Not dealing with risk in the healthcare industry can have disastrous consequences. General Counsel must make efforts to categorize risk, to develop suitable prevention and response plans, and to find and apply the necessary resources to address risk. This piece will provide guidance on ways to tackle these responsibilities in the era of the modest legal-department budget.
The types of risk that confront companies in the healthcare industry vary in form and severity. Unfortunately, not every risk can be managed completely, putting General Counsel in a bind. Given this reality, senior legal executives in the healthcare world need to categorize risk by priority. High-priority risks are relatively easy to identify, including areas such as False Claims Act and other legal or regulatory violations, cyber risk, and, increasingly, risks arising from mergers and acquisitions. For most legal department leaders, medium-priority risks would include budgetary issues and concerns with outside counsel. Low-priority risks tend to emerge on a case-by-case basis and are hopefully fleeting. Categorizing risk will allow you to understand the forms of risk you face and where you should allocate your resources. It will also help you identify clearer paths for the steps required to protect the business.
Once you understand and categorize the risks you face, the next step is to create risk response plans. This element of your risk-management strategy is critically important. Unfortunately, it can also be the hardest part, considering the varied responses required from one form of risk to another. When dealing with whistleblowers or regulators, the response plan should include a clear mechanism to evaluate the pros and cons of particular levels of defense, communication plans, and corrective strategies to ensure the risk does not arise again.
For cyber risk, dedicate specific resources to ensure that key information is protected and work collaboratively with your IT team to ensure a comprehensive and sensible strategy. For information that requires less protection, be mindful of your budget realities in finding a reasonably suitable solution, and document why you are making certain decisions after advocating for what you think is required. Finally, if a cyber attack does occur, use the event to pinpoint weaknesses in the system, and be sure to fix them. In some cases, those exploited weaknesses may highlight many unexploited ones that require quick attention.
Mergers and acquisitions are increasingly common in the healthcare world, and the recent spate of deals has led to increased risk for all parties involved. The best way to manage M&A risk is to plan ahead for integration issues and be sure both parties know what they are getting into through thorough due diligence. The legal departments of acquirors in particular need to be sure that their targets meet all relevant regulatory standards to avoid post-close catastrophes.
For other risks of medium importance, management strategies should be focused less on crisis management and more on prevention of future incidents. Finally, low-priority risk should be given attention on a case-by-case basis with a goal to make sure these small risks do not evolve into medium or high risk.
By creating effective risk-response plans, legal departments will be able to tackle the wide array of risks associated with the healthcare industry. Adequately preparing for and responding to the risks will keep your company safe, which is good for your department, as well as for your career.