29
Risk Management
On March 25, 1911, approximately 146 people, many in their teens, died or jumped to their deaths in the Triangle Shirtwaist Company fire. The fire engines at the scene did not have ladders that reached to the ninth floor where the blaze was raging. The fire escape, which did not reach to the street and was not built to accommodate more than a few people at a time, collapsed. The stairwell that led to the roof was burning. The one that led down to the street was padlocked from the outside so that the workers would be prevented from eluding inspection or making off with leftover scraps of cloth. Triangle’s owners rebuffed the union’s demand for sprinklers and unlocked stairwells. They were later tried for manslaughter, but acquitted in the absence of any laws that set workplace safety standards.1 One hundred years later, we not only have workplace safety standards, but we have safety included in organizations’ values.
Concerns about employee health and safety have evolved into risk management systems that also include concerns about individual and organizational security and privacy.
The Legal Landscape of Safety and Health Occupational Safety and Health Act, 1970
Congress enacted the Occupational Safety and Health Act to ensure safe and healthful working conditions for working men and women by setting and enforcing standards, and by providing training, outreach, education, and assistance. The Act is enforced by the Occupational Safety and Health Administration (OSHA) within the Department of Labor.
The Act’s General Duty clause requires employers to provide jobs and a workplace free from recognized hazards that are causing or are likely to cause death or serious physical harm. Both employers and employees are required to comply with OSHA standards, rules, and regulations.
Employees have a right to:
Demand safety and health on the job.
Request inspections.
Have an authorized employee representative accompany an inspection.
File a complaint.
Be informed of workplace hazards.
Receive training.
Employers must keep employees informed by:
Displaying the OSHA poster.
See www.osha.gov/publications/poster.html.
Providing copies of rules and regulations.
Posting OSHA citations.
Notifying employees exposed to hazardous agents at levels exceeding OSHA standards and informing them of corrective actions.
Maintaining accurate records.
Permitting authorized employee representation during an OSHA inspection.
Employers must keep employees safe by:
Correcting violations.
Allowing employees to refuse abnormally dangerous work.
Providing personal protective equipment.
Providing medical surveillance.
Providing training.
Enforcing safety rules and regulations.
OSHA has defined additional general industry standards that include, but are not limited to:
Emergency Exit Procedures require an emergency action plan for continuous and unobstructed means of exit from any point in a building and requires maintenance of emergency systems.
Occupational Noise Exposure established permissible noise levels and measurement procedures, and requires hearing conservation programs and audiometric testing for employees in environments with noise above permissible levels.
Machine Guarding requires point of operation guards on certain machinery.
Hazard Communication requires that information about the hazards of chemicals in the workplace is disseminated. Chemical manufacturers and importers must evaluate the hazards, prepare labels, and make material safety data sheets (MSDSs) available to employees to convey their hazards. Employees must be trained to handle the chemicals properly.
Control of Hazardous Energy—Lockout/Tagout requires affixing devices to machines and equipment to prevent unexpected start up or release of stored energy during maintenance.
Bloodborne Pathogens requires employers to take steps to prevent exposure to pathogenic microorganisms in human blood that can cause disease. This includes written exposure control plans informing employees of preventive steps, post-exposure evaluation and follow-up, record-keeping, and incident evaluation procedures. The Needlestick Safety and Protection Act (passed in 2000) revised this standard to require employers to minimize workers’ exposure to blood through needlesticks.
Confined Space Entry requires permits for employees to enter spaces that may be filled with a hazardous atmosphere that is immediately dangerous to life and health.
Personal Protective Equipment requires protection to be used if employees come in contact with hazardous materials.
Process Safety Management requires processes to prevent or minimize the effect of catastrophic releases of toxic, reactive, flammable, or explosive chemicals.
OSHA Inspections
OSHA has the authority to inspect workplaces. It priorities the need for inspection in the following order:
Imminent danger, a reasonable certainty that death or serious harm from an existing hazard will occur before the danger can be eliminated through normal enforcement procedures.
Catastrophes and fatal accidents that resulted in a death or hospitalization of three or more employees as reported to OSHA within eight hours of the event to determine whether existing standards were violated.
Complaints from employees of unsafe or unhealthful conditions and referrals from any source about a workplace hazard.
Programmed inspections targeting high-hazard industries, workplaces, occupations with high injury/illness rates, and severe violators.
Follow-ups on previously issued citations to ensure corrective action has been taken.
The following approach is used for conducting safety inspections:
Opening conference, which discusses the purpose and scope of the inspection and the OSHA standards likely to be applied.
Physical inspection of work areas for compliance with OSHA standards. If a complaint was filed, the specific area named in the complaint is inspected. Compliance with postings and recordkeeping requirements can also be reviewed.
Closing conference, in which observations and corrective actions, along with possible violations, are discussed.
Enforcement of OSHA Standards
OSHA’s success results from its strong enforcement of its standards. It has established fines and penalties that it can assess against organizations that violate the required standards. The categories of OSHA violations and penalties are:
Willful. An intentional violation that the employer knowingly commits. Penalty up to $70,000 for each willful violation.
Serious. A violation in which there is a substantial probability that death or serious physical harm could result. Penalty up to $7,000 depending on the gravity of the violation.
Other-Than-Serious. A violation that has a direct and immediate effect on job safety and health, but probably would not cause death or serious physical harm. Penalty up to $7,000 for each violation.
Repeat. A violation where OSHA previously issued a citation for a substantially similar violation. Penalties up to $70,000 for each such violation within the previous three years.
Failure-to-Abate. Failure to correct a prior violation. Penalty of up to $7,000 for each day past the abatement date.
DeMinimus. A violation with no direct or immediate effect on safety or health. No penalty.
OSHA Injury and Illness Reporting and Record-Keeping
Employers with more than 10 employees must report employee occupational injury and illness data. An occupational injury results from a work-related accident or exposure involving a single incident. An occupational illness is a medical condition or disorder caused by exposure to environmental factors associated with employment.
Employers are required to record work-related illnesses and injuries if they result in:
Death.
Days away from work.
Restricted work or transfer to another job.
Loss of consciousness.
Diagnosis by a licensed healthcare professional.
Medical treatment beyond first aid.
OSHA Form 300 is a log of work-related injuries and illnesses that records specific details about what happened and how it happened.
OSHA Form 301, Injury and Illness Incident Report, includes more data about how the injury or illness occurred. It must be prepared within seven days for each recordable injury or illness and kept on file for five years.
OSHA Form 300A, Summary of Work-Related Injuries and Illnesses, shows the total injuries and illnesses by categories. Employers must post the log in a visible location in the workplace from February through April each year.
Starting in 2017, many employers will be required to electronically submit injury and illness data to OSHA. Establishments with 250 or more employees in industries covered by the record-keeping regulation will have to electronically submit injury and illness information from OSHA Forms 300, 300A, and 301 while establishments with 20–249 employees in certain high-risk industries will have to electronically submit only the information from OSHA Form 300A. This electronic reporting requirement will be phased in over two years.
For additional information on OSHA recordkeeping, visit www.osha.gov/recordkeeping/index.html and www.osha.gov/recordkeeping/finalrule/index.html.
All employers covered by the Occupational Safety and Health Act of 1970 must report to OSHA any workplace incident resulting in a fatality or the in-patient hospitalization of three or more employees within eight hours.
For additional information on OSHA, visit www.osha.gov and www.dol.gov/compliance/guide/osha.htm.
Workplace Safety and Health
Workplace safety is the absence from hazard, risk, or injury on the job, whereas workplace health focuses on environmental health hazards and infectious diseases that can affect the workplace. In addition, employers also incorporate employee wellness and fitness programs and employee assistance programs into their overall risk management in order to improve employee well-being, motivation, and productivity.
Safety Management Programs
Common characteristics of safety management programs include:
Management commitment to safety and employee involvement.
Ongoing worksite analysis to identify potential safety and health hazards, and prevent accidents.
Hazard prevention and control programs.
Corrective action.
Ongoing safety and health programs.
Systems to report and investigate accidents.
Safety committees comprised of employees and management representatives can encourage safety awareness, motivate peers, and identify and correct hazards. Employees doing the job know best about safe practices. Working with management, they must be involved in developing safe operating procedures.
Information on safety and accident prevention may be found at the National Institute for Occupational Safety’s website: www.cdc.gov/niosh.
Appendix: Safety Checklist.
Health Hazards
Environmental health hazards can be physical (heat, noise, ventilation, smoking), chemical (dust, fumes, gases, toxic materials, carcinogens, smoke), or biological (bacteria, fungi, insects, sanitary conditions).
Ergonomics addresses the way a physical environment is designed for the safety and efficiency of people. Poor design can cause musculoskeletal disorders including repetitive stress injuries, such as carpel tunnel syndrome, computer vision syndrome, or lower back pain. Ergonomics programs include:
Work-site analysis.
Job redesign.
Surveys/monitoring/feedback.
Training.
On-site exercise programs.
Additional information can be found at www.osha.gov/dts/osta/oshasoft/index.html#etool.
Biological health hazards include infectious diseases such as the Hepatitis B and Hepatitis C viruses and HIV/AIDS, which are blood-borne pathogens, and tuberculosis, which is an airborne contagious disease caused by bacterial infection spread through casual workplace contact. Also included are future pandemics, communicable diseases new to the population that spread easily, infect humans, and cause serious illness, such as the Severe Acute Respiratory Syndrome (SARS). Employees with infectious diseases who do not pose a threat to coworkers are protected by the ADA’s requirement for reasonable accommodation.
Additional information on pandemics and preparedness plans can be found at www.pandemicflu.gov and www.who.int/en.
Health and Wellness Programs
Many organizations provide employee wellness programs, including nutrition and weight control, smoking cessation, stress reduction, and fitness. These programs yield healthier and more productive employees, which translates into savings on health insurance for the employer and employee. Motivating employees and their family members through information and incentives that are tied to wellness program participation and behavioral change also pays off. Although well-designed programs can benefit the organization and its employees, employers should assure that they comply with federal laws including the Employee Retirement Income Security Act (ERISA), Health Insurance Portability and Accountability Act (HIPAA), Americans With Disabilities Act (ADA), and Genetic Information Nondiscrimination Act (GINA), as well as any state or local laws.
Substance Abuse and Drug Testing
Substance abuse costs employers through reduced productivity, increased errors and accidents, and increased costs related to healthcare, workers compensation, tardiness, and absenteeism. Many organizations offer substance abuse programs that can include any and all of the following:
A written policy.
See Chapter 27 (Employee and Labor Relations).
Management training to understand all related policies, to recognize signs of substance abuse, to understand the importance of documenting performance and conduct issues, and to advise of the steps to take to deal with substance abuse in the workplace.
Education programs for employees.
Drug testing programs.
Interventions and referrals to Employee Assistance Programs.
The Drug-Free Workplace Act, 1988
The Drug-Free Workplace Act requires federal contractors with contracts of $100,000 or more and recipients of grants to:
Develop a policy that maintains a drug-free workplace.
Specify penalties for policy violations.
Provide a copy of the policy to employees.
Establish a drug-awareness program
Types of drug testing include:
Pre-employment, which must occur after an offer of employment has been made.
Reasonable suspicion or for cause based on behavioral indicators.
Post-accident or when an employee is involved in an unsafe practice.
Post-treatment following rehabilitation.
Random or unannounced testing, usually for specific employees for security or safety reasons.
Before implementing any type of drug-testing programs, organizations should seek advice from legal counselors as well as healthcare professionals, including EAP professionals.
Intervention strategies include:
Constructive confrontation by management focusing on job performance.
Counseling by Employee Assistance and other healthcare professionals, focusing on the cause and treatment of the problem.
Appendix: Indicators of a Troubled Employee.
Access to EAP services are generally through a referral. Common types of referrals include:
Self-referrals, in which an employee voluntarily seeks assistance for an issue affecting his or her life, either at work or away from work.
Management referrals, which are voluntary referrals based on tangible, observed, and documented indicators of deteriorating job performance or behavior. If an employee fails to take advantage of the EAP, no direct management action should be taken, but the organization should continue to hold the employee accountable for performance and conduct, and take appropriate action if there is further deterioration.
Mandatory referrals generally occur as the result of a positive drug test or when violent or potentially violent behavior is exhibited. Unlike management referrals, employees can be subject to management action, including termination, for failure to contact the EAP. Employees are often placed on leave until they contact the EAP, comply with a course of treatment, and receive an appropriate fitness for duty.
In developing policies and programs regarding EAPs, it is wise to seek professional advice. Making referrals to the EAP, whether management or mandatory, can be uncomfortable and difficult for managers, and they should receive appropriate training. Professional advisors can assist with the design and delivery of training.
Employee Assistance Programs are also discussed in Chapter 21 (Employee Benefits).
Workplace Security
Workplace security covers a broad range of topics designed to protect an organization from a variety of threats including natural disasters, manmade threats, computer hackers, loss or theft of property and proprietary information, and workplace violence. Security programs require an integrated approach involving organizational entities such as human resources, facilities, security, finance, legal and public relations, as well as outside consultants specializing in risk management and Employee Assistance Programs.
A risk analysis and assessment should be conducted to identify the external forces or threats and internal weaknesses or vulnerabilities that the organization faces. This will determine how likely it is a loss will occur, the severity or impact of the loss on the organization, and the costs should a loss occur. Identifying and ranking risk (fatal, very serious, moderately serious, or negligible) provide the opportunity to be proactive and implement programs and controls to prevent damage to business assets.
Protecting physical assets generally includes the use of security guards, identification and external control systems (fingerprints or magnetic cards), structural barriers (gates or fences), and security hardware such as alarms, sensors, or video surveillance. Organizations also have practices to protect assets, including financial assets, against theft and fraud. These practices include sound auditing procedures, inventory and internal controls, fraud hotlines, and video surveillance.
Protecting confidential information is often accomplished with non-disclosure agreements and intellectual property agreements. These agreements should identify what information the organization considers confidential, how its use is limited, and for how long it will remain confidential. Such agreements are specific to every organization and legal advice should be sought in developing them. Additional protections that employers can take include:
Developing a policy prohibiting inappropriate use/disclosure of proprietary information.
Restricting the discussion or display of sensitive information.
Restricting access to computer information and employee data.
Cybersecurity, or information technology security, focuses on the need for organizations to protect computers, networks, programs, and data from unintended or unauthorized access, change, or destruction from hackers or cyber criminals. Sensitive business information, as well as personal information about employees, is confidential, yet that data is often transmitted within the organization or across networks to other firms. Mobile computing devices are increasingly used for reviewing payroll information, performing shift-scheduling duties, processing approvals, and/or handling back-end HR tasks, and public networks are often used to connect to corporate networks to access and transmit data. Cyber risk assessments should be performed to determine what information needs to be protected, to identify threats to this data, and to forecast the consequences of successful cyber-attacks.
For additional information, The National Cyber Security Alliance has information about conducting a cyber risk assessment at staysafeonline.org.
Identity theft, the nation’s number-one consumer fraud issue, occurs when someone fraudulently obtains and uses another person’s personal information, such as name, Social Security number, or credit card number, without authorization, consent, or knowledge. Employers must understand the risks and implement the necessary systems and precautions to protect the security of their employees’ personal and confidential information so that employees do not become the victims of identity theft and employers are at minimal risk of liability for unauthorized access, breach, or theft of such information.
The Federal Trade Commission has issued guidance, which can be found at business.ftc.gov/documents/bus59-information-compromise and-risk-id-theft-guidance-your-business.
Protecting human assets involves not only the protections in place for physical assets and safety training, but also guidelines for protecting employees who travel or work outside the United States where issues of political stability and animosity toward American companies may exist. Another security issue involves special needs for preventing the kidnapping of executives.
Workplace violence presents the largest threat to workers and employers. Some of the leading causes of violence include stress, domestic violence, and mental illness. Perpetrators can include strangers, coworkers, and former employees. Violence can take the form of homicide, stalking, verbal and physical threats and harassment, inappropriate communication, and defacing of property.
Organizations can take a proactive approach to reduce the risk of workplace violence by:
Checking references and monitoring employee behavior.
Giving employees a vehicle to express concerns, such as an EAP.
Maintaining a zero-tolerance policy for violence.
See Chapter 27 (Employee and Labor Relations).
Educating and training managers and staff.
Conducting threat assessments that include identifying early warning signs, reporting all threats, developing a threat assessment team and management plan, and documenting all threat incidents, responses, and outcomes.
Troubled employees exhibit similar signs and symptoms regardless of the root cause of their problem (substance abuse, mental illness, stress). It is important to work with EAP or other healthcare professionals in addressing these issues.
Additional resources can be found at the National Institute of Occupational Safety and Health website: www.cdc.gov/niosh/topics/violence; and the OSHA website: www.osha.gov.
Emergency Preparedness and Response
Emergency preparedness and response programs should include procedures that define the steps an employer will take during and immediately after a violent incident occurs in the workplace. Senior management should be involved to set priorities, identify resources including team members, and communicate the program.
A crisis management plan should be tested, be kept up-to-date, and include the following elements:
Emergency notification procedures (police, fire, ambulance, internal security, employee assistance program);
Initiation of an internal crisis management team;
Assessment of the immediate safety of the workplace;
Proper notification to those in danger;
Counseling for those involved;
Employer investigation of the incident; and
Public relations concerns.
Finally, organizations should have continuity plans that in addition to identifying threats and impacts, provides a framework for ensuring that the organization is able to withstand disruption, interruption, or loss of normal business functions/operations.
Information on emergency preparedness and response can be found at NIOSH’S website: www.cdc.gov/niosh; and at the National Institute of Environmental Health Sciences website: tools.niehs.nih.gov/wetp.
The Legal Landscape Continues
In addition to the laws discussed earlier, the following affect risk management:
Sarbanes-Oxley Act has substantially impacted the procedures for financial reporting, internal controls, and accountability. There are also provisions for whistleblower protections and prohibitions for destroying, altering, or falsifying any document or record relative to a federal investigation.
See Chapter 20 (The Legal Landscape of Employee Benefits).
Health Insurance Portability and Accountability Act includes standards to protect the privacy of individually identifiable information that include the authorization and required use and disclosure of information. It applies to group health plans, healthcare providers, and healthcare clearing houses.
See Chapter 20 (The Legal Landscape of Employee Benefits).
The Electronic Communications Privacy Act, 1986 is comprised of the Wiretap Act, 1968, and its amendments, which prohibit interception of emails in transmission, and the Stored Communications Act, 1986, which protects email in storage.
Discussion Questions
1. What are some of the current risk management issues facing your organization today?
2. What has your organization done to address emerging risk management issues?
3. If an organization makes a strategic decision to stress employee health and wellness, what can it do to assure that employees participate in the programs and that the programs are compliant with all the relevant legal requirements?
4. Safety programs are often associated with industrial environments. Why are they important for all employers? If you were to design an employee health and safety program for your organization, what would it include?
5. In designing management briefings and employee training regarding risk management, what topics would you include for each audience? How would you deploy the training?