Monthly Archives: March 2011

You and Risk

2 Replies

In the previous article, I promised you that I would talk about legal risk in a later article. Okay, this is the later article. I told you that risk is exposure to harm or damage. That harm can take many forms, including but not limited to legal, physical, reputation, emotional, and so on. In this article we focus on legal harm. The discussion will be based on the legal concept of negligence.

3 Parts to the Whole

There are three general elements of negligence: 1) Duty (of care) 2) Breach (of that duty), and 3) Harm (resulting from the breach). We can back into this idea by saying that the harm (or damage) must be quantifiable in dollars. Hence, if someone nearly ran over you while you were in a crosswalk, you cannot bring suit just because he scared the crap out of you. (That’s because crap and dollars do not equate.)

Duty

In our society, each person over the age of reason (usually considered to be seven) has an obligation toward society. That obligation requires each of us to act in a reasonable, prudent manner when dealing with others, or when alone, if that solitary behavior could impact other human beings. Our justice system establishes that obligation in so-called black-letter law. Our insurance policies follow the lead of our laws. Want some examples? Okay, here goes.

          A person gets her car inspected for safety. It fails inspection. The inspector tells her that the brakes are in such bad condition that the car is unsafe, and should not be driven off the premises. Notwithstanding, she drives away. There you are in the crosswalk, she draws a bead on you and accelerates, beause the light is about to go red, and she is in a hurry. You run, and now you are right in front of her, so she steps on the brake pedal — it goes to the floor!

          You are lying in the hospital bed, wondering if she will at least pay your hospital bills. Meanwhile, the prosecutor is drawing up charges against her, because she knew the brakes were defective, and could have known or should have known that the car was therefor unsafe on the highway. In legal terms, she failed the foreseeability test. If a reasonable, prudent person could have foreseen the danger to others (and they could have) then her behavior may be perceived by a court as criminally negligent. Criminal because she knowingly and willingly disregarded the lives of others. Negligent because she had a duty of care to the public, which she breached by operating that car on a public highway, and caused harm thereby. [Doesn't that sound lawyer-ish?] 

Proximate Cause

Yes, you were harmed as a direct result of her behavior — goodness, that’s why you’re in the hospital! Broken left leg, concussion, scratches and bruises. You will have her insurance claims person all over you in a heartbeat, looking to settle. But your lawyer advises you to put off filing a claim for awhile, to determine if any unforseen consequences of the accident arise.

          It is six months later. You now file a claim that includes the above-mentioned damages, plus a broken wrist that you sustained in your kitchen. You assert that it happened because you were not too steady on your left leg; it buckled, you fell and broke that wrist.

          Sorry about the wrist, but the insurance carrier will not pay for that break. It was not a direct (proximate) consequence of the accident. Well, how about the prolonged separation from your newly wedded husband, while you were in the hospital? Shouldn’t that be worth something for the emotional distress? Maybe, but probably not. You cannot express in dollars how much you missed your hubby while you were laid up.

          In summary, the driver of that car exposed herself to legal risk by operating a motor vehicle she knew was unsafe.

A Down Home Risk Assessment

You wake up one morning, go to the window, pull up the shade, and look outside. There are about 2 feet of snow on the ground (except at the end of your driveway, which has about 5 feet, thanks to the snowplow person), it is snowing so hard, you cannot see across the street. You turn on the TV weather and hear that there’s about 2 inches of ice under the snow, and the snow won’t stop until late afternoon.

          You pull down the shade, go back to bed, pull the covers over your head.

          You have just completed your very own risk assessment: You done good!

 

5 Steps to Risk Assessment

3 Replies

Do you know what Risk is? Well, if we are going to talk about it, we may as well define it. Risk is exposure to harm or damage. That harm could take various forms. It could be physical (as in a fire), it could be cyber (as in theft of automated information), it could be legal (as in, for example, negligence). In another article, I will talk more about exposure to legal risk. First, let’s get right into the Risk Assessment Algorithm. 

Risk is everywhere — jumping at you when you least expect it.

3 Key Features

This algorithm is a vital technique for protecting your assets, no matter what form they take. The technique has 3 Key Features:

(1) It is methodical. It provides a standard for laying a foundation of protection.
 
(2) It is objective. Risk is a scientific concept. As you go through the 5 steps, you will see that there are mandates for dispassionate guidelines, or metrics.
 
(3) It gets measurable results. Risk can be addressed, controlled, and measured in different ways. For example, it can be retained, transferred to a pool (like insurance), reduced or mitigated, or eliminated.
 
          Risk is an academic topic. I will talk to you about it in a later article. But now, let’s get to that algorithm of 5 steps.
 
The Risk Assessment
1. Asset Identification and Valuation
You must first and most importantly understand what you are trying to protect. You must prioritize. To do this, you ask questions like How much would it cost to replace this asset? Could we do without the asset? For how long? What would be the consequences of its loss? The first question is by far the most important — the answer will tell you whether or not you want to even include a given asset in your protection matrix.
 
          For example, you insure your automobile for replacement value. It is a 2011 Cadillac Escalade. You love it, but if it gets totaled, it can be replaced quickly and easily. Your neighbor insures his 1968 Red Corvette. What’s the replacement value of that car? Well, what are the replacement options of a ’68 Corvette? See what I mean? And how about that Picasso original you hung in your bathroom? You can bet that an insurance carrier would have an art dealer appraise it before offering you any coverage on it. The appraisal would be based on a standard in the art world for fixing a value on (“valuating”) a Picasso of a given vintage and medium.
 
          If you cannot valuate a given asset, then you will not know what to spend to protect it.
 
2. Threat Analysis
This concept can be called Protection With a Purpose. Once upon a time, when I was an active CPP (Certified Protection Professional), a client retained me for a consult on a warehouse he owned. His question:  How should I protect it? Well, let’s see. The building is in a decent area, low crime rate, well lighted. The shell is metallic, the building has a fire and smoke detection system with sprinklers. And one more thing. The building is empty.
 
          Now, Mr. Client, what exactly are you protecting against? What would be the consequences of someone breaking into the building? What is the probability that someone would break into the building?  The empty building.
 
          I will not labor the point. I think you picked up on how important this step is. “Ah,” you ask,”but would there not be a difference between filling the building with, say, lumber, and storing let’s say, little parts for aircraft navigation systems?”  Well, yes! But the protection you install would still depend upon a perceived threat. What is the probability (and risk is based on the statistics of probability) that someone would — or could — steal hundreds of thousands of dollars’ worth of 2 x 4′s? Now ask the same question about  little, specially designed and manufactured parts for the navigation system of the latest fighter aircraft.
 
3.Vulnerability Evaluation
Vulnerability is the susceptibility to injury or compromise. Humans, things, and information can be vulnerable. Let me point out, for clarity, some ideas with which you are already familiar. A human can suffer emotional trauma as well as physical trauma. So you do not make yourself vulnerable by getting out of bed in the morning and driving 20 miles to work in a driving blizzard, ice on the road, with the temperature at 9 degrees. (You really don’t — do you?)
 
          Your purse and your car would be vulnerable if you left that purse on the seat of your car with the windows open while you ran inside the building to bring lunch to your husband (or someone else’s husband).
 
          Information is knowledge. Knowledge is power. That’s why governments classify their sensitive information. That’s why you don’t tell the cable guy that you are going out of town for a couple of weeks, leaving no one at home. It’s why you don’t tell your husband that you’re having your car worked on for the third time this month by a really good-looking guy who happens to be a body builder….
 
          It is axiomatic that if there is no threat, then there is no vulnerability. But be careful: Each asset must be evaluated on its own merits. Remember that warehouse? Okay, suppose it’s empty, except for the little room in which that Picasso is stored.
 
4. Benefit-Cost Analysis
In business terms this would be the Return on Investment. Picasso’s and ’68 Corvettes are truly expensive, and really hard to replace, so you should not mind spending big bucks to protect them. (Remember Step 1!) But why would you spend $165,000 in alarm systems to protect an empty warehouse? Insurance would deal with any bona fide loss from fire or catastrophe. Ah, insurance — the epitome of risk management. So, is the asset you identify in Step 1 really worth protecting? If so, to what degree? What is the Break Even Point between the value of the asset and the cost of protection?
 
5. Recommendations for Improvement
There are two approaches to this: Security Management and Risk Management. If you adopt the SM approach, your recommendations — okay, my recommendations to you — would be broken down in roughly this manner.
 
          A. Physical Security Program
              a. Perimeter security
              b. Alarm systems
              c. Guard force
              d. CCTV system
         
          B. Personnel Security Program
              a. Background checks
              b. Access control
              c. Personnel Reliability sub-Program
              d. Internal Affairs (with HR)
 
          C. Information Security
            a. Logical protection
            b. Physical protection
            c. Periodic personnel review program
 
          D. Prepare your employees for change
 
 
From the Risk Management Perspective
          A. Examine the Feasibility of Alternative Risk Management Techniques
              a. Exposure Avoidance (make loss impossible: close your business during a blizzard)
             b. Loss Prevention  (shovel your sidewalks before opening your business, lowering your exposure to liability)
             c. Loss Reduction  (drive more slowly during bad weather)
            d. Separation of Elements Exposed to Loss  (if your business owns two vehicles, use the older, less expensive one during bad weather)
            e. Transfer the Risk (buy adequate insurance)
 
         B.  Establish a Risk Management Program
 
    Next time: Examples and explanations.