CEO-to-CEO – Top 5 Questions CEOs Should Ask About Information Risk Management
In the current climate, it is an absolute necessity that CEOs become actively involved in business risk management in general and in information risk management specifically. This mandate crosses all industry sectors, and the requirement in healthcare is especially pressing right now.
In this brief post, I invite CEOs to start an important dialog in their businesses by asking these top five starter and related questions:
- Are you and your top team formally engaged in the process? Is there a chartered risk management committee? Do you meet on a regular basis? Have you articulated your risk appetite? Is there a chartered ‘working committee’ producing specific, tangible recommendations and information for you and your committee to action? Have you helped your organization understand the direct connection between high quality care, access to care and timeliness of care with the confidentiality, integrity and availability of Protected Health Information (PHI)?
- Is your information risk management program business-driven? Have you set key business maxims or imperatives? Have information risk management maxims been derived from these business maxims? Is your information risk management program directly tied to your enterprise risk management program? Are your Privacy / Security / Compliance teams working closely with your Enterprise Risk Management (ERM) team? Are you following industry standards such as those based on the NIST or ISO risk management frameworks?
- Are you really doing bona fide risk analysis and risk management work? Does your standard vocabulary and process include information assets, threat sources, threat actions, vulnerabilities, controls, likelihood and impact? Do you have an operative, usable risk register that facilitates improved decision-making? Have you had this work reviewed by outside experts?
- Are you proactively refining your information risk management program into a mature business process? Are you actively developing skills, knowledge and experience in the risk management discipline? Are you, as an executive team and as a company, aware of the benefits and value of risk management? Are you using standards, tools and software to institutionalize the program? Are the outcomes becoming more consistent, repeatable, reliable and predictable?
- Are you producing the required outcomes of a good risk management program? Bottom line: is all sensitive information being reasonably and appropriately safeguarded? Do you maintain an active “risk register”? Are you evaluating proper risk response alternatives? Are you making higher quality, more informed decisions? Are you prepared for an audit by an enforcement agency?
HIPAA Risk Analysis and Management Resources Available to You
Clearwater Compliance offers best-in-class HIPAA-HITECH Privacy, Security and Breach Notification software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.
Please avail yourself of any of these free resources which you may access now by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater HIPAA Security Risk Analysis™ software DataSheet
- Clearwater HIPAA Security Risk Analysis™ software Free Trial for qualified organizations
- AboutHIPAA.com Risk Analysis Resources
Author: Bob Chaput