Core 4.0

C-RM 3-1: Information Systems Risk Assessment and Reduction

Submitted by: Tom Goddard

The Basics

URAC assumes that your organization has a comprehensive risk management program, and in this standard, requires that your information systems be a component of that program. Specifically, the IT component must explicitly address data storage, gathering, and transfer.
Your organization must conduct risk assessment in these three areas, and that assessment must periodically include "an entity with the expertise to handle these types of assessments and that has no stake in the outcome of the assessment." This can be an internal entity or an external contractor.
The IT risk management program must address threats relating to both access and incidents, including breaches.
In the event your organization encounters issues or potential issues, it must implement responsive processes that include:

  • root cause analysis;
  • corrective action plan ("CAP") development;
  • CAP management; and
  • ongoing compliance monitoring and reevaluation.

Management Tips

There's a lot to this standard. Let's take the management requirements one at a time.
First, you'll need a policy and procedure that outlines your IT risk management strategy. Every aspect of this standard will need to be addressed in that P&P.
Second, you'll need to identify the risk assessment entity. In small organizations, it may be difficult for such an entity, if it is internal to the organization, to claim it has no stake in the outcome of the risk assessment. Some issuers of cyber insurance provide risk assessment as part of the coverage. In the alternative, you could engage one of the many consultants who provide this service.
Third, regarding the organization's response to potential or actual risk issues you may discover along the way, we recommend that you develop a CAP template that tracks both the URAC requirements and your policy. You'll want it to be easy for your staff to develop a CAP should a staff member discover risk-related issues.
Fourth, many CAPs fail not because they're badly developed but because they are forgotten. Be sure your systems ensure that CAPs don't fall between the cracks, perhaps by having a process of moving all open CAPs onto a standing agenda of a committee or team of managers to review periodically. Such review must be clearly and thoroughly documented.
Finally, do not use URAC's word "promptly" when defining the speed of your organizational response to identified issues. Rather, define what that means in terms of days or weeks.

Accreditation Tips

Desktop Review
Submit to URAC your comprehensive policies and procedures regarding IT risk management. In addition, you may find it useful to submit a template risk management spreadsheet, meeting minutes, screenshots of process flows, etc.
Validation Review
The URAC reviewer will discuss the risk management processes with both senior leadership and staff who are involved in those processes.
Document Reviews
The reviewer also will examine auditor reports, committee meeting minutes, documentation of corrective action plans, and any other documentation that will demonstrate your organization's compliance with all the elements of this standard.