Skip to Main Content

insightsarticles

Artificial intelligence (AI) trends, potential, and considerations for healthcare organizations

11.28.23

Read this if you are in healthcare and interested in AI.

AI in healthcare is here. While it’s the early days and there is a lot still to figure out in terms of accuracy and risk, it’s undeniable that AI has huge potential in solving some of healthcare’s greatest challenges. 

AI to help alleviate staffing shortages

A February 2023 report to the US Senate drafted by the American Hospital Association painted a startling, though not new, picture of the healthcare staffing shortage: “The result of mounting pressures on the healthcare workforce has created a historic workforce crisis complete with real-time, short-term staffing shortages and a daunting long-range picture of an unfulfilled talent pipeline.” While this report focused on providers such as physicians and nurses, hospitals nationwide are struggling with filling positions across the board. There are just not enough people to fill the need—now and for the foreseeable future. 

AI has the potential to address this critical staffing shortage in a number of ways. The area where most people think of AI efficiencies is in administrative tasks. These, as anyone in healthcare knows, abound in the daily work. Reducing the administrative burden on clinicians means more time with patients, and more patients that can be seen. In this scenario, it’s also possible that this reduced administrative workload will reduce burnout, improve the clinician experience, potentially keep more clinicians in the field—and encourage more to join. This, in turn, can reduce recruiting and retention costs and costs associated with outsourced and travel staff. 

It has been shown that nurses can spend up to 35% of their time on data entry, documentation, and charting. Generative AI can assist in these tasks, freeing up nurses for direct patient care. 

Risks to consider: The biggest risk here is the protection of personal health information (PHI). Safeguards need to be in place to remain Health Insurance Portability and Accountability Act (HIPAA) compliant. Common AI platforms are often hosted by third-parties, or are open-source systems that require proper due diligence to help ensure that any PHI in AI systems is secured. Often, medical billing systems contain PHI that is overlooked as a risk for HIPAA compliance, but can easily result in large scale breaches. Using AI to help with such administrative tasks will save time, making sure that the correct IT controls are put in place and are frequently evaluated for operating effectiveness. 

AI to improve patient experience and outcomes

An added benefit of using AI for administrative tasks and reducing the workload on providers is that patients will have better experiences when providers have better experiences. Patients will, theoretically, have more time with their providers and more focused attention. Another way AI can help with patient experiences and outcomes is through AI diagnostic and image-interpreting tools.

With AI’s ability to sift through and analyze huge amounts of data, it can assist doctors in diagnosing patients and even predict what illnesses a patient is likely to develop—in some cases, with life-saving results. A March 2023 article in the Wall Street Journal reported that AI was able to diagnose sepsis in hospitalized patients two hours earlier on average than humans, which reduced the sepsis mortality rate by 18%.

AI is also proving to be adept at analyzing images. Using Natural Language Processing (NLP), AI can provide high-quality analysis of X-rays and MRIs, leading to precise early diagnoses. GE Healthcare reported a 30% increase in speed and enhanced image quality using this technology.

Risks to consider: As with any technology, results depend on the quality and quantity of data that is being analyzed. Patients may also feel uncomfortable being diagnosed by AI. Any diagnosis should be verified by a human and any technology should be thoroughly vetted and tested prior to use. There is a particular risk when using AI in emergency room situations, where the treating physicians may not have the patient's full medical history for backend algorithms to consider. This could result in a misdiagnosis. However, in a clinical setting, the results of AI diagnosis tools are close to the accuracy rate of a doctor (about 90%). The biggest challenge to the medical profession will be getting patients to trust the use of AI. In a study by Harvard Business Review, surveys showed that patients felt their medical conditions were unique and overwhelmingly preferred meeting with a doctor versus being diagnosed by AI.

AI and revenue cycle optimization

At BerryDunn’s Hospital Summit in October, audience members were asked where they saw AI having the greatest impact in the next five to 10 years. The top answer, with 35% of votes, was in the revenue cycle area. According to a recent article published by the Healthcare Financial Management Association, there is the potential for $9.8 billion in savings by automating revenue cycle functions. Many organizations are already using Robotic Process Automation (RPA) to aid in their revenue cycle functions. Many are now adding predictive analytics and automation using AI. 

AI tools can help revenue cycle operations in a number of ways. One example is using AI to prompt providers on when and how best to document. It can also be used in medical coding to suggest appropriate codes based on relevant clinical data. One hospital reports that they’ve saved over $1 million using AI in their revenue cycle

Risks to consider: As with most AI tools, the biggest risks are related to data privacy, security concerns, and concern about the accuracy of data. Like any investment an organization makes in technology, new systems need to be fully vetted and tested, and organizations must follow proper change management practices so that the new technology is properly designed and implemented. Rushing to implement AI may result in incorrect outputs and increase the organization’s risk exposure. 

The healthcare industry is already a front-runner in using AI and there’s an exciting future ahead. Risk management is key to launching any new technology and particularly AI. Organizations should prioritize the following: Inventorying all uses of AI at the organization, having clear policies and procedures in place, and doubling down on compliance.

If you have any questions about AI or your specific situation, please don’t hesitate to reach out to the BerryDunn team. We are here to help.

Related Professionals

Principals

  • Chris Mouradian
    Principal
    Healthcare, Not-for-Profit
    T 207.541.2274
  • Kathy Parker
    Principal
    Family Office, Real Estate, Renewable Energy, Technology
    T 857.255.2035
  • Emily Parker
    Principal
    Education, Healthcare, Not-for-profit
    T 207.991.5182

BerryDunn experts and consultants

As the technology we use for work and at home becomes increasingly intertwined, security issues that affect one also affect the other and we must address security risks at both levels.

This year’s top security risks are the first in our series that are both prevalent to us as consumers of technology and to us as business owners and security administrators. Our homes and offices connect to devices, referred to the Internet of Things (IoT), that make our lives and jobs easier and more efficient, but securing those devices from outside access is becoming paramount to IT security.

Many of this year’s risks focus on deception. Through deception, hackers can get information and access to systems, which can harm our wallets and our businesses.

In our 2017 Top 10 IT Security Risks e-book we share with you how to understand these emerging risks, the consequences and impacts these risks may have on your business, and approaches to help mitigate the risks and their impact. Some of the key ways to address these risks are:           

  1. Do your homework — change your default passwords (the one that came with your wireless router, for instance), and also make sure that your Amazon Alexa, Google Home, or other smart devices have complex passwords. In addition, turning off devices when they are not in use, or when you are gone, helps secure your home.
  1. If you work from home, or have employees who do, set up and use secure connections with dual authentication methods to help protect your networks. Remote employees should be required to use the same security measures as on-site employees.
  1. Protect your smartphone at work and at play—smartphones have become one of our most important possessions, and we use the same device for both work and personal applications, yet we don’t protect them as well we should. Password protection is step one. Consider uploading new antivirus software to corporate smartphones and using container apps for corporate emails and documents. These apps allow users to securely connect to a company’s server and reduce the possible exposure of data.
  1. Train, inform, repeat. Create a vigilant workforce—through continuous and consistent training and information sharing, you can reduce the occurrence of phishing, hacking and other attacks against your systems.
  1. Conduct IT security risk assessments annually to help you identify gaps, fix them, and prepare for any incidents that may occur.
  1. Monitor and protect your reputation through tools to identify news on your company and understand the sources of the information.

Our 2017 Top 10 IT Security Risks takes a deeper look at the IoT and other risk issues that pose a threat this year, and what you can do to minimize your own and your organization’s IT security risks.

Article
The 2017 top IT security risks: Everything is connected

During my lunch in sunny Florida while traveling for business, enjoying a nice reprieve from another cold Maine winter, I checked my social media account. I noticed several postings about people having nothing to do at work because their company’s systems were down, the result of a major outage at one of three Amazon Web Services (AWS)’ Data Centers and web hosting operations. Company sites were down directly or indirectly through a software as a service (SaaS) provider hosted at the AWS data center.

The crash lasted for four hours and affected hundreds of thousands sites, including Airbnb, Expedia, Netflix, Quora, Slack, and others. The impact of such crashes can be devastating to organizations that rely on their website for revenue, such as online retailers and users of SaaS providers that may rely on a hosted system to conduct day-to-day business.

We advise our clients who consider hosting services in the cloud to weigh the option seriously and understand potential challenges in doing so. Here are some steps you can take to prevent future outages and loss of valuable uptime:

  1. Know the risks and weigh them against the benefits.  Ask questions about the system you are thinking of having hosted. Is the system critical to business? Without the system, do you lose revenue and productivity? Is the company providing the SaaS service hosting their own systems, or are they hosted at a data center like AWS? Does the SaaS provider have failover sites at other, separate data centers that are geographically distant from another?
  2. Have a backup plan. If your business conducts e-commerce or needs SaaS service to function, consider hosting your web servers and other data at two different providers. Though costly, the downtime impact is highly reduced.
  3. Consider hosting yourself. In some cases, we advise against relying on a third-party hosted data center. We do this when the criticality of the function is so high that having your own full-time dedicated support personnel, with multiple internet service providers available, allows you to address outages in-house and reduce the risk of outages.
  4. Have a service level agreement. Having a service level agreement with the hosted third party establishes expectations for uptime and downtime. In many instances where uptime is critical, you may consider incorporating liquidated damage clauses (fines and penalties) for downtime. Often when revenue is involved, the hosted party will take deeper measures to ensure uptime.

These types of outages are rare, but significant and while most organizations should not be scrambling to host their own systems and cancel all hosted agreements, it’s a good idea to take a hard look at your cyber security and IT risk management plan. Then, like me, when the clouds clear and you are in warm and sunny Florida, you can take a long lunch and enjoy the day.

Article
When the skies clear: Web-hosting outage hits Amazon data centers

Do you know what would happen to your company if your CEO suddenly had to resign immediately for personal reasons? Or got seriously ill? Or worse, died? These scenarios, while rare, do happen, and many companies are not prepared. In fact, 45% of US companies do not have a contingency plan for CEO succession, according to a 2020 Harvard Business Review study.  

Do you have a plan for CEO succession? As a business owner, you may have an exit strategy in place for your company, but do you have a plan to bridge the leadership gap for you and each member of your leadership team? Does the plan include the kind of crises listed above? What would you do if your next-in-line left suddenly? 

Whether yours is a family-owned business, a company of equity partners, or a private company with a governing body, here are things to consider when you’re faced with a situation where your CEO has abruptly departed or has decided to step down.  

1. Get a plan in place. First, assess the situation and figure out your priorities. If there is already a plan for these types of circumstances, evaluate how much of it is applicable to this particular circumstance. For example, if the plan is for the stepping down or announced retirement of your CEO, but some other catastrophic event occurs, you may need to adjust key components and focus on immediate messaging rather than future positioning. If there is no plan, assign a small team to create one immediately. 

Make sure management, team leaders, and employees are aware and informed of your progress; this will help keep you organized and streamline communications. Management needs to take the lead and select a point person to document the process. Management also needs to take the lead in demeanor. Model your actions so employees can see the situation is being handled with care. Once a strategy is identified based on your priorities, draft a plan that includes what happens now, in the immediate future, and beyond. Include timetables so people know when decisions will be made.  

2. Communicate clearly, and often. In times of uncertainty, your employees will need as much specific information as you can give them. Knowing when they will hear from you, even if it is “we have nothing new to report” builds trust and keeps them vested and involved. By letting them know what your plan is, when they’ll receive another update, what to tell clients, and even what specifics you can give them (e.g., who will take over which CEO responsibility and for how long), you make them feel that they are important stakeholders, and not just bystanders. Stakeholders are more likely to be strong supporters during and after any transition that needs to take place. 

3. Pull in professional help. Depending on your resources, we recommend bringing in a professional to help you handle the situation at hand. At the very least, call in an objective opinion. You’ll need someone who can help you make decisions when emotions are running high. Bringing someone on board that can help you decipher what you have to work with and what your legal and other obligations may be, help rally your team, deal with the media, and manage emotions can be invaluable during a challenging time. Even if it’s temporary. 

4. Develop a timeline. Figure out how much time you have for the transition. For example, if your CEO is ill and will be stepping down in six months, you have time to update any existing exit strategy or succession plan you have in place. Things to include in the timeline: 

  • Who is taking over what responsibilities? 
  • How and what will be communicated to your company and stakeholders? 
  • How and what will be communicated to the market? 
  • How will you bring in the CEO's replacement, while helping the current CEO transition out of the organization? 

If you are in a crisis situation (e.g., your CEO has been suddenly forced out or asked to leave without a public explanation), you won’t have the luxury of time.  

Find out what other arrangements have been made in the past and update them as needed. Work with your PR firm to help with your change management and do the right things for all involved to salvage the company’s reputation. When handled correctly, crises don’t have to have a lasting negative impact on your business.   

5. Manage change effectively. When you’re under the gun to quickly make significant changes at the top, you need to understand how the changes may affect various parts of your company. While instinct may tell you to focus externally, don’t neglect your employees. Be as transparent as you possibly can be, present an action plan, ask for support, and get them involved in keeping the environment positive. Whether you bring in professionals or not, make sure you allow for questions, feedback, and even discord if challenging information is being revealed.  

6. Handle the media. Crisis rule #1 is making it clear who can, and who cannot, speak to the media. Assign a point person for all external inquiries and instruct employees to refer all reporter requests for comment to that point person. You absolutely do not want employees leaking sensitive information to the media. 
 
With your employees on board with the change management action plan, you can now focus on external communications and how you will present what is happening to the media. This is not completely under your control. Technology and social media changed the game in terms of speed and access to information to the public and transparency when it comes to corporate leadership. Present a message to the media quickly that coincides with your values as a company. If you are dealing with a scandal where public trust is involved and your CEO is stepping down, handling this effectively will take tact and most likely a team of professionals to help. 

Exit strategies are planning tools. Uncontrollable events occur and we don’t always get to follow our plan as we would have liked. Your organization can still be prepared and know what to do in an emergency situation or sudden crisis.  Executives move out of their roles every day, but how companies respond to these changes is reflective of the strategy in place to handle unexpected situations. Be as prepared as possible. Own your challenges. Stay accountable. 

BerryDunn can help whether you need extra assistance in your office during peak times or interim leadership support during periods of transition. We offer the expertise of a fully staffed accounting department for short-term assignments or long-term engagements―so you can focus on your business. Meet our interim assistance experts.

Article
Crisis averted: Why you need a CEO succession plan today

Read this if your CFO has recently departed, or if you're looking for a replacement.

With the post-Covid labor shortage, “the Great Resignation,” an aging workforce, and ongoing staffing concerns, almost every industry is facing challenges in hiring talented staff. To address these challenges, many organizations are hiring temporary or interim help—even for C-suite positions such as Chief Financial Officers (CFOs).

You may be thinking, “The CFO is a key business partner in advising and collaborating with the CEO and developing a long-term strategy for the organization; why would I hire a contractor to fill this most-important role?” Hiring an interim CFO may be a good option to consider in certain circumstances. Here are three situations where temporary help might be the best solution for your organization.

Your organization has grown

If your company has grown since you created your finance department, or your controller isn’t ready or suited for a promotion, bringing on an interim CFO can be a natural next step in your company’s evolution, without having to make a long-term commitment. It can allow you to take the time and fully understand what you need from the role — and what kind of person is the best fit for your company’s future.

BerryDunn's Kathy Parker, leader of the Boston-based Outsourced Accounting group, has worked with many companies to help them through periods of transition. "As companies grow, many need team members at various skill levels, which requires more money to pay for multiple full-time roles," she shared. "Obtaining interim CFO services allows a company to access different skill levels while paying a fraction of the cost. As the company grows, they can always scale its resources; the beauty of this model is the flexibility."

If your company is looking for greater financial skill or advice to expand into a new market, or turn around an underperforming division, you may want to bring on an outsourced CFO with a specific set of objectives and timeline in mind. You can bring someone on board to develop growth strategies, make course corrections, bring in new financing, and update operational processes, without necessarily needing to keep those skills in the organization once they finish their assignment. Your company benefits from this very specific skill set without the expense of having a talented but expensive resource on your permanent payroll.

Your CFO has resigned

The best-laid succession plans often go astray. If that’s the case when your CFO departs, your organization may need to outsource the CFO function to fill the gap. When your company loses the leader of company-wide financial functions, you may need to find someone who can come in with those skills and get right to work. While they may need guidance and support on specifics to your company, they should be able to adapt quickly and keep financial operations running smoothly. Articulating short-term goals and setting deadlines for naming a new CFO can help lay the foundation for a successful engagement.

You don’t have the budget for a full-time CFO

If your company is the right size to have a part-time CFO, outsourcing CFO functions can be less expensive than bringing on a full-time in-house CFO. Depending on your operational and financial rhythms, you may need the CFO role full-time in parts of the year, and not in others. Initially, an interim CFO can bring a new perspective from a professional who is coming in with fresh eyes and experience outside of your company.

After the immediate need or initial crisis passes, you can review your options. Once the temporary CFO’s agreement expires, you can bring someone new in depending on your needs, or keep the contract CFO in place by extending their assignment.

Considerations for hiring an interim CFO

Making the decision between hiring someone full-time or bringing in temporary contract help can be difficult. Although it oversimplifies the decision a bit, a good rule of thumb is: the more strategic the role will be, the more important it is that you have a long-term person in the job. CFOs can have a wide range of duties, including, but not limited to:

  • Financial risk management, including planning and record-keeping
  • Management of compliance and regulatory requirements
  • Creating and monitoring reliable control systems
  • Debt and equity financing
  • Financial reporting to the Board of Directors

If the focus is primarily overseeing the financial functions of the organization and/or developing a skilled finance department, you can rely — at least initially — on a CFO for hire.

Regardless of what you choose to do, your decision will have an impact on the financial health of your organization — from avoiding finance department dissatisfaction or turnover to capitalizing on new market opportunities. Getting outside advice or a more objective view may be an important part of making the right choice for your company.

BerryDunn can help whether you need extra assistance in your office during peak times or interim leadership support during periods of transition. We offer the expertise of a fully staffed accounting department for short-term assignments or long-term engagements―so you can focus on your business. Meet our interim assistance experts.

Article
Three reasons to consider hiring an interim CFO

Read this if your company is considering outsourced information technology services.

For management, it’s the perennial question: Keep things in-house or outsource?

For management, it’s the perennial question: Keep things in-house or outsource? Most companies or organizations have outsourcing opportunities, from revenue cycle to payment processing to IT security. When deciding whether to outsource, you weigh the trade-offs and benefits by considering variables such as cost, internal expertise, cross coverage, and organizational risk.

In IT services, outsourcing may win out as technology becomes more complex. Maintaining expertise and depth for all the IT components in an environment can be resource-intensive.

Outsourced solutions allow IT teams to shift some of their focus from maintaining infrastructure to getting more value out of existing systems, increasing data analytics, and better linking technology to business objectives. The same can be applied to revenue cycle outsourcing, shifting the focus from getting clean bills out and cash coming in, to looking at the financial health of the organization, analyzing service lines, patient experience, or advancing projects.  

Once you’ve decided, there’s another question you need to ask
Lost sometimes in the discussion of whether to use outsourced services is how. Even after you’ve done your due diligence and chosen a great vendor, you need to stay involved. It can be easy to think, “Vendor XYZ is monitoring our servers or our days in AR, so we should be all set. I can stop worrying at night about our system reliability or our cash flow.” Not true.

You may be outsourcing a component of your technology environment or collections, but you are not outsourcing the accountability for it—from an internal administrative standpoint or (in many cases) from a legal standpoint.

Beware of a false state of confidence
No matter how clear the expectations and rules of engagement with your vendor at the onset of a partnership, circumstances can change—regulatory updates, technology advancements, and old-fashioned vendor neglect. In hiring the vendor, you are accountable for oversight of the partnership. Be actively engaged in the ongoing execution of the services. Also, periodically revisit the contract, make sure the vendor is following all terms, and confirm (with an outside audit, when appropriate) that you are getting the services you need.

Take, for example, server monitoring, which applies to every organization or company, large or small, with data on a server. When a managed service vendor wants to contract with you to provide monitoring services, the vendor’s salesperson will likely assure you that you need not worry about the stability of your server infrastructure, that the monitoring will catch issues before they occur, and that any issues that do arise will be resolved before the end user is impacted. Ideally, this is true, but you need to confirm.

Here’s how to stay involved with your vendor
Ask lots of questions. There’s never a question too small. Here are samples of how precisely you should drill down:

  • What metrics will be monitored, specifically?
  • Why do the metrics being monitored matter to our own business objectives?
  • What thresholds must be met to notify us or produce an alert?
  • What does exceeding a threshold mean to our business?
  • Who on our team will be notified if an alert is warranted?
  • What corrective action will be taken?

Ask uncomfortable questions
Being willing to ask challenging questions of your vendors, even when you are not an expert, is critical. You may feel uncomfortable but asking vendors to explain something to you in terms you understand is very reasonable. They’re the experts; you’re not expected to already understand every detail or you wouldn’t have needed to hire them. It’s their job to explain it to you. Without asking these questions, you may end up with a fairly generic solution that does produce a service or monitor something, but not necessarily all the things you need.

Ask obvious questions
You don’t want anything to slip by simply because you or the vendor took it for granted. It is common to assume that more is being done by a vendor than actually is. By asking even obvious questions, you can avoid this trap. All too often we conduct an IT assessment and are told that a vendor is providing a service, only to discover that the tasks are not happening as expected.

You are accountable for your whole team—in-house and outsourced members
An outsourced solution is an extension of your team. Taking an active and engaged role in an outsourcing partnership remains consistent with your management responsibilities. At the end of the day, management is responsible for achieving business objectives and mission. Regularly check in to make sure that the vendor stays focused on that same mission.

Article
Oxymoron of the month: Outsourced accountability

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

  1. People: Create and maintain a vigilant workforce
    Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appear to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”
     

    According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

    Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.

    So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.
  1. Plan: Implement a disaster recovery and incident response plan 
    Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand – and harder for leadership – to assist with.

    It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
     
    1. How will we communicate internally with our staff about the incident?
    2. How will we communicate with our clients? Our patients? Our community?
    3. When should we call our insurance company? Our attorney?
    4. Is reception prepared to describe what is going on if someone visits our office?
    5. Do we have the technical expertise to diagnose the issue?
    6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
    7. When the press gets wind of the situation, who will communicate with them and what will we share?
    8. If our telephone system and network is taken offline, how we will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

  1. Practice: Prepare your team with table top exercises  
    Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.

    A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.

    Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember focus on your People, Your Plan, and Your Practice.

Article
The three P's of improving your company's cybersecurity soft skills

When last we blogged about the Financial Accounting Standards Board’s (FASB) new “current expected credit losses” (CECL) model for estimating an allowance for loan and lease losses (ALLL), we reviewed the process for developing reasonable and supportable forecasts for use in establishing the ALLL. Once you develop those forecasts, how does that information translate into amounts to set aside for loan losses?

A portion of the ALLL will continue to be based on specifically identified loans you’re concerned about. For those loans, you will continue to establish a specific component of the ALLL based on your estimate of the loss ultimately expected on the loans.

The tricky part, of course, is estimating an ALLL for the other 99% of the loan portfolio. This is where the forecasts come in. The new rules do not prescribe a particular methodology, and banking regulators have indicated community banks will likely be able to continue with their current approach, adjusted to use appropriate inputs in a manner that complies with the CECL model. One of the biggest challenges is the expectation in CECL that the ALLL will be estimated using the institution’s historical information, to the extent available and relevant.

Following is just one of many ways  you can approach it. I’ve also included a link at the end of this article to an example illustrating this approach.

Step One: Historical Loss Factors

  1. First, for a given subset of the loan portfolio (e.g., the residential loan pool), you might first break down the portfolio by the number of years remaining until expected payoff (via maturity or refinancing). This is important because, on average, a loan with seven years remaining until expected payoff will have a higher level of remaining lifetime losses than a loan with one year remaining. It therefore generally wouldn’t be appropriate to use the same loss factor for both loans.
     
  2. Next, decide on a set of drivers that tend to correlate with loan losses over time. FASB has indicated it doesn’t expect highly mathematical correlation models will be necessary, especially for community banks. Instead, select factors in your bank’s experience indicative of future losses. These may include:
    • External factors, such as GDP growth, unemployment rates, and housing prices
    • Internal factors such as delinquency rates, classified asset ratios, and the percentage of loans in the portfolio for which certain policy exceptions (e.g., loan-to-value ratio or minimum credit score) were granted
       
  3. Once you select this set of drivers, find an historical loss period — a period of years corresponding to the estimated remaining life of the portfolio in question — where the historical drivers best approximate those you’re expecting in the future, based on your forecasts. For that historical loss period, determine the lifetime remaining loss rates of the loans outstanding at the beginning of that period, broken down by the number of years remaining until payoff. (This may require significant data mining, especially if that historical loss period was quite a few years ago.
     
  4. Apply those loss rates to the breakdown derived in (a) above, by years remaining until maturity.

    Step Two: Adjustments to Historical Loss Rates

    The CECL model requires we adjust historical loss factors for conditions that may not be adequately captured by the historical loss period analysis we’ve just described. Let’s say a particular geographical subset of your market area is significantly affected by the economic fortunes of a large employer in that area.  Based on economic trends or recent developments, you might expect that employer to have a particularly bright – or dim – future over the forecast period; accordingly, you forecast loans to borrowers in that area will have losses that differ significantly from the rest of the portfolio.

    The approach for these loans is the same as in the previous step. However:

    These loans would be segregated from the remainder of the portfolio, which would be subject to the general approach in step one. As you think through this approach, there are myriad variations and many decisions to make, such as:

    Our intent in describing this methodology is to help your CECL implementation team start the dialogue in terms of converting theoretical concepts in the CECL model to actual loans and historical experience.

    To facilitate that discussion, we’ve included a very simple example here that illustrates the steps described above. Analyzing an entire loan portfolio under the CECL model is an exponentially more complex process, but the concepts are the same — forecasting future conditions, and establishing an ALLL based on the bank’s (or, when necessary, peers’) lifetime loan loss experience under similar historical conditions.

    Given the amount of number crunching and analysis necessary, and the potentially significant increase in the ALLL that may result from a lifetime-of-loan loss model, it’s safe to say the time to start is now! If you have any questions about CECL implementation, please contact Tracy Harding or Rob Smalley.

    Other resources
    For more information on CECL, check out our other blogs:

    CECL: Where to Start
    CECL: Bank and Branch Acquisitions
    CECL: Reasonable and Supportable

    To sign up to receive notification of our next CECL update, click here.

    • In substep (c), you would focus on forecasted conditions (such as unemployment rate and changes in real estate values) in the geographical area in which the significant employer is located.
    • You would then select an historical loss period that had actual conditions for that area that best correspond to those you’ve just forecasted.
    • In substep (d), you would determine the lifetime remaining loss rates of loans outstanding at the beginning of that period.
    • In substep (e), you would apply those rates to loans in that geographic area.
    • How to break down the portfolio
    • Which conditions to analyze
    • How to analyze the conditions for correlation with historical loss periods
    • Which resulting loss factors to apply to which loans
Article
CECL implementation: So, you've developed reasonable and supportable forecasts — now what?