Setting Compliance Priorities

We begin the first of two compliance planning retreats at BIDMC as part of the Summer of Compliance.

Recognizing the importance of compliance projects and the need to jointly set priorities between compliance experts and IT leadership, we're putting all the stakeholders together for discussion, debate, and project ranking.

Our agenda is here.

There are very large number of possible projects to address the constant stream of regulatory change.

To set priorities, we need to understand risks, change management complexity, and resource requirements.

As a first step, stakeholders were asked to bring an inventory of their risk concerns which vary from the challenge of personal devices used to check email to website defacement.

All technology projects require the joint participation of business owners and IT service providers. Projects are a function of scope, time and resources, all of which are limited.

The challenge of addressing regulatory requirements is that demand (which can be infinite) must be balanced with supply (which is fixed). Without prioritization it's like a farmer trying to put 100 pounds of manure into a 50 pound bag (sorry for the agricultural analogies).

I'm sure that other organizations have the same challenges, so I'll openly describe the process and our conclusions. Governance is a great way to set priorities when the projects as discretionary. With regulatory requirements, nothing is discretionary and everything is about the spectrum of risk.

I look forward to our work over the next two weeks.

 

John Halamka, MD blogs regularly at Life as a Healthcare CIO.