Risk management with reference to Liebeck vs McDonalds lawsuit
Risk management is a discipline that enables customers and organizations to cope with uncertainty by taking steps to protect its vital assets and resources (2001: 121). Risk management as so defined involves two things: (a) insuring that the risks to which people and businesses expose themselves are the risks that they are prepared to take; and (b) such risks are minimized.
Culp (2001) argues that risk management is not necessarily the same as risk reduction. This is for two reasons. First, one cannot eliminate all risks. Second, some risks are greater than others. It is insufficient-indeed, pointless-for an individual or organization to make a “laundry list” of all conceivable risks and treat them as being the same. One has to prioritize risks, and take action accordingly. This brings one to the notion of key risk management decisions.
What are the key risk management decisions
The literature (e.g., Culp, 2001) suggests that, prior to managing risk, organizations must make four key decisions. Table 1 lists them.
Table . Key risk management decisions.
Identify those dangers that could conceivably occur
Prioritize risks in terms of probability
Distinguish between those risks that are more probable than others.
Prioritize risks in terms of the damage they may cause
Determine how much damage the danger, if it is realized, will occur
Determine what is practicable
Determine which of the important (i.e., probable and expensive if realized) risks can, in practice, be reduced.
These four decisions contain subtleties. There is a trade-off between probability and damage, for example. A risk that is highly probable of occurring but which causes little damage may be more important than a risk that is improbable of occurring but which may cause much damage.
There is also a subtlety in determining what is practicable. First, those risks that are impracticable to resolve may be so, not only because there might be nothing people can do to reduce them, but also because it might be too expensive to reduce them (i.e., the cost of risk-avoidance might be more expensive than the potential damage).
The need for a cost-benefit analysis relates to the precautionary principle. This is the principle that states that one should try to remove all risks. However, many argue that the precautionary principle is absurd, and counter-productive (see, e.g., Wildavsky, 1995). Such critics claim that the huge costs of some risk-management exercises are more harmful-in that they involve money that would be better spent elsewhere-than the risks they are said to contain.
Risks to organizations
Risks to organizations are of four types: financial, strategic, operational, and hazard. Risks come from two sources: external and internal. Figure 1 shows the Institute of Risk Management’s (IRM) (2002) examples of external risks.
Figure . Examples of external risks. Source: adapted from IRM (2002).
There may be much that organizations can do to manage some of these risks. Hedging operations, for example, may help diminish financial risks from currency violations, for example. Insurance and modern architecture can help diminish hazards such as earthquakes.
Figure 2 shows IRM (20002) examples of internal risks.
Figure . Examples of internal risks. Source: adapted from IRM (2002).
There are no internal hazards-individuals do not cause earthquakes, but there are internal risks of the other three types. Many organizations must, for example, invest heavily in research and development-itself a risky activity, because it is expensive and may yield no results-and, having done so, protect their intellectual property rights. Whelan (1993) reports, for instance, that pharmaceutical companies invest heavily on research-which may take years-and that the quality of the research is often better than that sponsored by government organizations.
The costs of risks are of two sorts: direct and indirect (Culp, 2002).
The direct costs of risks, realized or not, are those that can easily be entered into a organization’s balance sheet. When risks are realized, for example, the costs include damage to property-the organization’s or that of an injured third party-compensation to people injured by the organization’s/products, legal fees to lawyers in fighting litigations, punitive damages awarded by courts of law, and so on. When risks are not realized, direct costs remain. Organizations bear the direct costs of paying insurance, and, in the case of larger organizations, of employing lawyers and risk avoidance experts, health and safety experts, and so on. In employing such experts, the organizations take the risk that the huge sums they pay in avoiding risk do not cost more than any damage caused by the putative risks. They also take the risk that such experts will correctly identify and mitigate putative risks.
Indirect costs only come into play when risks are realized. In such cases, they may be vastly greater than direct costs. Thus, for example, when Gerald Ratner stated in public that the reason he could sell jewelry at low prices was that the jewelry was “crap”, his business empire-comprising a nationwide chain of jewelry shops-collapsed. The cost of this gaffe was an estimated £500 million (The Sunday Times, 2007).
Organizations can do much to manage risks, and much is common sense. Hospitals, for example, can ensure standard procedures for the administration of drugs; banks can ensure cash is stored in secure vaults; institutions for the criminally insane can ensure that knives are kept away from inmates; governments can ensure that sensitive telephone conversations are encrypted (“scrambled”); and so on. Such obvious measures are standard, and doubtless ensure that many dangers are rarely, if ever, realized. Moreover, to a large extent, organizations can reduce risk of acts of God by taking out insurance.
A key consideration in this is to have a risk management strategy. See Figure 3.
Figure . Risk management cycle. Source: adapted from IRM (2002)
The figure shows the risk management cycle. The most important feature of the figure is its structure. Everything in the figure flows round the organizations strategic objectives. Thus risk management should be part of an organisation’s strategic planning. From the organisation’s strategy the subsidiary features of the figure flow down-from risk assessment to monitoring. However, this does not imply risk management by management diktat. The figure shows that all stages of the cycle receive constant input from formal audits and all stages are constantly modified. Thus the risk management cycle involves all an organisation’s employees, all the time. This implies that risk management evolves, and is holistic.
This is made plainer by the IRM’s (2002) advice on management and employee responsibilities as regards risk. See Table 2.
Table . Responsibilities of organization staff as regards risk. Source: adapted from IRM (2002). Quotation is direct (p. 9).
know about the most significant risks facing the organization
be aware of risks which fall into their area of responsibility, the possible impacts these may have on other areas and the consequences other areas may have on them
understand their accountability for individual risks
know the possible effects on shareholder value of deviations to expected performance ranges
have performance indicators which allow them to monitor the key business and financial activities, progress towards objectives and identify developments which require intervention (e.g. forecasts and budgets)
understand how they can enable continuous improvement of risk management response
ensure appropriate levels of awareness throughout the organization
have systems which communicate variances in budgets and forecasts at appropriate frequency to allow action to be taken
understand that risk management and risk awareness are a key part of the organization’s culture
know how the organization will manage a crisis
report systematically and promptly to senior management any perceived new risks or failures of existing control measures
report systematically and promptly to senior management any perceived new risks or failures of existing control measures
know the importance of stakeholder confidence in the organization
know how to manage communications with the investment community where applicable
be assured that the risk management process is working effectively
publish a clear risk management policy covering risk management philosophy and responsibilities
The burden of responsibility on the directors reflects the strategic importance of managing risks. The responsibilities of business units and individual employees reflect the critical nature of risk identification and the need for all employees to be aware of it.
When one speaks of risks, one usually thinks of threats. However, it is clear from Figure 3 that risk analysis also involves identifying opportunities. These vary. A car manufacturer, for instance, that notices that its cars are more dangerous than those of its rivals could see this as an opportunity to improve its cars and then advertise them for their safety features.
Risk analysis in the risk management cycle
Table 3 shows the IRM’s (2002) recommendations for risk analysis.
Table . Risk identification and analysis. Source: adapted from IRM (2002). Quotation is direct (p. 14).
Risk identification techniques
Risk analysis methods and techniques
Business studies which look at each business process and describe both the internal processes and external factors which can influence those processes
Research and Development
Business impact analysis
Risk assessment workshops
Auditing and inspection
The table shows that there are many techniques for identifying risk, both formal (e.g., comparing industry standards) and informal (e.g., brainstorming). By implication, an organization should use, not just one of these techniques, but several. The priority of brainstorming (people discussing the unthinkable) is also suggestive. It suggests that employees must be encouraged to think and speak freely about potential risks.
The same is true of the risk analysis techniques. They are diverse, and, by implication, necessarily so.
Liebeck vs McDonald’s
This case involved a Ms Liebeck, who, when aged 79, burned herself after spilling a beaker of coffee she had bought at a McDonald’s takeaway. The spilled it while sitting in a car outside the fast-food chain. The burning was serious. The Consumer Attorneys of California (1995) report:
A vascular surgeon determined that Liebeck suffered full thickness burns (or third-degree burns) over 6 percent of her body, including her inner thighs, perineum, buttocks, and genital and groin areas. She was hospitalized for eight days, during which time she underwent skin grafting. (paragraph 4)
In the initial hearing the jury ordered McDonald’s to pay almost $3 million to Ms Liebeck, of which $2.7million were in punitive damages. The judge at the hearing called McDonald’s behavior “reckless, callous, and willful”. The punitive damages were later reduced to $480,000.
Although the case received much media coverage concerning frivolous lawsuits, there can be little doubt that Ms Liebeck was seriously injured. Moreover, there can be little doubt that McDonald’s was culpable. Five things stand out about this incident (Consumer Attorneys of California, 1995).
McDonald’s at the time typically sold coffee at 180-190ËšF. This was company policy. The temperature was substantially higher that coffee served in rival takeaways, and much higher than coffee served at home (about 135ËšF).
McDonald’s were aware at the time that any food served at over 140ËšF constitutes a burn hazard.
In the period 1982-1992 more than 700 people complained to McDonald’s of burns from its coffee.
McDonald’s were aware that the majority of its takeaway customers wished to consume their coffee immediately on purchase.
Ms Liebeck initially offered to settle for $20,000, but McDonald’s refused.
Notice that there were two risks to the company prior to the incident. There was a external strategic risk of changes in customer demand in the wake of any customer being harmed by McDonald’s foodstuffs. There was an external operational risk of changes in culture in the wake of any such incident. The costs involved were both direct (punitive damages, court costs, etc.) and indirect (loss of public goodwill). The latter were plausibly much the higher.
The risks to the company were foreseeable. The company knew that the temperature at which it served its coffee was higher than industry standards. It knew the temperature was hot enough to cause severe burns. It knew that most of its takeaway customers consumed their coffee as soon as possible, and that many, as had Ms Lieback, had done so in a car. It is commonsense that old people, like Ms Liebeck, can easily spill drinks when sitting in a car. Worst of all, the company knew that hundreds of people were burning themselves with McDonald’s coffee. One may surmise that the company’s first error was not to instigate a culture of risk analysis. Any company employee could have reasoned that the coffee was too hot, but, if any brought this to senior management’s attention-as indicated by the IRM’s (2002) standards-nobody appears to have acted on it.
The company’s next mistake was to proceed with the court case. It could have had a damage-limitation exercise-paid Ms Liebeck what she wanted (and more), announced an immediate cooling of their coffee, donated money to hospices, and so on. This was a lost opportunity for the company. McDonald’s could have benefitted from the case, not lost it. Instead, it insisted on taking the case to court, with the consequent embarrassment.
In terms of the risk management cycle, McDonald’s performed as follows:
Strategic objectives. The company failed to see where its interests lay.
Risk assessment. The company failed to properly evaluate and assess the risk.
Risk reporting. McDonald’s knew of the risks.
Risk treatment and residual risk treatment. The company did nothing.
Monitoring. The company monitored the risk of customers being burned.
Decision. McDonald’s made the wrong decision, twice: first by continuing to serve hot coffee, second by not settling out of court.
Most important, the company failed to modify its policy in the light of repeated incidents of customers burning themselves. This suggests a lack of risk awareness in the company.
Risk management is crucial to organisational performance. It involves monitoring all known risks and investigating potential ones. Most important, it involves all employees in a company, and therefore suggests companies employ a relatively holistic management structure.
The McDonald’s case is especially illustrative. It took needless risks, even though it knew of them. It does not appear to had risk management, in the form of the risk management cycle, in operation at the time of the incident. The company then compounded its error by failing to see the additional risks involved in fighting the litigation. In this way, the case illustrates that, although nobody can avoid all risks, bad management compounds risks.