On January 1, 2020, a new California regulation went into effect that may push many unsuspecting enterprises doing business in the state into costly noncompliance while also introducing reputational risk and threatening their brands. The California Consumer Privacy Act (CCPA) grants new consumer rights related to data storage, use, and protection. Companies failing to comply with these rules can be fined up to $7,500 for each violation. Despite the potential impacts, a recent survey by the IT security firm ESET shows how ill-prepared most enterprises are regarding this new compliance obligation:
- Nearly half of all respondents had never heard of CCPA
- More than 8 in 10 respondents did not know if the law even applied to their business
- A third of executives were unsure if their organizations needed to change how consumer data was stored/processed
- Nearly 1 in 4 respondents “didn’t care” about becoming compliant
- More than half had not performed a risk assessment on cybersecurity within the past year
Given the stakes involved, this broad lack of urgency is concerning but not all that surprising. A DataGrail survey indicated that despite investing thousands of hours and being given a two-year head start, only half of the companies reported achieving compliance with the General Data Protection Regulation (GDPR), a similar data privacy regulation in Europe. Additionally, 70% of enterprises admitted the systems they were currently using to comply would not scale. When the pace of regulatory change is accelerating so rapidly, most enterprises are being caught flat-footed.
Those in the risk management field have heard plenty about the benefits of establishing an enterprise risk management (ERM) program. In some cases, they’ve likely heard too much. Lost in debates about frameworks or which acronym to employ (ERM vs. IRM vs. GRC) is the answer to the question, “How do I actually establish an ERM program that produces tangible, measurable results?”
An ERM program doesn’t have to be overly complicated (really!). Neither does it have to be an academic exercise that takes you away from critical daily tasks. When ERM is done right, it’s tied directly to your organization’s central strategic goal and consists of clearly laid-out, doable steps.
You can launch a manageable and sustainable ERM program. You can get everyone on board with the process. You can find success without losing your mind.
You can do ERM differently.
Focus on execution
ERM isn’t a magical, all-knowing tool into which issues are input and solutions spit out. ERM is a considered process that forces you to ask the right questions—questions that lead to the right preventative measures. So when embarking on the creation of an ERM program, your focus should be on execution: What actions am I not taking today that I should be taking in order to get out in front of risks?
Before organizations can begin implementing an enterprise risk management (ERM) program, they must get buy-in from leadership. But in order for leadership to feel comfortable buying into a program, they must have sufficient evidence that it will make a difference for the organization’s overall goals.
There’s a solution to this catch-22. By having the right conversations and showing results from smaller-scale initiatives, organizations can demonstrate the value of an ERM program to leadership—and do so without the same time, effort, and resources required for a full-scale ERM operation.
Start the old-fashioned way
The right technology can be instrumental in demonstrating ERM program successes. However, before using technology to prove the benefits of an ERM program, risk managers can begin influencing leadership through small, in-person conversations.
“One of the biggest buy-in methods for a successful strategy is talk,” writes Darius Delon, AVP of risk services for Mount Royal University, in the article Putting Strategy into Risk Management. “One person at a time, one hour at a time, one advocate at a time. People will not buy in to ERM just because they read something you put in front of them or heard at a large forum. Talk to them, work with them, get small wins…”
Enterprise risk management (ERM) programs require focused planning and commitment from a range of stakeholders within an organization. However, even organizations with the best intentions can see ERM efforts fall to the wayside as more pressing day-to-day issues take precedence.
In the article Leveraging Technology To Drive Sustainable ERM Initiatives, Origami Risk’s Josh Newsum discusses the powerful role of risk management technology in keeping ERM initiatives on track, as well as how organizations can achieve the best results, regardless of where they are in the process.
Read the article in Risk Management →
As the hospital burnout crisis continues to make headlines, healthcare organizations need not only solutions that address the consequences of burnout, but also strategies for preventing burnout in the first place. As discussed in part 1 of this series, the right healthcare risk management technology can play a role in efforts to ensure physicians are more fully engaged. Physicians who feel connected to the core purpose of their work are less likely to burn out and more likely to provide quality patient care.
Another approach to addressing clinician burnout is the establishment of an organization-wide plan to monitor, analyze, and, ultimately, prevent the condition from occurring. Efforts to mitigate burnout will likely come from many directions within an organization, but to streamline the process and get everyone on the same page, a logical but perhaps unexpected place to start is with the hospital risk management team. Healthcare risk managers can play a crucial role in successfully preventing burnout by viewing burnout like the other risks they manage, developing a healthcare enterprise risk management (ERM) framework, and leveraging the technology they already work with on a daily basis.
Those working in the healthcare industry are no strangers to constant change. A healthcare risk management program and the right technology can help to effectively monitor risk across specialties and improve patient safety. Origami Risk’s Bill Schwacke spoke to Future of Personal Health about the intersection of risk management and the healthcare industry.
Risk management software is used in various industries. How is it applied to healthcare?
Risk management software is at the center of a healthcare organization’s approach to risk, safety, claims, and insurance. The software can define the provider’s approach to risk by linking, organizing, and distributing data from independent, critical functions to provide an organizational view of risk.
Can you elaborate on the correlation between patient safety and risk management software?
Patient safety and risk management software are often linked due to the nature of the data involved. While they often work independently, there are insights that can be discovered when linked together. These insights can improve quality of care and reduce claims/insurance costs for the organization.
Read the full article in Future of Personal Health.
Risk assessments and heat maps remain central components in most enterprise risk management (ERM) programs. Yet there is considerable debate about their effectiveness and both tools have no shortage of critics. In 2011 Howard Sklar, a Forbes contributor, outlined one of the most popular criticisms regarding companies that viewed risk assessments as a document instead of a risk management process. He noted, “Companies that fail in this way are often trying to check the risk-assessment box on their program. That’s fine, as far as it goes. At first glance, a risk assessment seems like a low-ROI effort. You put in time and potentially money, and you get back a piece of paper laying out what you already know.”
Similarly, others deride heat maps as nothing more than “colorful guesses.” Brian Priezkalns, in the not-too-subtly titled article, Why I hate Heat Maps, says “Heat maps are just a terrible terrible terrible way to understand, communicate about, and decide how to respond to risks. They either mess up what you already knew, or they hide the fact you are too ignorant to make a rational decision. Everything that can be done with heat maps would be done better with actual numbers.”
If the risk assessment and risk heat map have such fierce critics, then why are they still central to most ERM programs? In this article, we’ll examine what drives their limitations, and the key missing ingredient that turns them into powerful assets.
In November 2018, Baylor St. Luke’s Medical Center in Houston made two medical errors, the second of which led to the death of a 75-year-old patient. After an investigation by the Houston Chronicle and ProPublica, the Centers for Medicare and Medicaid Services issued a report in early 2019 that outlined a pattern of blood labeling errors at the hospital. A ProPublica article on the report states:
Dr. Ashish Jha, an expert in hospital quality, reviewed the government’s findings and said it appeared St. Luke’s was struggling to meet basic care standards. The labeling mistakes, he said, seemed indicative of ‘a broader systemic problem.’… St. Luke’s appeared to miss warning signs in the months prior to the deadly mistake, according to the government report.
The “broader systemic problem” Dr. Jha mentions is, unfortunately, not unique to St. Luke’s. Many hospitals and healthcare systems face organization-wide, process-related issues, especially in a modern healthcare landscape that’s rife with change. Mergers, multiple technology platforms, and changing healthcare policies, to name just a few, contribute to widespread miscommunication and a lack of transparency. This, in turn, jeopardizes the overall quality of care within these organizations.
Hospitals can stem the scope of these issues by implementing a healthcare enterprise risk management (ERM) program. Healthcare ERM establishes a standardized framework for identifying risk across an organization, encourages cross-departmental collaboration, and shifts hospitals from a reactive clinical risk program to a proactive holistic risk management program. A straightforward process, along with the right technology that leverages healthcare analytics, can help to make this shift effective.
The Operation Varsity Blues scandal has heightened reputation management concerns across the higher education community. Seeing how quickly any college or university can suffer reputational damage, and how lasting that damage can be, underscores how valuable an institution’s reputation is, and how critical it is to safeguard it.
The book Reputation management: The key to successful public relations and corporate communication by New York University professors John Doorley and Helio Fred Garcia opens with a quote from Warren Buffett, who addressed a group of Salomon Brothers managers in 1991 after the firm became mired in a high-profile trading scandal: “If you lose dollars for the firm by bad decisions, I will be very understanding. If you lose reputation for the firm, I will be ruthless.”
Although numerous surveys show that many leaders of higher education institutions place the same value on reputation as Buffett does, effectively managing these risks remains elusive. In fact, most cannot even define what reputation is.
Defining Reputational Risk
In the article How to Manage Reputation Risk, Nir Kossovsky addresses the definitional ambiguity directly. “From your boardroom and C-suite to the SEC and Office of the Comptroller of the Currency, everyone agrees reputation risk exists, yet few can describe it. However, this isn’t as difficult as it seems.” Kossovsky defines reputation as the expectation of behavior that is set by stakeholders. “Customers have expectations when they buy products or services, employees have them when they accept jobs, vendors have them when they partner, creditors and investors have them, and even regulators have them.” For colleges and universities, this extends to the communities that house them, the potential pool of students and parents considering attendance, research partners, and the other organizations that interact with them.
Complying with Bank Secrecy Act/Anti-Money Laundering (BSA/AML) regulations is a major challenge for financial institutions. Those found with deficient practices may receive a Matter Requiring Attention (MRA) notification. The Office of the Comptroller of the Currency (OCC) states, “MRAs communicate specific supervisory concerns identified during examinations in writing to boards and management teams of regulated institutions. MRAs must receive timely and effective corrective action by bank management and follow-up by OCC examiners.”
This combined requirement of timeliness and proof of effectiveness makes delivering an acceptable response particularly challenging. Unfortunately, MRAs are not uncommon. The article Get to Know the “5 Cs” — BSA Matters Requiring Attention notes, “Most banks receive some sort of finding or ‘Matter Requiring Attention’ (MRA) or ‘Matter Requiring Immediate Attention’ (MRIA) regarding their BSA Program during a BSA exam.” Given the likelihood of receiving an MRA, and the burden associated with the response, developing a robust process to handle them is essential.
This post will examine how the right Enterprise Risk Management (ERM) system is uniquely suited to not only help efficiently and effectively respond to the challenges associated with MRAs, but also (when properly configured) help minimize them.
To understand how this is possible, it is useful to “learn from the mistakes of others.”