Core 4.0 Pre-release

C-RM 3-1: Information Systems Risk Assessment and Reduction

Submitted by: Tom Goddard

The Basics

URAC assumes that your organization has a comprehensive risk management program, and in this standard, requires that your information systems be a component of that program. Specifically, the IT component must explicitly address data storage, gathering, and transfer.
Your organization must conduct risk assessment in these three areas, and that assessment must periodically include "an entity with the expertise to handle these types of assessments and that has no stake in the outcome of the assessment." This can be an internal entity or an external contractor. 
The IT risk management program must address threats relating to both access and incidents, including breaches.
In the event your organization encounters issues or potential issues, it must implement responsive processes that include:

  • root cause analysis;
  • corrective action plan ("CAP") development;
  • CAP management; and
  • ongoing compliance monitoring and reevaluation.

Management Tips

There's a lot to this standard. Let's take the management requirements one at a time.
First, you'll need a policy and procedure that outlines your IT risk management strategy. Every aspect of this standard will need to be addressed in that P&P. 
Second, you'll need to identify the risk assessment entity. In small organizations, it may be difficult for such an entity, if it is internal to the organization, to claim it has no stake in the outcome of the risk assessment. Some issuers of cyber insurance provide risk assessment as part of the coverage. Alternatively, you could engage one of the many consultants who provide this service.
Third, regarding the organization's response to potential or actual risk issues you may discover along the way, we recommend that you develop a CAP template that tracks both the URAC requirements and your policy. You'll want it to be easy for your staff to develop a CAP should a staff member discover risk-related issues.
Fourth, many CAPs fail not because they're badly developed but because they are forgotten. Be sure your systems ensure that CAPs don't fall between the cracks, perhaps by having a process of moving all open CAPs onto a standing agenda of a committee or team of managers to review periodically. Such review must be clearly and thoroughly documented.
Finally, do not use URAC's word "promptly" when defining the speed of your organizational response to identified issues. Rather, define what that means in terms of days or weeks.

Accreditation Tips

Desktop Review
Submit to URAC your comprehensive policies and procedures regarding IT risk management. In addition, you may find it useful to submit a template risk management spreadsheet, meeting minutes, screenshots of process flows, etc.
Validation Review
Interviews
The URAC reviewer will discuss the risk management processes with both senior leadership and staff who are involved in those processes.
Document Reviews
The reviewer also will examine auditor reports, committee meeting minutes, documentation of corrective action plans, and any other documentation that will demonstrate your organization's compliance with all the elements of this standard.

Core 4.0 Pre-release / 12.31.2018