C-RM 3-1: Information Systems Risk Assessment and Reduction
URAC assumes that your organization has a comprehensive risk management program, and in this standard, requires that your information systems be a component of that program. Specifically, the IT component must explicitly address data storage, gathering, and transfer.
Your organization must conduct a risk assessment in these three areas, and that assessment must periodically include "an entity with the expertise to handle these types of assessments and that has no stake in the outcome of the assessment." This can be an internal entity or an external contractor.
The IT risk management program must address threats relating to both access and incidents, including breaches.
In the event your organization encounters issues or potential issues, it must implement responsive processes that include:
- root cause analysis;
- corrective action plan ("CAP") development;
- CAP management; and
- ongoing compliance monitoring and reevaluation.
There's a lot to this standard. Let's take the management requirements one at a time.
First, you'll need a policy and procedure that outlines your IT risk management strategy. Every aspect of this standard will need to be addressed in that P&P.
Second, you'll need to identify the risk assessment entity. In small organizations, it may be difficult for such an entity, if it is internal to the organization, to claim it has no stake in the outcome of the risk assessment. Some issuers of cyber insurance provide risk assessment as part of the coverage. In the alternative, you could engage one of the many consultants who provide this service.
Third, regarding the organization's response to potential or actual risk issues you may discover along the way, we recommend that you develop a CAP template that tracks both the URAC requirements and your policy. You'll want it to be easy for your staff to develop a CAP should a staff member discover risk-related issues.
Fourth, many CAPs fail not because they're badly developed but because they are forgotten. Be sure your systems ensure that CAPs don't fall through the cracks, perhaps by having a process that moves all open CAPs onto a standing agenda of a committee or team of managers to review periodically. Such review must be clearly and thoroughly documented.
Finally, do not use URAC's word "promptly" when defining the speed of your organizational response to identified issues. Rather, define what that means in terms of days or weeks.
Submit to URAC your comprehensive policies and procedures regarding IT risk management. In addition, you may find it useful to submit a template risk management spreadsheet, meeting minutes, screenshots of process flows, etc.
The URAC reviewer will discuss the risk management processes with both senior leadership and staff who are involved in those processes.
The reviewer will also examine auditor reports, committee meeting minutes, documentation of corrective action plans, and any other documentation that demonstrates your organization's compliance with all the elements of this standard.