Corporate Compliance

Tip: Watch for signs that risk analysis could go off course

Compliance Monitor, December 29, 2004

Certain roadblocks can halt your risk analysis and cause a domino effect in your facility. Experienced project managers may already know that the potential for problems exists, and some problems can do more damage than others.

Picture this: At the beginning of the risk analysis, you defined your objectives and made a list of all the activities you needed to perform. But once the risk analysis starts, team members inevitably come up with additional tasks they think will improve the project's results or produce other benefits.

Project managers call these unplanned additions to a project "scope creep." An example of scope creep in a security risk analysis would be finding a potential risk that seems easy to fix and deciding to go ahead and resolve the problem as part of the risk analysis.

You may find a serious problem and decide it needs immediate attention even before you complete the risk analysis. You may discover new sources of electronic PHI (ePHI) that you were not aware of and decide to add them to the project. Team members may discover that potential security controls could also solve other problems and try to get those controls implemented sooner.

Initially, these additions to the project may seem perfectly legitimate. However, you need to analyze each idea to ensure that its benefits outweigh its costs, and that it does not unreasonably distort your budget or schedule.

The worst danger from scope creep is overspending: spending more on the risk analysis than originally budgeted, or failing to take advantage of economies of scale because you implemented controls on an unplanned, piecemeal basis.

To guard against scope creep, establish regular milestones throughout the project. This can help keep team members on track. Request regular status reports on actions and findings. Also make sure that team members specifically call out any exceptions to the original plan. This will get items of potential scope creep onto the table where you can manage them appropriately.

Editor's note: This article was excerpted from the book Complete Guide to HIPAA Security Risk Analysis: A step-by-step approach.
