The acquisition of a Risk Management Information System (RMIS) is a project that presents serious long-term implications for your organization. Here are some of the risks, along with proven ways to improve your satisfaction with your new RMIS, regardless of which vendor you select:
Security is a huge factor in this industry for many reasons, but notably because your RMIS will store personally identifiable information.
THE RISK
No matter how much money, resources and expertise an IT team or organization dedicates to security, there is still the possibility of a breach.
MITIGATION
- Make sure the vendor you select has written, current SOC2-II security audits of their data center. If the vendor cannot produce an independent, certified SOC2-II audit that is current and comprehensive of all data center operations (whether that be a cloud platform or a home-grown data center) then move on immediately. By the way, most vendors have this… they shouldn’t be in business if they do not!
- In addition, it is imperative that the RMIS provider has a SOC2 Type II audit of every aspect of their infrastructure and processes (not just an SSAE16/SOC1). This includes everything – not just their cloud provider or data center, but also their own brick and mortar infrastructure, their office security, their processes and procedures surrounding client data, laptops, mobile devices, document disposal, entry and exit into the work space, flash drives and more. You should expect the vendor you select to invest time and significant money in full security audits at least once a year – including the homes of any home-based employees. Note: It’s not easy auditing people working out of their kitchen with a lightly secured home wireless router. Some RMIS vendors cut cost by allowing the majority of their employees to work out of their house. This sounds cool and results in a cheap system, but it is a potential data security disaster.
At some point in this industry, there will likely be a data breach. Turn on the news every day and you will see why I say that. If your data is affected by a breach and you do not have the appropriate audits in hand, you will most likely be asked the question: “Why did you put our confidential data in an unaudited environment?” In the U.S., a vast majority of the states require a class action plaintiff to prove negligence before the owner of the data is liable. As a part of the risk management team for your organization, you must assess and manage this risk. You will want to have confidence and be able to defend your decision to select a vendor that is fully audited versus one that has either failed audits or never invested at this level. Oh… and do not be fooled by things like “HIPAA Compliance” or “EU Safe Harbor Compliance”, etc. These are often self-audits and can mean very little.