Suppose a health-care facility is in need of additional resources, either video surveillance, updated access controls or even advice regarding its overall security program. Regardless of exactly what these needs may be, the justification process and “trial by fire” that the facility administrators will face is very similar.
This course of action can be broken down very simply into answering the big three questions that will be posed in one form or another in response to such requests. Let’s take a look at these questions individually and discuss some strategies that integrators should keep in mind as they work in unison with end-user customers to create a safer and more secure environment for clients, students, visitors and staff of the facilities they support.
Question No 1: What’s everyone else doing?
With many administrators and decision-makers in health care, it’s not so much a “Keeping up with the Joneses” approach as it is that nobody wants to be the first one into the pool. The early bird might get the worm, but it’s the second mouse that gets the cheese. If asked this question and you are not able to quickly and confidently provide examples of what other similar facilities or service providers are doing regarding your specific request, then this is a sign that you have not done your research and are not prepared to adequately justify the resources that you are asking for.
Look at industry trends, make some calls to other organizations and determine how they are approaching the issue that you are trying to solve and at least have several options when presenting your case. Use existing articles and best practices (such as those showcased in this publication) and demonstrate that you have really given this issue a lot of thought and considered multiple solutions before deciding upon just one answer. In today’s world you must show your work and justify the proposed technologies and services, since the “Because I said so” response only works with young children and not CFOs.
Question No. 2: Who says we have to do it?
You can expect this question to come up once you have somewhat overcome the initial hurdle of question No. 1. The point here is to essentially determine, regardless of what everyone else is doing, who is driving this decision. For the decision-maker, it’s a nice way of saying, “It’s not that I don’t believe you, but there better be more than just your opinion behind this request.” This is where research and familiarity with regulations, standards, best practices, etc., comes in (see the “End-User Insider” column in the August issue).
You do not want to be a Chicken Little who is predicting doom and gloom should the security proposal not be accepted, but you should be prepared to concisely provide meaningful and compelling reasons from a regulatory standpoint that your solution will mitigate. Use this information sparingly, however, since you do not want to use scare tactics to make your point.
Question No. 3: What happens if we don’t do this?
Here you are being asked as the subject matter expert to make a determination of the worst-case scenario. If you don’t take action, will this result in regulatory findings, a fine or perhaps a significant event that will seriously impact the organization’s brand (such as an assault, abduction, injury or death)? Who can say? This depends upon the risk appetite of the organization and how well the integrator and its end customer have explained the need for the requested equipment or service to the decision-maker.
There is no easy answer for question No. 3, but you must be ready and able to provide credible “what if” scenarios when asked. Here is where research comes in again, this time about others who may have had the opportunity to take a similar action that you are proposing and did not, and negative consequences were the result. After all, the best mistakes to learn from are those of others. Maybe that second mouse had the right idea after all.
Bryan Warren, MBA, CHPA, CPO-I, is Director of Corporate Security for the Carolinas HealthCare System in Charlotte, N.C.