On-Demand: CAPstone: Shattering the Tech Ceiling | Part III – EverCare Inc.

November 30, 2022

For the third episode of the series, we interviewed the President and CEO from a not-for-profit organization specializing in health care who was fast-tracked in her career as the youngest member of the executive cabinet, leading Human Capital, Compliance, IT, Operational, and Executive functions. 


Transcript

Rahul Mahna: Thank you so much, Bella. And I'm really excited to have this being our third part of our series, Shattering the Tech Ceiling with Outsourcing Services.

Rahul Mahna: And today, we have a fabulous panel and a good discussion that we're going to have with Sylvia McTigue, President and CEO of EverCare, which is a non-profit community-based healthcare provider in the Hudson Valley, committed to the growth and development of community based programs that keep those under their care safe and healthy in their own homes. That's the tagline from the website. I am sure Sylvia will do a much, much better job of explaining who it is. And, of course, my esteemed colleague, Amy MacFadyen, who is there with me, a tried and true trooper in the audit and tax base, and she has some wonderful questions with me about healthcare and where it's going.

And so, a little bit of background, however, to take one step back and for some context on this series, what are we trying to achieve? And really, what we're trying to do is learn from some of the executives that we know of that are very successful in what they're doing. And in one niche that is very popular within our firm is healthcare. Healthcare is seen a lot. It's had a lot of changes over time. We've seen it evolve with our industry, whether it's audit, whether it's tax, whether it's outsourced IT services that I govern.

And I thought this would be a really nice opportunity to talk a little bit more about it. What are the challenges? What are we seeing? How is technology being used to evolve this industry? And what are executives and successful CEOs doing about that? So, that's really the basis of the conversation. I'm looking forward to having this. Again, as Bella said, if you have any questions, please put them in in the bottom. We'll try to get to them. And with that I'll turn it over to Amy. So, Amy's going to just turn her mic off mute real quick, and then she will get started.

Amy MacFadyen: I've only been doing this a couple years everybody, really. No problem. Thank you, Rahul, so much. Very happy to be here this afternoon. I'm very excited for the next hour. I am a not-for-profit partner in our Iselin office in Metropark, New Jersey. Thank you all for joining us here this afternoon. I have just received my 17th anniversary certificate this month. So, I've been with the firm for a bit of time and really enjoy the not-for-profit space and working with entities, not-for-profits, including in the healthcare arena, just like Sylvia. So, with that, welcome Sylvia. Thank you so much for joining us here today. We're really excited to learn more about you, EverCare, and of course, the space, the technology space itself. So, could you start by explaining to our audience that's here today, what is EverCare?

Sylvia McTigue: Sure, I'd love to. Hello friends. Thank you Rahul and Amy for having me. I quite like this format. It's a little bit different for me, but any chance I get when I'm asked to brag about EverCare and our people, I'd certainly be more than happy to. And I made my leadership team and my family log on in case I have to dial a friend. So, hopefully we're shored up in that regard, but as Rahul stated, we're a not-for-profit community based services in the state of New York. Been here for the last 26 years. Being a not-for-profit, the sole purpose is to serve society, take care of the people who need us, the most frail and elderly who rely on us. So, it's a great mission and values based proposition that we are entrusted to serve. The book of business for us ranges from managed care to home care to social day.

In terms of managed care, very briefly, we are a New York State Medicaid care program. You can think of it as an insurance program that care manages, streamlining the delivery of long-term services really to people who are chronically ill or disabled and who wish to stay in their homes and communities. The degree by which we are deemed competent by the department is determined by our ability to prevent the decline of health status, to avoid institutionalization and keeping a member independent and safely living in the community or at home, which is what we want for ourselves. We want that for our loved ones. So, it is incredibly important. The social day program is exactly what it sounds like. We operate centers for the elderly where they come in for the day for socialization, fine motor skills, gross motor skills, the mind, emotional health, the body overall wellbeing, very, very special program with particularly caring staff, I have to really say.

And the third is a certified agency. Some of you in the audience may have had the need for such services post-acute stay hospital discharge if you need a clinician to come to your house. We do this on an episodic, highly skilled, very, very caring clinicians there as well in your home to ensure good health outcomes. And that's, in very broad brush strokes, whatever EverCare does.

Amy MacFadyen: Wow, that's really amazing. What an incredible organization. And it certainly sounds like it keeps you all very busy. That reaches such an amazing audience. So Sylvia, with all that said, what is your background? What was your education and your professional path to getting to where you are today?

Sylvia McTigue: Well, how far back would you like me to go? I grew up in the Alps of Austria herding livestock.

Amy MacFadyen: Day one.

Sylvia McTigue: Well, interesting fun fact, I was 18, came to United States as a nanny with $70 in my pocket and not really speaking English. I was a nanny for 10 years for an amazing family, still very close today. Went to NYU, got my bachelor’s in industrial organizational psychology. I had a real interest in learning about behaviors at work, great interest in human resources all along. Really had a great interest in how the business works, so I took classes at Stern. And I was lucky because my very first job in HR was under very strong, highly competent mentor with high expectations that really set the tone, I have to say, for the rest of my career, even today. I went to study. Wanted to get my JD and employment law. But I have to say reflecting back, having worked 12, 15 hours a day and having new twins, kind of made that a little bit more challenging.

So, I smartened up and learned that instead, I can hire brilliant legal minds that excel in legal strategy and still accomplish the same goals. So, when you're asking me about sort of my career path, I was rapidly promoted in all the different roles that I had. Started in human resources, became a VP of human resources. I was asked to lead components and merger and acquisition work for an organization ranging from Long Island up to Albany. Then I was moved into operations, and I think that was my biggest learning oversight over quality, clinical education, learning and development. Then I became actually a chief compliance officer. I was responsible for about a year or so in that role, and then was asked to run an insurance plan as its chief operating officer. And I had about three weeks to study up all on actuarial soundness and risk corridors and medical loss ratios and all the things that I would've never in my wildest dreams thought I would, A, be interested in or capable or competent in.

So, that was a huge learning curve, truly. But it was necessary. And with the legal separation from the former parent after that legal separation, I was appointed ultimately president and CEO. What you might find interested or what the audience might find interesting, I had about six months from that separation to peel apart two very complex corporations. It was almost like a startup, but we were already fully operational and in business. So, we had to implement our own HR and finance department. We rebranded the corporation entirely. We set the marketing strategy. I built out the compliance charter, the IT infrastructure, which is what we're here to talk about today. It's a nice entry for that conversation, I find, where we really needed everything from scratch, routers, switches, gear, ports, hardware, cabling. Cabling, who knew? Invested over probably a million dollars in an EMR infrastructure, despite significant financial constraints as a not-for-profit.

So, it took a lot of hard work and courage and only doing so in six months. So, with that behind us, certainly I'm looking forward to more focused discussions. And in terms of schooling, later on, most recently went back to taking classes at Harvard Business School to continue to learn and very much applicable in terms of EverCare today and future positioning. And you ask, Amy, about my professional path. And looking back, I will say that all of it even still today, rooted in hard work and long hours, mostly filled with high risk propositions. I think that's where my conservative view really comes into place because the risks are quite high. And then having had supervisors who've always said, give it to Sylvia if you want to get it done. That's how I always got stuck. But the most undesirable problems. That sometimes still happens today, but hopefully not too long winded of an answer to your question.

Amy MacFadyen: That was fascinating. That was really great. Well, I have to say, a lot of times the hardest workers are rewarded with more work.

Sylvia McTigue: Right you are.

Rahul Mahna: So true. I don't know about you Amy, but I feel a little inadequate hearing that whole background that she has.

Sylvia McTigue: I have, yeah. Absolutely.

Rahul Mahna: Right? And so I got a chance to meet Sylvia a few months ago. And a little bit about my background is I also, Sylvia, thought about becoming a lawyer. And so not many people know this. I thought a lot about it. And then IT bug just kind of pulled me in. And that was many, many years ago and it's what I've done for my entire career. So, I've been in it for 20, 30 some odd years. I've seen the evolution. Every six, seven years, it's changed. Went from the .com to internet, and now we're deep into the cybersecurity world and the hot topics. And so, I get a chance to meet a lot of new interesting people, a lot of interesting executives and CEOs like yourself. And so, I remember I got a chance to meet you because of an RFP that came into our firm. And I remember the RFP came in, and I have a nice size team, and they looked at the RFP and they said, "Rahul, you better take care of this one. This is a tough one."

And so, I looked at it and I said, wow, the person who wrote this RFP has to have deep knowledge of our IT space. Must have been in the industry as long as me, has really good understanding of process and knowing how risk comes in, not only from IT but it comes in from organizational design and I was very impressed with how that RFP was put together. Possibly one of the best RFPs I've seen at my time at Eisner. And all of that is to pay compliments to you, but also to ask you... Hearing your background, knowing that you came to this country with $70 in your pocket, not really thinking you're going to be where you are today, and probably you never could see that straight line, many of us cannot, but how did you write an RFP to this level? How do you have the skills and how did you develop this deep, I would say, understanding of IT to even know how to formulate something like that as a CEO of a large healthcare organization?

Sylvia McTigue: Well, thank you, Rahul, for noticing because seemingly my team didn't appreciate the entered RFP. I think they were, yeah, not impressed, but thank you. I hope this is recorded because it will have to replay it at the next team meeting. So, I thank you. It's a really interesting question. I have never been asked this before, so let me think. With no education, how did I learn the skills to do that? I think it's never been about education, and it's always been about learning. And I think it stems probably from an intrinsic desire to gain knowledge and skills because it was essential to my ability to do the jobs that I have been entrusted to deliver on. Really, if you don't have an option, you ask to lead a charge, you have to lead a charge. So, probably, Rahul, it was no different in that regard. It was high risk. And now, I have to be honest, and I'm curious, the audience may feel the same way.

It's paralyzing, honestly, the more you progress within an organization because you are responsible to lead the teams, to keep the organization compliant, to meet the mandatory requirements, ensure stakeholders are provisioned for. It requires this unequivocal trust with regulators because we are a highly regulated business. So, you learn and you learn fast. And IT specifically, which is what your question is. I have Department of Financial Services cybersecurity regulation, we have state and federal law, heavy mandates. You have HIPAA, you have HITECH rules, and the litany of governing security provisions inside and outside the IT infrastructure. So, you have to make it your business to learn. So, perhaps putting it together, it's probably fair to say, and I never thought of it this way, so I really appreciate the question, it was born out of compliance. And that probably actually helped. The separation from the former parent, understanding what state the organization was in at the time, and having to rebuild, I think did it.

And for myself, it dictates today what I'm going to spend time on and what I'm not going to spend time on. And understanding the liabilities around the frailty of IT infrastructure and the pitfalls and the risks is truly mission critical. So, that's how I think I learned the skills. Undoubtedly, I have strong partners. And maybe that's a good segue. I wanted to talk about this a little bit. Having strong partners was everything, even during the RFP process, because the RFP process really allowed me to learn. So, if people were to ask in the audience for feedback, I would say it's all about the partnership because I can't know everything about everything. I'm not an expert. I don't profess to be an expert. But finding trusted partners who are transparent, who are able to explain complex matters in a meaningful and precise way, which Eisner did... I interviewed others. I put others through the same ringer that are in the competitive market.

I don't want to hear from an outsourced IT provider how complicated it is or that I just trust the experts. If it's complicated, I need to see the schematics, I need to see the operating manuals, I want to see the data dictionaries, and so forth. And I need you to walk me through it, and you need to be able to explain it to me in a meaningful way where it makes sense, because I will always have the questions and I do expect them to be answered. And in our case, it was great because I walked away richer than after the discussions and the collaborations way before contracting than I did going into it.

Rahul Mahna: That's a lovely point. And as I have developed our practice in outsourced IT, I often preach that we're not in the tech business anymore. We're really in the risk management business for our clients. And depending on what vertical it is, we're tuned into what are the attributes, what are the compliance, what are the regs, what are the issues impacting our clients and using technology to facilitate those regulations and to protect our clients? And that's really the approach. And I think we both chatted about this a little bit in our RFP response even. That's how I present ourselves all the time, which I think is a little distinguishing factor in how we go to market and how we talk about things. And one of the areas you mentioned is regulation. And so we're very blessed in our firm that I have multiple strengths and people within the firm.

For example, Amy is just a wonderful powerhouse in terms of nonprofits and audit knowledge. There's other gentlemen and women in teams that have healthcare knowledge governance that we need and so forth. You were in New York state, and I know New York has a lot of regulations right now. You mentioned some of them a little bit. Could you maybe just talk a little bit more about, for those that are in New York or impacted by healthcare in New York regulations, what's going on in New York regulations right now a little bit? How did you learn about it? How are you staying abreast about it?

Sylvia McTigue: It's a natural process because we have regulations we follow. There is the state and regular updates that are issued. There's the administrative letters. We have a contract with the Department of Health that is quite explicit with regards to meeting those requirements. They're updated quite frequently. I think more so today than I've seen before is the speed by which regulations change and how we are required to be on top of them fairly quickly. The operational risks and potential damage to the brand and reputational risk dictates that without a doubt. So, I think if that becomes... If you are working in an industry that is heavily regulated, I think we all would say, that you stick to your knitting, that's your basic, that's your framework, and you work from there.

Amy MacFadyen: Yeah. It's funny that I look at it always from the auditor hat, right? I've always got my auditor hat on. I can't help it. And understanding that you go through a number of regulatory audits, regulatory compliance. And I love your line that compliance drives a lot of your innovation, a lot of your technology, the way you're developing your programs or your technology and IT so that you can meet those compliance requirements. So, can you talk more about how those formal regulations really had to be addressed by technology? How did technology really help EverCare in this compliance and audit world now that you have to go through?

Sylvia McTigue: Yeah, sure it has significantly. Because I was just mentioning reputational risk for the brand. Just one cyber attack, one example of a PHI exposure can be insurmountable. It can close you down. So, you can't take shortcuts, and you must be surrounded by subject matter experts in all risk categories. So, I have to say today, my leadership team... Hi guys... is always pushing for automation. The more we can automate as part of audits, for example, the better of a performing organization we are. We are not where we envision to be because it's been a few years. So, are we consider that still in terms of system built, not having arrived? And maybe we'll never arrive. Maybe in three years, I will still say to you, we are not where we envision it to be because on how everything moves and what the opportunities are, but we are pushing... If you're asking how did the technology help us regulatory compliance, we are pushing workflows to control error flows.

We're pushing the workflows to control error and fail rates. Honestly, we're using technology platforms to audit our own work products. We identify people versus system issues much sooner today than we used to, much earlier for sure. And we have automated many of our standard audit practices by means of tech. And if I think just a few years back, we've talked about this a little bit also, we really are a different organization today because of leveraging it. And when you as an organization spend as much on tech, all of us do, people in the audience who obviously have an interest in it and are connected to it, all of us will agree that the spend has certainly increased. So, you have to see the return on investment. You want to leverage the dollar spend on every single component of it.

Amy MacFadyen: That's very interesting. And I mean, vital, clearly vital to what you do. Because if you didn't have that IT component to complete these regulatory compliance things that you need to do, I'm sure daily, monthly, quarterly, let alone get to the audit, you would be drowning in it if you didn't have those systems in place. So, that must be very imperative. It's interesting. You were just talking about it's costly too, right? And you also, earlier the discussion, talked about when you were paring away from that parent relationship and you had to ramp up with all of that and it was very costly, and you're a not-for-profit. Then and now, as prices are rising, you must have had many conversations with your board. You must have had to have a lot of discussions about why is this important then and even now? What is happening in the world of technology? Why are spending these dollars important? Why are these costs important? How do you have those discussions with the board? Who's driving that strategy? Who's driving those discussions? How do those that come up? How did that come about?

Sylvia McTigue: You ask really good questions, Amy. I have to think about this. Makes me work a little hard here. I'd have to say it truly depends on the topic before us. At different times, different drivers. There is, I have to say, a particularly strong collaboration with our board of trustees, not a board of directors, we have a board of trustees, same difference, more or less. So, in our case, the trustees play a unique role in the organization as they do everywhere. They are, in our case, nose in and hands off. I think having been through the past we have, there is a great understanding of their own fiduciary responsibilities and duties. And that also, much it does with myself makes us always sort of double check in making sure that we are on the right path. We are usually always aligned in that regard. And with regard to strategy, in general terms, the focus is aligned probably directionally that I very clear that I serve with the pleasure of the trustees and I deliver on the strategic objectives as required.

Not necessarily important who brings it to the table because we have such great consensus, mission based, value based. We're very clear. We have a much more formalized process. Maybe this is of interest to the audience, I'm not sure, but we have a more formalized process in place for setting strategic deliverables that are approved by the board of trustees always. So, my leadership team is expected to actively participate in strategic planning sessions. They're super collaborative, they're purposeful, they're a lot of fun. They're actually awesome, I think.

Amy MacFadyen: Oh, that's awesome. That's awesome feedback.

Sylvia McTigue: Again, they may sit there rolling their eyes saying, "I don't know Sylvia." But I think if they were pressed, they would probably say that too. It's a very engaged bunch for sure. So, they're a very driven bunch also and they want to do good, so I think they're very much aligned with the overall mission. But we want to understand, generally speaking and bigger brushstrokes, what the operational risks are, asset impairment risk, what are the competitive risks? And we build the business strategy into it to best understand the overall franchise risk and to help us ultimately dial up the performance and to understand what actions specifically lead to economic value for us. Because we need to ensure that our focus, in a not-for-profit environment when funds are finite, that we are focusing on the right things. I don't know, Amy. I don't want to bore the audience or you or Rahul, but would you like to hear a little bit about how we prioritize your set strategy or save that for another day?

Amy MacFadyen: No, I think that would be a great idea. I mean, I'm sure there are audience members on here going, "These are the kind of conversations I need to or want to or I'm trying to have," and I think it's great to hear some of this detail.

Sylvia McTigue: Great. And just stop me or give me the signal if it's too much information, but I can really... And I don't want to give away obviously our secret sauce either, but I think in brush strokes or in larger terms, I can talk a little bit about, so for example, I look for there always to be a balance tension between risk on one side and innovation and creativity on the other. And sometimes they can be conflicted. So, I think keeping that balance, because even though we are in a risk averse environment and there is a lot of risk, we don't want to lose out on innovation and creativity. I think that's critically important. So, in our case, all business strategy sits at the core of four systems used to be two, but I sort of upgraded. I leveled up, as my staff would say. I leveled up, all with the goal to create the right alignment between business strategy and operational strategy. So, I come with many flaws.

One of my many flaws is, and I've gotten that feedback so I'm very comfortable sharing that flaw, because it's not a secret in this organization, but is divergent between business strategy and operational strategy, because I have the idea, I want to implement it, and I already moved on. I'm already onto the next big thing. I already have.... I have a new plan for them. And where they are still they're cleaning up the mess I left, saying, "Sylvia. Earth to Sylvia, come back here. This is what I thought we were going to be working on." So, separating the needs and the wants from my office certainly has become a really important exercise because it allows the team to say, "Sylvia is a need or is this something you want?"

And then it allows us to kind of reshuffle and be a little bit more specific about what we are trying to accomplish. So, in terms of systems, very briefly, I mentioned to you that... So, we've always had fundamentally, and I think any organization, or if you are preparing for strategic planning, a strategic retreat or you're sort of setting the overall strategy for the corporation, in our case, certainly, it always started with our belief system. Those are our core values. Who are we? What do we stand for? Why are we proud to work here? What are our credos, values, mission, purpose. We are saying, be good, do good. So, it unifies us in saying that any strategic objectives and any goals that we may have to tie back to our belief system, very strongly rooted. We recruit for it, we maintain it throughout employment, and it's really the core of the corporation.

The other one, which is equally as important, is our boundary systems, which are the risks to be avoided? What are our rules? What are we going to do? What are we not going to do? So what if... What's the acceptable behavior? What differentiates us? So, those are your sort of the policy statement, taps into the regulatory framework. You get the idea. Has to fit within those beliefs with both of those systems. And the newer focus and what I'm super excited on is we also implemented, I'm going to call this sort of interactive control systems. We have a newly established department learning and organizational effectiveness, a little bit different than our prior EverCare Academy, really looking at organizational effectiveness. They do some pretty interesting work there. So, I need them to look at, for examples, patterns of learning or adaptation to change all critical and determining. Determining, is that a word, determining? Doesn't sound right.

Amy MacFadyen: It is now. It is now. We'll tell Webster.

Sylvia McTigue: That's the problem when it's not your primary language, although my husband will tell you, it's always very convenient when I say it's a language barrier. Critical... The failure or success. So, that looks at our sort of strategic uncertainties. So, those are the interactive. And the last one, the second one we are now also having as part of the strategy is the diagnostic control systems. Super excited talk about IT. We have also a newly established department, although I have to say it's a year and a half, so not new new, not new idea, but new in a way business intelligence and analytics where they track the critical performance variables of the progress made. That's where we set the accountability measures, our business measures, and we monitor them. Because if we don't have these systems in place, whether it's interactive control or diagnostic control, then you really... How do we know if our strategic objective or the goals that everybody is working toward every year? How does it work?

So, from there, once that's set, there's only kind of two more steps to it. We develop a strategy map. We do that during strategic retreat. In our organization, for this year, for 2022, 2023, we have a financial perspective, expanding revenue opportunities, improving efficiencies, inventory returns, in our case, census. We have a customer perspective, we talk about our image, relationships with others, product attributes, services in our case, process perspective where we look at operational management, innovation processes, and learning and growth. That's human capital, organization capital, and very importantly, the IT capital. And once that's done on the strategy map, we convert it into the balanced scorecard. We use Kaplan and Norton’s research regarding same. That seems to be working great for us. And then my VP of learning and organizational effectiveness is entrusted on a monthly basis to sort of gather and have the conversations with the leadership team. I may do so during my one-on-one sessions so that we are copacetic. We have to sometimes make changes to...

Where we start in the beginning of the year is not always where we end up because of other priorities that we have to reshuffle, but that is some information on strategy, if that's helpful. Yeah, I think that's very interesting.

Rahul Mahna: Yeah, it's something a lot of our organizations are going through right now, I would say, especially in and if I could take a turn on that a little to the IT side. And so, I think we went from, years ago, of not having access to a lot of this information to more information being available. And just taking one step back to reflect on some of your comments and some of our previous capstones with the other CEOs that we've had, it seems like data and transparency and being curious seem to be common themes that keep coming up in these webinars that we're doing. And in summary, I think you are also saying those same kind of topics. And so, you have an organization like yours. You have a ton of data, and you're using that data and you're trying to empower some of your management team, I can see. Whether it's the board of directors, your executives, you're putting all that together.

And in our industry this data has become what we call data lakes, because so many organizations have just piles and piles of data now that's being accessible. They don't know what to do with it, so you put them in these lakes. And then you try to run data visualizations out of the lakes and you try to make KPIs and you give KPI dashboards to your board of directors, to your team. So, it seems like if you look at a dial, we've gone from no access to data to a lot of access. And now, I think my question to you and your organization you're thinking is through is, do you get to a point where there's too much data and you have analysis by paralysis, where you can't make decisions because you've got so much data coming at you? How do you think about that? Does that worry you? Does that happen in your organization? Could you comment on that?

Sylvia McTigue: Oh my gosh, it is so true. It's so true. We literally... And I promise you I'm not lying. We just had a conversation, I think it was yesterday. We just said business intelligence and analytics has now built out the dashboards for my leadership team. So, we meet with a business leader yesterday to go over the monthly financials and the business analysis. And we look at it and it's amazing. The data is sliced and diced in a million different ways in a million different formats. So, it's so much. And we literally... I think we actually used the word overload, data overload and how much there really is. And I said it's okay. It's okay because data is good, but on the flip side, it has to be meaningful. Otherwise, it's rendered useless. You might as well not even do that. You know how before I was mentioning business strategy versus operational strategy? Wants versus needs, I want all the data. I want to be able to drill down, up and down vertically, and I want to drill down sideways, and I want to trend it over 26 years.

And if business and intelligence analytics tells me, "Sylvia, we don't have the data 26 years because we didn't even have a system in place," I make them find the data, and I make them try to still come up and give me trended data. But at the end of the day, my question always is, and I think that's what you are getting at, Rahul, which is, so what? So what? Who cares? Data overload is getting a root canal through your feet. It's painful. Nobody wants it. It's one of these things. And for the managers, particularly for the leadership team, time is finite. Everybody is so busy and it has to make sense to them. So, my leaders have gotten much more verbal as customers, even of the BIA department, which is service department, and really just saying, "Just give me the facts, just the facts."

So, there is I think a great opportunity next level, or maybe the missing link or the next level link, Rahul, of saying, you do have to have the solid base of data, but there's a great opportunity, in our case for the BIA team to come up now with a more lasered focus. We already leverage today, Tableau. We leverage Power BI. We even have Python expertise on the team. So when one day we have to manage big data, we are good to go. And I couldn't be prouder. Shout out again. I couldn't be prouder of them, honestly, the kind of work that has been done. And I think it's the next level now to say, "So what?" So, summarizing all in digestible pieces but still having the data behind it for it to be reviewed and be meaningful, I think is the way to go. So, it's okay, as long as we are able to digest it.

Rahul Mahna: That makes a lot of sense to me. And some of the clients that we work with I think also went from a period of having no data and thinking there's not that much risk in their organization, having a lot of data and saying, "So what? What do I do with this?" But I think one thing that is clear is that there's a lot more risk now that we have all this data. Maybe before, it was stored in the file cabinet, things were faxed.

Sylvia McTigue: Right.

Rahul Mahna: The risk was a little maybe not seen or maybe even wasn't as much. But now that everything's digital and it's in Power BI, Tableau, to your point, it's in these databases. There's risk now. And what do we do with that risk? And so, the next thought I have is, how do you insure that risk? Do you have an insurance policy? Because there's only so much we can do, is being thoughtful and being IT secure and having a good cyber hygiene program to protect that data.

But there's always that you never know that might happen. So, cyber insurance used to be a one pager. I remember five years ago, one of our state farm partners used to come to me and say, "It's just one page. It costs a couple thousand dollars. Can't you get your clients to sign this one pager? They don't even have to read it. Just sign it for a couple thousand dollars and they get a policy." And now, the landscape's changed a bit. So, could you reflect a little bit on healthcare for EverCare? How has cyber insurance changed? What's your thoughts about it in your view on cyber insurance?

Sylvia McTigue: Yeah, you need it. We have had it for many years. I can't imagine that not being an option. And funny you mentioned that because I think it was not even a page, it was a paragraph vetted into what your liability waiver carrier, liability writer, I don't even know. But over the years, I have to say... Oh, actually, Rahul, can I ask you a question? What would you say... Do you know what the percentage of organizations might be that may not have cyber insurance as you see it?

Rahul Mahna: Oh, that's a wonderful question. So, we're actually doing our own market research right now. We're undergoing a market research study. That's one of the questions I can broadly say it was about 50-50. It was still not overwhelming towards cyber insurance.

Amy MacFadyen: And Sylvia, if I can jump in there to your comment about at one point in time it was a paragraph. I mean, there was a time... We'll ask about it at times in our audits, of course. And just a few years ago, we would ask. And I had one client in particular, and there was like, oh yes, absolutely, it's on our general liability insurance. And a few years ago, it was and it was a paragraph. And then we'd come back the next year and we say, "Oh okay, did you re-up? Did you renew your cyber?" "Oh, yes we did. It's in our general liability insurance." They look at, it's not there anymore, because it became its own policy. But they weren't informed that that was now a separate policy, which of course, it needs to be now. But that's, I mean, how dramatic it's changed.

Sylvia McTigue: Yeah. Yeah, I'm probably exaggerating when I say almost 28 pages, but the level of specificity with regard, and then, it appears. I don't know that because I'm not running that insurance program, interested what the sort of risk portfolio looks like behind it in how you answer those questions, because obviously, that increases risks. They put a monetary value to it. And you know how I was saying earlier, you have to be wise, particularly if you're not for profit of how you spend your money and have a tendency on tying money to risk? That's a good one, because it's necessary. The risk is just too high. It really is. And then having a partner. And this time around was really eye-opening, because I read still through every single rider and every single component of it. So does my chief of staff and really vetting through it.

But it's gotten much more intense, self-testing, output, all of those. There was new Microsoft queries that had to be run on how Microsoft deems your secured environment to be, what that percentage is. Do we offset it with other things here and there? So, yeah, it's gotten... I'd recommend it, for sure.

Amy MacFadyen: Yeah. It's interesting. Talked about, in the last 45 minutes, we've talked about the additional compliance are in an industry that is very compliance driven, but really, in the non-for-profit world, there's compliance in a lot of areas, and not just in the healthcare industry. Of course, you see a lot of it. There's cyber risk. There's more to these insurance requirements. And then there is the day-to-day operations that needs to happen at any entity. I mean, you still need to be able to get in and turn on the computer and have our phone calls and the internet needs to work. And so, we're talking about all of these complexities happening. And that have almost nothing to do with actually functioning day to day. So, in addition to all of these things, an entity needs to function day to day. And I understand, especially in the not-for-profit industry, everyone has a lot of hats operationally, fiscally, and there's not a lot available to create big robust IT departments and to have a number of people be able to handle all of this.

And a lot of entities, when I have discussions, and it's one person. It's Jane Smith, and she runs all of it, not just... "Oh, nope, Jane can handle it all. She's got her cyber down, she's doing the operation side of it, making sure all that runs and working, collaborating with the business office on the cyber risks and the assurance policy and any compliance that goes down." I mean, understanding the limited resources in the not-for-profit world and handling the IT role, is this really a one person job anymore? And looking at that, where do you decide internally, what do you handle? And externally, where do you bring in those strong partners? You talked about strong partners earlier. So how do you make that decision on who's internal, who's external, and can one person handle it?

Sylvia McTigue: No, it just isn't. We are no longer telling staff to turn on the printer when they call to say the printer is not working, or the mouse is stuck. Those are not the phone calls anymore. I'm sure. I mean, I couldn't even imagine, Amy and Rahul, on your end, what kind of help desk calls you guys get, but I may have been the one to say my printer is again not working for you to say is it plugged in? But it's more complicated now. We're re-engineering constantly security parameters and we are doubling down on firewalls and we are looking for additional safeguards. I mean, it feels like we implement the multifactor, and there is I think a multifactor that sits on top of the multifactor, because that is secure socket layer certificates and how often do we look at the NL wear and then decide that there is a better, stronger version of it.

And we are doing internal and external pen testing, and we are running phishing campaigns and we are doing training because we are paralyzed. So, I think... And this is, of course, to the obvious, having secured server environments and secure file transfer protocols 24/7, but there's limited resources. Also, you know what I found? And I think it was about we responded to the insurance when we opted up the insurance again, I found that our staff today are much more sophisticated. They have greater visions on how to improve their line of business. They have become much more power users with pretty solid expectations of what they expect. So, we need SMEs, subject matter experts, and I think to be nimble on our feet and to pivot based on the rapidly changing business needs. We need experts in all areas. So, I need a CISO. We all should have a CISO, a chief information security officer from a liability perspective alone. And so... But we may not be large enough to have a CISO, so that's a good subcontracted.

I think that's an excellent way of saying how do we create the safety net around it. I may have application needs, so we need application specialists. So, you may need coders, you may need developers, which you can't necessarily find in-house, unless, of course, you have a large IT team. And presuming there's people in the audience, we part of very large teams or larger organizations, but I still feel there has to be sort of this economy of scale. To me, honestly, especially if there ever was a cyber breach, I have to enact our incident response plan and the business continuation protocols. I need to be ready to have competent experts 24/7 to manage it, to manage this sort of impending crisis. So, outsourcing it for that perspective, to me, today makes sense. Again, there might be a point of critical mass where outsourcing doesn't make sense. But I would venture to guess, if I could look into the future, as I like to do, I would still maintain a contractual relationship for specialized services because it just makes sense. It just makes sense.

Amy MacFadyen: Yeah, for sure. Well, that's some really great recommendations, and I think definitely food for people to chew on and think about as they're looking at their own organizations. There certainly is a lot of pressure there across the board. Now, you spoke about future just now, so that makes me wonder, what is the future for Sylvia? What is the future for yourself? What's the evolution of your role?

Sylvia McTigue: I'm going to Disney World.

Amy MacFadyen: I'm coming. I'm coming.

Sylvia McTigue: And you should go too. And the whole audience should go, like you get a vacation, and you get a vacation, you get a-

Amy MacFadyen: That would be-

Sylvia McTigue: That’s awesome.

Amy MacFadyen: ... a great webinar.

Sylvia McTigue: Oh my goodness, what's the future? I think we've bent the curve of the past. To be honest, I think we are able to now look to spend our energies on building more rapidly and out of forward looking, less back. We certainly had, for the last couple of years, a lot of building to do. That was the strategy. That's what had to happen. But undoubtedly, it would be growth, expansions. Probably thinking about merge acquisition kind of type. And I think we are ready. I think the team is ready. We're excited to... And we want to do what we are doing maybe on an impacting communities, maybe on a bigger scale. So, definitely, I think there is some opportunities in the future that are more exciting than the past. I would say hopefully less work, but for some reason, I don't see that being a realistic thing, but and then putting on the spot, not having really thought about this a whole bunch, but that I would think would be probably a good view of the future.

Amy MacFadyen: Oh, well, I can't wait to check back in a few years and see how that goes.

Sylvia McTigue: Too much work. The risk is too high.

Amy MacFadyen: I can't wait. Well, thank you so much for all that you've been sharing with us. Would you share maybe a little more about what advice you would give to someone who is trying to drive IT change in their organization?

Sylvia McTigue: I lost the last part of the sentence. Can you repeat?

Amy MacFadyen: Oh yeah, no, I'm sorry. So, what advice would you give to someone that's trying to drive change that's IT focused in their organization? Maybe they're hitting some resistance, maybe they're just trying to start that conversation, what kind of advice would you give?

Sylvia McTigue: To the governing body, board of directors?

Amy MacFadyen: Sure. Yeah, absolutely.

Sylvia McTigue: If the board, let's say, doesn't have the expertise, then the board must look to the C level. So, that must be you, and making your business known. I think advice on helping the cost to derive change. I think if... In my case, for example, alone, me alone with my knowledge at the time, I don't know, I could have driven change because that's my job and I would have, but I think the advice... It's not advice. I don't think I'm in a position to give good advice, but I can give you an opinion, certainly. I think bringing experts in and having Jim do a thorough assessment is a really good place to go. It just makes sense to me, because you want to know, and the governing body wants to know the good, the bad, and the ugly. I think it's as simple as that, because then you weigh the risks of not knowing.

I'm a board member also. I'm the chair of the governance and nominating committee in one of the associations and an executive member of the Managed Care Coalition. I will tell you, if I didn't have knowledge in an area and it was presented as part of an assessment, either by the staff or by experts, it would have my attention, full attention, particularly if there's risk associated with it. So, when you present it to the board, know what the temperature in the room is, how much info is needed, at what level of granularity, provide the education, explain the risks, and that probably works too well. I call it a healthy exchange of opinion. I do it with my leadership team all the time. They come in with their opinion, they leave with mine, and it seems to work just fine.

Rahul Mahna: Sylvia, you're not going to believe this. I'm not sure if you've looked or not, but we're almost at the end of our one hour already.

Sylvia McTigue: Oh my goodness.

Rahul Mahna: Time just flies when you're having fun chatting away.

Sylvia McTigue: It went so fast.

Rahul Mahna: I know. I know I think we have room for just one more question for a minute or two. And I'm a big sports fan, and so I watch and I read about athletes a lot. And the one thing I found curious is that professional athletes, when they reach that respective sport, let's say baseball, for example, they did not hold. Most of the effective powerhouse players had a lineage of doing different sports along the way. So, they played soccer, baseball, lacrosse, and eventually reached to where they did. Your background makes me think the same way. You had a very interesting career path going back and forth. How do you groom future leaders in your organization, and some of the audience members might want to go, to become someone like you and emulate someone like you in your organization. How do you do that within EverCare today?

Sylvia McTigue: That's a great question. We hire with intent. I hire with intent. I source talent carefully. Not always successful, but pretty much overall quite successful. We seek out great, smart, engaged, good, capable people and I think that gives you a good baseline to work off. I always look at my talent pipeline, high potential employees by curating focused discussions, monitoring their performance results, giving honest feedback. And I'm really interested in, that's my HR background, is how do they react to honest feedback, especially if it's not good? I have seen amazing stories of developmental change that I really love the most. I have to tell you, creating sort of guidelines around the KPIs, I already talked plenty about that, but aligning them, making them a true partner, aligning them with my long-term growth strategy, ensuring that they have as much information as they need to be successful. I have a tendency on sharing a lot of information.

Because if I were not to be in my seat today or tomorrow, the organization would not feel it. Because everyone is highly accountable within the area of business, they will not miss a beat. Everybody in the organization will be able to move forward, and I think that's critically important. So, try to pay it forward by sharing information because information is power. Leveraging their knowledge and skill around the very business needs, gives them opportunities. And they have a tendency, in our organization, of playing many different roles over time. I inherently trust and encourage and empower them to take the measured risks, and then coach and mentor for their potential success. A fun fact, maybe I can give you, I have designed positions around the talent and based on strategic objectives, and I do encourage my leaders as well to not shy away to foster innovation and growth within their own business units. So, that's how they grow and learn continuously in the feedback.

Rahul Mahna: That is fabulous. And we've just reached the end of the hour. Thank you so much from both Amy and my side. We really appreciate you being so transparent and helpful. And with that, I'll turn it back to Bella.

Sylvia McTigue: Thank you.

Amy MacFadyen: Thanks.

About Rahul Mahna

Rahul Mahna is a Partner in the firm and leads the Outsourced IT Services team with over 20 years of experience in IT technologies, software development and cybersecurity services.

About Amy MacFadyen

Amy MacFadyen is a Partner in the firm’s Not-for-Profit Services Group and Audit Department with ten years of experience in public accounting, where she has specialized in not-for-profit and commercial auditing.
