Category Archives: Legal

Immediate Vault Immediate Access

RIMS TechRisk/RiskTech: Emerging Risk AI Bias

Posted on by

On the second day of the RIMS virtual event TechRisk/RiskTech, CornerstoneAI founder and president Chantal Sathi and advisor Eric Barberio discussed the potential uses for artificial intelligence-based technologies and how risk managers can avoid the potential inherent biases in AI.

Explaining the current state of AI and machine learning, Sathi noted that this is “emerging technology and is here to stay,” making it even more imperative to understand and account for the associated risks. The algorithms that make up these technologies feed off data sets, Sathi explained, and these data sets can contain inherent bias in how they are collected and used. While it is a misconception that all algorithms have or can produce bias, the fundamental challenge is determining whether the AI and machine learning systems that a risk manager’s company uses do contain bias.

The risks of not rooting out bias in your company’s technology include:

  • Loss of trust: If or when it is revealed that the company’s products and services are based on biased technology or data, customers and others will lose faith in the company.
  • Punitive damage: Countries around the world have implemented or are in the process of implementing regulations governing AI, attempting to ensure human control of such technologies. These regulations (such as GDPR in the European Union) can include punitive damages for violations.
  • Social harm: The widespread use of AI and machine learning includes applications in legal sentencing, medical decisions, job applications and other business functions that have major impact on people’s lives and society at large.

Sathi and Barberio outlined five steps to assess these technologies for fairness and address bias:

  1. Clearly and specifically defining the scope of what the product is supposed to do.
  2. Interpreting and pre-processing the data, which involves gathering and cleaning the data to determine if it adequately represents the full scope of ethnic backgrounds and other demographics.
  3. Most importantly, the company should employ a bias detection framework. This can include a data audit tool to determine whether any output demonstrates unjustified differential bias.
  4. Validating the results the product produces using correlation open source toolkits, such as IBM AI Fairness 360 or MS Fairlearn.
  5. Producing a final assessment report.

Following these steps, risk professionals can help ensure their companies use AI and machine learning without perpetuating its inherent bias.

The session “Emerging Risk AI Bias” and others from RIMS TechRisk/RiskTech will be available on-demand for the next 60 days, and you can access the virtual event here.

RIMS TechRisk/RiskTech: Opportunities and Risks of AI

Posted on by

On the first day of the RIMS virtual event TechRisk/RiskTech, author and UCLA professor Dr. Ramesh Srinivasan gave a keynote titled “The Opportunities and Downside Risks of Using AI,” touching on the key flashpoints of current technological advancement, and what they mean for risk management. He noted that as data storage has become far cheaper, and computation quicker, this has allowed risk assessment technology to improve. But with these improvements come serious risks.

Srinivasan provided an overview of where artificial intelligence and machine learning stand, and how companies use these technologies. AI is “already here,” he said, and numerous companies are using the technology, including corporate giants Uber and Airbnb, whose business models depend on AI. He also stressed that AI is not the threat portrayed in movies, and that these portrayals have led to a kind of “generalized AI anxiety,” a fear of robotic takeover or the end of humanity—not a realistic scenario.

However, the algorithms that support them and govern many users’ online activities could end up being something akin to the “pre-cogs” from Minority Report that predict future crimes because the algorithms are collecting so much personal information. Companies are using these algorithms to make decisions about users, sometimes based on data sets that are skewed to reflect the biases of the people who collected that data in the first place.

Often, technology companies will sell products with little transparency into the algorithms and data sets that the product is built around. In terms of avoiding products that use AI and machine learning that are built with implicit bias guiding those technologies, Srinivasan suggested A/B testing new products, using them on a trial or short-term basis, and using them on a small subset of users or data to see what effect they have.

When deciding which AI/machine learning technology their companies should use, Srinivasan recommended that risk professionals should specifically consider mapping out what technology their company is using and weigh the benefits against the potential risks, and also examining those risks thoroughly and what short- and long-term threats they pose to the organization.

Specific risks of AI (as companies currently use it) that risk professionals should consider include:

  • Economic risk in the form of the gig economy, which, while making business more efficient, also leaves workers with unsustainable income
  • Increased automation in the form of the internet of things, driverless vehicles, wearable tech, and other ways of replacing workers with machines, risk making labor obsolete.
  • Users do not get benefits from people and companies using and profiting off of their data.
  • New technologies also have immense environmental impact, including the amount of power that cryptocurrencies require and the health risks of electronic waste.
  • Issues like cyberwarfare, intellectual property theft and disinformation are all exacerbated as these technologies advance.
  • The bias inherent in AI/machine learning have real world impacts. For example, court sentencing often relies on biased predictive algorithms, as do policing, health care facilities (AI giving cancer treatment recommendations, for example) and business functions like hiring.

Despite these potential pitfalls, Srinivasan was optimistic, noting that risk professionals “can guide this digital world as much as it guides you,” and that “AI can serve us all.”

RIMS TechRisk/RiskTech continues today, with sessions including:

  • Emerging Risk: AI Bias
  • Connected & Protected
  • Tips for Navigating the Cyber Market
  • Taking on Rising Temps: Tools and Techniques to Manage Extreme Weather Risks for Workers
  • Using Telematics to Give a Total Risk Picture

You can register and access the virtual event here, and sessions will be available on-demand for the next 60 days.

What Employers Need to Know About Federal COVID-19 Vaccine Mandates

Posted on by

In an effort to combat the COVID-19 virus and its subsequent variants, the Biden administration has instituted three important mandates that employers should be aware of as they may impact their business. First, the Emergency Temporary Standard (ETS), issued by the Occupational Health and Safety Administration (OSHA), requires that all employers with 100+ employees mandate vaccination or weekly testing. The second mandate involves federal workers and contractors and requires them to obtain a vaccination without any option for weekly testing. The final mandate was issued by the Centers for Medicare and Medicaid Services (CMS), and requires vaccination of all healthcare workers at CMS-covered facilities.

OSHA’s Emergency Temporary Standard

The mandate that has the most wide-ranging impact is Occupational Health and Safety Administration’s (OSHA) Emergency Temporary Standard (ETS) that calls for employers with 100 or more employees to either require employees to obtain a COVID-19 vaccination or to prove compliance with a weekly-testing program. This ETS is expected to affect over 80 million employees. 

On December 17, the Sixth Circuit Court of Appeals lifted the stay placed on OSHA’s ETS issued by the Fifth Circuit in November. The court held that OSHA does have statutory authority to mandate national vaccines and/or testing for employers with more than 100 employees. Specifically, it outlined that because COVID-19 is a virus that causes bodily harm, OSHA was well within its administrative authority to regulate the health and safety of employees. 

Since the Sixth Circuit’s decision to dissolve the stay, OSHA announced that it will not be issuing citations for noncompliance with the ETS requirements until January 10 and the testing requirements will not be enforced until February 9 with the caveat that the employer must make good faith efforts to come into compliance as soon as possible.

After this ruling by the Sixth Circuit, eight groups challenged the OSHA vaccine mandate and filed emergency applications with the U.S. Supreme Court asking it to stay the mandate again until the case can be heard in the highest court. On December 20, the Supreme Court requested a response from the federal government by December 30. And, on December 22, in an almost unprecedented move, the Supreme Court ordered oral argument on these emergency applications, which will take place on January 7.

Despite the fact that the validity of the ETS is now squarely before the Supreme Court, employers should still operate as if the ETS will go into immediate effect. OSHA has implemented new deadlines to reflect the current status of the ETS.

By January 10, employers should:

  • Track employee vaccination status
  • Create a database detailing vaccination information for each employee
  • Require unvaccinated employees to wear a mask
  • Provide paid time off for employees to get vaccinated and recover

As of February 9, 2022, employers must also require unvaccinated employees must start testing for COVID weekly. Self-administered or self-read tests would not comply. Employers must observe or use a proctor and have employees tested on site, or at a recognized testing facility.

The Mandate for Federal Employees and Contractors

The second mandate stems from President Biden’s executive order that requires most federal employees or contractors to get vaccinated. This mandate does not have a testing option.

On December 7, the U.S. District Court for the Southern Section of Georgia granted a preliminary injunction to temporarily halt the enforcement of the Biden’s administration’s vaccine mandate for federal contractors.The court found that the administration had overstepped the bounds of it authority under the Federal Property and Administrative Services Act 40 U.S.C. 101 et. seq. The injunction effectively prohibits enforcement of the federal contractor vaccine mandate in all 50 states and any territory of the United States. However, on December 17, the Eleventh Circuit, denied the government’s motion to stay. This effectively upheld the injunction. The court found that the government had failed to show that it “would be irreparably harmed absent a stay.”

The CMS Mandate

The third mandate is an interim file rule of the Centers for Medicare and Medicaid Services (CMS), which requires vaccination of all healthcare workers at CMS-covered facilities throughout the United States. The CMS mandate is currently enjoined by court order in 25 states and continues in full effect in 25 other states. After the ruling by the Fifth Circuit in November, however, CMS suspended implementation and enforcement of the mandate pending resolution of the challenges before the Supreme Court.

Grow Employee Engagement with a Strong Investigation Process

Posted on by

In a tight labor market, employers are seeking to gain or retain a workforce with more pay, work for home and other perks. They can also improve retention through a culture of trust and consideration. Improve how you listen and investigate when someone on your team speaks up about compliance. If you investigate with urgency and respond, then you’ll gain trust and build employee engagement.

Here is an anecdotal case, from the perspective of the business: An anonymous report comes in from a small foreign office, that says “It seems like there is something going on between the marketing lead and a partner. I suspect they are wasting marketing funds.” The seriousness of the issue is not entirely clear—maybe the person reporting the issue is questioning the quality of the marketing campaigns. It is a challenge to reach people overseas.  Some initial questions are asked, but the case sits for months before anyone starts reviewing the matter closely. 

After almost a dozen interviews, no one reveals anything useful. The answer has to be found by sifting through years of email. The investigation ultimately uncovers how the company is being taken advantage of. It is shocking how so many people in the office know the marketing lead is stealing company funds, but said nothing. 

After the late start, combined with actual wrong-doing that is festering, the person who reported the wrongdoing and the rest of the office have stopped caring. The business is left with a problem infecting the whole office, instead of having to deal with only one or two bad actors.

Compliance is a Retention Issue

A compliance report may raise questions about potentially uncomfortable topics: harassment, fraud, conflicts of interest or any number of issues highlighted in a typical code of conduct. When a report is substantiated, someone might be disciplined or fired—thus, colleagues may view the person who reported the issue as disloyal to the team. Those who come forward may also fear that their company may not care about the reported issue or try to cover it up, and maybe even retaliate against them.

With the risks reporting presents, it is likely to be the most engaged, loyal employees who report, so you risk losing your best if you fail to listen. This happens when you leave reported issues unaddressed, where you fail to rectify a substantiated report or when you let a report languish unresolved. But if you follow up and respond quickly, you will win trust. When a talented employee feels listened to, they will have higher morale, trust the boss more and be more committed.

Improving Investigations

Listening to a compliance reporter is about taking the issue seriously and expediciously running it to ground. The foreign office scenario above would have gone better had the investigators seen through the vagueness of the report to the potential seriousness of the underlying misconduct and then doggedly pursued a resolution from the start. With those in the office uncooperative in interviews, having access to past email made it possible for the investigation team to close the case.  

Here are five tips to improve and speed up how you investigate:

  1. Have a process: Implement a disciplined approach for following the routine steps in a compliance investigation—assessing the initial report; developing an investigation plan; finding, verifying and analyzing to formulate a decision; and resolving with discipline, prevention, and training.
  2. Be selective when choosing your investigators: Staff your investigative team with individuals who are not wired to let cases sit. Provide them investigation training and consider augmenting with outsourced external investigators if an issue is large or complex.
  3. Define objectives: Set a clear objective for the investigation at the outset to keep investigators on track. The investigation can move on when they have obtained sufficient facts about the objective—finding that “smoking gun” email, for example. When you learn something new that needs further review, flag it for later but do not let it interfere with your first objective.
  4. Use technology: Give your investigators direct access to the data. It is frustrating for an investigator to receive a report and then have to wait for IT to provide the relevant emails or other data, then wait for IT to provide additional materials when the investigator learnes something new. The team’s investigation times accelerate when it has direct access to email and other communications through archiving platforms and other technology.
  5. Track timing: The time to complete an investigation is dependent on the circumstances. The investigation team should set period of time to resolve the investigation when a compliance issue arises.

A business builds a strong culture when it supports those who speak up. Having a strong investigative team, defining objectives, using technology and being aware of completion timing will allow you to quickly learn what is going on. You will also demonstrate that you are not using a haphazard approach.  This will give your employees more confidence in your company and encourage them to stay around.