ECHO Health Enables Business Growth with NAVEX Vendor Management

About this Case Study

Implementing NAVEX IRM, ECHO launched a comprehensive and holistic governance, risk and compliance program. NAVEX IRM is an “integrated risk management” solution that enables organizations to gain a comprehensive view of their business and operations from a risk perspective. It connects individual risk disciplines and manages them in centralized fashion.

1. Industry:

   Healthcare Services

2. Number of employees:

   135

3. Challenge:

   Managing third-party vendors with rapid organizational growth in a highly regulated environment

4. Solution

   Developing a comprehensive view of business and operational risk, supported by NAVEX IRM

5. NAVEX Product:

   NAVEX IRM

Read the Case Study

Challenge:

As a company operating in highly regulated sectors, Ohio-based ECHO Health, Inc. must ensure its thirdparty vendors satisfy any related requirements. Prior to implementing NAVEX IRM, this meant sending a periodic compliance survey to around 10 vendors. These vendors handled a variety of work for ECHO, such as printing or call center services, which involved the handling of regulated information. Those involved in assessing third-party risk at ECHO would rely on tools like spreadsheets, calendar reminders and emailed forms to track vendor compliance. While the approach was labor intensive, it matched the pace of the business – for a time. To support a recent opportunity for rapid growth, ECHO saw a major increase in the number of third-party vendors necessary for its operations. Each new vendor would provide necessary services to ECHO, but also represented a new need to evaluate risk. The 130-person firm was on the precipice of a major business opportunity. It recognized the growth potential could only be realized with an efficient, scalable strategy to vet and monitor third-party partnerships.

Solution:

Implementing NAVEX IRM, ECHO launched a comprehensive and holistic governance, risk and compliance program. NAVEX IRM is an “integrated risk management” solution that enables organizations to gain a comprehensive view of their business and operations from a risk perspective. It connects individual risk disciplines and manages them in centralized fashion.

Results:

Implementing NAVEX IRM allowed a small team at ECHO to expand the scope of their vendor risk assessments eight-fold, clearing the way for the company’s growth. No longer bound to spreadsheets, calendar reminders and emailed forms, ECHO uses NAVEX IRM as a single portal to efficiently manage and monitor four risk-based tiers of vendor and subject each to differing levels of appropriate scrutiny. For example, in first two tiers, which include vendors handling protected health information, ECHO requires an annual security questionnaire. For the remaining vendors assessed at lower risk, ECHO might choose to require a survey every two years. ECHO previously focused most of its risk-assessment resources on those tier-one vendors handling the most sensitive data, but with NAVEX IRM, that scrutiny broadened.

“NAVEX IRM gives us the opportunity to really take a closer look at these partners and vendors to determine if they are the right fit. It also lets us know if we are we getting out of them what we think we should and if the relationship is where we want it to be.” said Megan Sroka, compliance manager at ECHO.

Recently, in response to national reports of a new cybersecurity risk, NAVEX IRM allowed ECHO to quickly issue a special point-in-time survey to assess the security posture of several key vendors. Compared to the manual processes of the past, the capability reflected how ECHO’s risk assessment capabilities have not only broadened but become more agile as well.

“We were able to quickly draft a five-question assessment and push it out to our tier-one vendors to make sure that they were addressing that risk appropriately. We were getting the same type of questionnaires from our clients, and we wanted to make sure that we were addressing it downstream,” Sroka said.

Using NAVEX IRM, ECHO accomplished the following:

• ECHO designed an integrated risk management architecture as a foundation for third-party risk management in NAVEX IRM.

• Architecture allowed for expansion of vendors under risk management eight-fold

• Risk-based approach allows for contextual and risk-based management of vendors:

  • Internal inherent risk identification process • Policy attestations
  • Annual and bi-annual assessment processes with custom and standardized assessments
  • Automated document and certificate collections
  • Automated scoring and finding management linked to controls provides risk insights and status

• Robust reporting provides executive and board-level reports.

• Program the foundation for efficient and effective risk management throughout ECHO.

• Established proactive risk management process that better manages risk, frees up time for other activities, and provides better analysis of vendor fit and the overall vendor relationship.

About ECHO Health, Inc.

Founded in 1997, ECHO is a payment processor serving industries including the highly regulated sectors of health care and insurance. The company processes more than 175 million transactions annually.

As a payment intermediary, ECHO handles a large amount of sensitive data such as patient health information. Compliance with regulations like the Health Insurance Portability and Accountability Act – HIPAA – is essential to ECHO’s business