top of page

Weighing in on the Cost-Benefit Analysis of Effective Crisis Management

Have you as a business owner or corporate executive ever wondered what was the legal and financial risks are of insufficient security protocols? How do you support organizational spending for security assessments, updates, and improvements? Is it better to determine organizational liability pre or post crisis? Let's have a discussion.

Organizational liability will depend on three questions:

  • Was there a duty to implement security protocols?

  • If there was a duty, was there a breach of said duties?

  • If there was a breach, did the breach cause the harm?

The General Duty Clause Section 5(a)(1) of the Occupational Safety and Health Act (OSHA) of 1970, employers are required to provide their employees with a place of employment that is “free from recognized hazards that are causing or are likely to cause death or serious physical harm." The courts have interpreted OSHA's general duty clause to mean that an employer has a legal obligation to provide a workplace free of conditions or activities that either the employer or industry recognizes as hazardous and that cause, or are likely to cause, death or serious physical harm to employees when there is a feasible method to abate the hazard. OSHA has developed Enforcement Procedures and Scheduling for Occupational Exposure to Workplace Violence, which provides guidance and procedures to be followed when conducting inspections and issuing citations related to the occupational exposure to workplace violence. What the courts may look at is if the crisis in question was unlikely or was it foreseeable?

In 1984, San Ysidro, California a gunman opened fire in McDonalds killing 22 patrons of the fast-food chain. There was a court case called Lopez v. McDonalds Corp. (1987) at that time the courts deemed the incident unforeseeable. Fast forward to present day where there seems to be a lot more workplace violence in one way or another.

In 2018, a current employee of the Rite-Aid Distribution Center, in Aberdeen Maryland, reported to work. The employee opened fire inside and outside the building killing four people including themselves. Haissaun Mitchell v. Rite Aid is a case that originates from this incident. Mitchell was a temporary work at the location but was unable to prove to the courts that the incident was foreseeable. Organizations must understand that there is ALWAYS a lawsuit following a tragic outcome.

Piazza v. Kellim (2016) is one such wrongful death lawsuit in which the courts found that the defendant was held liable. The plaintiff was waiting in line at an underage nightclub when she was fatally shot. The Oregon Supreme Court ruled that the nightclub should have foreseen a risk of violent assault on the public sidewalk outside the nightclub.

Foreseeable depends on what an organization "knows or reasonably should have known." Willful ignorance doesn't necessarily protect an organization. Whether an organization has a duty to protect the victims depends on the efficacy of the organizations security protocols before, during, or after an incident.

How do you satisfy the duty of care before an incident?

  • Risk assessment/ Independent security study.

  • Protocols for security related information sharing.

  • Dedicated security staff.

  • Mental health assessments with staff.

  • Controlled access to facility.

Plus an organization may be eligible for certain tax fringe benefits for certain security measures. Refer to U.S. Code Title 26 USC 132.

During the incident the timeliness of the response and the effectiveness of the response will matter. That may satisfy an organizations duty of care.

How do you satisfy a duty of care after a crisis has occurred? Well you try your best to continue your efforts to mitigate harm. Conduct an internal investigation and a debrief of the incident. You must evaluate the tragedy that has unfolded. Then immediately proceed with improvements based on lessons learned from the incident. Did the breach in security procedures cause the harm?

Look at cases such as:

  1. Axelrod v. Cinemark Holdings, Inc. (Aurora Colorado Theater Shooting.)

  2. In Re Walmart Inc. (El Paso Walmart Shooting)

  3. MGM Resorts (Approximately 64 law suits, $800M Settlement to victims, Route 91 Harvest Music Festival Massacre.)

The point is there is ALWAYS a lawsuit in these tragedies. Litigation is expensive, even if successful. Continued litigation can cause harm to an organization's reputation. The MGM Resorts covered approximately $751M which still means there was $49M to spend.

It is better to have security protocols than not. As always stay safe, and stay vigilant.

Recent Posts

See All


bottom of page