The Ethics of Risk Assessment

Among things I contemplate as sit with a consulting client in working out the scope of an assignment is how much to tell him [them] about the scary things which may arise in Risk Assessment which they had NEVER even considered previously without:

1. embarrassing him/them for their omission
2. scaring him/them and simultaneously making myself a horrible version of Doomsayer
3. leaving myself open to complaint of "Why didn't you tell us this at the beginning?"

A legal item came to my attention today that an "anonymous" organization is suing the IRS for illegally exceeding the scope of a search warrant and seizing the protected health records of 10 million individuals, including EVERY state judge in California as well as countless actors, actresses, film executives, politicians, etc. in violation of the Health Insurance Portability and Accountability Act of 1996.

"This is an action involving the corruption and abuse of power by several Internal Revenue Service ('IRS') agents (collectively referred to as 'defendants' herein) during a raid of John Doe Company, in the Southern District of California, on March 11, 2011," the complaint states. "In a case involving solely a tax matter involving a former employee of the company, these agents stole more than 60,000,000 medical records of more than 10,000,000 Americans, including at least 1,000,000 Californians.
"No search warrant authorized the seizure of these records; no subpoena authorized the seizure of these records; none of the 10,000,000 Americans were under any kind of known criminal or civil investigation and their medical records had no relevance whatsoever to the IRS search. IT personnel at the scene, a HIPPA [sic: recte HIPAA] facility warning on the building and the IT portion of the searched premises, and the company executives each warned the IRS agents of these privileged records. The IRS agents ignored and discarded each of these warnings, ignored their own published and public-reliant rules and governing ethical requirements, and ignored the limitations of the court's search warrant authorization, seizing the records under threat of destroying company property."
Plaintiff's attorney Robert E. Barnes declined to elaborate on the complaint's allegations, saying he will have more information "in a few months."
"I had to file to protect against the statute of limitations being an issue, but am still investigating all facts," Barnes told Courthouse News in an email.
The putative class claims the IRS agents' seizure of medical records violated the 4th Amendment.

Click to expand...

I came across this as I was researching for helping a client perform a Gap Analysis of its record keeping and overall Document Management.

From my interested, but uninvolved viewpoint, the situation seems to have been avoidable if the organization in question had done a better job of segregating types of records and maintaining clear and obvious "Chinese Walls" between them.

If the personnel on site when the IRS agents executed their raid (ironically - they were only looking for records of ONE INDIVIDUAL) had been able to clearly and obviously demonstrate to the IRS that their method of retrieval of the electronic records of ANY or ALL records of a single individual were competent and essentially "mistake proof," then the IRS agents would not have been able to make much argument.

The entire lawsuit is available to read as a public record in the San Diego Superior Court as Case #37-2013-00038750-CU-CR-CTL
(It's a bit of a chore to get to, no direct url seems available to post)

In this case, the IRS agents are accused of willfully ignoring ANY such offers of help from IT or other personnel and making a direct threat to "rip the servers out of the building" and "making no effort to segregate [the wanted from the unwanted records]"

I LOVE this one description of one of the IRS agents involved

A special agent involved in the matter has a known and legally documented history of misconduct, ethical breaches, and criminal activity, including, but not limited to, making false statements to a grand jury, making false statements to prospective witnesses in his investigations, misleading prospective witnesses about their rights in his investigations, obstructing independent investigations into his conduct or the matter at hand, disclosing without authorization grand jury secret material in violation and contempt of federal court orders, invading and abusing search warrants and subpoenas for privileged information, including patient privileged information, attorney-client privileged records, and marital privileged information.

Click to expand...

(sounds like a description for bad guy federal agent in a movie, doesn't it?)


It is a case that may take YEARS to unfold, but fascinating. However, I STILL face the worry of TMI (too much information) while negotiating an assignment versus too little information only to have the client scream when the ghosts start moaning and rattling chains.

save human life & prevent Assets loss

Dr.chnadra said:

save human life & prevent Assets loss

Click to expand...

Do you think the federal agents would have used deadly force to seize the computers if the techs and bosses had refused to give them up?

Dr.chnadra said:

save human life & prevent Assets loss

Click to expand...

Wes Bucey said:

Do you think the federal agents would have used deadly force to seize the computers if the techs and bosses had refused to give them up?

Click to expand...

Not speaking for Dr.chnadra, but I think his observation was directed at your post title, which seems to bear only a tangential relationship to the post itself.

Wes Bucey said:

Do you think the federal agents would have used deadly force to seize the computers if the techs and bosses had refused to give them up?

Click to expand...

Only if the techs and bosses had refused in a manner which would have put the agents or others in harm's way. Otherwise, I don't think they are justified in using deadly force. They could probably have arrested them for obstruction of justice or similar charges.

Wes Bucey said:

Do you think the federal agents would have used deadly force to seize the computers if the techs and bosses had refused to give them up?

Click to expand...

The title of your post is: "The Ethics of Risk Assessment."

Am I missing something??

Stijloor said:

The title of your post is: "The Ethics of Risk Assessment."

Am I missing something??

Click to expand...

Consultants, usually by virtue of experience with a wide variety of businesses and business cultures, constantly juggle "worst case" with "best case" scenarios as possible outcomes with their clients.

Of necessity, consultants learn that, despite Deming's admonition to REMOVE FEAR, many clients are not motivated to part with a check for a consultant's fee to achieve a rosy future unless there is more than a hint of fear as to what may happen if they don't hire "some" consultant, preferably THIS consultant.

For those consultants limiting their practice to narrow fields (meeting Standards, implementing Lean, etc.), there aren't a lot of horror stories except a possible [probable?] shrinkage of market share because competitors DO have certifications.

The ethics involved for the consultant center around "fear mongering" as a marketing tactic to get assignments. On the other side of the coin, a consultant who doesn't alert customers to "risks" in advance is often deemed incompetent for not being ahead of the risks or, worse, raising chimeras after the assignment begins to milk an assignment for more fees once he's on the job.

One aspect of negotiating for consulting assignments arises when the consultant realizes BEFORE, sometimes AFTER, the consulting agreement is signed that the client is really FUBAR (google the term!)

In the past, I've written that taking on a FUBAR client and failing can really tarnish a consultant's reputation. The consultant willing to take on a FUBAR client ought to be frank in pointing out a higher probability of failure than of success, but many aren't, sometimes hastening the death spiral of an organization which may have generated more value by being broken up and sold off piecemeal instead of destroying all value in a failed salvage attempt.

Mostly, these risk assessments for the consultant fall into two broad categories:

1. risks the client faces of success or failure after the consultant leaves
2. risks the consultant faces in scaring off a client or getting bad word-of-mouth for waiting until the contract is signed and check in hand before disclosing the downside risks,

The third risk is minor - is the consultant not savvy enough to recognize an assignment he is incapable of bringing to a successful conclusion? (Most consultants have big egos and are reluctant to admit a shortcoming, but the truly successful ones are savvy enough to make ego subordinate to business practicality.)

The ethics attached to these risks are not cut and dried, but very gray and foggy:

1. If the consultant lives to the letter of his contract and the client fails a short time later, was the consultant ethical in declaring the client "good to go" if he knew (suspected strongly) the top management was not committed and would soon let things slide back to a mess? (What could the consultant do or say to make the situation more ethical?)
2. If the consultant recognizes his assignment is merely putting lipstick on the pig and there will be no material change because of the limited nature of the assignment scope, is the consultant ethical in accepting the limited scope of the assignment?

Without trying to be controversial, my experience is that agents for regulatory agencies and law enforcement agencies OFTEN engage in "mission creep" to wander around and snoop beyond the scope of the visit or search. I don't necessarily believe mission creep is systemic, but certainly a small number of individuals engage in it. Organizations and individuals within those target organizations need to be aware of the possibility of encountering such an intrusion by an agent as a tangent to some other investigation and have systems and processes in place to anticipate and ameliorate the effect of such intrusion. Often the preparation and amelioration measures require the input of legal advice.



There is a lot of buzz about cyber attacks, but often the most devastating attack to documents and records can walk in the front door with a warrant and the resultant disruption can be very costly and often uncompensated by insurance. What are the ethics of a consultant scaring the pants off a client who thinks he's only signing up to "modernize" a document management system?

Wes Bucey said:

<Snippage>
There is a lot of buzz about cyber attacks, but often the most devastating attack to documents and records can walk in the front door with a warrant and the resultant disruption can be very costly and often uncompensated by insurance. What are the ethics of a consultant scaring the pants off a client who thinks he's only signing up to "modernize" a document management system?

Click to expand...

If would-be clients are frightened by reality, that's hardly the would-be consultant's fault. We should be able to assume that a consultant knows things that his clients don't know or there would probably be no need for a consultant. By the same token, one would think that an experienced consultant would understand the difference between honest disclosure of observations and gratuitous hyperbole.

I have been in the consulting business for over 26 years and I found my Clients overall very receptive. I have never encountered the issues that were described in Wes' posts. Something must be OK because 85% of my business is by referral.

Stijloor said:

I have been in the consulting business for over 26 years and I found my Clients overall very receptive. I have never encountered the issues that were described in Wes' posts. Something must be OK because 85% of my business is by referral.

Click to expand...

Good for you!