I’ll soon be speaking at the PHI Protection Network conference in Anaheim, home of the underachieving Anaheim Angels in Major League Baseball. Since it’s nearly time for spring training to begin, I began musing on the parallels between professional baseball and risk management.
Both baseball and risk management rely heavily on metrics.
The book (and later movie) Moneyball chronicled how one big league manager used “Sabermetrics” to help his team succeed. Sabermetrics has fundamentally changed the game of baseball because it focuses on things that really matter – runs scored – instead of flashier metrics like batting average.
Clearwater Compliance has pioneered a new maturity model called the Information Risk Management Capability Advancement Model™ (IRMCAM™) that can do for risk management what Sabermetrics did for baseball. IRMCAM™ focuses on the metrics that really matter – not the lofty mission statements that disguise some organizations’ less-than-stellar risk management programs.
Here are the five major practice areas that IRMCAM™ measures:
- Risk Management Governance and Awareness of Benefits and Value
- Risk Management People, Skills, Knowledge and Culture
- Risk Management Process, Discipline and Repeatability
- Risk Management Use of Standards, Technology Tools and Scalability
- Risk Management Engagement, Delivery and Operations
An organization then gets a Capability Level score in each practice area. Level Zero is the equivalent of a high school pitcher looking bewildered in Angels’ training camp. Level 3 corresponds to a major league benchwarmer – good enough to be considered a pro, but not a star. And, of course, Level 6 is the risk management equivalent of winning the World Series.
Take a look at the scorecard below and ask yourself: “Where does our organization rank?”
- Level 0 Incomplete – This is the “anything goes” ranking. There’s no risk management governance; practices are ad hoc and chaotic.
- Level 1 Performed – Way too much variance in risk practices; a few successes but also many failures.
- Level 2 Managed – The key word here is “some.” The organization has some risk management processes defined, documented and practiced – and some employees are trained in them.
- Level 3 Established – There’s board-issued guidance; risk management processes are consistent across the entire organization.
- Level 4 Predictable – The organization views risk management as a business enabler; predictive risk scenarios are used.
- Level 5 Mature – Risk is considered in all. Real-time continuous monitoring of risk events is standard; processes and tools are continuously improved.
The teams that succeed in Major League Baseball are those that rigorously measure their performance against benchmarks that matter. The same is true in risk management – and IRMCAM™ makes the process much easier.
Privacy starts with risk management
In an age where millions of records can be accessed and shared in a single data breach, information risk management has never been a more critical issue, especially within health care.
The third annual 2015 PHI Protection Network Conference will gather senior privacy, compliance, and security officers to share best practices and insights that will provide all attendees with tangible and actionable takeaways that can be implemented inside health care organizations today.
We hope that many of you will join us for an exciting schedule of education, thought leadership and a showcase of some of the innovative technologies and services that exist to help you meet these challenges.
Find out more about this event here.
By Bob Chaput