Run Away From Old Technology!

The acquisition of a Risk Management Information System (RMIS) is a project that presents serious long-term implications for your organization.  Here are some of the risks, along with proven ways to improve your satisfaction with your new RMIS, regardless of which vendor you select:

THE RISK
This industry has a history of vendors “getting out of the business”, being acquired or being divested.  Historically, vendors have notified clients that they will be dissolving and that the client has a period of time (3-6 months typically) to find another system. No matter the size of the RMIS vendor, the chance of dissolution is a risk that must be considered and mitigated.

MITIGATION

1. Be certain you understand the stability of your vendor. Do not take this for granted. Conduct due diligence on the financials of the vendor by requesting and reviewing audited financial statements.
2. Take steps that will allow you to continue to run the system in the event of a vendor stoppage. Implement a data back-up strategy that guarantees your access to the back-up data files without a dependence on the vendor.
3. Escrow the software with an independent escrow house and make yourself the beneficiary.
4. If your vendor runs on a commercial cloud environment, get pass through language in your contract guaranteeing  that if your vendor were to dissolve, your system would continue to operate and be available on the cloud platform under the existing terms of your contract.   This will allow you to negotiate directly with the cloud provider to have them continue to run your system beyond the period of the agreement if so desired. Warning: Most legacy vendors are built with custom code.  Without those custom code developers around to maintain the code, those systems will soon cease to operate even if you have agreements with the cloud provider to continue running the system.
5. Make sure you have written clarity around your data.  You own your data.  This should be expressly agreed upon in the contract.  And, should the vendor dissolve, you should have rights to get access to your data immediately, in a readable format, without charge and without obstacles.
6. Additionally, your vendor should provide even further assurances around your data by having near real-time failover replication between two geographically separated data centers.  This gives you additional protection against a system failure, allowing you to completely switch to another node and continue to operate without disruption.

The acquisition of a Risk Management Information System (RMIS) is a project that presents serious long-term implications for your organization.  Here are some of the risks, along with proven ways to improve your satisfaction with your new RMIS, regardless of which vendor you select:

Security is a huge factor in this industry for many reasons, but notably because your RMIS will store personally identifiable information.

THE RISK
No matter how much money, resource and expertise an IT team or organization dedicates to security, there is still the possibility of a breach.

MITIGATION

1. Make sure the vendor you select has written, current SOC2-II security audits of their data center. If the vendor cannot produce an independent, certified SOC2-II audit that is current and comprehensive of all data center operations (whether that be a cloud platform or a home-grown data center) then move on immediately.  By the way, most vendors have this… they shouldn’t be in business if they do not!
2. In addition, it is imperative that the RMIS provider has a SOC2 Type II audit of every aspect of their infrastructure and processes (not just an SSAE16/SOC1). This includes everything – not just their cloud provider or data center, but should include their own brick and mortar infrastructure, their office security, their processes and procedures surrounding client data, laptops, mobile devices, document disposal, entry and exit into the work space, flash drives and more.  You should expect the vendor you select to invest time and significant money in full security audits at least once a year – including the homes of any home-based employees.  Note: It’s not easy auditing people working out of their kitchen with a lightly secured home wireless router. Some RMIS vendors cut cost by allowing the majority of their employees to work out of their house.  This sounds cool and results in a cheap system, but it is a potential data security disastor.

At some point in this industry, there will likely be a data breach.  Turn on the news every day and you will see why I say that.  If your data is affected by a breach and you do not have the appropriate audits in hand, you will most likely be asked the question:  “Why did you put our confidential data in an unaudited environment?”  In the U.S., a vast majority of the states require a class action plaintiff to prove negligence before the owner of the data is liable.  As a part of the risk management team for your organization, you must assess and mange this risk.  You will want to have confidence and be able to defend your decision to select a vendor that is fully audited versus one that has either failed audits or never invested at this level.  Oh… and do not be fooled by things like “HIPAA Compliance” or “EU Safe Harbor Compliance”, etc. These are often self-audits and can mean very little.

The acquisition of a Risk Management Information System (RMIS) is a project that presents serious long-term implications for your organization.  Here are some of the risks along with proven ways to improve your satisfaction with your new RMIS, regardless of which vendor you select:

THE RISK – Managing Your Implementation.

Many organizations in this industry have been burned by poor or completely failed implementations.  While a certain amount of hesitation is expected, it is entirely possible to manage the implementation stage to meet scope, timeline, and budget. Will your organization experience a failed implementation that must be aborted?

MITIGATION

1. Avoid making assumptions. For example, a client asks the vendor if they can do web-based intake.  The client assumes all state reporting and EDI is included in the intake, and the vendor assumes the client is just asking if they can do web-based intake. Each process should be discovered and documented as a part of the Statement of Work (SOW), including very clear deliverables.
2. Never depend on a timeframe estimate from sales.  Insist on hearing it directly from the person in the vendor organization that is responsible for actually delivering the Implementation. (and make sure sales isn’t in the room glaring at the promiser)
3. Make resources available to properly scope the project.  Revisit scope and budget during contract negotiations to remind the vendor they are about to sign their name to a legal document that contains cost and timeframes.
4. Facilitate the transfer of your data from any third parties (TPA, broker, etc.) to the vendor.  Data problems, including very late arriving data or poorly formatted data arriving with errors, can severely set back an implementation plan. If possible, find out from your data sources what they can deliver, when and for how much before you sign a statement of work. (The data providers OFTEN charge to produce the data files – this is not typically covered in the RMIS vendor’s quote)
5. Be patient with the different teams the vendor will bring in to help with your implementation (sales in the beginning, then security, then data converters, then technicians, etc).  You may have to repeat some of the discovery for these teams, but recognize that the process helps validate your needs, scope and the overall design of the project.
6. Discuss with your vendor your own resource requirements and the amount of time that will be required at different phases of the implementation.  Ensure those resources are available as needed.
7. Apply project management skills to your implementation to avoid negative consequences caused by undefined or changing scope, and keep the lines of communication open between your team and your vendor.
8. If you do bring in an outside consultant to help manage the project, instruct your consultant that their job is to facilitate communication BOTH ways – not just beat up the vendor.  I’ve seen many clients get frustrated because “it seems so simple” to them despite their lack of any experience in this technical area.    They need an objective third party to give them some hard truth from time to time.

The acquisition of a Risk Management Information System (RMIS) is a project that presents serious long-term implications for your organization.  Here are some of the risks along with proven ways to improve your satisfaction with your new RMIS, regardless of which vendor you select:

THE RISK – Selecting the Correct System for Your Organization.

There are approximately 12 vendors in the market today who purport to have a broad-based RMIS.  How do you select the right system for your organization? The key risk is that you end up with a legacy system, or with a RMIS that will soon become a legacy system.

MITIGATION

Due diligence is critical.  Don’t wait for a list of hand-picked references from the vendors.  Begin conversations with your peers early in the process.

1. Ask your peers detailed questions about their experiences including their implementation(s), scope of their project(s), support teams, day-to-day processes within their system(s), ability to do new things or ability to use the system to help with team goals and organizational vision, ongoing costs or additional costs for upgrades, new features, etc.
2. Compile a list of things you want to accomplish with your new RMIS.  Ask your peers if they can achieve those things with their system.
3. Invite 5 – 6 RMIS vendors to provide an hour and a half web demonstration for a select group of people in your organization. (see http://www.rimsmarketplace.com/sites/Risk+Management/Software for a representative list of potential vendors)  Ask the vendors to concentrate on features that they believe differentiate them from their competitors.
4. Take notes and compile a list of the features you saw that would be beneficial for you and your organization.
5. Using your combined list of features, provide a script of key items you want to see in each vendor’s follow-up demonstration.  Provide the script one week prior to your follow-up demo and invite the three most impressive back for a 2-3 hour demonstration of the the feature and function list you submitted

Provided that your team has time to commit to a full trial evaluation, request a trial from each finalist vendor.  When comparing systems in a trial, dig deep.  Don’t be fooled by systems that seem user friendly because they “lead you by the nose”.  Try to test scenarios that take you off the vendors “path’ and see how user friendly the system is after you are off the beaten trail.  Often the initial reaction is bias’ed by pretty screens and glitz.  Remember, you are going to be using the system as a work platform.  Too much glitz gets really old after awhile.