In an era of constantly changing technology, some companies in highly regulated industries, such as healthcare or finance, are embracing evidence-based risk management. These industries are legally required to meet certain regulations governing the storage, retention, security and data management practices for critical data. They also need to be able to show evidence that they have risk management solutions in place and could handle an audit, which could result from a regulator asking the company to demonstrate how it is handling risk. Aside from ensuring the safety of critical information, evidence-based risk management is also giving compliance officers a boost up the corporate ladder, as instituting a chief risk officer is becoming a more common practice. A recent Harvard Business Review study showed that 42 percent of companies with more than 10,000 employees have a chief risk officer, compared with only 11 percent three years ago.
One reason evidence-based risk management is growing in practice is the use of clouds for information storage and sharing, which provide instant access to data. “These are highly secure, private clouds that store very powerful informatics, that analyze not only the regulatory content rules that we [Wolters Kluwer—a global information services and publishing company] have traditionally produced but increasingly analyze the sea of data that our customers’ institutions generate,” said Jack Lynch, a member of Wolters Kluwer’s executive board, during a roundtable discussion titled Game Changers in the Information Industry: The Rise of an Evidence-Based Approach to Risk Management.
Being cloud compliant ensures companies are following SAS 70—an auditing standard that requires service organizations to demonstrate they have adequate controls and safeguards to host and process customer data—as well as adhering to other standards for firewall, data security and encryption compliance. However, some institutions have regulations that prevent them from using cloud technology, which has led companies to adopt a hybrid model, where they house some technology within their offices and also adopt an online portal to securely exchange information with clients.
One example of a company using a cloud is Medco, a pharmacy benefits manager and one of Wolters Kluwer’s clients, which uses a cloud to train its 50,000 employees in the supply chain to manage the handling and training of drugs. “In their compliance department, they actually have a marketing manager who helps the organization market their services to their prospects and their potential clients,” Lynch said. “[Compliance] helps the organization to make value creation instead of just value protection. That is the very positive side of risk management and compliance.”
In addition to technology, employees are also contributing to evidence-based risk management systems, particularly audit, risk and compliance officers, who are playing a more visible role in their companies and in boardrooms. “Their presence at the board of directors table is expected,” said Ian Rhind, CEO of Wolters Kluwer Audit, Risk & Compliance. “They’re asked by the audit committees for their diligence around audit, risk and compliance activities.” These audit, risk and compliance officers help to create an evidence-based book of records for regulators.
The chief information officer also plays a critical role in an increasingly complex technological world, as the person tasked with mitigating information risk management challenges within the company. “When we are talking to organizations about their compliance activities and their risk management activities, always the CIO is at the table as part of the decision-making process,” Rhind said. “They are very interested in acquiring the right kind of tools to manage security breaches.” Having a CIO in place is a relatively new concept, Lynch added. “Previously IT directors had that particular role. The CIO, coupled with the CRO and the CFO, almost have a tripartite responsibility for the institution.”
With risk management practices an essential part of company strategy—and managers and directors taking on increasing responsibilities for mitigating risk—evidence-based risk management practices along with a CRO may prove wise investments in the company’s future.