Amir St. Clair, Advocate Health: Coming to FAIRCON24 to Learn about FAIR, Share Experience Reporting to Boards
Amir St. Clair, Associate Vice President, Enterprise Risk Management for Advocate Health, the third-largest nonprofit integrated health system in the United States, is typical of the quality of attendees you’ll meet at the 2024 FAIR Conference – sharing about their extensive experience leading cyber risk management programs and open-minded about the new approaches pioneered by the FAIR community.
FAIR Conference 2024
Amir will appear on the panel
What Does Effective Cyber Risk Reporting and Board Oversight Look Like?
Wednesday, October 2, 1:45
Fairmont Hotel, Washington, DC
Amir’s general approach to briefing the board assumes he’s dealing with sophisticated players who “bring their own, personal business or professional experience that they have encountered themselves as a leader. They also bring key events happening in the industry or the world that frames their view.
“It is our job to match up with the relevant realities of what's going on in our organization. We're going to do that through data and numbers and metrics to help them understand the breadth and depth of what that risk looks like across the organization.”
Amir’s team currently uses a GRC platform and related tools to identify risk and organize risk management, and “I’m still new to getting to know FAIR and the FAIR Institute. I wanted to attend and speak at FAIRCON to develop and expand my own understanding of the resources and tools available through that networking community.”
Amir identified some of the current issues facing CISOs and enterprise risk managers reporting to boards, particularly in the healthcare industry:
Artificial Intelligence
“The challenge with AI is that space is evolving so much faster than we can assign key risk indicators to understand our vulnerability. The goal must be to create an enterprise risk management program that is adaptable enough to revise itself over time to make sure it captures the risk appropriately but also creates enough guardrails where we understand what’s our risk appetite and risk tolerance with some quantifiable data analytics.”
Third-Party Risk Management
Amir says the Change Healthcare ransomware incident that seriously disrupted the medical payments system raised questions that go beyond healthcare to any large organization.
“First, you need a risk assessment process in place to assess and validate the vendors that you already have.
- Is a continuous monitoring process in place?
- What are the security controls the vendors have in place?
- How many vendors do you need for redundancy?
- Do vendors understand their own vendors?
“Step Two is you need to engage your vendors in your own enterprise risk management process, particularly the ones that have a high financial value or material impact… Enterprise risk needs to be involved in the strategic planning process and third-party vendors are critical to the success of our mission and making sure that there's an ongoing dialogue as you build out strategy, I think is also critical.”
More sessions at the 2024 FAIR Conference:
- Proactive Cyber Risk Management Strategies to Build Resilience in the Healthcare Sector, Tuesday, October 1, 4:00 PM
- Workshop: Mastering AI Governance and Risk Management Monday, September 30, 1:00 PM
- Beyond Boundaries - Orchestrating Cyber Resilience Across First and Third Party Risk, Tuesday, 2:45 PM
See the FAIRCON 2024 Agenda Here
See a video introduction to the FAIR Conference