarky quips, and I’m certainly not interested in defending a corpo overlord who implemented a shoddy AI tool to accelerate the denial of dying people’s desperately needed medical care reimbursement claims. I can’t imagine any sane human being defending such an objectively sadistic Lex Luthor wannabe. Rather, I want to look at Mr. Thompson’s unpremeditated resignation from a corporate risk management perspective.
For reference, physical security controls are typically limited by both the planners’ and the attackers’ imaginations. We guard against what we expect our adversaries can and are inclined to attempt. No corpo outside of Ukraine is planning how best to avoid or recover from a Russian ballistic missile strike during the normal course of business. The idea is to consider what’s possible and likely, then go from there. For decades, the American white collar world has been more concerned with workplace shootings (15 so far in 2024) than extracurricular assassination attempts.
If we’re going to look at Mr. Thompson’s recent receipt of the ultimate pink slip as the start of a horrifying trend, then we need to remember that the four outcomes for a mitigated risk are avoidance, reduction, transfer, or acceptance. If your risk model includes upset customers expressing their discontent through gunfire – a Proud American Tradition!™ – then you might plan your controls thusly:
Notice, though, that all those mitigation outcomes can only protect your workers while they’re physically inside your facility. None of them provide your workers any protection once they exit your building. You know … where the rest of the world is. That’s probably why a dissatisfied mystery shopper lodged their complaint with Mr. Thompson on a city street rather than in the ex-executive’s luxurious corner office. It bypasses all those pesky impediments.
This change in the usual threat model gives your security team quite a challenge. It’s a lot easier to lock down one office building than an entire planet. If we want to discuss how to actively and effectively mitigate the risk of executive elimination, we’re required to think outside the box … er, office. I think this is necessary, now more than ever.
The recent vote of no confidence that abruptly halted Mr. Thompson’s tenure as CEO left a significant hole in UnitedHealthcare’s org chart (among other things). As “impact” goes, it doesn’t get much more irreversibly disruptive than that. Sure, a mega-corp the size of UHC probably had both a comprehensive continuity of operations plan and a leadership succession plan on the books. No doubt both were executed (ahem) immediately upon hearing the news of Mr. Thompson’s stepping (or, rather, falling) down from his position. That’s what they’re there for.
That said, simply relying on a rapid replacement protocol to mitigate the negative effects of the premature, unnegotiated departure of a key leader isn’t going to sit well with the other 499 CEOs still active in the FORTUNE 500. I’d wager that a fair number of those top executives have already summoned their CSO and demanded to know what the plan is for preventing a Liberty Valance-style involuntary redundancy. What, they’re asking, are you and your staff doing to keep this sort of unhappy customer from doing to me what they did to my analogue in New York?
Honestly, I think this is an excellent question to pose because it forces a company’s key leaders to participate in some very uncomfortable negotiations. What does it take to keep a single human alive, especially in a world chock full of people that actively despise them? Even the best bodyguards in the business — the US Secret Service — find it difficult to keep their charge completely bullet-free these days. If they can’t guarantee a single VIP’s safety, how “safe” is your CEO? If I were one, I’d want to know what my company is able to do … and, of the available options, what my company is willing to do for me. That’s the most important question.
There are service providers who offer this sort of round-the-clock close protection for VIPs. They are, as you’d expect, rather expensive. That’s fair; it sounds like a gruelling, dangerous job. Pay the experts what they’re worth! UHC’s parent company posted $371.6 billion in revenue and $8.9 billion in profits in FY2023, so I’m sure they can easily afford it. Their shareholders might not appreciate the 0.05% reduction in dividends and share growth, though …
Still, we need to ask how much “protection” a company should pay for. Is contracting bodyguards to shadow their CEO while he’s out in public enough? A lucky shooter can hit their target with a surprise attack even when bodyguards are everywhere (just ask Ronald Reagan). What about removing the VIP from public streets altogether? Should the board of directors buy their CEO a $20 million armoured limo? Or a private helicopter to bypass the proles protesting in the streets? Or a private jet to bypass the ship-killing orcas patrolling the ocean? Those measures would definitely reduce the likelihood of a bitter customer successfully challenging their denied claim … but not the impact, assuming the cards fall their way.
Speaking of claims, since all of these possible mitigation measures exist, it’s certain that they’ll be demanded by some of our least popular corporate oligarchs. Once one millionaire trendsetter appears in public surrounded by mooks, executives everywhere are going to start demanding the same perquisites. Just wait …
That’s when things will get really heated. Remember that it’s the board’s responsibility to determine if any of these proposed risk mitigation expenses are worth it. As a UnitedHealthcare claims adjuster might say, “it depends.” When a health insurance customer files a claim for a medical procedure, there are requirements that must be met before the insurance company will pay some or all of the expense. For example: does the customer’s insurance policy cover the required treatment? Is the procedure “medically necessary”? Has the customer paid all of their “fair share” for the year? Was the treatment authorized by the insurance company before it was delivered? If the consumer fails to meet all the requirements, they’ll find themselves on the hook for all the hospital’s charges.
Over 100 million Americans are fighting medical debt, and medical bills account for about 40% of all bankruptcy filings in the USA. It’s the 11th Old Testament plague, modernized and re-sold for profit.
Of course, the arrangement between an employer and an employee is markedly different than that between an insurance provider and a customer. I’m sure that corporate executives perceive themselves to be Very Important and, therefore, should be protected from all harm no matter the cost. From the executive’s seat, it’s self-evident that their board should spend whatever it takes to preserve their brilliance. Ego is a helluva drug.
One’s employer, however, holds a markedly different perspective. To be blunt, executives are a dime a dozen. Sure, competent executives cost more, but let’s face it … there is no shortage of people willing to do Brian Thompson’s former job for a fraction of his $10.2 million annual earnings. It’s a common joke in American corpo life that everyone is replaceable. Additionally, spending $20 million on an armoured car to protect a $10 million-a-year asset simply isn’t good business … especially if there’s an understudy waiting in the wings (as all good business continuity plans require).
If anything, corporations are highly unlikely to invest in the sort of close protection measures that would reasonably protect one of their key employees from an assassination attempt … especially while outside company facilities. Improving the defences of an entire office makes fiscal sense, since the more casualties prevented, the less work must be done to recover following an incident. But investing in extraordinary protection for any one person? No matter who they are? That’s not a defensible ROI when you can always get another one.
That, I submit, is going to come as quite a shock to a lot of people who use the word “yacht” as a verb. When your CEO demands that their board of directors provide them with a small army of bodyguards and an armoured car and a private jet … and the board denies their claim … it’ll come as a cataclysmic emotional shock. How can these people not see how their petty focus on mere money will jeopardise the life of the most important person to them in the world? Don’t you people realize that if I don’t get this necessary measure paid for, I might die?!?
Uh huh. There’s a beautiful, sick irony to this. I’d enjoy being a fly on the wall when a bunch of rich egomaniacs discover that their lives are worth less to their employer than they believe it should be. Far less. Like, “rounding error” less. Feels great, doesn’t it?
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543