Remarks from RIMS Risk Manager of the Year Award

Good morning! Thank you to RIMS for this recognition and for the opportunity to make a few remarks this morning. Given the accomplishments of the Honor Roll recipients, I am truly humbled to be part of such an impressive group of risk management professionals. Congratulations to Sandy Aspinall, Jennifer Hills, and Joseph Meaney and their organizations for their accomplishments leading to this recognition.

Winning an award like this is very much a team effort. So I’d like to thank the team at Children’s, starting with my director of clinical risk management, Lisa Scafidi, who’s here today. I’d also like to acknowledge and thank my boss and mentor, Mary Anne Hilliard, our general counsel,  Jim Jones, the chair of our captive board, and our team at AON, some of whom are here this morning to help me celebrate. Last but not least, my husband, Bob, who is my biggest supporter and most trusted sounding board.

I’ve been spending a lot of time lately thinking about Cyber. This is the risk that keeps me awake at night. I suspect the same goes for many of you. A quick look at the program from this conference showed at least 20 different events on this topic. Everyone in this room, regardless of industry, is worried about Cyber.

In healthcare, we seem to be a couple of steps behind other industries in dealing with this risk. We often look to other industries for help. Many of us remain silo’d in our approach, based on the notion that Cyber is an IT risk. I think that Cyber is the singular enterprise risk facing all of us. To my mind we in healthcare have been behind, needlessly. Because we have a couple of tools we are really good at using in healthcare and I think they are key to managing cyber risk regardless of your industry. I’d like to share them with you. I like to think of them as Dorothy’s magic slippers, because we’ve had them all the time and just haven’t realized what they can do for us: collaboration and transparency. I attribute all of what I’ve been able to do at CNMC to relationship building and a multidisciplinary approach to risk. We’ve used this principle in healthcare to make patient care more safe and reliable. How many times a week do you talk to your CISO? Do you know what an ISAC is? Do you sit on your IT steering committee? While I’m stubbornly analog in my personal life, I have learned that to be an effective risk professional I need to embrace and understand technology and I need to be sure all of the components of our organization are working on this risk so that we can optimize our defenses. I have used my relationships to get a seat at this table.

On the other side of this equation is transparency. How do we respond when we have a cyber event? In our organization we have a motto- we do the right thing after we’ve done the wrong thing. This is the starting point of how we approach any patient safety event. If we cause preventable harm to a child, we tell the family. We apologize, we tell them what we will do to be sure it doesn’t happen to another child. Most people now understand that cyber breaches are to some extent inevitable. So what really matters is how an organization responds afterwards. Transparency, while initially painful, will do more to protect your reputation than silence, “alternative facts” or delay. How comfortable is your senior leadership, your board of directors, with this? What can you do to lead them to the right place in responding? Risk professionals are uniquely positioned to be the voice for transparency when an event happens.

So as you return to work after this conference, I’d like you to think about these tools, and how they might help you in containing this and other risks. They’ve been very important in my professional success. Thanks again to RIMS for this award, and to all of you for being here this morning.