Category Archives: Risk

TSA – Why pat-downs are ridiculous and after 9 years – they still can’t spell R*I*S*K management. Follow the money.

Every fifteen minutes, the media is full of images of children being patted down at the airports. The media is stirring up the porridge on this story.  But think for a moment – TSA is spending 90% of its budget, resources and energy on passengers who are not and will never be a threat.  And that leaves only 10% to spend on legitimate and potentially dangerous travelers.  This raises several questions.

First – why?  When the DHS espouses its emphasis on RISK MANAGEMENT – it’s clear that they don’t follow it.  The private company that runs the screening programs makes substantially more money by screening everyone; if they only had to screen real suspects – their income (which is over $8 Billion per year) could be cut in half!

By applying the risk management principles that are in their charter – they would be able to spare the poor traveling public and spend more time and more resources on checking and double-checking the potential terrorists. 

Most rational people can watch an airport scanner line for two hours and realize it is an enormous waste of resources for very little result, and testers can routinely smuggle in knives, lighters and whatever else they want.

The inability of TSA to adopt a rational approach to airport screening – and remember – they still don’t screen the cargo riding on the same plane – is just lining pockets, including those of the lobbyists who have been pushing the extra-expensive full body scanners.

The justification for this big expenditure is that it avoids the dreaded “profiling”.  We should be profiling – we should be checking people who like to visit Yemen for Easter.  We should be doing intense screening of young men between the ages of 18 and 30 who have recently traveled in or out of Pakistan.

 Here’s a partial list of who we shouldn’t waste time and resources screening:

 Children under 10
Active and Retired Military
Civilian Federal Employees
Civilian Federal Partners
Members of a ‘Preferred Traveler Program’
Individuals who opt for an intensive background check
Senior Citizens over 70

But you know what they say – Money Talks… and it’s talking to me this Thanksgiving week.

JOHNS HOPKINS HOSPITAL MURDER/SUICIDE IS TOO CLOSE TO HOME!

My summer vacation is over so I jumped right back into work by doing four webinars on workplace violence in the last four days.   I have been very concerned about the trend toward violence toward healthcare and hospital workers.

Having just researched and presented on this subject two days ago, I was greatly saddened to see it AGAIN, 30 miles from my home, at the prestigious Johns Hopkins Hospital.   Local media and CNN covered it extensively because the man shot his mother’s doctor in the stomach, apparently after his mother was paralyzed as a result of spinal surgery.  He then barricaded himself into his mother’s hospital room and eventually shot and killed her and then shot himself.

With a staff of over 30,000,  this was a major incident.  I would love to calculate how much the hospital might have lost from having the staff vacate the building for at least two hours.

This incident once again opens the debate about how to ‘secure’ hospitals, or at least to have a better way to ensure the safety and security of both the staff and the patients.  Hospital administrators continue to maintain an ‘open environment’, and don’t seem to understand that this problem will continue to increase if there is no way to better manage access in hospitals.

On the radio today, I heard that Baltimore City Council President Bernard C. “Jack” Young said that Johns Hopkins security is adequate and that using metal detectors would create a hazardous situation for patients entering the building.   “Why would they want metal detectors going into the hospital?” Young said. “People go to the hospital because they got shot. People wouldn’t go to the hospital because of the metal detectors. They would stay away and die rather go through metal detectors.”  He also mentioned during the same interview that the hospital has over 80 entrances.

This exact problem is raging at hospitals all over the country, because violence is dramatically increasing in healthcare.  The NIOSH study from 2004 reported that  violence in hospitals was over four times the national average for non-healthcare workplaces.  Of course, it is now 2010 and that is a long way from 2004 – AND – we have had a terrible recession raging since 2008….

The results of an Emergency Nurses Association survey released in 2009 found that more than 50% of ER nurses had experienced violence by patients on the job and more than 25% had experienced 20 or more violent incidents in the past three years. Research showed long wait times, a shortage of nurses, drug and alcohol use by patients, and treatment of psychiatric patients all contributed to violence in the ER. 

There has been only sporadic interest in this phenomenon and no standard has emerged.  For example, a NIOSH (National Institute for Occupational Safety and Health) Publication in 2004 is called Guidelines for Preventing Workplace Violence for Health Care and Social Services, OSHA Publication 3148-01R (2004). This guide describes the special considerations surrounding workplace violence in the environments of health care and social services.

After my last column on Workplace Violence issues in healthcare, I got a few angry letters from associations and organizations saying they had been working on creating standards for this – FOR THE LAST FOUR YEARS… but amazingly, they have not been published.

There is NO standard or requirement for preventing workplace violence, only the vague requirement for employers to maintain a safe workplace.   Twenty-seven states have come up with their own ‘guidelines’.  Remember – standards are Required, guidelines are only recommended.  That means if the incident happens, the management has no liability because they did not disregard a requirement.

My regular readers will remember that I recently visited a hospital that had a murder about two years ago and even two years later, it was still having a traumatic impact on the staff who witnessed the incident. 

I am a big believer in risk assessments and I think having a workplace violence assessment REQUIRED of every hospital, and having that information aggregated nationwide and studied, would be a big step that would improve our knowledge of why this continues to increase, and would also point to more effective solutions to safeguarding our hospitals.

Maybe people will start to press hospitals on this issue – after all – they may end up in a hospital some day, and probably would like to be safe and secure during their visit.

Maybe the aging baby boomers will finally demand more security in their hospitals.  I hope so.

Thinking about a Model for Workplace Violence Prevention

Since I posted my blog yesterday – I got a big reaction, including from those who thought there was no need for any standards on workplace violence prevention and who believe that people should help each other.  “Work place violence cannot be stopped by legislation! Good feelings cannot be legislated!  They are stopped by a community who cares!”, one reader commented.

Obviously, people like Omar up in Manchester, Connecticut might have been treated in a more caring manner, with as much dignity as you can give to someone stealing beer on camera, but I could not disagree more with this statement.   I’m hot on standards – and these days, more than ever, people need lots of direction on how to do their job and how to apply security-related concepts.

Have you done any hiring lately?  Some people we’ve interviewed need to have every part of their job written down for them.  There seems to be less incentive to solve a problem that is not directly in the job description.   That’s one argument for setting some kind of minimum standard for companies, to assist them in dealing with the workplace violence increase. 

Standards make life easier for everyone because you don’t have to constantly reinvent the wheel – wheels now come in standard sizes, too.   

One of the reasons it is an attractive idea to create a standardized program for WV is because it is usually totally preventable.  Many of these people leave an enormous trail of clues that they are considering something drastic – including detailed plans in writing on Facebook.   Another reader pointed out that California does have a workplace violence prevention standard.  I checked and found it here:  http://www.dir.ca.gov/dosh/dosh_publications/worksecurity.html

The Cal/OSHA policy includes this little nugget, “The demographic profile of victims of fatal workplace assaults indicate that the majority are male. However, even though the overall fatal workplace injury rate for women is substantially lower than it is for men, homicides represent the leading cause of death for women in the workplace.”  WOW.

Cal/OSHA also offers a resource guide – The Model Injury and Illness Prevention Program for Workplace Security (a nice term).     Like everything else related to security, the actual workplace violence incident is usually a slow escalation over time.  That’s exactly why it is possible to deter, or prevent it – because there are signs everywhere, and lots of coping strategies you can learn.

I worked on a project in Thailand where a manager from a big box store had been fired and humiliated.  His revenge was to call in bomb threats – FOR A YEAR.  Only when those were totally ignored did he actually bring a bomb into the facility and yes, it went off, and yes, it killed a young security guard.

But, they had ONE YEAR to take him seriously and get help for him.  Many of these incidents also have a long wind up before the actual incident is triggered.

WHY SHOULD WE CARE?  I totally buy the argument that more people are killed from industrial injuries and lightning and car accidents, than in a WV incident, but these things are usually hard to predict or detect in advance.  Think about it – the fall off the ladder, the accidental electrocution, the surprise car crash — all more random and UN-preventable.

Workplace violence IS usually preventable, in all the stages.  From the first stage when the employee starts to feel that they have been unfairly treated, right through to how to handle an insanely angry person who happens to be packing.

That’s why training is so important, because it can prepare employees to deal with an incident, and it may even help them recognize and deal with their own issues.  Here’s another note from Cal/OSHA: “The cornerstone of an effective workplace security plan is appropriate training of all employees, supervisors and managers. Employers with employees at risk for workplace violence must educate them about the risk factors associated with the various types of workplace violence and provide appropriate training in crime awareness, assault and rape prevention and defusing hostile situations. Also, employers must instruct their employees about what steps to take during an emergency incident.”

Who wants to write me and help develop a National Standard for Workplace Violence Prevention?   Let me know at caroline.r.hamilton@gmail.com.

Return of the Sea Monster as a Force of Nature

Last week I wrote about the oil spill in the Gulf and today I was looking at my Loch Ness model of a sea monster with a cute little red beret.  I thought about the concept of a SEA MONSTER. Any terrible  sea monster worth its salt would:

     1.  Kill things indiscriminately

     2.  Hide under the water until it is unleashed on an unsuspecting world.

     3.  Be very hard to kill or subdue.

Sound familiar?  Because the gulf oil spill IS a Sea Monster – probably worse because the Spill Monster doesn’t just kill virgins and itinerant fishermen – it kills everything.  Kills grass and insects and crustaceans (like shrimp) and also sucks the oxygen right out of the water so it doesn’t just kill everything now and then go about its business, but it makes recovery impossible.

If I was a senator or congressman I would be drafting up a bill requiring drilling AND mining companies to not only do a complete and comprehensive risk assessment PRIOR to exploration or drilling activity, but also to publish their contingency plans, disaster recovery plans and emergency plans.

Somewhere along the way – the phrase “disaster recovery” planning got pinned to the information technology recovery but it really applies to everything and certainly to risky endeavors like mining and drilling.

It would be tempting to say that the risk assessment and disaster recovery planning (in the broad sense) should be required on everything that has the potential to adversely affect the planet.   Who would administer it?   This is where the U.S. is again trapped into a corner by the responsibilities of each federal agency.  

In a perfect world, you’d like to think that the EPA (Environmental Protection Agency) would be in charge, but that, under the present structure, would exclude deep sea drilling and agribusiness concerns, because the EPA regulates toxic substances like chemicals, and air quality, but not everything that affects the ‘natural environment’.

We need an ENVIRONMENTAL OMBUDSMAN to protect the citizens of the United States, and maybe of the whole world.   This position would cut across the current agency lines to include oil drilling/extraction; mining as in strip mining;  use of pesticides in agribusiness; industrial pollution of rivers, lakes and oceans; and deforestation.

Over-fishing belongs in the same category.  I have heard that Blue Fin Tuna is now endangered and the United Nations is going to vote this year on protective measures. 

Basically all these kinds of industries (mining, drilling, fishing) are scooping raw material up out of the earth and selling it.  The companies involved seem intent on drilling, fishing or scooping up as much as they can get of FREE STUFF from the planet, and then selling it for enormous amounts of money.  Again, you would think that old self-preservation gene would kick in, but instead, it may be that when one of these industries hears that whatever they are taking could be limited, or managed, or made less easy to get, they rush to get even more before the limit or ban goes into effect.

This behavior accelerates the underlying diminishing supply problem, drives up prices, making industries want to get even more of their oil, minerals, diamonds, fish, whales, or whatever and so the cycle becomes maximally destructive to the environment on even a shorter time line.

One of the biggest aggravating factors of the current SPILL MONSTER is that we, the taxpayers, basically financed it and now we are going to get to pay to clean it up, and the paying includes providing services for all the damaged parties.  Do you really think that BP is going to cover the entire costs by the end of the day?  I am highly skeptical.

We keep hoping that man’s (and woman’s) survival instinct is going to kick in at some point and people will think, “If we don’t keep the earth clean, it is going to negatively affect MY health, or MY business, or MY customers”, but we, as a country, are not quite at that tipping point yet.   I hope we get there sooner instead of later.

All about the HIPAA Risk Analysis — from the Department of Health & Human Services Office of Civil Rights (OCR).

An amazing development in HIPAA compliance took place on May 7th.  What a great surprise for a Risk Analysis/Risk Assessment Person!  The Department of Health and Human Services, Office of Civil Rights finally came out with their draft guideline for the HIPAA Risk Analysis on May 7th!

While hospitals and health plans, business associates, technical service providers and physicians have struggled to understand the original HIPAA risk analysis requirement, the Health & Human Services Department finally published the draft guidance to help healthcare providers understand what is expected of them in doing a risk analysis of their protected patient health information (ePHI).

This is a critical part of the HIPAA Security Rule, but there was never any ‘official’ guidance of exactly what was expected and how they should accomplish the risk analysis. 

Why the Office of Civil Rights?  Because the new HITECH Act (February 2010) directed that OCR oversee health information privacy including the enforcement of the HIPAA requirement.   And the guidance is long overdue.  I have had dozens of conversations with individuals at hospital and, discussing what a risk analysis is, what are the basic elements, and I am THRILLED to report that the OCR agrees with my methodology.

The draft guideline on risk analysis also takes the same track as the guidance the financial regulators have given to banks and credit unions.  That is, the risk analysis is a foundational document that should be used (and referenced) as the organization evaluates and implements appropriate controls.

OCR refers to the risk analysis, not as a one-time drill, but instead, as an ongoing process to help organizations evaluate their risk, focusing on the confidentiality, integrity and availability of protected health information.  The Risk Analysis Report creates the blueprint that an organization will follow as they improve their compliance – for example, deciding what data should be authenticated in particular situations, and deciding when, if or how to use data.

A risk analysis is also the basis for an understanding by organizations of the technologies they will need to secure protected health information, OCR said in the draft guidance May 7. 

To quote directly:  “We begin the series with the risk analysis requirement in § 164.308(a)(1)(ii)(A).  Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.

Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.”

Among the basic elements of a risk analysis, OCR said, organizations must identify data collections, document threats to information that could create a potential for inappropriate disclosure and assess current security measures the organization uses to protect patient information. This was great to read because it follows the elements I have built our solutions around.

Those elements, which were reinforced by the draft guideline, include the following five elements of risk analysis (and risk assessment).

1. Identifying and characterizing the assets that need protection, including the databases, the applications, etc.

2. Analyzing the relevant threat data – focusing on what could adversely affect the assets (ePHI, in this case).

3. Modeling the potential losses that could result from the threat actually materializing.

4. Finding the existing vulnerabilities in the current security situation that would increase the odds of the loss actually occurring.

5. Developing appropriate controls to reduce potential loss, reduce existing vulnerabilities and make sure the controls are cost effective.

 The OCR also referenced the NIST 800-66 to show sample questions that need to be part of the risk analysis.  Luckily – we totally agree with them and have included the NIST 800-66 Guidance in every HIPAA Risk Analysis software solution.

 Here’s another short excerpt from the OCR:

 “Risk Analysis Requirements under the Security Rule

 The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).)  

Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard.  Section 164.308(a)(1)(ii)(A) states:

RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

OCR went on to cite NIST 800-66:  “The following questions adapted from NIST Special Publication (SP) 800-66 are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:

  • Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.

  • What are the external sources of e-PHI?”

The publication of this first draft guideline gives healthcare organizations and other affected organizations a hint about which direction the OCR enforcement is going to go.  As I mentioned previously, the regulators are likely to follow the example of financial audits and ask for the current copy of the organization’s risk analysis and use that as the blueprint to measure how well the organization used the risk analysis to prescribe and dictate all other actions which were taken to protect the organization’s protected health information.

In the words of the OCR –

In Summary, Risk analysis is the first step in an organization’s Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI.

For a complete copy of the 8 page OCR guideline, please send an email to chamilton@riskwatch.com.


BLUES ON THE BORDER – WILL SECURITY FINALLY GET A BREAK?

Arizona finally did it.  They called DHS’s bluff, and actually DID SOMETHING about the US-Mexican border.  It has nothing to do with racial profiling and nothing to do with discrimination — it has everything to do with America’s security against terrorism.

Everyone who is so shocked, appalled and worried – shouldn’t be.   Everyone wants to prevent the next 911, they want to keep out drug traffickers….. and you cannot get that done with an open border to our south. 

I say it over and over – PLEASE QUOTE ME – you can’t have homeland security with an open border!  You can NEVER have homeland security unless you have security at the border first. This is a key risk assessment vulnerability that anyone doing a formal assessment would spot immediately. 

What good is having a checkpoint on the I-5 interstate in San Ysidro if illegals can avoid the border crossings and run right into the U.S.? 

Look at it strictly as a cost issue – looking at the real numbers helps…

  • Cost of maintaining our phony border controls: $100 Million Dollars for 2010 (from the total ICE (U.S. Immigration & Customs Enforcement) budget of $5.7 Billion Dollars).

  • The Drug Enforcement Agency (DEA) says that since 2005, 15% of domestic arrests are arrests of illegal aliens!

  • Budget for DEA to combat Drug Traffic from Mexico – over $25 Million Dollars (just to add an additional 128 agents along the southwest border).

  • The Southwest Border Initiative Virtual Fence Project – $800 Million dollars

  • The Secure Fence Act – over $7 Billion dollars

AND OUR BORDER is still wide open.    Federal agents trying to police the border do not have the proper support and are discouraged from killing murderous drug dealers and human trafficking mules.

If you look even farther – take the entire budget of the Department of Homeland Security, which is  $55 Billion dollars.   This money can largely be considered as wasted, if there is no control over our border with Mexico.  

You see it all the time at companies out in rural areas – they have a chain link fence around the back of the property, but the fence has a 14 foot gap in it, and all it does is concentrate the intrusions right through the gap in the fence.  It does not deter crime, it cannot prevent theft – because the fence is not secure, there is an open gap.  

That analogy works with our borders, too.  If you wanted to get into the U.S. illegally, would you choose to drive thru the checkpoint at El Paso?  Through San Ysidro?  Fly in from Mexico City and have to show a passport?   NO – you would breach the border and just walk across somewhere along the thousands of miles of unsecured border. It is a no-brainer, even for a terrorist.

As a risk assessment expert, I am personally thrilled that Arizona has pushed the envelope and passed a bill that at least attempts to find a solution to our horribly expensive and totally ineffective southwest border controls.  It might galvanize enough people to actually get something done about this open border policy. 

Remember, you cannot have a secure country without securing the borders.

Risk Assessment: Too much emphasis on PROCESS hampers rescue efforts in Haiti

From the night that CNN showed Dr. Sanjay Gupta staying up all night to attend to patients in a field hospital, because the UN thought it was unsafe for their doctors and medical staff, you can’t help but feel like the security threat there has been used to avoid taking any chances — while the Haitian people are having to absorb all the risk!

Even Anderson Cooper said, from his position on the ground, that the security fears were overblown and other doctors have corroborated this! So why is the UN using security as a cover….

The UN is an organization that often favors PROCESS over ACTION. I can understand that they are used to having convoys attacked in dangerous areas like Cambodia and Ethiopia — but this is Haiti…. we know Haiti… no rocket launchers in Haiti — no political goals on display in Haiti. Just poor, starving, sick people with no homes, no resources, no medical facilities, no food, and no water.

As a risk person, I just wonder if they actually did a quick 1 hour risk assessment on this disaster, which would have pointed out that the risk of slowness and inaction is much worse in this case than the risk of a security incident.

Fireworks Ignite After Latest Airline Terrorism Incident

It was a surprise to see the biggest news on Christmas was that a Nigerian terrorist managed to get on a plane coming to Detroit from Amsterdam with some sort of explosive strapped to his leg.

AND – the alleged terrorist was on the NO-FLY LIST. Just think about this for a moment. A recent paper from the Naval Postgraduate School on Homeland Security estimated that the costs of the no-fly list, since 2002, range from approximately $300 million (a conservative estimate) to $966 million! And after spending over $300 million, the terrorist is able to get right on the plane, WITH EXPLOSIVES STRAPPED ON, and fly to the U.S.

Besides being a risk expert, I was a mom who didn’t let her boys have toy guns. So imagine my shock at THINKING (to myself) that maybe we should let certain cleared passengers fly PACKING.

The passengers on the flight under discussion are the ones who subdued the perp, and I have a feeling that US airlines passengers would all be happy to take over their own security while flying the un-friendly skies.

Despite spending billions on patting down the grannies and business travelers along with 9 year old girls – someone can still board a plane and fly right into the U.S. with explosives strapped on.

A simple risk formula applied to this entire passenger screening program shows that the entire TSA passenger screening program is too expensive for the results they are getting. The biggest cost waster is the idea that every single air traveler is treated exactly the same way. This is the elephant in TSA’s conference room. Every traveler is NOT the same. The most simplistic metrics show that:

1) Terrorists are more likely to be men.

2) Women over 60 are not likely to blow anything up.

3) Small children and federal employees are unlikely to be smuggling in explosive devices.

As the noted expert, Stephen Flynn, pointed out in his book, America the Vulnerable, this policy creates huge cost, creates inefficiency and does not stop the dedicated terrorist.

Instead of being run as a gigantic stimulus program for the underemployed, TSA should sharpen its focus and begin a true profiling program. A profiling program doesn’t have to target certain groups or types of individuals, but it should work towards automatically EXCLUDING the large groups of people who are unlikely to be a threat; let them opt for “cleared” status by completing a background check, and if these many individuals were automatically cleared, it would leave the TSA screeners more time to do MORE RIGOROUS checks on potentially dangerous individuals, and ENSURE THAT PEOPLE ON THE NO-FLY LIST — DO NOT FLY!

Sounds obvious, doesn’t it? But instead, the U.S. budget is being squandered on thousands of unnecessary screens, while the potential targets are not getting the in-depth, in-airport screenings they need to have.

These inane policies are not just indefensible – they are dangerous – and the latest incident just proves the point.

How to get Management On Board with Security Enhancements — or how to avoid cocktail party security decisions.

One of the most aggravating issues that security people have to deal with is someone who has no security background and knows little about the current technology, who decides what should be funded based on:

1. My wife thinks cameras are an invasion of privacy.
2. My secretary likes X instead of Y.
3. My friend, Sam, said his company was adding some new widget.

This applies whether you are doing corporate security or information security and it is basically having your management make an emotional decision, or what I call a “cocktail party decision” about where the security budget should be spent.

Don’t confuse them with the facts. In fact, most of this is from people who do not understand the complexities of security or the interactions of various security solutions with each other.

Last evening, I spent quite a bit of time with a client from Asia, who had a big client who couldn’t decide which solutions they wanted to implement. Should it be A or B; and how to set it up? Regionally? by Business Unit? By Subsidiary? By Sub-subsidiary?

As we discussed it, I realized that the Director in question was really avoiding having to spend any money! It wasn’t about the decision – it was sort of smoke and mirrors to avoid having to admit a lack of funding for security.

In these cases, when your organization may have had the budget trimmed, cut or slashed — it is imperative to be able to use some quantitative measurement of the risk to justify the cost of the controls. Whether you have enough budget for one control, or for everything, it must always be prioritized by NEED and by RISK. By Return On Investment. What losses can we prevent or avoid if we add this specific control? How much loss are we preventing? What is our potential exposure if we do nothing?

These are the elements that need to be understood by management in order to get the right controls in place, in the right amounts, at the right time.
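The five risk analysis elements from the HIPAA post (assets, threats, losses, vulnerabilities, cost-effective controls) and the ROI questions above can be carried through in a short Python model. This is an added example, not code from the original posts or from any RiskWatch product; scoring risk as frequency times loss per event is an assumption, and every asset, rate, loss and cost figure is a constructed sample value.

```python
"""Added example: rank candidate controls by return on investment under a budget.

Every asset, threat, frequency, loss figure and control cost below is a
constructed sample value. Scoring risk as frequency x loss per event
(annualized loss expectancy) is an assumption; the page names no formula.
"""
from dataclasses import dataclass, field


@dataclass
class Scenario:
    """One threat acting on one asset, with its modeled loss."""
    asset: str
    threat: str
    events_per_year: float  # expected frequency given current vulnerabilities
    loss_per_event: float   # modeled loss if the threat materializes

    @property
    def key(self):
        return (self.asset, self.threat)

    @property
    def annual_loss(self):
        return self.events_per_year * self.loss_per_event


@dataclass
class Control:
    """A candidate safeguard and the share of each scenario's loss it removes."""
    name: str
    annual_cost: float
    reduces: dict = field(default_factory=dict)  # {(asset, threat): fraction}


def loss_avoided(control, residual):
    """Yearly loss the control prevents, measured against what is still exposed."""
    return sum(residual.get(k, 0.0) * frac for k, frac in control.reduces.items())


def prioritize(scenarios, controls, budget):
    """Pick controls greedily by ROI, re-scoring after every pick.

    Re-scoring matters: a control that overlaps one already chosen only
    prevents loss that is still exposed, so its ROI can turn negative.
    Returns (plan, total_spent, residual_annual_loss).
    """
    if any(c.annual_cost <= 0 for c in controls):
        raise ValueError("annual_cost must be positive to compute ROI")
    residual = {s.key: s.annual_loss for s in scenarios}
    candidates, plan, spent = list(controls), [], 0.0
    while candidates:
        scored = []
        for c in candidates:
            if spent + c.annual_cost > budget:
                continue  # does not fit in what is left of the budget
            avoided = loss_avoided(c, residual)
            roi = (avoided - c.annual_cost) / c.annual_cost
            if roi > 0:  # only fund controls that prevent more than they cost
                scored.append((roi, avoided, c))
        if not scored:
            break
        roi, avoided, best = max(scored, key=lambda t: t[0])
        for k, frac in best.reduces.items():
            if k in residual:
                residual[k] *= 1 - frac
        spent += best.annual_cost
        candidates.remove(best)
        plan.append({"control": best.name, "cost": best.annual_cost,
                     "loss_avoided": round(avoided), "roi": round(roi, 2)})
    return plan, spent, sum(residual.values())


# Constructed sample data for a small healthcare provider.
LAPTOP = ("ePHI database", "lost unencrypted laptop")
SNOOP = ("ePHI database", "unauthorized staff access")
RANSOM = ("billing application", "ransomware outage")

SCENARIOS = [
    Scenario(*LAPTOP, 0.5, 400_000),
    Scenario(*SNOOP, 2.0, 50_000),
    Scenario(*RANSOM, 0.1, 1_000_000),
]
CONTROLS = [
    Control("full-disk encryption", 20_000, {LAPTOP: 0.9}),
    Control("laptop tracking service", 15_000, {LAPTOP: 0.5}),
    Control("access log review", 30_000, {SNOOP: 0.6}),
    Control("offline backups", 40_000, {RANSOM: 0.7}),
    Control("24x7 monitoring contract", 150_000, {RANSOM: 0.8}),
]

if __name__ == "__main__":
    plan, spent, residual = prioritize(SCENARIOS, CONTROLS, budget=100_000)
    for step in plan:
        print(step)
    print(f"spent {spent:,.0f}; exposure left if funded {residual:,.0f}; "
          f"exposure if we do nothing {sum(s.annual_loss for s in SCENARIOS):,.0f}")
```

The tracking service scores well on its own but is dropped once encryption is funded, because most of the loss it would prevent is already covered.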

Take a Valentine Risk Assessment

I think they should make people do a risk assessment on their proposed relationship and turn it in to the city office when they go to get a marriage license — I thought it would be appropriate to introduce it on Valentine’s Day!

So to design our risk assessment, first we need to create a list of assets — joint assets.  How about the 2 houses, the 2 cars, the children from the former marriage, the inlaws — actually all the relatives on both sides, and pets (dogs, horses, etc.) any cash including stocks, bonds and salaries.  Probably also insurance policies, household goods, jewelry, musical instruments and collections.

Now we can model the potential losses we could suffer if the relationship fails:  Death or personal injury, divorce, alienation of affection, compromise and loss of assets.    Now we can add in the threats that could cause one of the projected losses to occur.  Threats could include things like:   children, relatives, job loss, illness, death, affairs, theft, business travel, alienation, depression, substance abuse. 

Next are the vulnerabilities in the relationship that could sabotage the whole thing — here are some of the questions we might make the prospective marital participants ask:

Do you work out of town more than 1 month a year?

Do you have more than four children?

Will one spouse be staying at home?

Do you have two incomes?

Does each partner have a healthy asset to debt ratio?

Do the partners have the same religion?

Do the partners have more than two common interests?

Are the partners equal in education?

Are the partners equal in life experience?

Is there a history of mental illness in your family?

Is there a family history of major medical problems, i.e., diabetes, cancer, respiratory problems, cardiac issues, etc.?

Do the partners have the same political parties?

Do the partners have a shared vision for the future?

Once the questions are all answered, and possibly weighted for importance (for example, I would put higher weight on questions about family medical history and financial health), we link the elements together according to a pre-set algorithm and then we give the couple a risk rating:

80 – 100% – chance for a healthy relationship

50 – 79% – possibility of healthy relationship if vulnerabilities are fixed

30 – 49% – possibility of healthy relationship is doubtful

1 – 29% – healthy relationship unlikely to be successful.

The answer would also indicate outstanding vulnerabilities (think of a vulnerability as a window of opportunity for a threat to materialize), for example, health, financial assets, illness, mental illness, alcohol abuse, drug abuse, obsessive compulsive disorder, responsibility, accountability, policies, romance, weight control etc.

Based on the outcome of the assessments — say the score comes in at 70%, then counteracting controls are recommended such as:

Start Exercise Program
See psychologist for extensive analysis
Schedule a date night once a week
Hire a financial counselor
Take yoga classes
Reduce stress
Quit your second job
Take a real vacation once a year

I think that using quantitative tools at the beginning of a marriage or serious relationship might be a great idea!  The city could charge another $20 for rating the assessment so it would not only save relationships but serve as a revenue generator for city and county government!

That’s your risk assessment for Valentine’s Day.  Please let me know if you’d like to fill out one of my prototype questionnaires, or maybe contribute to the model.   Enjoy the day!