Success Story: How a Healthcare Leader Built a Holistic Risk Program
Last Updated: August 5, 2025
When one of the largest nonprofit health systems in the Northeast set out to transform their risk management program, they weren’t just looking for better tools—they were pursuing a more holistic strategy. They wanted to connect the dots across IT Governance, Business Continuity, and Third-Party Risk Management and create a system that could proactively guide decision-making instead of reactively tracking problems.
Already using LogicManager’s IT Governance, Business Continuity, and Third-Party Risk Management solutions since 2023, the team was ready to take their program to the next level. Their goal: develop a connected, automated approach to understanding and managing residual risk, eliminate subjectivity from assessments, and leverage automation to drive more consistent, actionable outcomes.
Their journey demonstrates how a clear vision, combined with the right technology, can empower a health system to not only streamline operations but uncover the Risk Ripple—the often-overlooked ways risks in one area can affect every corner of the organization.
The Problem: Disconnected Manual Processes
For this healthcare system, residual risk assessments were essential. The team maintained a sophisticated, spreadsheet-based model that incorporated multiple weighted factors: initial employee screening, security awareness training, data privacy, AI usage, and more. These inputs were used to assign each vendor a risk rating that directly influenced onboarding and review decisions.
But the process was entirely manual, time-consuming, and disconnected from their automated vendor assessments and criticality tiers within LogicManager.
“Right now, all of this is manual,” one team member explained. “We don’t do anything with the assessment tab… these questions don’t drive the assessment. Because of course, we can always go over to the same vendor and reassess, but it’s not built in yet.”
The problem wasn’t just time—there was a strategic disconnect. Their residual risk scoring operated independently from their criticality assessments, making it difficult to scale governance consistently.

The Vision: A Unified, Automated Residual Risk Process
What set this team apart was their vision. They weren’t satisfied with simply replicating their spreadsheet inside LogicManager. They wanted to evolve the process.
They worked closely with LogicManager to map out a path forward. The solution? Introduce new risk factors into LogicManager that would mirror the components of their residual risk model—topics like AI policies, patch management, and information security—and assign them low weights so they wouldn’t overshadow existing criticality scores.
“By assigning a very low weight to areas like data privacy and employee screening, you can prevent them from skewing vendor criticality, but still take advantage of automation from the assessment tab to drive residual risk scoring,” their LogicManager advisor explained.
This approach would give them the best of both worlds: consistency with their manual model and the benefits of automation, all while keeping their vendor tiering logic intact.
Bringing Risk Ripple Intelligence to Life
By rethinking how residual risk factors were integrated, this healthcare system took a major step toward realizing the Risk Ripple—the idea that every risk, if left unmanaged, can ripple across departments, functions, and strategic goals.
They expanded LogicManager’s configuration to include new profile fields for residual controls and linked those fields directly to assessment logic. This meant that the answers vendors provided—whether they used AI, whether they had recent penetration testing, or how they trained staff—could now automatically influence a residual risk score, without manual calculation.
As one team member confirmed: “If we go to AI, we would then have to actually assign values to each of these numbers to help calculate the new weighted score… and then we could have up to 7 sections to assess the various areas and weight them.”
The team also verified how LogicManager calculates weighted and unweighted scores, ensuring they could design a scoring model that mirrored their existing logic.
“You can adjust the risk factors, scoring logic, and weightings to reflect the unique nuances of your residual risk model,” their advisor noted. “It just takes thoughtful configuration.”
Rather than see this as a limitation, the team embraced it as a design challenge—and solved it.
Automation, Accuracy, and Strategic Value
Once implemented, the new model brought immediate benefits:
- Automation: Residual risk scores were now driven by vendor responses, not by manual math.
- Clarity: Visibility rules ensured vendors only saw questions relevant to their profiles, reducing friction.
- Alignment: Residual risk and inherent risk were kept separate, but both were automated within the same system.
“Whatever the answers are will drive automatically what we have determined… and we can look at those automatically without having to read all the questions,” said one team member. “We can let the answers tell us what the number should be.”
More importantly, the team found a way to automate the residual risk rating using LogicManager’s rule engine. By setting automation rules that triggered when risk scores fell within certain thresholds, they could now assign a residual risk level directly within the vendor record—without manual intervention.
This strategic automation not only reduced workload but also allowed the team to focus on what matters most: interpreting the results and advising stakeholders.
Connected Governance: Beyond Third Parties
What makes this program truly holistic is how it spans across departments and disciplines. The same logic used to evaluate vendors is now being extended to IT Governance and applications.
“We added [risk factors] for applications… anything that we want to assess as important,” one team member noted.
By centralizing assessments in LogicManager, they’ve built a unified governance model that supports:
- Business Continuity: Tabletop exercises that tie directly into recovery plans.
- IT Governance: Centralized assessments of business impact, data sensitivity, and technical complexity.
- Strategic Alignment: Risk scoring and frequency of reviews that align with business priorities.
As a result, their team is no longer managing risk in silos. They’re managing risk as a network—understanding how one weak link can ripple across the chain.
Leading the Way
Throughout the process, it became clear: this team was breaking new ground.
“I haven’t seen other customers doing something similar,” their advisor admitted. “This is my personal side note… I’ve been thinking really hard how to translate that and how to automate this process.”
This team approached a known industry challenge—residual risk quantification—not as a constraint but as an opportunity to innovate. They refused to settle for a workaround and instead reimagined the process from the ground up, aligning it with LogicManager’s capabilities in a way that pushed the platform to new potential.
They asked the hard questions:
- How do we quantify residual risk consistently?
- How do we automate a model that previously existed only in spreadsheets?
- How do we do this without compromising our criticality tiers?
They prototyped, tested, and collaborated across departments. They didn’t wait for a feature to be built—they leveraged what existed to build something that didn’t.
And perhaps most importantly, they did so in a way that others can follow. Their configuration decisions—adding low-weighted risk factors, separating residual indicators from inherent drivers, and using LogicManager’s rule engine to automate outcomes—form a blueprint for any organization looking to advance its own maturity.
“We’ve gone from being reactive to being advisors,” said one team member. “And that changes everything.”
In a landscape where risk is increasingly dynamic, interdependent, and high-stakes, this healthcare organization proved what’s possible when teams are empowered with the right tools and a bold mindset.
Advice for Other Organizations
What’s the key to their success?
- Think holistically: Integrate risk programs across functions and domains to ensure decisions are informed by the full context of your operations.
- Build with purpose: Configure your assessments to reflect what actually drives risk in your organization—not just what’s easy to track. Prioritize impact over tradition.
- Leverage Risk Ripple thinking: Understand how isolated risks can cascade across your business, and design your assessments to surface those connections before they become disruptions.
By investing in a smarter, more connected approach, this healthcare system didn’t just gain efficiency—they gained foresight.