Monday, June 18, 2012

Assessing Risk

As part of the Summer of Compliance, we completed our first prioritization meeting.

We reviewed more than 50 risks in deal and devised a process to prioritize them.

After much discussion, we decided to assign 3 workgroups the task of intensively reviewing the risks as follows

Teams

There were fifty-five items in the list.   We clustered them into eight categories.

        1 - Access management (7 items)
        2 - Policy and other (7 items)
        3 - Content management (9 items)
        4 - Monitoring and containment (9 items)
        5 - Desktop (8 items)
        6 - Mobile computing (4 items)
        7 - Data network (6 items)
        8 - Facilities (5 items)

Those related to Facilities are part of our multi-year disaster recovery project.  They involve mechanical, electrical and environmental monitoring.    Although disaster recovery is a component of HIPAA's security rule, we'll decided to exclude these from our scoring activity.  The projects already underway and are largely managed by dedicated IS teams.

To collapse the rest into the three groups, we clustered our risks into categories and teams as follows:

        Team 1 - Access management and policy/other  (14 items)
        Team 2 - Content management and monitoring/containment (18 items)
        Team 3 - Desktop, mobile computing and data network (18 items)

We assigned 5 members to each team including appropriate representatives from IS and compliance.  We also designated team leader.

Deliverables

We created a scoring spreadsheet and gave each team the following instructions

"For items 1 to 5, please use a 1 to 5 Likert scale for your ratings.  As you can see, the lower the rating the less work, less impact, and less risk.   Vice versa for higher ratings.

        1.  Rate the workforce impact or "disruption factor".   Rate from 1 to 5; minimal to significant.   Do this for both the initial (first 6 months) and on-going impact.

        2.  Probability the vulnerability we are trying to protect against will occur.   Rate from 1 to 5; unlikely to very likely.

        3.  Impact if the vulnerability does manifest itself.   Rate from 1 to 5; minimal to significant.

        4.  Overall Compliance effort required.  Rate from 1 to 5; minimal to significant.
     
        5.  Overall Information Systems effort required.   Rate from 1 to 5; minimal to significant.

        6.  One-time capital estimate.   Consider application software, professional services, training, hardware, data base software, and other items   normally charged to one-time capital for projects such as these.

        7.  One-time internal labor.   Estimate in FTE's.   For example, a project requiring 520 hours of internal labor would be (520/2080) or .25 FTE.         Consider the full range of activities normally undertaken to bring a system into production.

        8.  Recurring internal labor.   Post-go live support also expressed in FTE.

        9.  Recurring maintenance and purchased services.    Annual cost.

        10.  Recurring - other.   Any remaining recurring support cost not included above.   Annual cost.

        11.  Overall priority - 1 to 14 for Team 1 and 1 to 18 for Teams 2 and 3.

In addition to filling in the spreadsheet, please document whatever other factors you considered or would recommend with regard to the risk item.   For example, you may suggest that an item be broken up into two or more projects to address the most important elements (80/20 rule) and keep parse the costs."

Deadlines

We asked the team leaders to submit their completed spreadsheets by June 22 so that everyone has a chance to review their work before our next planning meeting on June 27.

On June 26th, the team leaders will meet with me to consolidate all their recommendations into a single list.

On Wednesday, June 27th from 2-4pm, we will meet with all the stakeholders to present a summarization of Team deliverables, complete a consolidated ranking of all risk items, set a tentative timeline for each item by fiscal year, and identify a sponsor or lead for each item.

The end result will be a multidisciplinary compliance priority list and work plan for the next two years.

I'll let know if this formal process works to bring order to a large body of work.  At the point, I'm optimistic

Related Posts:

  • Standards for Social HistoryAs we all think about the increasing needs of telemedicine and home care to support healthcare reform efforts, I was asked about integrating home monitoring devices into EHR social history data.To my knowledge, standards for … Read More
  • The December HIT Standards Committee MeetingWe began the meeting by relating our standards trajectory to today's agenda.Our outstanding standards issues for discussion include1. ContentContinued discussion of GreenCDA on the wire and overview of Stan Huff's CIMI initia… Read More
  • Cool Technology of the WeekIn late November, I switched from a Blackberry to an iPhone 4S.  Every day I experiment with  iPhone technologies that can empower healthcare workflow, enhance security, and improve productivity.  Along the way… Read More
  • Square Foot GardeningOver the past year, readers of my blog may have noticed my increased effort to eat locally by growing my own food in my home and community garden space.    As I plan the 2012 season, I'm making a list of the fruits … Read More
  • Sending the Questions to the DataAs hospitals and practices form accountable care organizations, they will accelerate their efforts to build healthcare information exchanges and novel analytics that support community-wide lifetime care rather than siloed epi… Read More

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)
Powered by Blogger.

Popular Posts

Blog Archive

Copyright © 2025 themakingofanursemidwife | Powered by Blogger
Design and developed by Bhavya Soft :
Blogger Templates