I have been looking for a model for categorizing and evaluating eHealth business risks. The best I've found so far is a standard and guide published by the UK Risk Management Institute titled A Risk Management Standard. This Standard describes four types of business risk:
Strategic Risks - include all of the external and environmental factors associated with an industry. In eHealth this could include political risk, user acceptance (or lack thereof), business model and governance issues.
Compliance Risks - are those risks associated with the need to comply with laws and regulations. In eHealth this would include compliance with privacy and data protection legislation, health and safety regulations, and compliance with legislation governing the operation of health institutions and health professions.
Financial Risks - are those risks associated with the financial structures, transactions and financial processes in place in your organization. In eHealth this could include risks associated with inadequate financial controls, fraud, legal liability and unstable sources of capital and operational funding.
Operational Risks - are those risks associated with operational and administrative procedures. In eHealth this could include business continuity, disaster recovery, procurement issues, and the ability to meet required service levels.
All in all, a neat and simple way of expressing business risk.
The guide also suggests a basic (though complete) approach to business risk identification and treatment. Another site, UK Business Link, which seems geared to small to medium-sized businesses (about the size of our average health care operation), provides a good overview of the process.