Eric Cowperthwaite: Connect the dots

03.08.2012

Having all these people together under one organizational roof makes it easier to see whether a denial-of-service attack is actually part of another, bigger threat by understanding its potential financial impact. The strategy has also made it possible to create a model for defining and measuring inherent, managed and residual risk at Providence.

Combining the security and risk functions raised their profile and made the entire organization more aware of what risk is. This, in turn, has led to a better understanding of what really causes risk for Providence, a nonprofit that runs 27 hospitals, 214 physician clinics, senior services and more in five states.

"We've really worked on the human side of risk management," says Cowperthwaite. "Instead of just asking the top five executives what risks they saw, we asked the top 150, 'What risk do you face?'"

Healthcare reform is a great example of this. Historically, Providence had viewed it as a risk--not because it's bad or good, but because it causes change.

"By talking to all these people, we found out it's not the healthcare reform that's the risk, it's the things we need to change because of it," he says.