We hear this question every week: “How can I get support from management for my information risk management program?”
Here are some suggestions that have helped other organizations:
Secure a friend in the boardroom
If you don’t have a sponsor on the executive team, get one! It should be someone in the C-suite who understands risk management: your legal counsel, your CFO, or perhaps your Medical Officer or COO. In addition to supporting the vision and commitment of protecting health information, reviewing and critiquing your investment requests, and fashioning your arguments into the language his or her peers understand, your sponsor will be important in garnering support from other key stakeholders and helping to secure funds for strengthening your compliance program.
Change the conversation: from “Compliance” to “Patient Safety & Quality of Care”
Talk about how the confidentiality, integrity and availability of health information is critical to patient safety and quality of care. It is, after all, about the patient. At its core, risk management is about preventing loss or harm.
The greatest harm or loss may be incurred by your patients, members, residents, employees and customers. It’s not about you!
Establish or strengthen your risk management oversight (or governance) council
If you don’t have one already, establish an Oversight Council or Committee with the help of your sponsor; if you do, strengthen it by ensuring that it includes stakeholders from other key functions who understand, and need to participate in, the development and maturing of your information risk management program.
The Council should be responsible for:
- Providing strategic direction relative to risk philosophy
- Establishing the authority, responsibility and accountability of the program
- Setting the organization’s risk appetite
- Understanding the level of risk in the organization and the impact of the consequences
- Approving initiatives to reduce or mitigate that risk
- Ensuring adequate resources to achieve initiatives
- Providing high level support for initiatives
- Being aware of compliance issues and remediation
- Ascertaining that risks are managed appropriately
Establish a risk management working group
This should be a cross-functional group with “skin in the game” that is responsible for:
- Implementing an effective, coordinated program, including documented policies and procedures, workforce training, sanctions for violations, incident reporting procedures and Business Associate management, among others
- Mitigating gaps or weaknesses uncovered during compliance assessments and/or risk analysis
- Keeping the Oversight Council informed of the results of risk analysis and the resulting mitigation activities, including current and evolving risks, the likelihood of a bad thing happening and the impact should it happen, along with your recommendations for managing those risks
- Keeping the Oversight Council informed of regulatory changes, trends in incidents and breaches, results of compliance audits, progress on remediation plans, and training
Align your recommendations with the business strategy
Ensure that you do so by:
- Making sure your recommendations will improve the protection of sensitive information without disrupting operations unnecessarily
- Focusing your compliance and security recommendations on ensuring customer trust and creating a competitive advantage
We can assist you!
Don’t know where to start? Even more good news: below are some helpful, no-cost resources from Clearwater Compliance:
- Jumpstart your efforts by attending a Clearwater Information Risk Management BootCamp™.
- Sign up for one of our complimentary best-practices webinars with industry experts.
- Subscribe to our newsletter for a robust summary of the latest information risk management news.