Wednesday, March 26, 2014


Companies fined while
Executives unpunished

The Boston Globe headlines an AP article by Eric Tucker, "Toyota case shows it’s hard to prosecute execs," that basically tells readers what they already suspected: organizations are fined for misdeeds while the organizations' executives are unscathed by any penalties.

Or, put another way, the stockholders and - in the case of merchandise, future purchasers - pay for the executives' folly. In many cases, the executives who headed the organization while it failed its customers are rewarded by the organization's board with often extravagant bonuses.

While the AP article focuses on Toyota, it could be almost any major corporation.

According to the article, the Justice Department socked the car company with a $1.2 billion penalty but brought no criminal charges against individual executives, an unsatisfying resolution for consumer activists who say prison is the best deterrence for corporate malfeasance.

Prosecutors say they had little choice, in part because of constraints with evidence and the challenge of gathering testimony and information from witnesses abroad.

Still, court documents accuse Toyota of intentionally withholding information about problems.

Toyota, however, is an organization. It is an organization managed by real people, people who made the decision to put other people at risk and who, in Toyota's case, KNEW their product could - and did - kill.

True, guns also kill, but that is their purpose. An automobile's purpose is to move people from Point A to Point B, not to kill its occupants.

The American Lawyer Web site notes that Sen. Arlen Specter recently drafted legislation that may become the next battleground in the tort reform wars. The bill would impose criminal penalties on employees who "knowingly and recklessly" allow defective products into the marketplace, imposing up to 15 years if a death results. Larry Fineran, VP of the National Association of Manufacturers, says business leaders are "appalled" that they could face jail time for making fundamentally subjective decisions about risk. (Unfortunately the former senator from Pennsylvania died in 2012.)

A search of the WWW for executives who were jailed for faulty products turns up only a few cases where any jail time was ordered.

The most notable is that of a breast implant company. An NPR article titled "French Court Sentences Executive For Selling Faulty Breast Implants" states that a French court has sentenced Jean-Claude Mas, the founder of Poly Implant Prothese (PIP), and three colleagues for the sale of implants found to have a high rupture rate.

Mas was sentenced to four years

A U.S. Justice Department release bragged that Thomas Higgins, 55, of Berwyn, PA, Michael Huggins, 54, of West Chester, PA, and John Walsh, 48, of Coatesville, PA, all former executives with Synthes, Inc., and its subsidiary Norian Corporation, were each sentenced to prison today for charges related to illegal clinical trials of a medical device without the authorization of the Food and Drug Administration.

Higgins and Huggins were each sentenced to nine months in prison; Walsh was sentenced to five months.

In another DoJ case, Marc S. Hermelin, the former chairman of the board and chief executive officer of St. Louis-based KV Pharmaceutical Company, pleaded guilty and was sentenced today in a case involving KV’s production and distribution of oversized morphine sulfate tablets, the Justice Department announced. U.S. District Judge E. Richard Webber of the Eastern District of Missouri ordered Hermelin to pay a $1 million fine, forfeit $900,000 and serve a sentence of 30 days in jail.

With picayunish incarceration penalties - from 30 days to nine months - there is little to encourage executives to actually do "due diligence" on the products for which they have responsibility.

Harry S Truman, the U.S.' 33rd president, accepted the responsibility of his office and reminded visitors of this with a desk plaque reading "The Buck Stops Here."

We need more executives with Truman's mentality.

Wednesday, March 12, 2014

Consider this

Flight 370 on ground?

Updated Monday, March 17, 2014; new copy added at bottom.

Rescue operations are launched from a number of countries, combing the seas for Malaysia Airlines Flight 370.

All the talking heads are claiming the Boeing 777-200 went into the water.


But maybe not.

According to the TV talking heads, Flight 370 set off from Kuala Lumpur headed north-northeast toward its Beijing destination. But it diverted from its flight plan and turned westward, crossing over Malaysia or southern Thailand on a mostly westerly course where it dropped off the radar; contact was lost.

Searchers have been looking in the South China Sea where the aircraft might have gone down, if it went down over water and had it stayed on course to Beijing; an oil slick was reported, but no debris was found and no "black box" signals were detected.

Searchers also started looking in the Indian Ocean on the west side of Malaysia and Thailand. As with the China Sea effort, so far (as of 8 p.m. EST, Tuesday, March 11, 2014) with no positive results.

We are told that there were several passengers on board Flight 370 with false passports; more, it has been suggested that these passengers may be Moslems. The aircraft's co-pilot has a typically Moslem name.

Beijing is approximately 2,700 miles (4,350 kilometers) from Kuala Lumpur.

That is roughly the same distance as from Kuala Lumpur to Moslem Pakistan.

Commercial aircraft always carry more fuel than needed to reach the flight plan's destination, so the initial duration of the flight in the north-northeast direction may not prevent the aircraft from reaching Pakistan.

Malaysia Flight 370 Destination options

If the airplane flies fairly close to the earth's surface, and if the aircraft's transponder - the device that shows the plane's location to special receivers around the world - is turned off, the airplane effectively "disappears" from contact.

While it is possible that the flight went down over a land mass - Thailand, Burma, or India - given the lack of transponder signals, that seems less than likely.

There were no Mayday calls from the Flight 370 flight deck; that, coupled with the absence of transponder signals, suggests that the aircraft's destination was altered; the question is: To where? A second question must be: Was Flight 370 skyjacked or was it willingly redirected by the pilot and/or co-pilot?

At this point, it's all speculation, but as a risk management practitioner, I think the authorities need to look at all possibilities, including the plane being redirected to a new destination.

Wednesday, March 12, 2014

According to an Arutz Sheva report titled "Missing Malaysian Flight's Ringing Phone Mystery," "Families of passengers on missing plane report calls to cell phones ringing through, terrorism 'not ruled out.'"

The article commences with The mysterious disappearance of Malaysia Airlines Flight 370 on Saturday along with its 239 passengers has deepened, with new reports that families of the missing travelers have gotten ringing tones while calling their missing loved ones.

While waiting at Beijing's Metropark Lido Hotel for news on Monday, several relatives of the missing reported they were able to contact their disappeared family members' cellphone, while others saw them appear online on the Chinese instant messenger service QQ, reports The Washington Post.

Monday, March 17, 2004

The Independent of England headlines the question: "Missing Malaysia Airlines Flight MH370: Did jetliner fly into area controlled by Taliban?"

Sunday, March 9, 2014

Our government at work

In an email headed "County Government Settles Potential HIPAA Violations," Health and Human Services brags about fining a small northwest Washington state county $215,000 for violating HIPAA's privacy law.

The email was excerpted from a press release posted to the HHS web site at

Skagit County, Washington, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. Skagit County agreed to a $215,000 monetary settlement and to work closely with the Department of Health and Human Services (HHS) to correct deficiencies in its HIPAA compliance program. Skagit County is located in Northwest Washington, and is home to approximately 118,000 residents. The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care. (Emphasis mine)

Note: The following paragraph was omitted from the emailed HHS release but appears on the HHS web site.

“This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size,” said Susan McAndrew, deputy director of health information privacy at the HHS Office for Civil Rights (OCR). “These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”

OCR opened an investigation of Skagit County upon receiving a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County. OCR's investigation revealed a broader exposure of protected health information involved in the incident, which included the ePHI of 1,581 individuals. Many of the accessible files involved sensitive information, including protected health information concerning the testing and treatment of infectious diseases. OCR's investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.

Skagit County continues to cooperate with OCR through a corrective action plan to ensure it has in place written policies and procedures, documentation requirements, training, and other measures to comply with the HIPAA Rules. This corrective action plan also requires Skagit County to provide regular status reports to OCR.


    (a) A rural county with only "approximately 118,000 residents" (Release paragraph 1). How many of those residents are children? How many non-working spouses? How many under- or unemployed? How many on welfare or other public assistance? How many in prison? (The county's demographics for 2012 are available at

    (b) "The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care." (Release paragraph 1). The median household income in the county was $56,475 (roughly $3,00 less than the state median income) and, during the same 2008-2012 period, 12.6% of the population was below the poverty level. (Source: County demographics, ibid.)

HHS now adds another $215,000 burden on the taxpayers as a penalty for lacking proper data security. Add to the penalty the costs of upgrading the county's data security practices to comply with HIPAA. The HHS fails to even estimate that cost.

While protecting patient records is proper and investigating security breaches is well within HHS's purview, my question to HHS is: How does fining Skagit County $215,000 improve the county's data security?

Had HHS come in and shown the county (1) that there was a breach of security and (2) had HHS experts tell the county how to close those security gaps, then HHS would have done its job to the benefit of all concerned. If it charged the county a fee for services rendered, that, too, would have been in order.

However, HHS makes no claim that it did either. The PR release does state that Skagit County continues to cooperate with OCR through a corrective action plan to ensure it has in place written policies and procedures, documentation requirements, training, and other measures to comply with the HIPAA Rules. This corrective action plan also requires Skagit County to provide regular status reports to OCR.

I'm confident that the county has insurance to cover at least part of the HHS penalty, but because insurance companies are in business to make money, I'm equally confident that the county will have increased insurance premiums for the next several years.

Bottom line:

  • Skagit County must pay the U.S. government $215,000 from a limited budget to satisfy an HHS penalty and then
  • Skagit County must pay to determine how to improve data security to HHS' Office for Civil Rights' basic requirements and pay to implement those changes.

HHS penalties would seem to be a revenue generator for the federal agency.

In the end, the Skagit County taxpayer is stuck - twice.

Sunday, March 2, 2014

For what does a planner plan?

Risk vs. Impact


The Risk

Hundreds of thousands of religious extremists are set to march on Jerusalem. Whether or not "hundreds of thousands" will descend on the Israeli capital is to be seen. My guess is that the turnout will be less than expected, but still there will be a sea of black hats.

In preparation for this event, Israel has ordered streets closed, trains to stop running, and buses to stay at the bus station.

The Impact

Whether or not the risk of the mass demonstration occurs - in any volume - the risk already is impacting the capital.

The impact is that people won't be able to

*    Go to work

*    Go to school

*    Go shopping for essentials (bread, milk, etc.)

*    Get to a hospital or clinic if necessary

Essentially they are trapped in their neighborhoods, if not their homes.

My Question

So how is this different than the impact of a

*    Snow storm

*    General strike

*    Flood

Or any other event that closes the roads?

Not only in Israel

Israel is not the only country to see "million man" marches.

Ask the folks in Washington D.C.

Israel is not the only country to see transportation disrupted.

Ask the folks who were stranded by a volcano's ash.

Two-part planning

Risk management is basically a two-part process.

Part One: Identify the threats and ways to avoid or mitigate them.

Part Two: Identify ways to respond to the threats when, despite our best efforts, they occur.

In Jerusalem's case, the threat - not hundreds of thousands descending on the capital, but the State's accommodation of these people - is the same as if the city had been snowed in. It's the same as if sections of the city were blocked off for a parade or a fire or any number of other "it can happen anywhere" scenarios.

In Israel, most people work on Sunday. Government offices and schools are open. Banks are open. Mail is delivered. Sunday is Israel's Monday.

In Jerusalem - and it could be New York, London, Madrid, Tokyo, any large city even if it is not a nation's capital - business is disrupted.

The Question

As a planner, should you plan

   a: For the specific risk

   b: For the impact

From my perspective, planning for the SPECIFIC risk is a waste of energy.

Rather than planning for "a million man march on the capital," plan for a disruption of movement. The bottom line is it really doesn't matter WHAT caused the disruption, there is a disruption.

Granted, considering the sundry causes of the disruption is useful in considering means to avoid or mitigate the risk; e.g., having snow removal equipment on hand or having additional buses to accommodate rail passengers and having alternate routes for those buses, and planning corridors for emergency services.

Plan for the impact. Find the workarounds, and not just for the business interruption's anticipated duration but beyond that.

In the case of the march on Israel's capital, expect some debris; anticipate some police follow-up (in the event someone takes criminal advantage of the situation).

Again, Jerusalem is only the "example du jour." The venue could be anywhere - including where you live and work.

Bottom Line

Consider the risks and the ways to avoid or mitigate them.

Plan for the impact and how people - businesses and individuals - can survive it.