Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan


Agenda
1. Organization Overview
2. GRC Journey Story
3. GRC Program Roadmap
4. Program Objectives and Guiding Principles
5. Evolving your Program
6. Key Learnings and Best Practices
7. Audience Questions and Discussion

Blue Cross Blue Shield of Michigan: Company Overview

Who we are
- A nonprofit mutual insurance company founded in 1939
- The largest health insurer in Michigan, serving 4.5 million people here and 1.6 million more in other states
- The largest network of doctors and hospitals in Michigan: 152 hospitals, and more than 33,000 doctors
- An independent licensee of the Blue Cross and Blue Shield Association
- Number of employees: more than 8,100

What we do
Design, sell and manage health benefit plans for individuals, families and Michigan-based employers, including:
- Traditional plans
- PPO (preferred provider organization) plans
- HMO (health maintenance organization) plans
- Medicare plans
- Medicaid and state plans
- Wellness-based plans
- Plans with health spending accounts
- Dental and vision plans
- International plans

GRC Journey Story: Blue Cross Blue Shield of Michigan
Largest health insurer and network of doctors and hospitals in Michigan

MetricStream Apps: Integrated GRC covering Compliance, Issue, Risk, Regulatory Alerts, Audit, Policy and Case
- Aligned program with business strategy
- Increased assurance of compliance with multiple regulations, including the Patient Protection and Affordable Care Act, Model Audit Rule, Health Insurance Portability and Accountability Act, and Michigan Insurance Code
- Increased transparency into compliance issues
- Increased agility with integrated workflow and simplified processes with automated notifications

BEFORE
- Disparate views of compliance dependencies
- Silos of compliance information
- Time-consuming reporting processes
- Redundant processes
- Decentralized document management
- Audit fatigue
- Segregated data archiving

AFTER
- Over 200 qualified metrics driving decisions based on a common risk universe
- Increased transparency and line of sight into issues and risks throughout the enterprise
- Replaced numerous SharePoint sites with a single compliance platform
- Replaced and consolidated case management systems

"GRC implementations are strategic. When done correctly, you can streamline your processes and enable collaboration across multiple business areas. This allows companies to leverage a common platform which leads to increased transparency and accountability." Michael Cover, GRC leader, Blue Cross Blue Shield, Michigan

Watch Michael Cover's Case Study from the GRC Summit 2017: https://www.youtube.com/watch?v=C0mmmTIRfsA&t=392s

The GRC program journey has leveraged a phased roll-out to drive business area enablement

Timeline: 2010, 2014, 2015, 2016, 2017, 2018

Milestones along the roll-out:
- Completed RFI
- Considered architecture flexibility and industry rating
- Made decision to use MetricStream outsourced model
- Defined clear program objectives
- Defined foundational elements and common definitions
- Implemented same sign-on
- Added Affordable Care Act
- Completed Model Audit Rule pilot
- Qualified Health Plan attestations with evidence
- Executed executive surveys for risk assessment
- Debarment monitoring and tracking
- Implemented Model Audit Rule configuration
- Completed end user upgrades; no customizations presented ease for upgrade
- Added key state requirements for monitoring
- Added attorney-client privilege function
- Added Office of the General Counsel legal matter management
- Added Internal Audit issue follow-up
- Generated Own Risk Solvency Assessment baseline report
- Integrated Active Directory
- Added reporting enhancements
- Planned for enterprise policy management
- Planned HITRUST policy and control framework
- Added Enterprise privacy monitoring

Departments are driving enterprise-level benefits

Modules and functionality (each item on the slide is marked Implemented, In-Process or Planned):
Risk: Quarterly Risk Assessments, Priority Enterprise Risk, Annual Risk Assessment, Ongoing Risk Assessment, Third Party Risk
Policy & Document, Issue, Monitor: Policy Attestation, Monitor Issues, Policy Approval, Monitor Corrective Action Plans, Document Section 1557 Issues, Departmental Procedures, Regulatory Audit Issues, Internal Audit Issues, Internal Control Testing Issues, Metric Monitoring, Agent Complaint Monitoring, Managed Care Manual Review, Internal Control Testing, OPM Reporting, Risk Adjustment Data Validation, QHP Attestations, HITRUST Requirement Monitoring
Project: Project Documentation & Reporting, Compliance Reviews, Project Time Reporting
Requirement: Accreditation Requirements, Debarment Checks, HIPAA Risk Assessment, Data Feed Attestations, HITRUST Self-Assessment
Incident: Incident Monitoring, Fraud Investigations, OCR Complaints
Legal Case: HIPAA Privacy Incident, Enterprise Security Incidents
External Audit: Customer Audits, Regulatory Audits

Status legend: Implemented, In-Process, Planned

Define your program objectives and set guardrails for how the team engages with the business

Program Objectives
- Governance: Senior Executive Alignment and Buy-in; Committees; Policies and Procedures; Organizational Structure; Internal & External Communications
- Integrated Risk: Risk Identification and Assessment; Risk Tolerance and Analysis; Risk Monitoring and Mitigation; Risk-Based Performance
- Coordinated Functions: Scope and Coverage; Methods and Practices; Infrastructure and People; Information and Technology
- Business Level Performance: Self-Assessment and Mitigation; Metrics and Measures
- Process and Control Optimization: Programs and Major Initiatives; Know Process Tipping Point

Guiding Principles
- Challenge status quo
- Readiness and maturity
- Communicate often
- Partner with business
- Be your own champion
- Maintain urgency
- OOTB (out-of-the-box) functionality
- Customer focus
- Live the mantra

Allow your program to evolve and embrace the mantra!

2014: GRC All Aboard!
2015: Readiness! Readiness! Readiness!
2016: Transparency, Alignment, Reporting
2017: Do Different, Do Better
2018: Ready, Willing & Able

Learn from the past or you're doomed to repeat it

People
- Require iterative training for refreshers; use videos for efficiency
- Mindset change from "that's how we always did things"
- Manual processes completed by workforce members require change management support
- What is entered is what displays

Process
- Time spent up front on common definitions and reporting
- Workflow is powerful; embrace it but strike a balance
- GRC tool capabilities may impact your workflow
- Pilots are important, and plan for more testing than you think
- Redundancies reduced increases efficiency and transparency

Technology
- GRC tools typically require significant platform planning for internal user and external user access
- Customizations should be avoided to optimize technology upgrades

Vendor
- Maintain the partnership and grow through collaboration
- Remember the strategic nature of the program and keep them onsite

Know your business partners, understand their goals and realize the cross-functional transparency
- Compliance
- Model Audit Rule
- Enterprise Security
- Enterprise Risk
- Information Technology
- Information Security
- GRC Tool Integration
- Corporate & Financial Investigations
- Office of General Counsel
- Data Governance

Questions?

Thank You Continue the conversation on #GRCSummit