Category: GRC/ERM

Three trends from the 2020 Origami Risk User Conference

Origami Risk users gathered in San Antonio from January 12-16 for our 2020 User Conference. The fifth such event hosted by Origami, this iteration of the conference was the largest to date, with more than 500 people representing organizations from across the risk and insurance industry in attendance.

Collaborative, hands-on learning opportunities led by members of the Origami service team ranged from “boot camps”—introductions to the system for newer users—to instruction on setting up dashboards and reports to more advanced topics such as system administration. Attendees also had the opportunity to meet with an Origami expert for one-on-one sessions for a closer look at specific features or areas of the system they wanted to know more about.

Client co-presenters led sessions covering a wide range of topics including GRC, underwriting, safety, audits, and claims administration, to name just a few. As in previous years, the delivery of actual use cases and the opportunity for those attending sessions to ask questions about the ways in which Origami Risk is being used to address “real world” challenges provided a unique opportunity for peer-to-peer learning.

Why the California Consumer Privacy Act (CCPA) may be the tip of the regulatory iceberg for compliance

On January 1, 2020, a new California regulation went into effect that may push many unsuspecting enterprises doing business in the state into costly noncompliance while also introducing reputational risk and threatening their brands. The California Consumer Privacy Act (CCPA) grants new consumer rights related to data storage, use, and protection. Companies failing to comply with these rules can be fined up to $7,500 for each violation. Despite the potential impacts, a recent survey by the IT security firm ESET shows how ill-prepared most enterprises are regarding this new compliance obligation:

  • Nearly half of all respondents had never heard of CCPA
  • More than 8 in 10 respondents did not know if the law even applied to their business
  • A third of executives were unsure if their organizations needed to change how consumer data was stored/processed
  • Nearly 1 in 4 respondents “didn’t care” about becoming compliant
  • More than half had not performed a risk assessment on cybersecurity within the past year

Given the stakes involved, this broad lack of urgency is concerning but not all that surprising. A DataGrail survey indicated that despite investing thousands of hours and being given a two-year head start, only half of the companies reported achieving compliance with the General Data Protection Regulation (GDPR), a similar data privacy regulation in Europe. Additionally, 70% of enterprises admitted the systems they were currently using to comply would not scale. When the pace of regulatory change is accelerating so rapidly, most enterprises are being caught flat-footed.


The Importance of GRC as a Risk Initiative: Q&A with Mary Upshaw

Origami Risk has expanded its operations in the UK, Europe, and Middle East due to rapid growth in the region. Mary Upshaw, Head of Professional Service – EMEA at Origami, discusses the current risk landscape, expected trends, and the role technology plays in an effective GRC programme.

From the perspective of a client executive who is working very closely with UK and EMEA-based organisations, what are the most pressing issues risk managers face in regards to GRC?

There are a few that come to mind. The first is dealing with regulatory change. How do organisations stay on top of risk associated with regulatory compliance when the landscape is constantly changing, the jurisdictions that companies reside in are growing, and laws around privacy are growing?

The second is getting different groups and departments within an organisation to work together toward a shared GRC approach. For example, there might be an internal controls team that rolls up through the CFO; an enterprise risk management (ERM) team that works for the CRO; a business continuity management (BCM) unit that flows through a CTO; and a compliance group that reports to the general counsel’s office. Risk managers need to set a tone that conveys that all of these groups must work together in order to reap the benefits of GRC.


ERM Done Differently

Those in the risk management field have heard plenty about the benefits of establishing an enterprise risk management (ERM) program. In some cases, they’ve likely heard too much. Lost in debates about frameworks or which acronym to employ (ERM vs. IRM vs. GRC) is the answer to the question, “How do I actually establish an ERM program that produces tangible, measurable results?”

An ERM program doesn’t have to be overly complicated. (Really!) Neither does it have to be an academic exercise that takes you away from critical daily tasks. When ERM is done right, it’s tied directly to your organization’s central strategic goal and consists of clearly laid-out, doable steps.

You can launch a manageable and sustainable ERM program. You can get everyone on board with the process. You can find success without losing your mind.

You can do ERM differently.

Focus on execution

ERM isn’t a magical, all-knowing tool into which issues are input and solutions spit out. ERM is a considered process that forces you to ask the right questions—questions that lead to the right preventative measures. So when embarking on the creation of an ERM program, your focus should be on execution: What actions am I not taking today that I should be taking in order to get out in front of risks?

How to get leadership buy-in for ERM

Before organizations can begin implementing an enterprise risk management (ERM) program, they must get buy-in from leadership. But in order for leadership to feel comfortable buying into a program, they must have sufficient evidence that it will make a difference for the organization’s overall goals.

There’s a solution to this catch-22. By having the right conversations and showing results from smaller-scale initiatives, organizations can demonstrate the value of an ERM program to leadership—and do so without the same time, effort, and resources required for a full-scale ERM operation.

Start the old-fashioned way

The right technology can be instrumental in demonstrating ERM program successes. However, before using technology to prove the benefits of an ERM program, risk managers can begin influencing leadership through small, in-person conversations.

“One of the biggest buy-in methods for a successful strategy is talk,” writes Darius Delon, AVP of risk services for Mount Royal University, in the article Putting Strategy into Risk Management. “One person at a time, one hour at a time, one advocate at a time. People will not buy-in to ERM just because they read something you put in front of them or heard at a large forum. Talk to them, work with them, get small wins…”


Risk management technology’s role in keeping ERM on track

Enterprise risk management (ERM) programs require focused planning and commitment from a range of stakeholders within an organization. However, even organizations with the best intentions can see ERM efforts fall to the wayside as more pressing day-to-day issues take precedence.

In the article Leveraging Technology To Drive Sustainable ERM Initiatives, Origami Risk’s Josh Newsum discusses the powerful role of risk management technology in keeping ERM initiatives on track, as well as how organizations can achieve the best results, regardless of where they are in the process.

Read the article in Risk Management →

Hospital staff burnout, part 2: How healthcare ERM can prevent burnout

As the hospital burnout crisis continues to make headlines, healthcare organizations are in need not only of solutions that address the consequences of burnout, but also strategies for preventing burnout in the first place. As discussed in part 1 of this series, the right healthcare risk management technology can play a role in efforts to ensure physicians are more fully engaged. Physicians who feel connected to the core purpose of their work are less likely to burn out, and more likely to provide quality patient care.

Another approach to addressing clinician burnout is the establishment of an organization-wide plan to monitor, analyze, and, ultimately, prevent the condition from occurring. Efforts to mitigate burnout will likely come from many directions within an organization, but to streamline the process and get everyone on the same page, a logical but perhaps unexpected place to start is with the hospital risk management team. Healthcare risk managers can play a crucial role in successfully preventing burnout by viewing burnout like the other risks they manage, developing a healthcare enterprise risk management (ERM) framework, and leveraging the technology they already work with on a daily basis.


Healthcare administration: The vital role of healthcare risk management

Those working in the healthcare industry are no strangers to constant change. A healthcare risk management program and the right technology can help to effectively monitor risk across specialties and improve patient safety. Origami Risk’s Bill Schwacke spoke to Future of Personal Health about the intersection of risk management and the healthcare industry.

Risk management software is used in various industries. How is it applied to healthcare?
Risk management software is at the center of a healthcare organization’s approach to risk, safety, claims, and insurance. The software can define the provider’s approach to risk by linking, organizing, and distributing data from independent, critical functions to provide an organizational view of risk.

Can you elaborate on the correlation between patient safety and risk management software?
Patient safety and risk management software are often linked due to the nature of the data involved. While they often work independently, there are insights that can be discovered when linked together. These insights can improve quality of care and reduce claims/insurance costs for the organization.

Read the full article in Future of Personal Health.

ERM – Moving beyond enterprise risk assessments and risk heat maps

Enterprise risk assessment and risk heat map in the risk management process

Risk assessments and heat maps remain central components in most enterprise risk management (ERM) programs. Yet there is considerable debate about their effectiveness and both tools have no shortage of critics. In 2011 Howard Sklar, a Forbes contributor, outlined one of the most popular criticisms regarding companies that viewed risk assessments as a document instead of a risk management process. He noted, “Companies that fail in this way are often trying to check the risk-assessment box on their program. That’s fine, as far as it goes. At first glance, a risk assessment seems like a low-ROI effort. You put in time and potentially money, and you get back a piece of paper laying out what you already know.”

Similarly, others deride heat maps as nothing more than “colorful guesses.” Brian Priezkalns, in the not-too-subtly titled article, Why I hate Heat Maps, says “Heat maps are just a terrible terrible terrible way to understand, communicate about, and decide how to respond to risks. They either mess up what you already knew, or they hide the fact you are too ignorant to make a rational decision. Everything that can be done with heat maps would be done better with actual numbers.”

If the risk assessment and risk heat map have such fierce critics, then why are they still central to most ERM programs? In this article, we’ll examine what drives the limitations, and the key missing ingredient that turns them into powerful assets.

GRC: Where to start? Productive healthcare ERM tools

Coordinated care in hospitals starts with the right GRC tools and ERM framework.

In November 2018, Baylor St. Luke’s Medical Center in Houston made two medical errors, the second of which led to the death of a 75-year-old patient. After an investigation by the Houston Chronicle and ProPublica, the Centers for Medicare and Medicaid Services issued a report in early 2019 that outlined a pattern of blood labeling errors at the hospital. A ProPublica article on the report states:

Dr. Ashish Jha, an expert in hospital quality, reviewed the government’s findings and said it appeared St. Luke’s was struggling to meet basic care standards. The labeling mistakes, he said, seemed indicative of ‘a broader systemic problem.’… St. Luke’s appeared to miss warning signs in the months prior to the deadly mistake, according to the government report.

The “broader systemic problem” Dr. Jha mentions is, unfortunately, not unique to St. Luke’s. Many hospitals and healthcare systems face organization-wide, process-related issues, especially in a modern healthcare landscape that’s rife with change. Mergers, multiple technology platforms, and changing healthcare policies, to name just a few, contribute to widespread miscommunication and a lack of transparency. This, in turn, jeopardizes the overall quality of care within these organizations.

Hospitals can stem the scope of these issues by implementing a healthcare enterprise risk management (ERM) program. Healthcare ERM establishes a standardized framework for identifying risk across an organization, encourages cross-departmental collaboration, and shifts hospitals from a reactive clinical risk program to a proactive holistic risk management program. A straightforward process, along with the right technology that leverages healthcare analytics, can help to make this shift effective.
