Does Your Employer Have The Right To Select Your Physician And Review The Results Of Your Annual Checkup?

Have you been following the recent debate over President Donald Trump’s health? His personal physician recently summarized his annual checkup by declaring that the President is in “excellent health,” and is “absolutely … fit for duty.”

But others who reviewed the President’s lab results assert that he must “ … increase the dose of his cholesterol-lowering medication and make necessary lifestyle changes … (to reduce his) moderate risk of having a heart attack in the next three to five years …”

Embedded in this debate is the natural awkwardness of revealing any individual’s private health information to others. After all, wouldn’t you feel uncomfortable if the results of your annual checkup were revealed to others and then openly debated by them?

Even federal Senators, state Governors, and other high-ranking elected officials are not subjected to such personal scrutiny. Only the President has been required to submit to it.

In the private sector, though, similar debates have simmered for years about whether publicly traded companies should monitor and disclose the health risks that are faced by their Chief Executive Officers. Apple, for instance, was sharply criticized for keeping many of the details regarding Steve Jobs’ mortal illness confidential. And its Board never insisted on selecting Jobs’ primary care physician.

In contrast, the railroad transportation firm CSX is now opting for a policy of full transparency. Its Board of Directors, responding to the sudden death of its CEO, recently decided to “ … require the railroad’s chief executive to submit to an annual physical exam that will be reviewed by the board … (to be performed by) a medical provider chosen by the board …”

This policy inevitably raises an important governance concern. Namely, are companies entitled to select their CEOs’ physicians, and then to review their private health information? The need for such transparency may be understandable, but is the policy itself appropriate?

After all, CEOs are not the only key employees within firms. There are undoubtedly dozens, or even hundreds, of workers within each company who may be deemed key members of the work force.

Should companies have the right to monitor all of these employees’ private health information? Where does an employee’s right to privacy outweigh a company’s need for information? And which employees, if any, should be subjected to such scrutiny?

Today, this question may only affect the President of the United States, the incoming Chief Executive Officer of CSX, and a few other key employees of various firms. In the near future, though, it may affect all of us.

Farewell, COSO Cube

Are you familiar with the COSO cube of Enterprise Risk Management? First released in 2004 by a consortium of five accounting trade associations, the framework has survived twelve long years of volatility by nature of its utility and simplicity.

As a three-dimensional shape, the cube features three faces of guidance that describe how to develop a risk management plan. One face describes the functions that should engage in risk management work. A second face describes the organizational levels that should be responsible for doing so.

And the third face is the most valuable one of all. It lists the eight components that any entity should complete in order to prepare a comprehensive risk management plan. The middle four components are the stand-outs.

And what are they? The entity should begin by identifying as many potential problems as possible. Then it should “red flag” the highest priority problems. Then it should develop response activities to limit the damage that would occur if these problems are not prevented. Finally, it should develop preventive control capabilities to reduce the likelihood that these problems might occur in the first place.

Simple and yet useful, eh? That’s exactly why the cube has lasted as long as twelve years. So, last month, when COSO released an exposure draft of its new framework, accountants and risk managers around the world eagerly scrolled through it to view the new and improved cube.

And guess what they found? The cube has vanished! There is now a three-part arrow that appears to be piercing the open hole of a five-color doughnut. Each color represents a component of risk management activity. And there are 23 (yes, 23) principles that support the five components.

Got it? If you’re thinking “not exactly,” you might wish to compare the old 2004 executive summary with the new 2016 exposure draft summary. By all means, ask yourself whether the new version — in all its complexity — represents a step forward or a step backward. Either way, it does appear that our accounting profession is about to say farewell to the COSO cube.

Obama Care: All But Useless?

Two days ago, the New York Times published a story with the following provocative headline:

Many Say High Deductibles Make Their Health Law Insurance All but Useless

The ensuing story described certain health plans that are sold at extremely low rates, but that incorporate very high out-of-pocket deductibles. But how low is a low rate? And conversely, how high is a high deductible?

According to the article, in the 38 states that utilize the federal web site, “8 out of 10 returning customers (can) buy a plan with premiums less than $100 a month …” However, such individuals may be on the hook for thousands of dollars of medical expenses, up front, before they reach their deductible limits and begin to receive claim reimbursements.

Less than $100 a month? That’s a very low rate. And thousands of dollars in expenses? That’s a very high deductible. So, on balance, are such policies worthwhile? Or are they truly all but useless?

Well, let’s think about an analogous example regarding property insurance. Suppose that you spend several thousand dollars to waterproof your beachfront home and fix some minor roof leaks this year, and that you also spend less than $100 a month on property insurance to cover the risk of severe hurricane-induced flood damage. If no hurricanes strike your home, should you conclude that your flood insurance policy was all but useless this year?

On the one hand, if you believe that a property insurance policy should reimburse you for the costs of waterproofing and minor roof patching, then you might indeed conclude that the policy was worthless. And yet, if you held such expectations about your policy, you should probably expect to pay far more than $100 a month for your coverage.

On the other hand, if you believe that the purpose of your insurance policy is to protect you against the risk of a catastrophic hurricane-induced flood, then you might conclude that the coverage is worthwhile even if there is no hurricane damage. In fact, you might indeed conclude that the purchase of insurance with no subsequent damage (or claim filing) represents an ideal outcome.

And if you scroll down towards the bottom of the New York Times article, that’s exactly what a health plan member with this type of coverage told the Times reporter. Josie Gibb of Albuquerque explained “It’s really just a catastrophic policy.”

Well, in reality, it’s probably a little better than that. When Josie pays for her services out of pocket, she probably pays the discounted rates that are negotiated by her health plan, as opposed to the standard rates that are charged by her medical providers to uninsured individuals.

Nevertheless, she is undoubtedly correct about the essential nature of her insurance policy. It is indeed designed to provide coverage against catastrophic illnesses and injuries, but it is not designed to reimburse her for non-catastrophic out of pocket expenditures.

Thus, it would only be reasonable to consider her plan “all but useless” if she were to suffer through a catastrophic medical event but then fail to obtain any benefits. With that in mind, what should we make of the fact that she has suffered through no such event this year?

It doesn’t mean that she wasted her money. Instead, it means that she’s been blessed with good fortune.

Fixing Government: Democracy In Action

Around the world last week, on the eastern and western coasts of the United States and in the Indian capital city of New Delhi, citizens were confronted with a trio of cases that collectively highlighted the very worst aspects of democratic government. In each case, individuals inside or outside of government felt compelled to take drastic action to remedy an embarrassing crisis.

In Newark, New Jersey, the city’s poorly performing school system gratefully accepted a financial bailout from Facebook founder and billionaire Mark Zuckerberg, who announced a mammoth donation of $100 million to finance critical improvements. In Bell, California, law enforcement officials announced the arrest of eight current and former city executives and managers on charges of gross corruption. And in New Delhi, India, government officials vowed to make emergency repairs to newly constructed sports facilities that are literally crumbling away in advance of next week’s Commonwealth Games.

Were these isolated incidents, or did they collectively represent a worrisome pattern of government neglect? And if so, what does it say about the capabilities of democratic governments in places like America and India to address their own internal problems?

Troublesome Patterns

Regrettably, none of these three events appeared to represent an isolated incident. Quite the contrary, all three constituted embarrassing culminations of years of government neglect and ineptitude across a wide range of circumstances and situations.

The public school system of New Jersey, for instance, has long been criticized for poor performance; in fact, it recently lost $400 million (i.e. four times the size of Zuckerberg’s donation) in federal funding because of an administrative application error. Likewise, government corruption has plagued California throughout the twentieth century; it served as the central theme for the plot of the 1974 film Chinatown, which won the Academy Award for best original screenplay. And critics in India have complained for years about the nation’s inability to maintain its critical infrastructure.

Thus, these recent events were no freak occurrences that struck otherwise competent government administrations. Indeed, they drew public attention to typical, albeit unusually colorful, examples of governmental cultures of incompetence and corruption.

In a Word, Why?

Of course, any complex problem can be traced to a multitude of causes; malfunctioning governments are no exception to this rule. Nevertheless, when reviewing these three cases, one is struck by a sense that these problems were simply never considered priorities by citizens or their representatives. Instead, individuals appeared to be preoccupied by other matters, thereby allowing these problems to fester until they exploded in the news.

New Jersey and California voters, for instance, may have been far more interested in the rough-house political style of Governor Chris Christie and the glamorous film star activities of Governor Arnold Schwarzenegger than in the policy debates that affect education funding and municipal oversight functions. And Indian citizens may have never exhibited the zeal for international showmanship that drove China’s focus on constructing first-class infrastructure for the Beijing Olympics and the Shanghai World Expo.

The key principle of enterprise risk management is the interplay between preventive, proactive functions and responsive, reactive functions. To put it simply, risk managers believe that it sometimes makes perfect sense to do everything possible to prevent a problem from occurring, and yet other times it makes more sense to allow a problem to happen and then deal with the consequences. American and Indian citizens may have chosen the latter option in these three cases, hoping for the best and then regrettably facing the worst.

Panetta’s Philosophy

From this perspective, one might take heart in the knowledge that government officials did belatedly take action to address this trio of problems. After all, charismatic Newark Mayor Cory Booker succeeded in obtaining the $100 million pledge from Mr. Zuckerberg. California Attorney General Jerry Brown moved against the infamous Bell Eight, vowing to prosecute them to the full extent of the law. And the Indian government now appears to be making critical repairs to the facilities of the Commonwealth Games.

Furthermore, public scrutiny over government performance in both nations is intensifying in dramatic ways. The American election season is now dominated by boisterous crowds that hearken back to the zealous Boston Tea Party revolutionaries of 1773. And Indian critics, free to voice their opinions in their nation’s open democratic system, are rallying public opinion to the side of clean and effective governance. Although disruptive, these demanding voices are focusing their citizenry on the activities of their own elected representatives.

CIA Director Leon Panetta recently told Politico that “Democracy can be ugly, depressing and frustrating but it is what determines our fate as a nation. We govern by leadership or crisis. Unfortunately, today, we largely govern by crisis.” Although one may wince in pain while watching developments unfold in Newark, Bell, and New Delhi, it might be helpful to keep in mind that we are, in fact, watching democratic governments in action.

Finally, An Oil Spill SWAT Team!

Whom do the police call when a bank robbery goes awry and the thieves threaten to begin shooting hostages? Or when an angry political protest spirals out of control and degenerates into a full blown riot?

Beginning in Los Angeles in 1967, law enforcement agencies across the United States have turned to SWAT teams, paramilitary forces that utilize Special Weapons And Tactics to handle such crisis situations. Television shows, films, and other entertainment media have explored and even glamorized these modern cavalry officers who ride to the rescue when the going gets tough.

Wouldn’t American Gulf Coast residents have been thrilled to see a SWAT team of engineers and environmentalists ride in and manage the Deepwater oil spill when BP experienced its own disaster a few months ago? Four of the world’s largest energy producers finally announced the development of such a force last week …

… but why didn’t BP, or any of these other producers, foresee that a Rapid Response team would be needed?

One For The Valdez

Interestingly, after the Exxon Valdez oil tanker spill, the energy industry created the Marine Spill Response Corporation to serve as a SWAT team for similar tanker-related disasters. Although the MSRC remains poised to manage another Valdez-style catastrophe, the energy industry had (until now) declined to invest in the development of a companion team for deep-sea drilling platforms in the Gulf of Mexico.

Why had it not done so? It would be easy to accuse the industry of gross negligence, or of foolishly under-investing in safety practices in order to boost short-term profits. And yet the costs of such rapid response teams are quite affordable when shared by multiple organizations; the new Gulf team, for instance, will be financed by Exxon Mobil, Chevron, Shell, and ConocoPhillips. And, of course, the benefits of maintaining these teams are self-evident during times of crisis.

So why wasn’t there a response team in place to serve the Gulf of Mexico? It is, in fact, entirely possible that the energy industry rationally assessed the situation and reasonably concluded that a comprehensive system of Enterprise Risk Management (ERM) simply didn’t require one. Until, of course, the Deepwater spill itself convinced industry executives to rewrite their ERM business plans.

Probabilities and Damage Estimates

How could such a conclusion be considered rational? Well, according to the COSO model of enterprise risk management, organizations must complete four distinct steps of analysis in order to address the risks of failure. First, they must anticipate potential crises before they occur through a process of scenario identification. Then, they must assess each crisis and prioritize the worst potential scenarios, focusing on the events that: (a) are relatively likely to occur, and/or (b) are relatively likely to cause extensive damage if they cannot be prevented.

Third, for potential crises with occurrence probabilities that exceed tolerable levels, organizations must invest in prevention controls that are designed to reduce these likelihoods. And fourth, for potential crises with damage estimates that exceed tolerable levels, they must develop rapid response mechanisms that are designed to reduce these costs.

These four core steps are labeled by COSO as event identification, risk assessment, control activities, and risk response. Whenever an organization declines to invest in control or response activities, one rational explanation — other than gross negligence or sheer mismanagement — is that the firm simply underestimated the likelihood or damage levels associated with the crisis, or that the firm set its tolerance thresholds too high, so that the estimated likelihood and damage never exceeded them and no investment was triggered.

Thinking Outside The Box

Although BP’s internal risk management plans are proprietary documents, the sheer volume of public information about the Deepwater crisis makes it feasible to speculate about BP’s investment decisions in the Gulf of Mexico. In fact, the most speculative aspects of its decisions likely involved damage levels; after all, unlike its estimates of the probabilities of failure — which were technical engineering estimates involving the reliability of the equipment itself — its estimates of damage levels should have encompassed both quantitative business costs and qualitative social costs.

It is relatively easy to identify and estimate quantitative business costs; the costs of repairing leaking pipelines, of removing spilled oil from the Gulf waters, and of cleaning up soiled beaches and marshlands are simply functions of the location of the crisis and the amount of oil spilled. But the qualitative costs of such a spill, such as the loss of the livelihoods of local business owners and the loss of a treasured way of life for an entire culture, require a significant degree of outside-the-box creative thinking. BP’s engineers and fiscal analysts may not have been comfortable with that type of task.

It is, in fact, reasonable to suspect that BP’s risk management plan simply didn’t address these qualitative costs at all, or perhaps understated them to a significant degree. If BP underestimated the damage from such a crisis, it would then inevitably underestimate the need to invest in the relevant response capabilities.
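The four-step triage described in the previous section, and the understated-damage argument just made, can be written down as a small risk-register calculation. The following is an added example, not BP’s plan and not COSO’s own text: the scenarios, dollar figures and tolerance thresholds are constructed for illustration, and the convention of expressing qualitative social cost in dollar-equivalent terms so that it can be added to business cost is an assumption of the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One identified crisis (the COSO 'event identification' step)."""
    name: str
    likelihood: float        # estimated probability of occurrence per year, 0.0 to 1.0
    business_cost: float     # quantifiable cost if it occurs (repairs, cleanup), in dollars
    social_cost: float = 0.0 # qualitative cost in dollar-equivalent terms (an assumption of this example)

    @property
    def damage(self) -> float:
        return self.business_cost + self.social_cost

    @property
    def expected_loss(self) -> float:
        return self.likelihood * self.damage


@dataclass(frozen=True)
class Tolerance:
    """Levels above which the organization must invest."""
    max_likelihood: float  # prevention controls are required above this
    max_damage: float      # a response capability is required above this


def prioritize(scenarios):
    """Step 2 (risk assessment): rank scenarios by expected loss, worst first."""
    return sorted(scenarios, key=lambda s: s.expected_loss, reverse=True)


def triage(scenarios, tol):
    """Steps 3 and 4: decide which investment each scenario demands.

    Likelihood above tolerance -> 'prevention' (control activities).
    Damage above tolerance     -> 'response'   (risk response capability).
    An empty tuple means the risk is accepted as-is.
    """
    decisions = {}
    for s in prioritize(scenarios):
        needs = []
        if s.likelihood > tol.max_likelihood:
            needs.append("prevention")
        if s.damage > tol.max_damage:
            needs.append("response")
        decisions[s.name] = tuple(needs)
    return decisions


def ignore_social_costs(scenarios):
    """Model a plan that leaves qualitative costs out of the damage estimate."""
    return [replace(s, social_cost=0.0) for s in scenarios]


def find_dropped_responses(scenarios, tol):
    """Scenarios whose response investment disappears once social costs are ignored."""
    full = triage(scenarios, tol)
    narrow = triage(ignore_social_costs(scenarios), tol)
    return sorted(n for n in full if "response" in full[n] and "response" not in narrow[n])


# Constructed sample register; these are not real industry figures.
SCENARIOS = [
    Scenario("tanker spill", likelihood=0.02, business_cost=2.5e9, social_cost=3.0e9),
    Scenario("deepwater blowout", likelihood=0.001, business_cost=1.0e9, social_cost=4.0e9),
    Scenario("pipeline leak", likelihood=0.20, business_cost=5.0e7),
]
TOLERANCE = Tolerance(max_likelihood=0.05, max_damage=2.0e9)

if __name__ == "__main__":
    for name, needs in triage(SCENARIOS, TOLERANCE).items():
        print(f"{name:20s} -> {needs or ('accept',)}")
    print("response capability lost when social costs are ignored:",
          find_dropped_responses(SCENARIOS, TOLERANCE))
```

With the full damage estimate, both spill scenarios exceed the damage tolerance and call for a response capability, while the frequent-but-cheap pipeline leak calls only for prevention. Strip the social cost out of the register and the deepwater blowout drops below the damage threshold, so the plan rationally concludes that no response team is needed; the tanker spill, whose business cost alone already exceeds the threshold, keeps its response team. That is the mechanism the section above describes: the probability estimates never change, only the damage figure does, and the investment decision follows the figure.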

Editorial Note: Our sincere “thanks” to Albert Blok, Clinical Research Coordinator at the Association of American Universities, for identifying an obsolete link regarding the Deepwater oil spill and providing a suitable replacement link. For more in-depth information regarding this topic, Albert recommends The Deepwater Horizon Oil Spill and its Aftermath and The Gulf Spill. He contributed to these resources … and we certainly agree with his recommendation.

Introducing the Virtual Law Firm!

Would you hire a virtual law firm? If it only exists in a virtual office? And if it can only communicate with you by using virtual technologies?

Dell Computer once revolutionized the personal computer industry and rose briefly to the #1 spot in sales volume by pioneering the virtual extended enterprise. Did Dell need real factories to produce its products, real stores to showcase them, and real trucks to deliver them to customers? Not at all! Instead, a kid named Steven (“Dude, you’re getting a Dell!”) advertised the brand on television, a toll-free call center collected orders, a chain of independent factories around the world produced and assembled the computers, and FedEx and UPS delivered the goods.

Did it work? For a while, it was the perfect business model. Every customer could order a uniquely customized unit, thus ensuring the receipt of exactly the product that was desired. And every buyer provided a credit card number at the time of each order, thereby eliminating accounts receivable collection concerns and reducing working capital requirements.

So what went wrong? Why is Dell no longer #1? And what’s all this buzz about virtual law firms?

Risky Business

Whenever we analyze risk, it’s helpful to use the fundamental principles of enterprise risk management as defined by COSO’s integrated framework. They’re really quite straightforward; they simply require analysts to focus on the most potentially damaging crises, and then to determine whether the organization is doing everything reasonably possible to prevent and/or mitigate them.

So what can go wrong with an extended enterprise strategy? Interestingly, its Achilles’ heel may well be a product of what is generally its greatest strength. On the one hand, a virtual enterprise doesn’t need to spend money on factories, stores, or trucks … on “bricks and mortar” infrastructure, if you will. That gives it an incredible cost advantage as long as nothing goes wrong.

But what happens if numerous laptop devices malfunction just days after consumers purchase them? The risk of customer dissatisfaction thus becomes a major concern. Whereas a firm like Apple, with Genius Bars in retail stores, can simply direct customers to visit local shopping malls for service, a virtual enterprise like Dell must struggle to communicate with its irate customers from remote call centers.

In other words, the problem with virtual enterprises isn’t a matter of business management, but rather of risk management. Costly infrastructure is an unnecessary burden when business goals are easily achieved; it’s only when things go wrong that the infrastructure is sorely missed.

The Virtual Private Law Firm

Nevertheless, the alluring benefits of cost elimination and product flexibility are simply too enticing for the concept of the extended enterprise to die. This month’s issue of the ABA Journal, for instance, features an article about Virtual Law Partners, an extended enterprise in the field of legal services.

The article notes that VLP has no physical office. Instead, attorneys use technology to interact with each other and with their clients; any in-person meetings are simply held in private homes. The revenue and cost models are fairly simple as well: 65% of all revenue billed by individual lawyers is paid to them as staff compensation, 20% is paid to the individual who manages the engagement, and 15% is allocated to corporate overhead expenses.

The article doesn’t address VLP’s service mix or growth ambitions in any great detail, but their own corporate website provides a few intriguing elaborations. Apparently, at the moment, the firm’s practice is focused on the receipt of relatively routine outsourced work from the in-house legal departments of major firms. And VLP plans to expand into a “worldwide distributed network.”

In other words, the firm is in the outsourcing business, accepting tasks that (unlike criminal cases, for instance) may not require complex and sensitive face-to-face conversations between attorneys and their clients. Although the firm’s web site touts the strength of its “advanced technology platform,” one might wonder whether its capacity might sag under the strain of intense and continuous interactions with temperamental clients, in much the same way that Dell’s call oriented warranty service might struggle to meet Apple’s Genius Bar standard of customer care.

Strong Headwinds

Before we dismiss virtual legal practices as tiny entities without the infrastructures that are required to handle complex engagements, we might pause a moment and check the atmospheric conditions. Strong headwinds are coursing through the global economy, and they all seem to be blowing in favor of virtual networks.

After all, in the 1950s, General Motors never dreamed that Toyota could ever compete in America via a tiny collection of threadbare dealerships. And throughout the twentieth century, many conservative governments never believed that civic protests could be organized if television stations were tightly regulated. And yet, if Toyota could evolve from Toyopet to Lexus, and if the broadcasting industry could shift from analog signals to YouTube, why couldn’t virtual law practices learn to manage more complex legal projects as well?

Let’s face facts. Daily commutes aren’t getting any faster. Mass transportation options aren’t getting any cheaper. And printers of paper-based reference materials aren’t getting any busier. So the ability and need to congregate in any real-world location for communication and research purposes is not getting any stronger.

In other words, though virtual law firms may not be ready to take over the profession just yet, the business trends are all moving in their direction. As long as they can manage the risk of failure, they will likely continue to grow.

Hooray for Hollywood: Risk Management Faves

In the spirit of the upcoming Annual Academy Awards, and as a public service to the banking industry titans of Wall Street who presided over what Risk Management has called the colossal risk management failure of the financial sector, we at Enterprise Man are proud to unveil our AQ/PQ “picks” for the twenty best (or worst) examples of risk management in film history.

We welcome your comments, your suggestions, and even your heated arguments. Please feel free to prepare your letters to the editor as we proceed through our list in chronological order.

The Envelope, Please …

The Great Train Robbery (1903). The first modern story in film history, bankrolled by Thomas Edison himself, was a twelve-minute film about an attack on a “money car.” Risk managers, take note of the brave attempts of the employees to comply with the railroad’s requirements for information and communication during times of crisis!

The Sheik (1921). The first great love story in film history also featured the first tragic business culture clash, as Rudolph Valentino’s Arab Sheik comes face-to-face with Western womanhood. Luckily, the French soon arrive to defuse the tension with tactful diplomacy. Merci beaucoup!

Safety Last (1923). The film title alone is sufficient to make a risk manager cringe! The same can be said for the iconic image of Harold Lloyd’s department store clerk dangling from a giant clock on the side of a Los Angeles skyscraper; who on earth forgot to engage the window locks?

King Kong (1933). Can some one please check those giant ankle cuffs (at least once) before the paparazzi swarm the giant, resentful man-killing creature with their blinding flash cameras? Is that too much for a risk manager to ask?

Swing Time (1936). Over 70 years before President Obama encouraged Americans to “pick ourselves up (and) dust ourselves off” in his inaugural speech, dance instructor Ginger Rogers sings the same lines of encouragement to a seemingly inept new dance student named Fred Astaire. Clearly, the admissions department fails to detect his natural ability; why is he in a remedial class?

Modern Times (1936). Charlie Chaplin defies the risk managers of his own movie studio by making the world’s last great silent film in an era of musical comedy. This counter-programming tour-de-force is a non-stop parade of nightmarish business practices, including video security cameras in employee bathrooms and an Automatic Feeding Machine run amok.

Casablanca (1942). Humphrey Bogart and Ingrid Bergman prevent the impending Nazi theft of their inventory of fine French champagne by drinking it all as rapidly as possible. To make matters worse, they fail to record the appropriate asset write-offs before fleeing to Morocco.

Double Indemnity (1944). The greatest insurance scam in film history features the complicit involvement of Fred MacMurray’s lovestruck insurance agent. Unfortunately for the insurance company, claims investigator Edward G. Robinson is more interested in imbibing three-olive martinis than in investigating employee fraud.

It’s A Wonderful Life (1946). Paying off depositors with honeymoon vacation money is an early red flag. Entrusting the most consistently inebriated man in town with large sums of cash is another no-no. Urban planners and macro-economists, though, enjoy noting that the rollicking town of sin in George Bailey’s nightmare would have likely been strongly positioned to survive the subsequent implosion of America’s industrial base.

Singin’ In The Rain (1952). Hollywood’s first film about the perils of lip synching presages the era of karaoke and Ashlee Simpson. Fortunately, Gene Kelly and Debbie Reynolds find a happier ending than fans of live music do today.

The Apartment (1960). Fred MacMurray, the only double honoree on our list, confronts Jack Lemmon with the most blatant case of employee harassment in the history of film. And yet, in true Hollywood fashion, the little guy ends up with the beautiful girl.

Yellow Submarine (1968). The good citizens of Pepperland may not have been able to stop a hostile take-over by the Blue Meanies, but they demonstrate a helluva risk response capability by traveling to Liverpool and enlisting the aid of the Beatles …. and the little Nowhere Man as well!

2001: A Space Odyssey (1968). Two honorees in one year! 1968 was a terrible year in world history, but a great one for films with risk management themes. Here we find the first great Hollywood story of a computer virus from hell, one that creates a subtle public relations crisis for IBM.

The Godfather Part II (1974). “Keep your friends close, but your enemies closer.” This tale of organized crime provides the business world with a parable of an organization with a terribly dysfunctional corporate culture and a “tone at the top” that could use a fair amount of team building activity.

Network (1976). A media network executive decides to eliminate a character on a television show by staging his assassination … in front of a live studio audience … with real bullets. Somehow, the script item slips past the censors.

The Secret Of My Success (1987). Michael J. Fox rises from mail room assistant to chief executive officer by flirting with the boss’s wife and acting, well, incredibly precocious. The most distressing aspect of the film, from a risk management perspective, is the obvious message that his character is far better prepared to lead the firm than any of the oblivious senior officers or board members.

Titanic (1997). Perhaps the greatest example of poor risk management in film history is tragically based on the true story of the White Star Line’s decision to furnish an ocean liner with 1,178 lifeboat seats for 3,547 people. Amazingly, the corporation survives its horrendous blunder and remains in business for over twenty years until merging with a rival line during the Great Depression.

The Truman Show (1998). Jim Carrey appears in an unusual serio-comic role as an insurance salesman who finds his life at the center of a wildly successful television reality show. Once again, though, the network bureaucrats goof by failing to obtain a liability waiver signature from Carrey. Come to think of it, the bureaucrats commit a more fundamental error; they neglect to inform Carrey that he is on television at all!

Sideways (2004). A tale of love and misery in the Santa Barbara County wine country of central California, this sleeper hit features an extremely colorful example of a customer relationship dispute in a wine tasting facility, as well as a classic line that depresses merlot aficionados everywhere.

There Will Be Blood (2007). Daniel Day-Lewis portrays a violently psychotic oil executive whose arch-nemesis waits far too long before finalizing a real estate transaction. The film also depicts, in fairly graphic terms, why children and others should not be allowed to tour production sites without wearing protective goggles and hard hats.