From Undervalued to Indispensable: How to Elevate ERM in Board-Level Discussions
Cybersecurity is more than an IT issue - it’s a patient safety and operational risk. In healthcare, Enterprise Risk Management (ERM) must address cyber threats that disrupt care, compromise safety, and damage reputations. Yet, only 49% of risk management teams play a significant role in cybersecurity, despite 70% of hospital boards recognizing its importance.
Key Takeaways:
- Cyber Risks Are Growing: Over 134 million individuals were affected by healthcare cyberattacks in 2023.
- Human Error Dominates: 90% of breaches stem from mistakes, making a strong cybersecurity culture essential.
- Boards Need Better Data: Use metrics like financial impact, downtime, and compliance rates to show ERM’s value.
- Integrate ERM and Cybersecurity: Align risk management with business goals like patient safety and operational continuity.
Quick Action Plan:
- Link Risks to Business Goals: Show how ERM supports patient care and financial stability.
- Use Data to Communicate: Present risks in dollars and operational impacts.
- Build a Unified Strategy: Merge IT, clinical, and risk teams to prioritize threats.
To elevate ERM in board discussions, focus on measurable outcomes, clear communication, and aligning cybersecurity with strategic priorities.
Making ERM Matter to the Board
Connecting ERM to Business Goals
Enterprise Risk Management (ERM) plays a critical role in addressing healthcare challenges. For example, cyberattacks affected over 55 million individuals in fiscal year 2022, a number that surged to more than 134 million in fiscal year 2023 [4]. This sharp rise highlights the need to link ERM with essential business objectives like patient safety, operational continuity, and financial stability.
To address cyber risks effectively, organizations should integrate Cyber Risk Management into both financial and operational budgets [4]. Aligning ERM with these core priorities not only highlights its importance but also helps demonstrate measurable value to the board. This approach enables organizations to translate risks into actionable outcomes.
"A business-as-usual approach to cyber risk management is bound to result in catastrophic damage. Those charged with governance, from the board to the C-suite, must drive a strong tone at the top, communicate a sense of severity and urgency, and challenge the status quo of their ERM programs and cyber security awareness throughout every level of the organization. There is little to no room for error." - COSO and Deloitte [1]
Using Data to Show ERM Impact
Data can make a strong case for ERM's value. Here’s how metrics can help:
| Metric | What to Measure | Why It Matters |
|---|---|---|
| Financial | Cost of breaches, prevention ROI | Links risks to business performance |
| Operational Risk | System downtime, service disruptions | Highlights effects on patient care |
| Compliance Status | HIPAA/GDPR adherence rates | Demonstrates regulatory compliance |
| Security Posture | Vulnerability closure rates | Tracks progress in reducing risks |
Chief Information Security Officers (CISOs) should use quantitative risk analyses to convert technical data into financial insights [3]. For instance, they can calculate cost savings from risk mitigation efforts or show the return on investment for cybersecurity measures. These metrics create a clear, business-oriented narrative that resonates with board members.
Speaking the Board's Language
Once data is in place, the next step is communicating it in terms the board understands. Focus on:
- Patient Impact: How ERM safeguards patient care and safety.
- Financial Metrics: Risk exposure quantified in dollars.
- Strategic Alignment: How ERM advances the organization’s goals.
Developing dashboards that combine technical vulnerability data with operational impacts can help bridge the gap [4]. These tools allow board members to see how technical risks connect to broader business outcomes.
Finally, senior leaders must ensure that information security and ERM efforts are fully integrated [1]. This unified approach gives the board a clear, comprehensive view of risks, enabling them to make better decisions about resource allocation and strategy.
Merging Cybersecurity with ERM
Building a Combined Risk Strategy
Healthcare organizations are increasingly recognizing the importance of integrating cybersecurity into broader Enterprise Risk Management (ERM) frameworks. This approach focuses on assessing cyber risks through their potential impact on patient care and safety [1]. For instance, a ransomware attack targeting electronic health records could disrupt operations and jeopardize patient outcomes by restricting access to critical data.
Here’s how to create an effective combined strategy:
- Establish Cross-Functional Teams: Bring together IT security experts, clinical staff, operations managers, and risk professionals to ensure diverse perspectives are included in decision-making.
- Prioritize Risks: Focus on the threats that pose the greatest risks to patient care, essential operations, data security, regulatory compliance, and financial stability.
- Promote a Risk-Aware Culture: The American Hospital Association highlights that an organization's "cybersecurity culture – the people – are the best defense or weakest link, and the most cost-effective defensive measure" [1]. Every employee should understand their role in managing risks.
This integrated approach lays the foundation for using advanced tools to deliver continuous insights into risks.
Risk Management Tools and Systems
The rising number and severity of cyber incidents make it clear that healthcare organizations need reliable risk management systems. These tools should merge cyber and enterprise risk data, enabling continuous threat monitoring, seamless data sharing, real-time analysis, and automated processes.
Frameworks like NIST CSF 2.0 provide a structured way to address these challenges [2]. They offer a shared language for discussing risks across departments and ensure comprehensive threat coverage.
To implement these systems effectively, healthcare organizations should:
- Conduct regular assessments that evaluate both technical vulnerabilities and operational impacts
- Maintain real-time visibility into risks across the organization
- Foster collaboration between IT security teams and other departments
- Automate routine security tasks while keeping human oversight in place
- Define clear metrics to measure the effectiveness of risk management efforts
The ultimate goal is to create a unified risk perspective, empowering better decision-making at every level. By aligning cybersecurity with ERM, organizations can safeguard patient care, ensure operational stability, and support their broader strategic goals.
Giving Boards Clear Risk Insights
Board vs Management Duties
Boards and management teams play different roles in managing enterprise risks. Management is responsible for the day-to-day controls, while boards focus on oversight and governance. Boards need to evaluate cyber risks based on their impact on strategy, finances, and overall resilience. This approach ties back to the importance of aligning cybersecurity efforts with business goals.
Key Risk Metrics for Boards
For effective oversight, boards need clear, tailored metrics that connect technical risks to business priorities. These metrics help boards understand the organization’s risk position and the effectiveness of its cybersecurity measures. For example, HCA Healthcare provides its board with detailed enterprise risk management (ERM) materials, highlighting top risks across various parts of the organization [6].
Here are some of the most relevant metrics for board discussions:
| Metric Category | Key Indicators | Business Impact |
|---|---|---|
| Financial Impact | Loss to value ratio, Control cost per IT asset | Highlights how efficiently security spending is managed |
| Risk Exposure | Cyber risk percentage, Average activities per IT asset | Reflects the current threat environment |
| Program Effectiveness | Risk reduced per unit cost, Cybersecurity efficacy | Measures the return on cybersecurity investments |
"Presenting a full slate of risk scenarios to the board is not beneficial until the scenarios are ordered and prioritized using quantitative measurement that is in a familiar format for executives. The members of board committees are adept at managing financial measurements. The more a risk-management measurement resembles the financial statements and income projections that the board typically sees, the easier it is for board members to manage cybersecurity risk." [7]
In addition to metrics, boards need proper training to interpret these figures effectively.
Board Risk Training Needs
A significant 87% of C-suite professionals and board members express doubts about their organization’s cybersecurity capabilities [7]. To address this, training programs should focus on:
- Risk Quantification Basics: Helping board members understand how technical risks translate into financial terms.
- Industry Comparisons: Teaching them how to assess the organization’s risk profile against peers in the healthcare sector.
- Strategic Alignment: Ensuring they can evaluate how ERM objectives align with strategic plans.
"We should also factor in the fact that board members are not stupid, and they can learn anything they need to that helps them make strategic decisions." - Pete Lindstrom, Cyber Strategist, Spire Security [5]
Regular audits of the information provided to boards are crucial to ensure the data is accurate, timely, and complete [8].
Conclusion: Strengthening ERM in Healthcare
Key Actions for Healthcare Leaders
Healthcare leaders need to take bold steps to enhance their Enterprise Risk Management (ERM) programs. In 2023 alone, 655 breaches compromised over 116 million patient records - a staggering 108% increase from the previous year [9]. To make ERM a central part of their strategy, executives should focus on three main areas:
Strategic Priorities
- Make cybersecurity a central focus of enterprise risk [1]
- Evaluate cybersecurity spending as a percentage of the overall budget [1]
- Collaborate closely with leaders in Risk, Compliance, and Privacy to align initiatives [9]
Risk Evaluation and Communication
- Translate cyber risks into financial terms for better understanding [3]
- Use dashboards to monitor key risk indicators [3]
- Provide actionable recommendations to stakeholders [9]
"How well you communicate with different levels and groups is a major factor in how successful you can be as a modern CISO."
– Paul Connelly, Fortified board member [9]
These steps not only address immediate challenges but also build a foundation for stronger, more resilient healthcare security.
ERM’s Role in Improving Healthcare Security
A robust ERM program directly contributes to better security outcomes. For instance, 70% of U.S. hospital boards now include cybersecurity in their risk management oversight [1]. By following the strategies outlined above, organizations can achieve tangible progress in key areas:
| Area | Current State | Target Improvement |
|---|---|---|
| Corporate Risk Team Involvement | 38% | Align with IT team (86%) |
| Risk Management Organization Role | 49% | Expand to cover majority of enterprise |
| Board Cybersecurity Confidence | 18% lack confidence | Increase through targeted training |
These improvements highlight the importance of board-level involvement in ERM. To ensure success, organizations must promote a culture of cybersecurity from the top down. Additionally, giving the Chief Information Security Officer (CISO) the authority and independence needed to safeguard both patient data and organizational assets is crucial [1]. This approach transforms ERM into a key driver of strategic decision-making, making it indispensable for healthcare organizations.
FAQs
How can healthcare organizations incorporate cybersecurity into their Enterprise Risk Management (ERM) frameworks effectively?
To successfully integrate cybersecurity into an Enterprise Risk Management (ERM) framework, healthcare organizations should focus on creating a risk-aware culture where cybersecurity is a shared responsibility across all levels of the organization. Encourage staff to prioritize cyber hygiene and provide ongoing training to reinforce best practices.
Use structured frameworks like the NIST Cybersecurity Framework or FAIR model to systematically identify, assess, and manage cyber risks. Incorporating cybersecurity into financial planning and operational budgets ensures that it is treated as a strategic priority. Additionally, fostering collaboration between IT and other departments strengthens overall risk management efforts and aligns cybersecurity goals with organizational objectives.
By embedding cybersecurity into ERM, healthcare organizations can better protect sensitive data, ensure compliance, and build resilience against evolving threats.
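The quantitative risk analysis that the article asks CISOs to bring to the board (converting technical data into expected loss, cost savings from mitigation, and return on investment, as in the "Using Data to Show ERM Impact" section) and the FAIR-style approach named in this FAQ answer both come down to the same small calculation. The following Python is an added example, not code from the article or from any of the cited sources. It assumes a loss-event frequency estimated as events per year (sampled as a Poisson count) and a per-event loss magnitude given as a min / most-likely / max range (a triangular distribution); both choices are the author's assumptions, not the FAIR standard's own calibrated distributions. The two scenarios, the "mitigated" scenario, and the control cost are constructed illustrative numbers.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """One cyber loss scenario in the risk register (constructed sample data)."""
    name: str
    events_per_year: float  # estimated loss-event frequency
    loss_min: float         # loss magnitude per event, USD: minimum
    loss_mode: float        # loss magnitude per event, USD: most likely
    loss_max: float         # loss magnitude per event, USD: maximum


def mean_loss_per_event(s: Scenario) -> float:
    """Mean of a triangular loss-magnitude distribution (assumed shape)."""
    return (s.loss_min + s.loss_mode + s.loss_max) / 3.0


def expected_annual_loss(s: Scenario) -> float:
    """Annualised loss expectancy: event frequency times mean magnitude."""
    return s.events_per_year * mean_loss_per_event(s)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 10000, seed: int = 1) -> list:
    """Monte Carlo: total loss in each simulated year (seeded, so repeatable)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        n = _poisson(rng, s.events_per_year)
        totals.append(sum(rng.triangular(s.loss_min, s.loss_max, s.loss_mode)
                          for _ in range(n)))
    return totals


def percentile(values: list, pct: float) -> float:
    """Nearest-rank percentile; pct=0.95 gives a '1-in-20-year' loss figure."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(pct * len(ordered)) - 1))
    return ordered[idx]


def control_value(before: Scenario, after: Scenario, annual_control_cost: float) -> dict:
    """Board metrics for one control: risk reduced, risk reduced per dollar, ROSI."""
    reduced = expected_annual_loss(before) - expected_annual_loss(after)
    return {
        "risk_reduced": reduced,
        "risk_reduced_per_dollar": reduced / annual_control_cost,
        "rosi": (reduced - annual_control_cost) / annual_control_cost,
    }


def board_ranking(scenarios: list) -> list:
    """Scenarios ordered by expected annual loss, highest first."""
    return sorted(scenarios, key=expected_annual_loss, reverse=True)


# Constructed sample register: illustrative numbers, not figures from the article
RANSOMWARE_EHR = Scenario("Ransomware on EHR", 0.2, 500_000, 2_000_000, 8_000_000)
PHISHING_PHI = Scenario("Phishing leading to PHI disclosure", 1.5, 50_000, 150_000, 400_000)
# The same ransomware scenario after a hypothetical backup-and-MFA programme
RANSOMWARE_EHR_MITIGATED = Scenario("Ransomware on EHR (mitigated)", 0.05,
                                    500_000, 2_000_000, 8_000_000)
CONTROL_COST = 150_000  # hypothetical annual cost of that programme, USD

if __name__ == "__main__":
    for s in board_ranking([RANSOMWARE_EHR, PHISHING_PHI]):
        sim = simulate_annual_losses(s)
        print(f"{s.name}: expected ${expected_annual_loss(s):,.0f}/yr, "
              f"1-in-20-year loss ${percentile(sim, 0.95):,.0f}")
    print(control_value(RANSOMWARE_EHR, RANSOMWARE_EHR_MITIGATED, CONTROL_COST))
```

The ranking function gives the prioritised, dollar-denominated list the board quotation in the article asks for, and `control_value` produces the "risk reduced per unit cost" indicator from the metrics table; the simulated 95th percentile is what turns a single expected-loss figure into a tail-risk number a finance-literate director can compare with the organisation's reserves.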
What key metrics can hospitals present to their boards to highlight ERM's impact on patient safety and operational stability?
To effectively demonstrate the value of Enterprise Risk Management (ERM) to hospital boards, focus on metrics that directly connect ERM to patient safety and operational continuity. Key metrics include:
- Incident Response Times: Measure how quickly your organization identifies, contains, and mitigates cybersecurity threats that could impact patient care.
- Downtime Reduction: Highlight decreases in system downtime, emphasizing the continuity of critical healthcare operations.
- Patient Safety Outcomes: Showcase data on reduced risks to patient safety, such as fewer breaches of sensitive medical information or improved compliance with healthcare regulations like HIPAA.
By presenting metrics that align with the board's priorities - such as protecting patients, ensuring compliance, and maintaining operational efficiency - you can clearly illustrate ERM's indispensable role in achieving organizational goals.
How can healthcare leaders help board members better understand and manage cybersecurity risks?
Healthcare leaders can take several practical steps to improve board members' understanding and oversight of cybersecurity risks:
- Integrate cybersecurity into enterprise risk management (ERM): Position cyber risks as part of the broader organizational risk strategy, emphasizing their impact on patient care, financial stability, and legal compliance.
- Communicate in financial terms: Present cybersecurity risks using clear financial metrics, such as potential costs of breaches or probability of losses, to make the risks more relatable and actionable for board members.
- Provide actionable insights: Share detailed updates on top risks, organizational preparedness, and key risk indicators (KRIs) to ensure the board has a clear picture of the current risk landscape.
By aligning cybersecurity with strategic goals and using language and data that resonate with board members, leaders can elevate its importance in executive discussions and decision-making.