In this episode, we are joined by Amanda Cohen, Director of Product at Resolver to discuss how hospital finance teams can leverage sophisticated solutions to transform risk management from a burden into a powerful strategic intelligence asset.
Highlights of this episode include:
- How governance, risk, and compliance software can help hospital finance teams
- Enterprise risk management
- How to leverage real-time data insights
- How to proactively manage third-party risk exposure
- Machine learning
- Implementing a risk management program
Mike Passanante: Hi, this is Mike Passanante and welcome back to the award-winning Hospital Finance podcast. Constant cyberthreats. Convoluted regulations. The modern healthcare landscape is an ever-evolving minefield of risk, and those employing traditional GRC techniques are struggling to keep up, let alone get ahead. But there’s good news. New AI-driven tools are giving the power to proactively identify, analyze, and address these novel risks in ways that were unthinkable even a few years ago. Today I’m joined by Amanda Cohen, Director of Product at Resolver, a worldwide leader in risk and security management software, to discuss how hospital finance teams can leverage these sophisticated solutions to transform risk management from a burden into a powerful strategic intelligence asset. Amanda, welcome to the show.
Amanda Cohen: Hi, Michael. Thanks so much for having me.
Mike: And, Amanda, as we were discussing right before we started to record, compliance is everywhere; it’s spread through everything that we do in healthcare. And I’m curious, from your perspective, how can governance, risk, and compliance software help hospital finance teams, specifically?
Amanda: Yeah. Great question. So governance, risk, and compliance software– we often call it GRC software. It helps hospitals get a better understanding of their risk exposure across the organization. A GRC tool is going to help with a couple different things and help a few different teams. So it can help you manage your compliance, manage your risk, support internal audit, third-party vendor assessment, business continuity– the list goes on. But, ultimately, the tools are there to help organizations understand where their greatest risk exposures lie, and then determine whether they have the proper controls in place to ensure that the business is operating effectively and adhering to the policies and procedures that you have in place, most importantly, giving the organization a view into risk as a whole, and then helping drive better decision-making, a culture of risk and compliance, and then helping the organization achieve its strategic objectives. So we can break that down a little bit, because every employee deals with some facet of risk and compliance, whether it’s during your onboarding and your training, whether it’s getting your password on your laptop, or protecting patient privacy. Risk and compliance feeds into the daily lives of everyone, whether you’re thinking about it actively or not. So compliance really does feed across the entire organization. And compliance professionals have a pretty diverse range of responsibilities, depending on who they are and what their objectives are. There are tactical elements of compliance, so whether you’re submitting a claim– are you capturing the right information? Are you billing appropriately?– all the way to that patient privacy example to make sure that we’re really protecting all of our patients.
What a risk and compliance software does is really elevate that, and says, “Do we have clear visibility that the things that we have in place across the organization are operating the way they’re designed to?” You might have a system that helps automate some of these facets, but is that working the way that it’s intended? Are people adhering to the process? And then rolling up that level of oversight so you can find those areas of concern across your business.
Mike: Excellent. So how does traditional risk management vary from enterprise risk management, and what are some of the advantages of embedding an enterprise risk management function into the business?
Amanda: Yeah. So, historically, when people have thought about risk, they often think about insurance, “Do we have insurance policies that protect us against potential exposure?” They’ve also tended to be pretty reactive. And so maybe an incident has occurred and now that that gate’s been let open, “What are the things that we need to do?” and are retroactively trying to apply changes and make sure that that doesn’t happen again. There’s also been a lot of disconnect between teams. The compliance team might not share information with audit, or they might not share information with risk. But all of those teams really need to work collaboratively to make sure that you have the right insights. If everyone’s working from their own isolated Excel document, it’s hard to understand or gain insight from that information. So back to the fact that risk is a part of everybody’s life, whether you’re crossing the street, you’re buying a new piece of equipment, you’re considering an acquisition, you need to think about risk holistically. So in a modern enterprise risk function, you’re really proactively thinking about risk and attempting to predict events before they actually occur. Like I mentioned earlier, one of those really critical pieces is integration. So are teams able to share data? Are they working on consistent methodology? Is high risk really high risk across the entire organization, or are we working off of different scales? Recently we actually did a risk assessment, and we uncovered that some of our key vendors– we weren’t quite protected enough against. And so we were able to quickly identify that, and then take action to make sure that our contracts were amended. We implemented some new process there, and now we feel much more comfortable with our third-party risk, as a result of thinking about our key objectives that we have as an organization, and then what types of risk could disrupt us from achieving those.
Mike: And how can teams leverage real-time data insights to help inform their risk program?
Amanda: Yeah. So there’s a couple of different ways that you can do this. Some of the most common ways are pulling in incident data. So incidents are happening constantly throughout hospitals, healthcare, but that gives you a really good insight into whether your risks are materializing, and maybe the controls you have in place are not adequately protecting you against that. So if you’re feeding your incident data into your risk management system, you’re going to be able to understand whether the risk that you have documented on the page is accurately reflective of how it’s being recognized within the organization. There are also lots of key metrics that you could pull into your system; we call those key risk indicators. And ultimately what that’s going to do is– maybe you’re having an influx of privacy incidents or complaints, or your vendors are not adhering to their SLA. So let’s feed that information in. And again, that’s going to give you a better picture of how your risk program is operating. Are the risks and the controls you have in place really accurate? One of the major downfalls, I think, and really some of the criticism against some of these GRC teams in the past, is that the data that they’re presenting is often out of date by the time it makes its way into the presentation or into the board deck, because people are doing risk assessments maybe once a year or once a quarter. But if you have the flexibility to consistently engage with the business and collect that information, then you’re really much more able to address the risk at hand. So COVID’s a key example. If you were working in that traditional risk management process, you might have done your assessment of pandemics in December. Okay. So maybe that’s sitting somewhere around a moderate risk. We didn’t really know what kind of impact that could’ve had two years ago, but come February, March, the world is a completely different place.
And so if you’re only looking at risk very infrequently, you’re not going to have an understanding of how risk is accelerating within your business, and making sure that you’ve got the right things in place to address it.
Mike: Amanda, my next question is near and dear to my heart, because at BESLER we work with hundreds of hospitals across the United States as a business associate. And so we’re constantly in a mode where we’re having to prove our security and ensure that hospitals feel confident that they can work with us as a partner. And so when you think about– on the provider side, how can those teams proactively manage their third-party risk exposure?
Amanda: Yeah. That’s a great question. So your third-party risk exposure is just another facet of your overall risk exposure as a business. Your vendors are ultimately an extension of your organization, so their risks are your risks; their vulnerabilities are your vulnerabilities. So there’s the traditional method of, “Do they have the right information security pieces in place? Are they ISO certified? Are they adhering to all the HIPAA requirements?” There’s the traditional way of looking at them and saying, from an infosec perspective, “Are we covered? Are we confident that they’re not going to get breached?” But it also extends beyond that. Are they a reliable software vendor or vendor as a whole? Do they have the financial viability to support you for their entire engagement? Are all your vendors concentrated in one single area, and what happens if that supply chain is disrupted? What’s the backup plan? So you need to stop thinking about third party as something that’s off the side of your desk, or maybe it just sits within the information security group. But how does that fit into your risk landscape as a whole, and then making sure that you’ve got the programs in place to do your due diligence against your third parties, and make sure that you’ve got the coverage you need or the backups and the other alternatives there in place to protect you, should something go awry.
Mike: So let’s turn to technology, because we brought that up in the introduction. And, as we mentioned, there’s a wide variety of new approaches being employed. So how is machine learning being adopted into risk and compliance technology today?
Amanda: Yeah. Great question. So machine learning is sprinkled into literature across all GRC technology, but– I guess, not just in GRC technology– technology as a whole. Everyone seems to be doing something with machine learning. But the way that we’re thinking about machine learning at Resolver is in two facets. So one is with incident management. Healthcare providers experience countless incidents every year, every day, every month. And so what we’re trying to do is help organizations triage those in a more effective way, whether they came in from a consumer, a complaint– whether they’re a breach– whether it’s a whistleblowing incident– whatever it may be, we want to help organizations take action on that factor. So by pulling out a key understanding of what the incident actually was, we can help drive prioritization of those incidents, and make sure that the right people are being notified appropriately, and making sure that investigations are happening and that things are closing off as they need to, but really making sure that that incident is seamlessly working its way through the process so that we can get a resolution and feed that information back into our risk system. The other way we’re looking at it is from a regulatory compliance perspective. So we’ve partnered with another organization called [inaudible]. And where they’re really valuable is they help parse down regulatory obligations and feed that directly into our compliance offering. What’s great is that rather than pulling in the entire landscape of what you might have to adhere to, which as anyone who’s looked through compliance obligation is pretty vast– what they do is they distill that information down exclusively to what the organization has to adhere to, and then they track changes to make sure that you always have a pulse on the most recent regulatory information, and that you can have the confidence that your program is always up to date.
Mike: Okay. And what are some tips that you have for successfully implementing a risk management program at a provider organization?
Amanda: So the way I would think about it is don’t boil the ocean. There’s a lot that you can do, and I’m sure there’s a lot that you aspire to do. But get an understanding of where you stand today, where you need immediate improvement, and where you hope to immediately see value, and then where you want to be in two years, five years, and then find a tool that’ll help you grow with that. You’re also going to want to get some alignment between teams. So maybe you’re just kicking off with a compliance program, or maybe just with risk. So find the other cross-functional teams that you’re going to work with, and get an understanding of what their goals and objectives are. Because that way, when you look to grow, you can all start working off the same tool, you can share insights, and you can ultimately reduce the burden for everyone. So think long-term a little bit while you’re getting prepared, to make sure that you’re not implementing just a point solution that’s going to meet your immediate needs, but you’re eventually going to need to go and re-implement in a year-and-a-half or two years, as you start to think about things more holistically.
Mike: Great advice, Amanda. If someone wanted to find out more about you or Resolver, where can they go?
Amanda: So to reach me– you can find me on LinkedIn at Amanda Cohen; there’s a lot of us. And then, alternatively, you can find us at resolver.com, R-E-S-O-L-V-E-R.com, and there’s a lot of information for you there, should you want to learn a little bit more.
Mike: Excellent. Amanda Cohen, thanks for joining us today on the Hospital Finance podcast.
Amanda: Thanks for having me.