CastleHill Managed Risk Solutions Blog

How Can I Ensure Our Vendors Are HIPAA Compliant?

Posted by Michael Duggan on Jul 20, 2017 1:54:00 PM

You’ve been diligent about developing the policies and procedures needed to ensure HIPAA compliance within your organization. It’s been challenging, but your internal audits have been positive, and you are confident your internal processes are up to standard. Are you as confident about your vendors and their HIPAA compliance? If your vendors aren’t compliant, who pays the price? You do. As the outsourcing organization, you are responsible for the HIPAA practices of every vendor that accesses, works with, or stores your sensitive PHI. Beyond the vendors who physically touch your data, such as IT providers, data centers, and document shredders, HIPAA compliance requirements can extend to other vendors who may have access to your contacts database, or even to the data center where your IT provider backs up its own data (see: How Many Degrees of Separation Are There Between You and Your Data?).


Topics: healthcare

How Do I Report Vendor Risk Management to My Board or Senior Management?

Posted by Michael Duggan on Jul 11, 2017 1:48:00 PM

If your bank or credit union outsources any of its functions to a third party, you are responsible not only for effective vendor risk management but also for reporting the results of third-party risk assessments to your leadership and board of directors. The Office of the Comptroller of the Currency (OCC) makes it clear – an institution with vendors “should adopt risk management practices commensurate with the level of risk and complexity of its third-party relationships.” Easy for them to say. If you’re the risk or compliance officer tasked with vendor risk management oversight and reporting, “commensurate” is a loaded term. How do you rate risk? How do you lay out your program in a clear, understandable format? How can you be sure all your risk bases are covered? No one wants to stand in front of senior management or the board of directors mumbling through a disjointed array of reports and information. Whether you are flush with risk management data or aren’t sure where to start, your third-party risk management framework and reporting could spell the difference between a clear, well-supported program and one that looks like an urgent SOS for intervention. We have some tips to make sure your reporting of third-party risk management to leadership is clear, effective, and on point.


How Many Degrees of Separation Are Between You and Your Data?

Posted by Michael Duggan on Jun 29, 2017 2:17:00 PM

Being the master of all you survey is not enough in today’s business climate. Do you know the true risks that lie well below the apparent surface of your operations? Consider third parties – if you’re like most companies, you are increasingly dependent on third-party entities to manage a variety of critical functions, including IT, line-of-business applications, and more. You understand that third parties create a much more complicated operational and risk picture, but what about fourth and even fifth parties?


Topics: Risk Management

Attending the ProcessUnity Customer Summit in October?

Posted by Michael Duggan on Jun 15, 2017 2:01:00 PM

An Insider’s Guide to Boston – where to stay, what to do, and how to prepare for the customer summit.

Summer may be in full swing, but we’re looking forward to a beautiful New England fall and the upcoming 2017 ProcessUnity Customer Summit in Boston on October 24 and 25. Now, before the whirlwind of travel and a busy summit schedule, is the time to plan some time to enjoy historic and lively Boston. We believe life should be a healthy balance between work and leisure, and in that spirit we offer some insider Boston intel along with our time-tested strategies for making the most of your valuable time and energy.


Topics: Events & Conferences

Credit Unions - Working Together to Reduce Risk and Save Money

Posted by Michael Duggan on May 25, 2017 11:42:00 AM

If you are a credit union, we don’t have to tell you about the burden of governance, risk, and regulatory compliance (GRC). The recent Regulatory Burden Financial Impact Study from the Credit Union National Association (CUNA) and Cornerstone Advisors confirms it. In 2014, GRC cost credit unions a whopping $7.2 billion, including $6.1 billion in actual costs and $1.1 billion in lost revenue. Because credit unions are member-centered institutions, everyone loses through increased costs and reduced benefits. In fact, CUNA reports that since 2008 credit unions have endured more than 190 separate regulatory changes from nearly three dozen government agencies. Is it any wonder compliance costs currently make up almost 20% of total operating expenses and a full 40% of staff expenses? The result, according to the CUNA article, is a shrinking pool of credit unions, with numbers down 40% in the past 10 years due to factors such as mergers and reduced applications.


Topics: Credit Unions

What Banks and Credit Unions Need to Know Before Upgrading to Archer 6

Posted by Michael Duggan on May 10, 2017 12:05:00 PM

RSA Archer® ends support for all 5.x versions in just over seven months. If you are a bank or credit union upgrading from RSA Archer® 5.x to RSA Archer® 6, there are a few key considerations you may not even be aware of that can spell the difference between a successful migration with seamless operation and a risk management program that goes off the rails. Under today’s ever-increasing regulatory and risk management pressures on financial institutions, any downtime, loss of data, or gap in your risk management program unnecessarily exposes your institution to inefficiency and liability.


Topics: RSA Archer

Evaluating Governance, Risk, and Compliance (GRC) for Protected Health Information

Posted by Michael Duggan on May 2, 2017 11:44:52 AM

How Do Your Risk & Compliance Programs Stack Up?

Do you know where your healthcare organization stands when it comes to evaluating and managing your Governance, Risk, and Compliance (GRC) for Protected Health Information (PHI)?


Topics: GRC, healthcare

The Great New England Credit Union Show Was Truly Great

Posted by Michael Duggan on May 1, 2017 10:39:07 PM

We’ve come back energized from spending time with our New England credit union community. Something unique to this area is its strong heritage of industry and entrepreneurship, which is still very evident today. We were impressed by the dozens of senior bank officers we spoke with, and we welcomed the opportunity to learn about their specific risk management challenges and gaps and to share our insights and expertise. This is why we love what we do.


Topics: Events & Conferences

Maximize Your Time at the Great New England Credit Union Show

Posted by Michael Duggan on Apr 19, 2017 5:06:46 PM

We're looking forward to sponsoring and attending the 2017 Great New England Credit Union Show on April 27th. The event is just a week away, and most attendees have made their travel plans, stocked up on business cards, chosen the breakout sessions they'd like to attend, and made plans to meet up with colleagues. Meanwhile, exhibitors and sponsors are working on last-minute updates to their marketing materials and planning a strategy for connecting with prospective clients during and after the event. Whichever of these groups you belong to, you may be wondering whether this event is worth the time you'll spend out of the office. After all, that to-do list will still be there when you return.

To help you maximize your time at GNECUS, we've updated our strategies for getting the most out of your experience and investment.


Topics: Events & Conferences

Evaluating Your GRC Capability

Posted by Michael Duggan on Apr 17, 2017 4:28:55 PM

In risk management, sometimes you need to step back and evaluate the organizational landscape. You do this to understand what changes have taken place that either improved capability and capacity or diminished overall effectiveness. Engaging in this exercise provides a fresh perspective and the opportunity to see where gaps exist, allowing you to prioritize the activities going forward that will remediate the observed shortfalls. So why don’t more risk professionals do this? Well, we could make a long list of reasons, all of them legitimate, but it would probably come across as cynical and unhelpful.


Topics: GRC