We hear this question every week: “How can I get support from management for my information risk management program?”

Here are some suggestions that have helped other organizations:

Secure a friend in the boardroom

If you don’t have a sponsor on the executive team, get one! It should be someone in the C-suite who understands risk management – your legal counsel, your CFO, or perhaps your Medical Officer or COO. In addition to supporting the vision of and commitment to protecting health information, reviewing and critiquing your investment requests, and fashioning your arguments into the language his/her peers understand, your sponsor will be important in garnering support from other key stakeholders and helping to secure funds for strengthening your compliance program.

Change the conversation: from “Compliance” to “Patient Safety & Quality of Care”

Talk about how the confidentiality, integrity and availability of health information are critical to patient safety and quality of care. It is, after all, about the patient. At its core, risk management is about preventing loss or harm.

The greatest harm or loss may be incurred by your patients, members, residents, employees and customers. It’s not about you!

Establish or strengthen your risk management oversight (or governance) council

If you don’t have one already, establish an Oversight Council or Committee with the help of your sponsor, or strengthen the one you already have, by ensuring the inclusion of stakeholders from other key functions who understand, and need to participate in, the development and maturing of your information risk management program.

The Council should be responsible for:

  • Providing strategic direction relative to risk philosophy
  • Establishing the authority, responsibility and accountability of the program
  • Setting the organization’s risk appetite
  • Understanding the level of risk in the organization and the impact of the consequences
  • Approving initiatives to reduce or mitigate that risk
  • Ensuring adequate resources to achieve initiatives
  • Providing high level support for initiatives
  • Being aware of compliance issues and remediation
  • Ascertaining that risks are managed appropriately

Establish a risk management working group

A cross-functional group with “skin in the game” that should be responsible for:

  • Implementing an effective coordinated program including ensuring documented policies & procedures, workforce training, sanctions for violations, incident reporting procedures and Business Associate management, among others
  • Mitigating gaps or weaknesses uncovered during compliance assessments and/or risk analysis
  • Keeping the Oversight Council informed on results and mitigation activities resulting from risk analysis including current and evolving risks, the likelihood of a bad thing happening and the impact should that bad thing happen, in addition to your recommendations to manage those risks
  • Keeping the Oversight Council informed on regulatory changes, trends in incidents and/or breaches, results of compliance audits, progress on remediation plans, and training

Align your recommendations with the business strategy

Ensure that you do so by:

  • Making sure your recommendations will improve the protection of sensitive information without disrupting operations unnecessarily
  • Focusing your compliance and security recommendations on ensuring customer trust and creating a competitive advantage

We can assist you!

Don’t know where to start? Even more good news! Below are some helpful, no-cost resources from Clearwater Compliance:

Bob Chaput

CEO at Clearwater Compliance
Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the Healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.