Growth. Most organizations strive for it, but when it happens too quickly, unforeseen issues can arise that translate into a higher level of security related risk than the organization might be comfortable with. While most organizations constantly strive for growth and expansion, they need to recognize that with growth come growing pains and a litany of security related issues that may or may not have been factored into the plans of the organization as it continues to deal with day to day business as well as any new problems that a new acquisition might bring.

The best solution is to be proactive and attempt to identify and mitigate such issues before they become critical and become a risk to the organization and its brand. To prevent unforeseen problems that may negatively impact the organization during periods of growth or expansion, an organization should consider creating a unification program that includes incorporation of an enterprise risk management process to identify, avoid and mitigate security related issues.

Potential Security Issues with Rapid Growth

While the terms “expansion” and “growth” have little in the way of negative connotations on the surface, the reality is that there are a number of potential security issues that an organization must take into consideration when it begins to expand and increase its size and scope. Are the current security infrastructure and existing program sufficient to support the addition of more personnel and facilities? Are there proper security safeguards in place to ensure that should an event occur during the transition period that the primary enterprise and its brand will not be negatively affected? What is the potential outlook for this expansion as related to security, and will the organization need to expend resources at a higher level than was initially anticipated as part of a merger or acquisition to bring any new facilities up to organizational expectations and standards? These are just some of the issues that might arise during the expansion of an organization and that could possibly have dire consequences if not thought out and adequately planned for. This is why an enterprise risk management program for security is a wise investment, as it not only assists with current risks and issues for an organization, but it also helps to formalize the process for identifying and mitigating issues before they can occur.

What is Enterprise Risk Management?

Enterprise Risk Management, also referred to as ERM, is a process instituted by an organization’s administration or management that is applied across the organization in the setting of strategy designed to identify potential events that may affect the organization and manage risk within predetermined thresholds in order to provide reasonable assurance to stakeholders regarding the successful achievement of the organization’s objectives.

A security ERM program can encompass a number of specific objectives and strategies in identifying and reducing security related risks. This can include aligning the organizations’ risk thresholds and approaches based upon acceptable levels of risks (as defined by existing regulations, organizational principles and standards and industry best practices when assessing a site). Another technique is assessing and enhancing current states of readiness and threat response strategies in order to be more fluid and flexible should an event occur (this in turn will reduce the likelihood of unexpected losses and setbacks thanks to a well defined response program). Organizations should also seek to identify and manage cross-departmental risks as efficiently as possible while recognizing and taking advantage of opportunities to mitigate additional issues (since events seldom affect only one area or department or an organization). Such preventive steps make improving the use of capital funds and other finite resources much easier and by using a multidisciplinary process, a number of departments can review, assess and identify opportunities for improvement simultaneously, taking advantage of overlapping disciplines and a sharing of ideas that can all have an effect on the overall security posture of the facility. Human resources, IT and engineering departments all have an impact upon the security of the organization (be it from a policy, technology or physical plant perspective) and therefore should be included in any ERM processes when security is being reviewed. An economy of scale is one of the primary reasons that organizations merge, but the value added importance that a well defined security program brings can be tremendous.

Creation of a Unification Program

While there are a number of formats that can be considered for how an ERM based unification program should look for an organization, many of the differences between such programs are aesthetic in nature, and most have at their roots very similar structures as far as identifying and mitigating risks. Based upon the specific business and industry, most organizations can break their day to day processes and services into sections based upon regulatory and legal requirements into the following fundamental divisions: What must I do (required by law or regulatory agency in the form of fines and other consequences should the action not be taken properly), What should I do (the following of best practices and other advice that makes the best business sense) and What would I like to do (meaning, if given the resources, what is the ideal method for carrying out this particular task or function of the organization). By approaching an ERM process with this methodology in mind, an organization can create an assessment matrix with “Required”, “Recommended” and “Optional” security components as well as their level of impact and then evaluate the current state of business processes and states of readiness of an entity’s security program prior to becoming officially involved in a management relationship (potentially becoming obligated to then resolve any outstanding issues that might exist).

The benefits of creating and conducting such a pre-merger or pre-acquisition assessment process are numerous. The most obvious benefits are that the parent organization can get a good detailed look into not only the financial and physical state of the business they plan to integrate, but the organization also discovers any potential deficiencies that may require resources to resolve. You wouldn’t buy a house without an inspection for foundation damage or termites, so why should an organization enter into a management agreement without adequate knowledge of the potential issues that await them (and their shareholders)? Caveat Emptor (“let the buyer beware”) was good advice in ancient Rome, and this motto and its underlying philosophy has stood the test of time. A wide-ranging Enterprise Risk Management process should be an integral part of any organization’s unification, acquisition or expansion program.

Example of the Interconnectivity of Regulatory Agencies and Risk

Examples of some required regulatory risk issues that U.S. healthcare facilities must face on a routine basis come from a number of sources, but the most prevalent are the Occupational Safety and Health Administration (OSHA) The Joint Commission and the Centers for Medicare and Medicaid. Rather than look at the considerable number of standards, rules and requirements that each of these agencies places upon healthcare providers (the consequences of non-compliance being loss of accreditation, monetary fines, loss of federal reimbursement for Medicare and Medicaid and typically the eventual closing of the facility), we will focus on a very specific area, that of workplace violence, an issue which is intertwined amongst all of these regulatory bodies and must be considered when a risk assessment is being conducted for a healthcare organization.

In 1996 OSHA introduced Healthcare Guidelines for Preventing Workplace Violence for Healthcare and Social Service Workers (OSHA 3148). These guidelines provide five primary elements which any effective workplace violence program should require. While these are only guidelines, failure to follow them can and has resulted in healthcare organizations suffering penalties and fines assessed by OSHA per their general duty clause (Section 5(a)-1 of the 1970 OSH Act).

The five elements that OSHA 3148 recommends are management commitment and employee involvement, a detailed worksite analysis, hazard prevention and control processes, safety and health training and proper recordkeeping and program evaluation. Management commitment and employee involvement demonstrate organizational concern for employees’ emotional and physical well being, and an equal commitment to the safety of both employee and client.

Management should assign responsibilities regarding such programs to ensure that employees understand their role. They should allocate appropriate resources and maintain accountability for employees and work to establish a comprehensive program of medical and psychological counseling for those involved in or witness to, workplace violence. A detailed worksite analysis should include tracking and trending of workplace violence incidents and an analysis to determine methods of mitigation. Conducting screening surveys of staff to identify additional security measures should be considered, as well as an analysis of the physical work environment. This analysis should include physical security measures, administrative and work practice controls and any procedures that may minimize the risk of a workplace violence incident. Likewise, workplace violence prevention training is a crucial element of a successful overall security program in any industry. OSHA recommends that healthcare organizations craft workplace violence prevention policies and include training for staff on topics including risk factors, recognition of escalating behaviors and how to diffuse volatile situations. This training should be offered on an annual basis to all employees. Healthcare employers must also develop a standard response action plan for violent incidents that incorporates progressive behavior control methods, safe restraint techniques, locations and operation of duress or alarm devices, and procedures for obtaining counseling in the event of a violent episode or injury. Proper documentation and recordkeeping is critical to the success of such a training program, as is annual program evaluation.   

In June 2010 The Joint Commission (TJC) issued its Sentinel Event Alert #45, regarding workplace violence issues in the healthcare environment. This call to action was a result of several causal factors identified frequently over the last five years. These factors include growing numbers of family disputes inside hospitals, problems in policy and procedure development and implementation and a number of human resource-related factors, such as the increased need for staff education and competency regarding potentially violent behavior. Communication failures among staff, patients and visitors, physical environment deficiencies and inadequate security practices all contributed to the issuance of this Sentinel Event Alert. Existing Joint Commission Environment of Care Standards require healthcare facilities “to address and maintain a written plan describing how an institution provides for the security of patients, staff, and visitors.  Institutions are also required to conduct risk assessments to determine the potential for violence, provide strategies for preventing instances of violence, and establish a response plan that is enacted when an incident occurs.” Failure to do so results in a loss of The Joint Commission’s accreditation status, which results in the facility being out of compliance with the Centers for Medicare and Medicaid. The results of this are usually financially disastrous, since many hospitals in the U.S. are dependent upon federal reimbursements for non-insured persons to remain in operation. 

Therefore, if a hospital fails to meet the expectations of OSHA in regards to their guidelines, they can be cited for violating the “general duty” that every employer in the U.S. has to provide a safe working environment and be fined and then investigated by the accrediting body known as The Joint Commission. Should The Joint Commission find that its standards are not being upheld, it may affect the facility’s accreditation, resulting in a subsequent loss of reimbursement from the Centers for Medicare and Medicaid, resulting in the facility’s ultimate economic failure and collapse. This is certainly a risk worth assessing properly and mitigating at all costs.

Conducting Pre-Merger Risk Assessments and Creating SLAs

Taking the previous example of hospitals and workplace violence prevention, prior to assuming management of or acquiring a new facility, security assessments should be conducted on a number of levels involving a variety of disciplines to ensure that the risks being acquired are within tolerable limits of the organization. Teams should be assembled which represent those areas of highest risk to the organization and they should then survey and assess the potential merger or acquisition with great scrutiny, concentrating on those areas that pose the most risk should a negative event occur (security sensitive areas such as Emergency Departments for example). Once these risks have been identified, they should be listed in a prioritized format (High, Moderate and Low) based upon their severity and levels of mitigation. This will provide the organization a much better snapshot of exactly what the risks are relative to entering a relationship with an entity. Once this assessment has been vetted and examined, specific service level agreements (SLAs) detailing the levels of security services can then be created to ensure that the risk is being avoided (through mitigation methods), accepted (with clear and documented understandings about who will be responsible should an event occur), reduced (based upon the findings of the pre-merger risk assessment) or shared (with defined levels of liability). While this may sound overly suspicious in the assessment of a potential partner as a part of the organizations growth and expansion, the parent organization is after all taking on the lion’s share of the risks should the new acquisition prove to have unforeseen or previously undisclosed issues.

Benefits of ESRM

There are many benefits of an effective Enterprise Risk Management program as related to the growth and expansion of any organization and its security program. An ERM process takes distinct business units and their inherent subject matter expertise in their routine functions and consolidates risk information and responsibility into one program. It creates a more focused approach to risk throughout the organization and it  provides more integration as related to an organization’s overall growth and success as everyone is required to use standardized evaluation criteria, assessment processes and uniformity for like business units across the enterprise, which reduces the risks involved with growth and expansion. It also makes business units in the organization less of a rival to security and to one another and more of a partner in identifying and avoiding overall security related issues.