- In general, I think that you have put together a well-thought-out paper.
- I like Page 5 where you have indicated that each eHealth program can apply flexible weights to the report card. Risk management tools need to be flexible to address different situations.
- The opportunity-risk matrix in Table 5 is also a nifty idea.
- I am very interested in seeing the paper put into real practice. In fact, application of the paper is a theme for me. Applying this to a pilot area of eHealth will be the true test of what works, what does not work and what needs to be refined a bit.
- The biggest potential obstacle that you may face is with the definition of risk.
- There are many competing definitions of the word risk out there. You have defined risk as the possibility that a threat will be realized resulting in harm or loss.
- The risk management world is slowly moving towards more of a risk definition that is uncertainty of outcome, with an outcome potentially having both positive and negative elements.
- I like the uncertainty definition much better because it inherently contains both the positive and negative definition of risk. It also forces the risk assessor / manager to focus on events and scenarios that have not occurred yet as opposed to issues that have already materialized.
I may seem to be quibbling, but I have come to the epiphany that when I talk about risk management, often everyone in the room has different definitions of risk (a bad thing, uncertainty, an impact, a possibility, etc.). If you agreed with the semantics change, the language would change slightly in the paper. For example, in the title:
The eHealth Risk Report Card:
A practical approach to realizing opportunities in eHealth from understanding and managing risk
- Many in the audience for this paper could potentially have little understanding of risk management methodology. Hopefully that is not the case too often as a CIO should have at least a rough understanding of risk management. Still, you may want to have a brief primer on risk management in your back pocket or in an Appendix.
- Much of the material that was brought over to SSHA to help define the risk management framework came from the brilliant Australian Risk Management Standard AS/NZS 4360:2004 RISK MANAGEMENT. You will want to cite the framework in your end notes.