“You are clearly out of compliance with a federal law.” When you, as a risk management professional, hear this, what is your first reaction?
A. “Yikes! We better fix that immediately!”
B. “That sounds like a problem for the Compliance Department?”
C. “So what? The government has its hand in everything, let us run our business!”
D. “Hmm…let’s perform a risk analysis and see if we should be concerned.”
In the first few months of my career in operational risk management, my answer would have been A.
I quickly realized that if I recommended every issue of non-compliance be fixed, my organization would be spending orders of magnitude more money than the amount of risk being reduced. Without the logical framework for analyzing risk that FAIR provides, I never would have reached that conclusion.
Analyzing risk in forecasted dollars of expected loss allows you to more easily recognize when you’re spending too much money fixing an inconsequential “problem.”
This post was adapted from David Musselwhite's provocative talk at FAIR Conference 2017, "Case Study: Managing Operational Risk with FAIR". See the complete video of David's talk and his slides on the FAIR Member Resources Page.
Let's look at an example where focusing on compliance may be a misstep.
The Occupational Safety and Health Administration (OSHA) exists to ensure safe and healthful working conditions by setting and enforcing standards with which employers must comply. One of those standards relates to the presence of hazardous chemicals in the workplace.
In any workplace where hazardous chemicals are present, employers must provide safety training to employees, post OSHA-approved posters in the work area, clearly label all hazardous chemicals, make Materials Safety Data Sheets (MSDSs) and safety equipment readily available to employees, and implement a written hazard communication program.
Compliance with OSHA’s Hazard Communication standard is serious business: in fiscal year 2015, Hazard Communication was the second most frequently cited standard across all OSHA enforcement actions.
And for good reason! Fuming sulfuric acid, nerve agents like sarin gas, and crystalline silica that can be inhaled into the deepest parts of our lungs are just a few examples of the highly hazardous materials present in American workplaces.
But there’s one hazardous material (present, I would venture to guess, in every office building you’ve ever set foot in) that frequently gets overlooked and makes many large organizations non-compliant with OSHA standards: printing ink.
In small quantities printing ink is not likely to be harmful to humans, but most companies of a certain size have a print shop outfitted with large industrial printers used to print internal documents or client statements. Those printers have larger cartridges or ink banks than your desktop printers.
For some machines ink can be purchased in 1 liter bottles or larger containers, and ink in that quantity poses a number of hazards. It is highly flammable, harmful if swallowed, and may cause allergic skin reactions, as well as serious eye or respiratory irritation.
Most well-documented cases of these negative effects come from workers involved in the manufacturing of ink, but low-level exposure still triggers the requirements of the Hazard Communication standard.
Given the dangers printing ink poses, why don’t more companies comply with the Hazard Communication standard? Simply put, because the forecasted loss associated with non-compliance is smaller than the cost of compliance. Conducting a FAIR analysis from the perspective of a typical office-based company that has no obvious workplace hazard concerns can demonstrate that this is true.
The FAIR model can help you prove when compliance might not be worth the cost... so you can focus on what matters the most.
In FAIR, risk has two factors: loss event frequency (how many times over a given timespan a bad thing is likely to occur) and loss magnitude (how much it is likely to cost each time it occurs).
In this scenario the loss event we’re concerned about is the Department of Labor issuing a fine against our organization for a failure to comply with the Hazard Communication standard. (Note: in some states OSHA standards are enforced by state-level agencies; for the purposes of this example analysis you can think of whatever regulatory body is relevant to your organization.)
How frequently are we likely to receive a citation?
Considering that their inspectors are busy with construction, mining, manufacturing, factory farming, and other hazardous industries, an inspection of our facilities is likely to occur infrequently. Some large companies are known to have gone 30+ years without an OSHA examination.
Even if an examination happens, we may be able to avoid a citation by arguing that exposure levels are so low that non-compliance is understandable, or that leniency is warranted since this may be our first infraction.
Given a probable frequency of examinations of between once every 30 years and once every 2 years, with a most likely value of once every decade, and a percentage of those examinations that will result in a citation of between 0% and 100% with a most likely value of 20%, we can derive through Monte Carlo simulation that the frequency with which we can expect citations to occur is between once every 100 years and once every 14 years, with a most likely frequency of once every 50 years.
How much are we likely to lose each time a citation is issued?
Some productivity loss will be incurred from taking print shop workers off the floor for safety training. Response costs will include the costs incurred from developing the written hazard communication plan, delivering the training, and responding to the citation itself. And it’s possible that we may be fined as a result of the citation.
Further losses, though unlikely, could occur from the reactions of secondary stakeholders like labor rights activists, the media, former team members who come out of the woodwork with dubious claims of injury, etc., all of which will require a response from the organization.
Adding up all of these costs brings us to a reasonable estimate of loss magnitude of between $20,000 and $100,000 of primary loss, and between $1,000 and $250,000 of secondary losses, which we estimate will be incurred no more than 20% (most likely 10%) of the time a citation is issued.
How much risk is associated with this scenario?
Having made or derived estimates of loss event frequency and loss magnitude, we can run a FAIR analysis to understand why our organization has spent $0 on OSHA compliance up until this point: the annualized loss exposure from this scenario is, at most, roughly $3,500. Even taking the time to create and deliver a training session about the hazards of the ink is likely to cost more than the maximum exposure we forecast for any given year.
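The three steps above (estimate loss event frequency, estimate loss magnitude, combine them into annualized loss exposure) as a runnable Monte Carlo in Python. This is an added example, not code from the talk or from any FAIR tooling; it uses the post's own ranges. Everything else is this example's assumption: the PERT (scaled beta) shape for each range, a Poisson draw for the number of citations in a year, midpoint most-likely values for the two loss ranges (the post gives only minimum and maximum), independence between the factors, and the seed and trial count.

```python
"""Monte Carlo FAIR analysis of the OSHA Hazard Communication scenario.

Added example (not from the talk or from any FAIR tool): it takes the post's
ranges and combines them the way FAIR does, loss event frequency x loss magnitude.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Calibrated min / most-likely / max estimate, sampled as a PERT (scaled
    beta) distribution. Using PERT rather than a triangle is this example's choice."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        # Standard PERT mean: the mode is weighted four times the endpoints.
        return (self.low + 4 * self.mode + self.high) / 6

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        a = 1 + 4 * (self.mode - self.low) / span
        b = 1 + 4 * (self.high - self.mode) / span
        return self.low + rng.betavariate(a, b) * span


# Inputs taken from the post. Frequencies are per year.
EXAM_FREQ = Pert(1 / 30, 1 / 10, 1 / 2)          # once per 30 yrs .. once per 2 yrs, mode once a decade
CITATION_PROB = Pert(0.0, 0.2, 1.0)              # share of examinations that end in a citation
PRIMARY_LOSS = Pert(20_000, 60_000, 100_000)     # $20k..$100k; the midpoint mode is an assumption
SECONDARY_PROB = Pert(0.0, 0.10, 0.20)           # secondary loss at most 20% of citations, most likely 10%
SECONDARY_LOSS = Pert(1_000, 125_500, 250_000)   # $1k..$250k; the midpoint mode is an assumption


def expected_annual_loss() -> float:
    """Closed-form expected annualized loss exposure from the PERT means,
    assuming the factors are independent (an assumption of this example)."""
    lef = EXAM_FREQ.mean() * CITATION_PROB.mean()
    loss_magnitude = PRIMARY_LOSS.mean() + SECONDARY_PROB.mean() * SECONDARY_LOSS.mean()
    return lef * loss_magnitude


def poisson(rate: float, rng: random.Random) -> int:
    """Number of events in one year at the given rate (inversion method; the
    stdlib has no Poisson sampler). Adequate for the small rates used here."""
    limit = math.exp(-rate)
    count, p = 0, rng.random()
    while p > limit:
        count += 1
        p *= rng.random()
    return count


def simulate_year(rng: random.Random) -> float:
    """One simulated year: sample LEF, draw how many citations occur, then
    sample a primary (and possibly a secondary) loss for each citation."""
    lef = EXAM_FREQ.sample(rng) * CITATION_PROB.sample(rng)
    total = 0.0
    for _ in range(poisson(lef, rng)):
        loss = PRIMARY_LOSS.sample(rng)
        if rng.random() < SECONDARY_PROB.sample(rng):
            loss += SECONDARY_LOSS.sample(rng)
        total += loss
    return total


def simulate(trials: int = 20_000, seed: int = 7) -> dict:
    """Run the Monte Carlo and summarise the distribution of annual loss."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng) for _ in range(trials))

    def pct(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "mean": statistics.fmean(losses),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "max": losses[-1],
        "years_with_a_citation": sum(1 for x in losses if x > 0) / trials,
    }


def control_is_worth_it(annual_control_cost: float, ale: float) -> bool:
    """The post's decision rule: fund a control only if it removes more expected
    loss per year than it costs. Assumes the control eliminates the loss entirely."""
    return ale > annual_control_cost


if __name__ == "__main__":
    print(f"expected ALE (closed form): ${expected_annual_loss():,.0f}")
    results = simulate()
    for name, value in results.items():
        print(f"{name:>22}: {value:,.2f}")
    # $5,000 a year for training is a constructed figure, compared against the simulated mean.
    print("training worth it?", control_is_worth_it(5_000, results["mean"]))
```

The closed-form expectation and the simulated mean both land in the low thousands of dollars per year, and the median simulated year is zero, which is the shape of a low-frequency, moderate-magnitude scenario: the decision turns on the mean and the tail, not on the "typical" year. Swapping the ranges for your own calibrated estimates is the whole exercise; the structure (frequency times magnitude, with secondary loss applied probabilistically) stays the same.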
Only by understanding loss event frequency and loss magnitude can we determine if a response to a risk scenario makes economic sense.
It's clear from our analysis that the cost of compliance in this scenario far outweighs the risk associated with non-compliance. Until citations become more frequent or fines become far larger, there is no incentive for companies in a similar situation to invest in mitigating this risk. (Sound familiar from the cyber risk space, where many argue that fines are levied too infrequently and are too small to force companies to adequately invest in proper security?)
The big idea here is that not every “problem” warrants a solution. Risk management is about limiting future losses to a tolerable amount in the most cost-effective way; it’s an optimization problem of how to deploy limited organizational resources to mitigate a desired amount of loss.
Risk management professionals or business leaders who argue for correcting every control deficiency and rushing to respond to every audit finding and allegation of non-compliance without having conducted a quantitative risk analysis may be sinking precious organizational resources into efforts for which the juice just isn’t worth the squeeze.
The logical and defensible nature of analysis conducted with FAIR allowed me to see that not every instance of non-compliance needs to be fixed or be fixed right away. While that statement may in some cases contravene the letter of the law, I believe it so strongly that I’d sign it in hazardous ink.