Tag Archive: risk management

Understanding How Risk Management Can Improve Organizational Performance

One of the biggest challenges in risk management is risk identification. Humans are naturally optimistic; therefore, we do not like to recognize or discuss risks. We need to incorporate processes such as scenario planning and the pre-mortem technique into our forecasting practices. These techniques help us overcome our aversion to recognizing and discussing risks. Only after we have identified risks can we implement tactics to reduce their probability.

Merit is frequently asked to help businesses, federal agencies and membership organizations reduce or mitigate risk – regardless of their size and business type. Often their project teams collaborate and discuss methods for improving their risk status, but those methods have proven to be flawed. The most common flaw that sets them back is the goal of having all risk plans drive risk probability and impact to zero, in which case it would not be a risk.

Standard risk responses include Avoidance, Mitigation, Transference, and Acceptance (passive/active). At Merit, we developed a reporting process that would show that the risk factors were decreasing as the project progressed. Supplemented with suitable risk responses, the true reduction of risk probability occurs over time.

The added value that we incorporated into the risk management process was two-fold. First, because of the desire to drive the risk as low as possible, multiple risk responses could be used. The second process improvement would be not only to subsequently reassess the risk, but also to re-evaluate the risk probability and impact matrix after the implementation of the risk response over time.

The Probability and Impact Matrix is one of the tools that we recommend in a risk management strategy. It is superimposed with risks that are labeled or numbered as in the above example. “Red” area risks were uniquely documented on a trending month-to-month basis so that they could be seen “driving” toward zero.

The implementation of a risk response would then “reclassify” the risk event for the next reporting period. However, the biggest impact on reducing risk is time. Time matters because we are progressively refining our process as our project develops, and because the physical window (amount of time available) for a risk event is reduced.

We invite you to learn about our modified process template so you too can incorporate it into your project plans. For more information, to learn other advanced risk monitoring, reporting, and controlling techniques or to schedule a risk management training customized for your team, contact Jim Wynne at jwynne@meritcd.com or by calling (610) 225-0449.

Permanent link to this article: http://meritcd.com/blogs/understanding-how-risk-management-can-improve-organizational-performance/

What Can Go Wrong: Managing Project Risk

Project managers can set themselves up for failure by not properly planning for risk. Overly optimistic proposals run over budget, past deadlines and through resources if there isn’t a comprehensive plan for mitigating and responding to expected risk.

John Juzbasich, D.Ed., a risk management expert who has taught courses both in the U.S. and internationally, says that too many project managers underestimate risk because they don’t think about what can go wrong at each step. They don’t recognize the variety, number or prevalence of risk.

For example, Juzbasich recalls an exceptional project leader in one of his courses. This woman, who had an M.D. and Ph.D., worked in the pharmaceutical industry and was in charge of a project with 50 steps. Juzbasich told her that even if she was 99 percent effective at completing the earliest steps, she would have an increasingly higher risk of failure with each ensuing one. With so many balls in the air and so many more potential risks, her effectiveness would decrease. In fact, after completing all 50 steps, her effectiveness had dropped to about 60 percent.

Why risk management training is important

To be successful in the face of numerous unknown and unpredictable risks, project leaders need to plan for emergencies and unexpected disruptions within their budgets and timelines. Juzbasich explains that there are a variety of techniques and methods that project leaders can use for risk management.

For example, the fishbone—or Ishikawa—diagram helps determine risk by analyzing a problem and pinpointing possible causes. Breaking each possible problem down to its most preventable and actionable sources, the diagram can be used for dealing with current challenges or discovering potential causes of a feared issue.

Juzbasich also uses scenario planning, the Socratic method and seven other techniques for teaching risk management. Although these techniques are familiar to most project leaders, Juzbasich finds that few people actually employ them or fully understand how they can be beneficial. So he only spends part of the first day of his course explaining the techniques. The rest of the time is used for putting these techniques into practice.

Real world applications

The purpose of Juzbasich’s course isn’t to learn the techniques—it’s to practice them for future real world use on actual projects. Risk management techniques are useless if project leaders aren’t able to take them to their team or upper management and present a solution.

Juzbasich points to an example from one of his courses: The class broke into small groups and each worked on one class attendee’s actual project issue. From there, the entire class tackled this issue and employed Juzbasich’s techniques to find solutions. That group member then took the information to her upper management. Her superiors adopted the solution, saving the large project and benefiting her company.

“What we had done during class, and as a team, worked on her situation. She was then immediately able to apply it to a work environment,” Juzbasich explains. “It isn’t theoretical at all. It’s truly hands-on learning. It benefited the overall company as well as her team because of the work we did that day. It was cool to make a difference in one day. That told me we were doing something right.”


© 2014 Merit Career Development. All rights reserved. For more information, please contact Jim Wynne at jwynne@MeritCD.com.

Permanent link to this article: http://meritcd.com/blogs/what-can-go-wrong-managing-project-risk/

$4.8 Million, Highest Fines Issued by HHS to Date

May 2014

The Department of Health and Human Services (HHS) entered into settlements totaling $4.8 million with New York-Presbyterian Hospital (NYP) and Columbia University Medical Center (CU) for failing to implement appropriate administrative and technical safeguards to secure the ePHI of approximately 6,800 patients[i]. This is HHS’ highest financial sanction issued to date as a part of breach settlement agreements, confirming its commitment to enforce HIPAA compliance.

Breach Report, Investigation and Findings

NYP and CU received a complaint from an individual who found confidential health information (ePHI) including status, vital signs, medications, and laboratory results of a deceased relative, a former NYP patient, on the Internet. The HIPAA regulations require such ePHI be maintained in secure systems and kept confidential. In accordance with HIPAA requirements, they submitted a joint report of the complaint to HHS dated September 27, 2010 resulting in an investigation by HHS’ Office of Civil Rights (OCR).

OCR’s investigation found that NYP and CU have a joint healthcare services arrangement wherein CU faculty members work as attending physicians at NYP. To support the services, NYP and CU operate a shared data network including firewalls administered by employees of both entities with shared links to NYP patient information systems.

OCR identified the breach to have occurred when a CU physician employed to develop applications for both entities attempted to de-activate a networked server containing NYP patient ePHI. Due to a lack of technical safeguards in place on the network, the de-activation attempt resulted in NYP ePHI becoming accessible to internet search engines.

OCR found that neither NYP nor CU could demonstrate that its servers were secure or contained software protections prior to the breach. OCR found an additional lack of administrative safeguards, specifically that neither entity had conducted a risk analysis to identify all systems with access to NYP’s ePHI or had a risk management plan in place to address potential hazards or threats to the security of its ePHI.

Finally, OCR found that NYP failed to implement its own technical safeguards including procedures for authorizing access to its databases and information access management processes. In addition to the financial sanctions, NYP and CU agreed to a corrective action plan requiring implementation of the administrative and technical safeguards and to monitor compliance with regular reports back to HHS.

Increased HHS Enforcement of HIPAA Compliance

This action gives notice to Covered Entities and Business Associates that HHS has heightened its enforcement efforts since the enactment of HITECH and the HIPAA Omnibus Rule.

It is imperative that a healthcare organization ensure that its workforce understands the privacy and security regulations, not just completes rote training programs, and recognizes the impact that non-compliance—from even one employee—can have on an organization.

The mandated HIPAA safeguards must be in place to identify risks and threats to ePHI and patient information systems, including insider threats from its own workforce. The safeguards must be regularly monitored through risk analysis as a part of a comprehensive risk management program.

Click here to learn how to mitigate these risks with an organization-wide risk analysis.


[i] See http://www.hhs.gov/news/press/2014pres/05/20140507b.html



Permanent link to this article: http://meritcd.com/blogs/4-8-million-highest-fines-issued-by-hhs-to-date/

Risk Management in the Biotech and Pharmaceutical Industries

Risk management in the pharmaceutical industry

The biotech and pharmaceutical industries are no strangers to risk – organizing clinical trials for medications that may never reach the open market due to inefficiency can place a significant financial burden on companies. When it comes to managing these risks, identifying procedures can be essential to avoiding or minimizing their financial impact.

The Economist Intelligence Unit conducted a survey of senior management executives in the pharmaceuticals and life sciences industry regarding risk in their respective companies. The 65 responses were combined with those of an earlier survey of 353 executives in a wider range of other industries. It mainly focused on North America, with 65 percent of respondents hailing from the region, but also included international areas such as Europe, Asia-Pacific, Africa and Latin America.

Management is C-level

According to its findings, the EIU reported that the ultimate responsibility of risk management was falling on CEOs, CFOs, CROs and general counsel. The survey found that the senior executives could be doing a better job of defining the company’s interest in risk, ensuring that information gets to the appropriate people for assessment.

Most time spent on compliance

Following controls and monitoring, compliance takes up most of their time with risk management. However, this leaves managers and executives with less freedom to watch for emerging threats that could create financial hardships. As a result, companies are failing to spread risk awareness throughout their organizations.

Mismatch between barriers, risk processes

The results showed that two-thirds of respondents had no intention of recruiting a chief risk officer, with less than one-third saying their organization has one on staff already. While breaking down the risk management silo may have been beneficial, the lack of awareness diminishes an organization’s ability to understand new risks.

The benefit of third-party training

According to the U.S. Food and Drug Administration, quality systems are becoming integral to the pharmaceutical industry. In turn, risk management is a valuable component of an effective quality system.

The biotech and pharmaceutical industries can greatly benefit from outsourcing their risk management training to third-party experts. Merit Career Development offers courses specific to project risk management for the biotechnology and pharmaceutical industries. For more information, click here.

The EIU study underscores the advantages that extra training can bring to risk management in the pharmaceutical industry. With a healthy roster of subject matter experts, Merit can help executives not only manage current threats but also look ahead to potential emerging risks.

 


Permanent link to this article: http://meritcd.com/blogs/risk-management-in-the-pharmaceutical-industry/