Monday, April 23, 2007

Comments on eHealth Risk Opportunity Report Card Paper

Rupak Mazumdar, Senior Risk Analyst for the Ontario Smart Systems for Health Agency offers the following comments on the Report Card Paper.

  • In general, I think that you have put together a well-thought out paper.
    • I like Page 5 where you have indicated that each eHealth program can apply flexible weights to the report card. Risk management tools need to be flexible to address different situations.
    • The opportunity-risk matrix in Table 5 is also a nifty idea.
    • I am very interested in seeing the paper put into real practice. In fact, application of the paper is a theme for me. Applying this to a pilot area of eHealth will be the true test of what works, what does not work and what needs to be refined a bit.

  • The biggest potential obstacle that you may face is with the definition of risk.
    • There are many competing definitions of the word risk out there. You have defined risk as the possibility that a threat will be realized resulting in harm or loss.
    • The risk management world is slowly moving towards more of a risk definition that is uncertainty of outcome, with an outcome potentially having both positive and negative elements.
    • I like the uncertainty definition much better because it inherently contains both the positive and negative definition of risk. It also forces the risk assessor / manager to focus on events and scenarios that have not occurred yet as opposed to issues that have already materialized.

I may seem to be quibbling but I have come to the epiphany that when I talk about risk management, often everyone in the room has different definitions of risk (a bad thing, uncertainty, an impact, a possibility, etc.). If you agreed with the semantics change, the language would change slightly in the paper. For example, in the title:

The eHealth Risk Report Card:

A practical approach to realizing opportunities in eHealth from understanding and managing risk

  • Many in the audience for this paper could potentially have little understanding of risk management methodology. Hopefully that is not the case too often as a CIO should have at least a rough understanding of risk management. Still, you may want to have a brief primer on risk management in your back pocket or in an Appendix.

  • Much of the material that was brought over to SSHA to help define the risk management framework came from the brilliant Australian Risk Management Standard AS/NZS 4360:2004 RISK MANAGEMENT. You will want to cite the framework in your end notes.

No comments: