Enterprise Risk Reporting: The Healthcare CISO’s Achilles Heel
Published On July 23, 2020
Blog Post by Maliha Charania, ITRM Manager at Meditology Services
Information security leaders and risk management teams for healthcare entities have struggled to update their reporting models to keep pace with the increasing variety and complexity of risks facing the modern healthcare ecosystem. The inability to effectively communicate meaningful security metrics that drive informed risk decisions from the business has become the Achilles heel for many healthcare CISOs.
Security and compliance leaders often struggle to answer fundamental enterprise risk questions from the business such as:
- What are our highest priority risks?
- What budget should be allocated for security and compliance?
- Should the business fund this project or that project?
- How much will we reduce risk if we take this or that action?
- How do we know that our prior investments have reduced our risk?
Inconsistent and overly technical security metrics have resulted in security leaders resorting to anecdotal and artful storytelling instead of relying on objective risk measures that are meaningful and actionable for the business.
Security and risk metrics presented to leadership often lack alignment with a strategic risk management vision. Risk metrics require appropriate business context to effectively advise the organization on enterprise risk and empower leadership to make informed decisions on investments and mitigation of identified risks.
Risk management leaders must also strike the right balance of reporting the right metrics to the right audiences at the right time. For example, presenting technical and operational measures to executive audiences can potentially confuse and alienate a strategic-minded audience and undermine the team’s ability to secure support and investment in the security and risk management functions.
Target Outcomes for Enterprise Security Risk Reporting
- Support Executive Messaging – Provide meaningful and actionable information via dashboards, reporting, or other means for risk owners.
- Achieve Stakeholder Buy-In – Demonstrate and validate risk concepts and modeling to facilitate a shared vision. Operationalize risk reporting processes to enable stakeholders to assist with objective decision making.
- Provide Visibility – Deliver accurate information to enable proactive risk assessment and management. Support the analysis and consumption of ad hoc or recurring reports.
- Enable Ownership – Facilitate the education of personnel responsible for the implementation of risk reporting functions.
- Mature Reporting Mechanisms – Support the design, testing, and deployment of new risk reporting models.
- Evolve Risk Reporting Practices – Monitor and evolve metrics, KRIs, KPIs and enhance reporting via automation and process improvements.
Designing Effective Risk Metrics & Reporting Structures
The following principles and considerations are recommended for the design of strategic metrics and reporting models for healthcare entities:
- Start with the outcome in mind; design and build strategic metrics that answer critical questions for the business vs presenting risk data that is readily available or easily produced
- Align with industry standard risk reporting and security controls models including FAIR, ISO, NIST, COBIT, CVSS, and HITRUST
- Establish current state and future state maturity targets and KRIs for each risk area
- Establish clear links between executive, strategic, and operational reporting levels
- Communicate risk information in terms that the business can understand
- Collect and report risk information in a way that is operationally feasible and appropriate for the organization
- Provide the processes, tools, templates, and dashboards that present a visual picture of risk
- Gather and organize data that provides a clear picture of risk tailored to target stakeholder groups
- Provide a structure that allows stakeholders to make risk mitigation decisions based on timely information
- Promote stakeholder accountability through reporting, ongoing monitoring, and validation of results
- Identify the target strategic outcomes the business is trying to achieve, adjust year over year to align with maturing targets for key risk areas, then drive metrics and KRIs that would be best to move those specific initiatives forward aligned with the roadmap/vision
- Leverage Business Intelligence (BI) reporting capabilities and automation to capture and report metrics in a consistent, repeatable, and scalable manner
- Report on technical, management, and operational controls to maintain alignment with business objectives and regulatory compliance requirements including HIPAA, HITECH, and other regulations and standards
Meditology’s Enterprise Risk Management Reporting services for healthcare entities leverages leading practices from premier healthcare organizations to enhance visibility, informed decision making, and accountability for managing enterprise risk.
If delivering consistent and high-quality risk information to leadership is as challenging for you as it is for most of your peers, then reach out our team of experts here at Meditology and we can help you quickly stand up a mature risk reporting program.