The Ethics of Risk Assessment

Wes Bucey

Quite Involved in Discussions
#1
Among the things I contemplate as I sit with a consulting client in working out the scope of an assignment is how much to tell him [them] about the scary things which may arise in Risk Assessment which they had NEVER even considered previously without:

  1. embarrassing him/them for their omission
  2. scaring him/them and simultaneously making myself a horrible version of Doomsayer
  3. leaving myself open to complaint of "Why didn't you tell us this at the beginning?"
A legal item came to my attention today that an "anonymous" organization is suing the IRS for illegally exceeding the scope of a search warrant and seizing the protected health records of 10 million individuals, including EVERY state judge in California as well as countless actors, actresses, film executives, politicians, etc. in violation of the Health Insurance Portability and Accountability Act of 1996.
"This is an action involving the corruption and abuse of power by several Internal Revenue Service ('IRS') agents (collectively referred to as 'defendants' herein) during a raid of John Doe Company, in the Southern District of California, on March 11, 2011," the complaint states. "In a case involving solely a tax matter involving a former employee of the company, these agents stole more than 60,000,000 medical records of more than 10,000,000 Americans, including at least 1,000,000 Californians.
"No search warrant authorized the seizure of these records; no subpoena authorized the seizure of these records; none of the 10,000,000 Americans were under any kind of known criminal or civil investigation and their medical records had no relevance whatsoever to the IRS search. IT personnel at the scene, a HIPPA [sic: recte HIPAA] facility warning on the building and the IT portion of the searched premises, and the company executives each warned the IRS agents of these privileged records. The IRS agents ignored and discarded each of these warnings, ignored their own published and public-reliant rules and governing ethical requirements, and ignored the limitations of the court's search warrant authorization, seizing the records under threat of destroying company property."
Plaintiff's attorney Robert E. Barnes declined to elaborate on the complaint's allegations, saying he will have more information "in a few months."
"I had to file to protect against the statute of limitations being an issue, but am still investigating all facts," Barnes told Courthouse News in an email.
The putative class claims the IRS agents' seizure of medical records violated the 4th Amendment.
I came across this as I was researching for helping a client perform a Gap Analysis of its record keeping and overall Document Management.

From my interested, but uninvolved viewpoint, the situation seems to have been avoidable if the organization in question had done a better job of segregating types of records and maintaining clear and obvious "Chinese Walls" between them.

If the personnel on site when the IRS agents executed their raid (ironically - they were only looking for records of ONE INDIVIDUAL) had been able to clearly and obviously demonstrate to the IRS that their method of retrieval of the electronic records of ANY or ALL records of a single individual was competent and essentially "mistake proof," then the IRS agents would not have been able to make much argument.

The entire lawsuit is available to read as a public record in the San Diego Superior Court as Case #37-2013-00038750-CU-CR-CTL
(It's a bit of a chore to get to, no direct url seems available to post)

In this case, the IRS agents are accused of willfully ignoring ANY such offers of help from IT or other personnel and making a direct threat to "rip the servers out of the building" and "making no effort to segregate [the wanted from the unwanted records]"

I LOVE this one description of one of the IRS agents involved
A special agent involved in the matter has a known and legally documented history of misconduct, ethical breaches, and criminal activity, including, but not limited to, making false statements to a grand jury, making false statements to prospective witnesses in his investigations, misleading prospective witnesses about their rights in his investigations, obstructing independent investigations into his conduct or the matter at hand, disclosing without authorization grand jury secret material in violation and contempt of federal court orders, invading and abusing search warrants and subpoenas for privileged information, including patient privileged information, attorney-client privileged records, and marital privileged information.
(sounds like a description for bad guy federal agent in a movie, doesn't it?)


It is a case that may take YEARS to unfold, but fascinating. However, I STILL face the worry of TMI (too much information) while negotiating an assignment versus too little information only to have the client scream when the ghosts start moaning and rattling chains.
 

sjared

#5
Do you think the federal agents would have used deadly force to seize the computers if the techs and bosses had refused to give them up?
Only if the techs and bosses had refused in a manner which would have put the agents or others in harm's way. Otherwise, I don't think they are justified in using deadly force. They could probably have arrested them for obstruction of justice or similar charges.

:2cents:
 

Wes Bucey

Quite Involved in Discussions
#7
The title of your post is: "The Ethics of Risk Assessment."

Am I missing something?? :confused:
Consultants, usually by virtue of experience with a wide variety of businesses and business cultures, constantly juggle "worst case" with "best case" scenarios as possible outcomes with their clients.

Of necessity, consultants learn that, despite Deming's admonition to REMOVE FEAR, many clients are not motivated to part with a check for a consultant's fee to achieve a rosy future unless there is more than a hint of fear as to what may happen if they don't hire "some" consultant, preferably THIS consultant.

For those consultants limiting their practice to narrow fields (meeting Standards, implementing Lean, etc.), there aren't a lot of horror stories except a possible [probable?] shrinkage of market share because competitors DO have certifications.

The ethics involved for the consultant center around "fear mongering" as a marketing tactic to get assignments. On the other side of the coin, a consultant who doesn't alert customers to "risks" in advance is often deemed incompetent for not being ahead of the risks or, worse, raising chimeras after the assignment begins to milk an assignment for more fees once he's on the job.

One aspect of negotiating for consulting assignments arises when the consultant realizes BEFORE, sometimes AFTER, the consulting agreement is signed that the client is really FUBAR (google the term!)

In the past, I've written that taking on a FUBAR client and failing can really tarnish a consultant's reputation. The consultant willing to take on a FUBAR client ought to be frank in pointing out a higher probability of failure than of success, but many aren't, sometimes hastening the death spiral of an organization which may have generated more value by being broken up and sold off piecemeal instead of destroying all value in a failed salvage attempt.

Mostly, these risk assessments for the consultant fall into two broad categories:

  1. risks the client faces of success or failure after the consultant leaves
  2. risks the consultant faces in scaring off a client or getting bad word-of-mouth for waiting until the contract is signed and check in hand before disclosing the downside risks.
The third risk is minor - is the consultant not savvy enough to recognize an assignment he is incapable of bringing to a successful conclusion? (Most consultants have big egos and are reluctant to admit a shortcoming, but the truly successful ones are savvy enough to make ego subordinate to business practicality.)

The ethics attached to these risks are not cut and dried, but very gray and foggy:

  1. If the consultant lives to the letter of his contract and the client fails a short time later, was the consultant ethical in declaring the client "good to go" if he knew (suspected strongly) the top management was not committed and would soon let things slide back to a mess? (What could the consultant do or say to make the situation more ethical?)
  2. If the consultant recognizes his assignment is merely putting lipstick on the pig and there will be no material change because of the limited nature of the assignment scope, is the consultant ethical in accepting the limited scope of the assignment?
Without trying to be controversial, my experience is that agents for regulatory agencies and law enforcement agencies OFTEN engage in "mission creep" to wander around and snoop beyond the scope of the visit or search. I don't necessarily believe mission creep is systemic, but certainly a small number of individuals engage in it. Organizations and individuals within those target organizations need to be aware of the possibility of encountering such an intrusion by an agent as a tangent to some other investigation and have systems and processes in place to anticipate and ameliorate the effect of such intrusion. Often the preparation and amelioration measures require the input of legal advice.



There is a lot of buzz about cyber attacks, but often the most devastating attack to documents and records can walk in the front door with a warrant and the resultant disruption can be very costly and often uncompensated by insurance. What are the ethics of a consultant scaring the pants off a client who thinks he's only signing up to "modernize" a document management system?
 

Jim Wynne

Staff member
Admin
#8
<Snippage>
There is a lot of buzz about cyber attacks, but often the most devastating attack to documents and records can walk in the front door with a warrant and the resultant disruption can be very costly and often uncompensated by insurance. What are the ethics of a consultant scaring the pants off a client who thinks he's only signing up to "modernize" a document management system?
If would-be clients are frightened by reality, that's hardly the would-be consultant's fault. We should be able to assume that a consultant knows things that his clients don't know or there would probably be no need for a consultant. By the same token, one would think that an experienced consultant would understand the difference between honest disclosure of observations and gratuitous hyperbole.
 

Stijloor

Staff member
Super Moderator
#9
I have been in the consulting business for over 26 years and I found my Clients overall very receptive. I have never encountered the issues that were described in Wes' posts. Something must be OK because 85% of my business is by referral. :agree1:
 

Wes Bucey

Quite Involved in Discussions
#10
I have been in the consulting business for over 26 years and I found my Clients overall very receptive. I have never encountered the issues that were described in Wes' posts. Something must be OK because 85% of my business is by referral. :agree1:
Good for you!
 