Published in the Project Post-Gazette, January 2014
by Cheryl A. Wilson, PMP, PMI-RMP, CCEP
December 11, 2013, the Department of Health and Human Services (HHS) Secretary Kathleen Sebelius asked The Centers for Medicare and Medicaid Services (CMS) to create a new position of chief risk officer (CRO) to assess risk management practices across the CMS agency, with an initial focus on the troubled healthcare.gov website. As of this writing, this person has not been announced to the public. Secretary Sebelius goes on further to say the CRO will also “focus on our work with contractors. This is critical, because HHS is the third largest federal contracting agency, and CMS alone spent $5.3 billion in 2013 on contracting engagements. We must take steps to ensure that our contractors are well managed, and that they fulfill their commitments and provide good services and products for our tax dollars.”
Marianne Kolbasuk McGee in HealthcareinfoSec reported the overall responsibilities of this position were to be:
- Assess risk management practices associated with major agency initiatives
- Lead efforts to prepare mitigation strategies to minimize these risks
- Develop metrics to measure the effectiveness of these strategies
This article goes on to report Deven McGraw, director of the health privacy project at the Center of Democracy & Technology, added his thoughts that the CRO should ensure consistent privacy and security policies across all CMS programs and “be in charge of assuring information security across the enterprise.” This comment would appear, HHS does not have a Compliance & Ethics (C&E) program established to oversee C&E responsibilities, or to ensure overall implementation of policy and procedures, and employee training.
What is concerning, is this report goes on to quote, Ms. Sebelius: “I will ask this individual (CRO) to start with identifying the risk factors that impeded the successful launch of the healthcare.gov website and report back to me in 60 days with recommendations for strategies to mitigate risks in future large-scale, CMS contracting and IT acquisition projects.”
The problems with the healthcare.gov website are NO LONGER RISKS, THEY ARE ISSUES. Swift response plans need to be in place and we can no longer talk about them as risks. Issues cannot wait for 60 days to be reported upon, they need to be responded to immediately. HealthITSecurity.com commented that CMS was hiring a dedicated risk officer because CMS already has a CMS security personnel director, Teresa Fryer, a Security Policy and Compliance Director Jacquie Toomey and a Division of Information Security Operations.
The position of CRO has a very difference position than any of the above positions as they touch all aspects of the organization and require input from several disciplines, some of which are very complex and detailed. The CRO position many times breaks new ground in organizations, and makes decisions that could affect other senior positions. This position, like none other, looks at what could go wrong (risk potentials) from an enterprise perspective and creates a risk-aware culture across the organization. The CRO works with management of other divisions to ensure the understanding of the interrelationships of various types of risk and the financial impact of risks that have the potential to trigger. Most other top positions do not look at risk potentials from a financial viewpoint and therefore do not ensure the organization is proactively managing high risks. Most organizations look at risk management as overhead and frankly, just do not do proactive risk management because they are looking at managing from a purely bottom line for the organization. This is done by implementing an integrated risk management framework to identify, mitigate and manage risks, and allocate capital for any triggered risks or issues that arise.
The CRO should work together with the Chief Compliance Officer to ensure the organization has processes in place that comply with the very much heightened government requirements and regulations. The CRO should work with every part of the organization: senior management, operating groups, finance, legal, human resources to include the internal auditing and strategic planning activities. To recommend the best risk management and financing approaches, the CRO must have a strong working knowledge of the business operations, finances, legal issues, buyers, suppliers, raw material inputs, and finished products— in short, the entire organization or have the teamwork to provide Subject Matter Expertize in each of these areas.
Additionally, Secretary Sebelius’s request called for the CRO to assess risk management practices across the CMS agency, with an initial focus on the troubled healthcare.gov website. The CRO will hire risk managers to assess the healthcare.gov website project.
The first question that I asked October 1, 2013 when hearing of all the issues of the troubled website was:
- was a government risk manager hired at the beginning of the project?
- were the risks identified prior to them triggering into issues?
- were risk mitigation plans developed?
- had any risk process been established?
- had any issues response plans been created for the high risks identified?
Upon any undertaking of a large project, lessons learned of like projects should have been studied to identify what risk potentials might occur with the Project Manager (PM) interviewing the appropriate Subject Matter Experts (SME) on each risk potential to determine the level of potential impact. Lessons learned would have shown the PM where past risks and issues on similar projects like the healthcare.gov web site would exist. Valuable historical information into potential issues from IT projects such as privacy concerns, security issues, , site load capacity, data verification, would have provided key data ahead of time to have informed decisions to avoid risks from triggering.
CGI Federal admitted they had never done a project in similar size, complexity or visibility to the healthcare.gov web site. Proactive interviewing of SME would have provided information up front to potential risks so they could have been mitigated before they triggered into issues. Even when risks triggered in front of the entire country, answers were slow to show remediation indicating no risks had been captured, no risk mitigation plans were in place, and no issue response plans were prepared for those risks that were exhibiting risk triggering potentials.
I felt it was important to go back and review the basics to help put this entire healthcare.gov issue in perspective.
Project Deliverable: Working website by October 1, 2013
Risk: healthcare.gov web site is not working October 1, 2013
Risk potential cause analysis:
- Web site privacy issues
- Reputation damage
- Rework is risk laden
- Untrained developers
- Multiple government agencies participation
The CRO will need to step in and ensure there is a risk manager to complete the following:
- Establish a risk environment to include daily meetings on issue and risk status
- Do a complete risk assessment of what are the current issues and establish issues response plans immediately.
- Identify potential risks that have not triggered into issues and establish risk mitigation plans
- Identify an issue action owner for each issue
- Identify risk owners and risk action owners for each risk, and
- Ensure risk training is completed for all team members.
These are just a few of the potential impacts and requirements that a new minted CRO would or should be expected to review and establish if missing. The CRO position for the CMS is looking to become a very important and significant player in the CMS as it improves and upgrades its risk and issue management program.