Security Leadership and Management

Organizational Growth: Security and Enterprise Risk Management for Healthcare Organizations

Medical workers
Risk Management Plan
September 1, 2011
Bryan Warren
KEYWORDS healthcare security / OSHA / security risk management / workplace violence

Growth. Most organizations strive for it, but when it happens too quickly, unforeseen issues can arise that translate into a higher level of security-related risk than the organization might be comfortable with. While most organizations constantly strive for growth and expansion, they need to recognize that with growth come growing pains and a litany of security-related issues that may or may not have been factored into their plans, all while they continue to deal with day-to-day business and with whatever new problems an acquisition might bring.

The best solution is to be proactive and attempt to identify and mitigate such issues before they become critical and pose a risk to the organization and its brand. To prevent unforeseen problems from negatively affecting the organization during periods of growth or expansion, an organization should consider creating a unification program that incorporates an enterprise risk management process to identify, avoid and mitigate security-related issues.


Potential Security Issues with Rapid Growth

While the terms “expansion” and “growth” have few negative connotations on the surface, the reality is that there are a number of potential security issues an organization must take into consideration when it begins to expand and increase its size and scope. Are the current security infrastructure and existing program sufficient to support the addition of more personnel and facilities? Are proper security safeguards in place to ensure that, should an event occur during the transition period, the primary enterprise and its brand will not be negatively affected? What is the security outlook for this expansion, and will the organization need to expend resources at a higher level than was initially anticipated as part of a merger or acquisition to bring any new facilities up to organizational expectations and standards? These are just some of the issues that might arise during the expansion of an organization, and they could have dire consequences if not thought out and adequately planned for. This is why an enterprise risk management program for security is a wise investment: it not only assists with an organization’s current risks and issues, but it also formalizes the process for identifying and mitigating issues before they can occur.


What is Enterprise Risk Management?

Enterprise Risk Management, also referred to as ERM, is a process instituted by an organization’s administration or management and applied across the organization in the setting of strategy. It is designed to identify potential events that may affect the organization and to manage risk within predetermined thresholds, in order to provide reasonable assurance to stakeholders regarding the successful achievement of the organization’s objectives.

A security ERM program can encompass a number of specific objectives and strategies for identifying and reducing security-related risks. One is aligning the organization’s risk thresholds and approaches with acceptable levels of risk (as defined by existing regulations, organizational principles and standards, and industry best practices when assessing a site). Another is assessing and enhancing current states of readiness and threat response strategies so that the organization is more fluid and flexible should an event occur; a well-defined response program in turn reduces the likelihood of unexpected losses and setbacks. Organizations should also seek to identify and manage cross-departmental risks as efficiently as possible while recognizing and taking advantage of opportunities to mitigate additional issues, since events seldom affect only one area or department of an organization. Such preventive steps make it much easier to improve the use of capital funds and other finite resources. By using a multidisciplinary process, a number of departments can review, assess and identify opportunities for improvement simultaneously, taking advantage of overlapping disciplines and a sharing of ideas that can all affect the overall security posture of the facility. Human resources, IT and engineering departments all have an impact on the security of the organization (be it from a policy, technology or physical plant perspective) and therefore should be included in any ERM process in which security is reviewed. Economy of scale is one of the primary reasons that organizations merge, but the value-added importance that a well-defined security program brings can be tremendous.


Creation of a Unification Program

While there are a number of formats to consider for how an ERM-based unification program should look, many of the differences between such programs are aesthetic in nature, and most have very similar structures at their roots as far as identifying and mitigating risks. Based upon the specific business and industry, most organizations can break their day-to-day processes and services into sections according to regulatory and legal requirements, using the following fundamental divisions: What must I do (required by law or a regulatory agency, with fines and other consequences should the action not be taken properly), What should I do (following best practices and other advice that makes the best business sense) and What would I like to do (meaning, if given the resources, what is the ideal method for carrying out this particular task or function of the organization). By approaching an ERM process with this methodology in mind, an organization can create an assessment matrix with “Required”, “Recommended” and “Optional” security components and their level of impact, and then evaluate the current state of business processes and the state of readiness of an entity’s security program before becoming officially involved in a management relationship (and potentially becoming obligated to resolve any outstanding issues that might exist).

The benefits of creating and conducting such a pre-merger or pre-acquisition assessment process are numerous. The most obvious is that the parent organization gets a good, detailed look not only into the financial and physical state of the business it plans to integrate, but also into any potential deficiencies that may require resources to resolve. You wouldn’t buy a house without an inspection for foundation damage or termites, so why should an organization enter into a management agreement without adequate knowledge of the potential issues that await it (and its shareholders)? Caveat emptor (“let the buyer beware”) was good advice in ancient Rome, and this motto and its underlying philosophy have stood the test of time. A wide-ranging Enterprise Risk Management process should be an integral part of any organization’s unification, acquisition or expansion program.


Example of the Interconnectivity of Regulatory Agencies and Risk

Examples of required regulatory risk issues that U.S. healthcare facilities must face on a routine basis come from a number of sources, but the most prevalent are the Occupational Safety and Health Administration (OSHA), The Joint Commission and the Centers for Medicare and Medicaid. Rather than look at the considerable number of standards, rules and requirements that each of these agencies places upon healthcare providers (the consequences of non-compliance being loss of accreditation, monetary fines, loss of federal reimbursement for Medicare and Medicaid and typically the eventual closing of the facility), we will focus on a very specific area, that of workplace violence, an issue which is intertwined amongst all of these regulatory bodies and must be considered when a risk assessment is being conducted for a healthcare organization.

In 1996 OSHA introduced Healthcare Guidelines for Preventing Workplace Violence for Healthcare and Social Service Workers (OSHA 3148). These guidelines provide five primary elements which any effective workplace violence program should include. While these are only guidelines, failure to follow them can result, and has resulted, in healthcare organizations suffering penalties and fines assessed by OSHA under its general duty clause (Section 5(a)(1) of the 1970 OSH Act).

The five elements that OSHA 3148 recommends are management commitment and employee involvement, a detailed worksite analysis, hazard prevention and control processes, safety and health training, and proper recordkeeping and program evaluation. Management commitment and employee involvement demonstrate organizational concern for employees’ emotional and physical well-being, and an equal commitment to the safety of both employee and client.

Management should assign responsibilities for such programs to ensure that employees understand their role. They should allocate appropriate resources, maintain accountability for employees and work to establish a comprehensive program of medical and psychological counseling for those involved in, or witness to, workplace violence. A detailed worksite analysis should include tracking and trending of workplace violence incidents and an analysis to determine methods of mitigation. Screening surveys of staff to identify additional security measures should be considered, as well as an analysis of the physical work environment. This analysis should include physical security measures, administrative and work practice controls and any procedures that may minimize the risk of a workplace violence incident. Likewise, workplace violence prevention training is a crucial element of a successful overall security program in any industry. OSHA recommends that healthcare organizations craft workplace violence prevention policies and include training for staff on topics including risk factors, recognition of escalating behaviors and how to defuse volatile situations. This training should be offered on an annual basis to all employees. Healthcare employers must also develop a standard response action plan for violent incidents that incorporates progressive behavior control methods, safe restraint techniques, locations and operation of duress or alarm devices, and procedures for obtaining counseling in the event of a violent episode or injury. Proper documentation and recordkeeping are critical to the success of such a training program, as is annual program evaluation.

In June 2010 The Joint Commission (TJC) issued its Sentinel Event Alert #45, regarding workplace violence issues in the healthcare environment. This call to action was the result of several causal factors identified frequently over the previous five years. These factors include growing numbers of family disputes inside hospitals, problems in policy and procedure development and implementation, and a number of human resource-related factors, such as the increased need for staff education and competency regarding potentially violent behavior. Communication failures among staff, patients and visitors, physical environment deficiencies and inadequate security practices all contributed to the issuance of this Sentinel Event Alert. Existing Joint Commission Environment of Care Standards require healthcare facilities “to address and maintain a written plan describing how an institution provides for the security of patients, staff, and visitors. Institutions are also required to conduct risk assessments to determine the potential for violence, provide strategies for preventing instances of violence, and establish a response plan that is enacted when an incident occurs.” Failure to do so results in a loss of The Joint Commission’s accreditation status, which in turn puts the facility out of compliance with the Centers for Medicare and Medicaid. The results are usually financially disastrous, since many hospitals in the U.S. depend on federal reimbursements for non-insured persons to remain in operation.

Therefore, if a hospital fails to meet the expectations of OSHA with regard to its guidelines, it can be cited for violating the “general duty” that every employer in the U.S. has to provide a safe working environment, fined, and then investigated by the accrediting body known as The Joint Commission. Should The Joint Commission find that its standards are not being upheld, the facility’s accreditation may be affected, resulting in a subsequent loss of reimbursement from the Centers for Medicare and Medicaid and ultimately in the facility’s economic failure and collapse. This is certainly a risk worth assessing properly and mitigating at all costs.


Conducting Pre-Merger Risk Assessments and Creating SLAs

Taking the previous example of hospitals and workplace violence prevention: prior to assuming management of or acquiring a new facility, security assessments should be conducted on a number of levels, involving a variety of disciplines, to ensure that the risks being acquired are within the organization’s tolerable limits. Teams should be assembled that represent the areas of highest risk to the organization, and they should survey and assess the potential merger or acquisition with great scrutiny, concentrating on those areas that pose the most risk should a negative event occur (security-sensitive areas such as Emergency Departments, for example). Once these risks have been identified, they should be listed in a prioritized format (High, Moderate and Low) based upon their severity and level of mitigation. This gives the organization a much better snapshot of exactly what the risks are in entering a relationship with an entity. Once this assessment has been vetted and examined, specific service level agreements (SLAs) detailing the levels of security services can be created to ensure that each risk is avoided (through mitigation methods), accepted (with clear and documented understandings about who will be responsible should an event occur), reduced (based upon the findings of the pre-merger risk assessment) or shared (with defined levels of liability). While this may sound overly suspicious in the assessment of a potential partner as part of the organization’s growth and expansion, the parent organization is, after all, taking on the lion’s share of the risk should the new acquisition prove to have unforeseen or previously undisclosed issues.


Benefits of ESRM

There are many benefits of an effective Enterprise Risk Management program as related to the growth and expansion of any organization and its security program. An ERM process takes distinct business units and their inherent subject matter expertise in their routine functions and consolidates risk information and responsibility into one program. It creates a more focused approach to risk throughout the organization, and it provides more integration in support of an organization’s overall growth and success, since everyone is required to use standardized evaluation criteria, assessment processes and uniform practices for like business units across the enterprise, which reduces the risks involved with growth and expansion. It also makes business units in the organization less of a rival to security and to one another, and more of a partner in identifying and avoiding overall security-related issues.


Bryan Warren is Director of Corporate Security for Carolinas Healthcare System (based in Charlotte, N.C.). He holds a bachelor’s degree in Criminal Justice, an MBA with a focus on legal foundations of healthcare and more than 22 years of healthcare security experience. His certifications include Certified Healthcare Protection Administrator as well as Certified Protection Officer Instructor. He has been a contributor to numerous publications including Security Magazine, Campus Safety Magazine, the Journal of HealthCare Protection Management and Health Facilities Management, and has authored chapters for the IAHSS Basic, Advanced and Supervisory Training Manuals as well as a Workplace Violence Prevention chapter for the IAHSS Healthcare Safety Certification program. He is a two-time recipient of the Russell Colling Medal for Literary Achievement in Healthcare Security and currently holds the position of President of the International Association for Healthcare Security and Safety (IAHSS). He is the Sector Chief for Emergency Services in the FBI’s Infragard program in the Charlotte region and is a member of the American Society of Industrial Security International (ASIS), the International Law Enforcement Educators and Trainers Association, and the Southeastern Security and Safety Healthcare Council. In these roles he has provided numerous presentations nationally and internationally regarding security in the healthcare environment.