In September, Cancer Care Group, an Indiana radiation oncology practice, settled with the US Department of Health and Human Services for $750,000 over alleged violations of the Health Insurance Portability and Accountability Act (HIPAA).
The problem began when a laptop was stolen from a Cancer Care employee’s car. The laptop contained unencrypted information on the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information for about 55,000 patients. After investigating the breach, DHHS concluded that Cancer Care’s failure to adopt an enterprise-wide risk analysis of what could happen to this information led directly to the problem.
At Palisade, we see companies in many sectors adopting enterprise risk management (ERM) for different reasons. For construction and engineering firms, ERM is necessary for keeping a comprehensive view on risks that affect schedules, costs, and resources. For manufacturing firms, ERM keeps tabs on material costs, exchange rates, and demand fluctuations. In healthcare, HIPAA compliance is one prime example of where ERM can help.
A key component of ERM, which DHSS expounded upon, is the establishment of processes and procedures to mitigate risks. Another key element is the notation and ‘storage’ of risks of all kinds in a register of some kind. Many software platforms exist to serve these more qualitative ERM needs.
However, it’s important to take ERM one step further to fully ensure you’re doing all that is necessary to protect yourself. Quantitative, probabilistic analytics are just as important as naming possible risks. What is the probability a risk will occur? How frequently has it occurred in the past? What’s the likely impact if it does happen? What is the range of damage it could inflict? These kinds of questions are crucial for developing a truly effective ERM plan that prioritizes mitigation efforts according to actual threat.
At Palisade we’ve seen @RISK and the DecisionTools Suite used to address these quantitative aspect. Based in Excel, these tools are easy to connect to other ERM software platforms, as many clients have done using Palisade’s Custom Solutions services. For example, Calgary-based Revay and Associates consultancy helps clients build out robust, probabilistic ERM solutions. Furthermore, global energy consultants DNV use @RISK at the core of their EMR practice. Even toy giant LEGO relies on @RISK for their corporate-level risk strategy.