=Business Risk=

Business risk is associated with the business and political environment in which the organization operates. It is perhaps the most challenging area of risk because often the organization doesn’t have control over the measures necessary to reduce the impact or likelihood of such events.

Business risks are often at the heart of the risks identified in other domains. For example, many privacy risks arise because of confused business models that don’t clearly define the roles and responsibilities of each of the stakeholders in an eHealth program. Business risk sometimes transcends the organization for regional, provincial, state and national eHealth programs where government or other supra-organizations are responsible for setting and enforcing standards and policy. The issue of eHealth governance is central to the management of business risk.

The UK Risk Management Institute has issued a standard titled A Risk Management Standard. This Standard describes four types of business risk:


 * **Strategic Risks** - include all of the external and environmental factors associated with an industry. In eHealth this could include political risk, user acceptance (or lack thereof), business model and governance issues.


 * **Compliance Risks** - are those risks associated with the need to comply with laws and regulations. In eHealth this would include compliance with privacy and data protection legislation, health and safety regulations, and compliance with legislation governing the operation of health institutions and health professions.


 * **Financial Risks** - are those risks associated with the financial structures, transactions and financial processes in place in your organization. In eHealth this could include risks associated with inadequate financial controls, fraud, legal liability and unstable sources of capital and operational funding.


 * **Operational Risks** - are those risks associated with operational and administrative procedures. In eHealth this could include business continuity, disaster recovery, procurement issues, and ability to meet required service levels.

The guide also suggests a basic (though complete) approach to business risk identification and treatment. Another site, UK Business Link, which seems geared to small to medium-sized businesses (about the size of our average health care operation), provides a good overview of the process.

Guidance for managing business risks at the organizational level can be derived from COBIT and other standards quoted in this paper. There are no defined control standards available to specifically address eHealth business risks at the regional, provincial, state and national levels. Each government jurisdiction has its own unique business and regulatory environment. However, anecdotal evidence suggests several significant control measures that should be put in place for such eHealth programs.

1. An eHealth Governance Framework and Authority – A legitimate body that has the authority to establish and enforce policy and standards in an eHealth environment that includes many healthcare organizations, health care providers and other stakeholders.

2. A Business Model – that defines the roles and responsibilities of each stakeholder in an eHealth program. This includes ensuring that all stakeholders benefit from the initiative in a manner and magnitude consistent with their investment.

3. A Contractual Framework – that accurately represents the business model and agreements between all stakeholders participating in the eHealth program. This would include consent forms and processes for patients.

4. Strategic Business and Technical Architectures – that enable the integration of the eHealth program into the larger health system and ensure that it is interoperable with other eHealth programs and systems.

5. A Stakeholder Engagement Model – to ensure that the interests of all stakeholders, and in particular, patients and end-users, are addressed in all aspects of eHealth program design, deployment and support.

In most jurisdictions around the world, governments have significant involvement in the funding and management of health care. This results in a complex political environment that has a direct impact on business risk. Political influence can be exerted by politicians or by the bureaucracy that supports the government. Political decisions affect priorities and in extreme cases can interfere with normal business protocols.