What’s more important: how often you wash your hands or what you just did with your hands?

Why is it important not to conflate correlation and causation? . . . And why is this a problem for Operational Risk Management?

You have probably taken at least one statistics class at some point.  You were probably told that correlation does not imply causation. For most people however, the practical implications of that distinction are not necessarily clear:

But why is it so hard to tell the difference between correlation and causation?

The ability to tell the difference between causation and correlation is however intrinsic to what makes us human (despite our collective inability to take this in during a statistics class):

Imagine the daily routine of one of our proto-human cave dwelling ancestors. Every day our ancestor must leave the safety of the cave to hunt and gather. Leaving the cave is potentially hazardous because a predator may be laying in wait at the mouth of the cave. Our ancestor therefore is careful every time she leaves the cave to make sure that there isn’t a saber-toothed tiger waiting just around the corner.  

It is however possible that our ancestor has reached the ripe old age of her mid-teens which has allowed her to already pass on her genetic heritage to a more immediate ancestor of ours. It’s also possible that her caution is not the reason why she has reached this place.  She may have survived long enough to pass on her DNA to us because there never has been a saber-toothed tiger waiting at the mouth of the cave. If that’s the case, why does she keep checking every day? Is it just habit?  

She has left the cave hundreds, if not thousands of times, without ever encountering a predator.  There is therefore a strong correlation, actually a 100% correlation, between the action of leaving the cave and the absence of a predator at its mouth.  She keeps checking every day because of one of the things that distinguishes our protohuman ancestor from the other prey animals living on the savanna: She can reason in causal terms.  Our ancestor knows the following:

• Although there never has been a saber-toothed tiger waiting at the mouth of the cave, she knows saber-toothed tigers live and hunt nearby;
• She knows that other members of her protohuman community have been ambushed by predators when leaving the cave; 

And . . .

• She also knows that there is no physical barrier or other impediment that prevents a saber-toothed tiger from accessing a position near the entrance of the cave from which it can ambush her.  

The reason she will always check to make sure that saber-toothed kitty is not waiting for her in the morning is that she is reasoning in causal terms and not making decisions based on inferences obtained from statistical correlation.

One of our ancestor’s cousins may however have experimented with decision-making based on correlation-based inference. There is a reason why I am not referring to that cousin as an ancestor of ours: It is likely that, one morning, a waiting predator exploited the flaws in the cousin’s reasoning and removed that cousin’s DNA from our collective genetic inheritance. [See Endnote 1]

So why do we get it wrong?

If the distinction between causal reasoning and correlation-based inference is so core to what makes us human, then why do so many people have trouble internalizing the lesson of the statistics class?

Contemporary humans are members of complex societies in which products are created and services are delivered through the interactions of interdependent specialized organizations and between specialized sub-organizations within organizations. Workers can acquire highly specialized skill sets because they are able to rely upon process interdependencies that leverage specialized skill sets of other specialists to achieve organizational outcomes that no one specialist has the skill set to achieve on their own.  This is a paradigm that encourages the conflation of correlation with causation:

Almost all people who are employed on a full-time basis by at least a moderately sized business do not concern themselves with the immediate causality of how they receive their salary. If the business is doing well, they know they will continue to be employed, there are people whose job is to ensure receipt of payments from creditors.  There are other people whose job is to ensure that the company’s bank account has sufficient funds to cover payroll expenses on the date those funds need to be drawn and there are others who make sure those funds are drawn and that the net pay of each employee is deposited in their bank account on the due date [See Endnote 2].

The individual employee, if he or she is thinking at all about whether he or she will get paid on time, has the luxury of thinking in terms of correlation:  The business is doing well, I am performing well and my efforts are valued, therefore I will get paid like clockwork at the end of each month.  

The world inhabited by people employed by large institutions is therefore one that allows them to approximate causal reasoning with inference derived from correlation.  

Why is this a problem for operational risk management?

In the risk management world we normally think of the conflation of correlation with causation as a problem for financial risk management and other disciplines that rely upon models (epidemiology currently comes to mind):  Models are essentially correlation-based approximations of causal behavior and are only useful provided that their underlying assumptions are valid and relevant to current conditions.  It’s easy to forget to think in causal terms when you’re used to relying on a model.  The frequency with which this happens is why model risk is a distinct discipline in financial institutions.

The mistake of using correlation to imply causation is however also widespread in the execution of formal operational risk programs:

One of the purposes of a formal risk program is to account for all the risks across the full scope of a complex inter-dependent organization.   Categorization of risks, controls and actions using taxonomies of descriptive labels is essential to meaningful risk aggregation and analysis.  Risk doesn’t however arise because of correlations between categories of things.

Operational risks arise from instances of how a specific infrastructural vulnerability or control weakness / gap (e.g. insufficiently strong locks on eleven safes holding cash) may cause a specific adverse event to be experienced (e.g. theft of the cash from one of those safes) leading to one or more specific adverse impacts experienced by the compromised business (e.g. loss of the cash held in one of those safes).

Discussion of exposures in terms of categories of exposure leads to discussions of actions in terms of categories of actions:

Reduction in exposures to risks categorized as “external theft and fraud” and “internal theft and fraud” is strongly correlated with increased investment in “physical safeguards” (a category of controls).  It’s probable that if you perform analysis of historical data that a statistical correlation will be found between increased investment in physical safeguards and loss events categorized as theft.  However, the risk of loss from those specific eleven safes with the sub-standard locks will only be mitigated by an action that will specifically stop cash from being stolen from those 11 safes, i.e. replacing and upgrading their locks.

What does all of this have to do with washing hands?

First a disclaimer: I am neither a medical professional nor a public health professional. The remainder of this article is a thought experiment to consider what is now a daily decision-making activity for all of us from an operational risk perspective.  For public health information about what you should do during the COVID-19 pandemic please consult the website of the Centers for Disease Control and Prevention, your local department of health or the equivalent local public health authority in the location that you are currently in.  

This article is being written in the third week of March 2020 at a time when everyone is spending their time focused on reducing exposures to one potential risk event i.e. the infection of ourselves, our families, teams and communities with the COVID-19 virus.  Our daily lives have started to have a lot more in common than with that of a proto-human ancestor than we are used to.  Each time we leave our homes we need to be vigilant and take preventative steps to stop ourselves becoming a victim of a threat from the natural world.

The public health guidance about the internal controls we each need to deploy is clear: social distancing: keeping 6 feet apart from other people, washing hands, not touching your face with unwashed hands and regularly disinfecting frequently touched surfaces.

Changing people’s behavior is hard.  The objective of causing a large group of people to uniformly adopt a new behavior requires messaging that is clear, concise and consistent otherwise the message will be lost in the small print.  The criticality of the message “do not share passwords” just doesn’t come across when delivered in the middle of an information security policy compliance training course alongside a long list of other compliance requirements. The message starts to take hold when delivered through a concerted campaign of frequent messages that say very little more than “do not share passwords”.

Public health messaging uses the same approach of broadcasting and repeating simple, clear and unambiguous messages: “Wash your hands.” The shortage of hand sanitizer in stores and the number of people singing “happy birthday” to themselves as they wash their hands is evidence of the effectiveness of this approach.

Concise, clear communication like this does not however leave much room for detailed guidance about specific scenarios about when someone should wash and re-wash and how often.  How often should someone wash their hands?

A thought process based on correlation-derived inference might go as follows:

• Increasing the amount of washing hands across the population is correlated with a decrease in instances of infection. 
• Therefore, I should wash my hands more often (say, five or ten times more than I normally do).
• Having increased my hand washing frequency, I have effectively deployed the preventative control of hand washing to mitigate my personal risk of infection/

But does this make sense if you think in causal terms?

All that is necessary for infection is for single virus particle, a virion, to enter a person’s respiratory system via their mouth, nose or eyes. The most likely way this will happen is by touching our own face after being in close contact with an infected person or by touching a surface that has respiratory droplets from an infected person (You can also be infected by being near an infected person while they sneeze or cough but washing hands won’t help here: just keep six feet apart from everyone).

Assuming that we are all properly practicing social distancing then thinking in causal terms the minimum frequency with which we should wash / sanitize our hands is:

BEFORE you touch your face AFTER touching a surface that may been touched by an infected person OR AFTER being on contact with another person.

Simple isn’t it?

I went to the grocery store two days ago.  I kept my hands firmly on the handles of my pushcart whenever I wasn’t picking something up from a shelf to prevent myself from absent-mindedly touching my face.  I’m aware that pathogens can survive longest on non-porous surfaces like glass so I wore cordless headphones so there would be no reason to bring my phone to my face.  Phones have long been identified as germ magnets but the risk of transferring Covid-19 virions to your phone after touching another surface and then infecting yourself after using the phone seems to be regarded as very low.  The public health messaging doesn’t go as far as the special case about how to use cell phones during the pandemic.  If it did it then the guidance would get long and complex and the simple messaging would be lost.  However, because I thought through how to apply the guidance in causal terms, I identified a potential risk and found sources online saying that the risk was low but it’s a good idea to disinfect your phone anyway and it can’t hurt.  I finished paying for the groceries and loaded up my backpack (I live in Brooklyn, New York, so no car).  My hands no longer had anything to hold in order to stop me absent-mindedly touching my face, so I immediately sanitized them.  I returned home.  As soon as I walked through the door, I used the bottle of sanitizer that we keep just inside the entrance to the apartment to sanitize my hands again.  

I felt virtuous, I had walked in my proto-human ancestor’s footsteps and not her cousin’s: Even though my lived experience shows zero correlation between leaving my home and encountering Covid-19 I had thought through the hazards of the trip to the grocery store in causal terms and identified the steps in my routine that exposed me to hazard and appropriately deployed mitigating controls.

An hour after returning home I looked at my watch on my wrist and realized that I had touched its glass surface multiple times during my excursion.  I had sanitized my hands after returning home but I had not sanitized my watch and I had touched my watch and multiple other things including my face after returning home:  Oops.

I presume the risk of contracting Covid-19 from your watch is as low as it is from catching it from a phone but I was chastened by this moment of realization that even though I had tried very hard to identify all the instances of threat in this expedition there was at least one place where my thought process of causal reasoning had broken down.

Conclusion

Thinking scenarios all the way through in purely causal terms isn’t easy but the lesson of the statistics class to not conflate correlation with causation really is intrinsic to how we got where we are as a species.  It’s how we learned to avoid falling victim to the risks of predators at the entrance of the cave and it’s the mechanism for identifying appropriate mitigations to operational risks, including our now daily preparation to avoid the adverse impacts of external events.

---

Endnotes

Endnote 1

Nassim Nicholas Taleb offered a similar allegory in The Black Swan (Taleb, 2007):

“Consider a turkey that is fed every day. Every single feeding will firm up the bird’s belief that it is the general rule of life to be fed every day by friendly members of the human race “looking out for its best interests,” as a politician would say. On the afternoon of the Wednesday before Thanksgiving, something unexpected will happen to the turkey. It will incur a revision of belief.”

Taleb, Nassim Nicholas. 2007. The Black Swan: The Impact of the Highly Improbable. Events : Random House, 2007.

Endnote 2

A freelancer or proprietor of a small business does not have that luxury and must think in purely causal terms: If there are insufficient funds in the bank account to make payroll and sufficient receivables are not received from creditors by the end of the month then at least someone will not get fully paid.