How Much Does the Integral Post-Incident Diagnostic Cost?
Last updated: May 2026
The Integral Post-Incident Organizational-Recovery Readiness Diagnostic is scoped per engagement — IHS does not publish a fixed fee schedule. Cost is driven by organization size, event type, second-victim cohort size, time since the incident, and the depth of structural and governance review required. This guide explains what determines scope, what the diagnostic delivers, and what delayed or absent organizational recovery actually costs. Delivered personally by Thomas G. Goddard, JD, PhD, CCEP.
Why IHS Does Not Publish Fixed Pricing
The diagnostic is principal-delivered — every interview, every survey instrument, every document review, and every leadership-team debrief is conducted personally by Thomas G. Goddard, JD, PhD, CCEP. There is no team of associates working from a template. Because the engagement is principal-delivered at a scope the leadership team commissions, the cost depends on what that scope actually is.
A 60-person behavioral health program working through the aftermath of a staff-directed workplace-violence episode six weeks post-incident requires a materially different scope than a 3,000-employee integrated delivery system still managing the organizational consequences of a ransomware attack 14 months later. A published rate card would underprice one engagement and overprice the other — and publishing one would misrepresent what the diagnostic costs, which is the opposite of what a cost guide should do.
What IHS can give you: the factors that drive scope up or down, a framework for what each phase of the diagnostic involves, and a direct path to a scoped proposal based on your organization's actual situation.
Factors That Affect Cost
Five variables determine the scope — and therefore the cost — of the diagnostic.
| Factor | What Increases Cost | What Reduces Cost |
|---|---|---|
| Event type | Ransomware or multi-system cyber incident; sentinel event with active regulatory investigation; mass-casualty workplace-violence episode | Single-incident sentinel event with closed clinical investigation; contained workplace-violence episode with no active regulatory response |
| Organization size | Larger workforce cohort requiring broader interview coverage and survey administration across multiple sites or business units | Smaller, single-site organization with a defined affected cohort and consolidated governance record |
| Second-victim cohort size | Large or dispersed cohort; cohort that includes clinical, IT, compliance, and executive staff simultaneously | Smaller, geographically concentrated cohort with accessible primary contacts |
| Time since incident | Longer elapsed time means a larger governance record to review and more complex organizational adaptation to map | Engaging in the 4-16 week window after the acute phase, before organizational adaptation has obscured the acute signal |
| Regulatory-response intersection | Active CMS, OCR, Joint Commission, or state health department investigation running concurrently; privilege structure required; payer contract default provisions in play | Post-investigation environment with closed regulatory record and no pending enforcement action |
What You Receive
The diagnostic produces five deliverables across a 4-6 week engagement. Each is a standalone organizational-consulting artifact — not a slide deck, not a list of recommendations without evidence, and not a report that requires the principal to remain engaged to be useful.
- Post-Incident Organizational Nervous-System Map — an integrated assessment of the current autonomic state of affected teams and leadership cohorts, heat-mapped at the resolution the engagement scope permits without compromising individual confidentiality. Shows where the workforce is still operating from sympathetic activation or dorsal-vagal shutdown, and where the incident has left a persistent threat-state signature in the teams that bore the most direct exposure.
- Recovery-Readiness Assessment — a structured evaluation of the structural, relational, governance, and meaning-and-purpose conditions that currently support recovery versus block it. Includes second-victim cohort identification, support-structure adequacy assessment, leadership-team trust-voltage assessment, and moral injury indicators by cohort.
- Recovery Intervention Prioritization — a sequenced roadmap of structural, relational, governance, and leadership-behavior interventions across all four quadrants. Each recommendation names the dimension it addresses, the evidence base, the realistic time-to-effect, and the leadership owner.
- Engagement Scoping for Recovery Work — where findings support a bespoke C3 Post-Incident Organizational Recovery engagement, the principal prepares a scoping document as part of the debrief. The diagnostic is not a sales gate; the scoping is included because the recovery roadmap is incomplete without it.
- Leadership-Team Debrief and Working Session — a 90-minute working session delivered live (in-person or video). Structured to allow the leadership team to work through the findings, surface organizational context the diagnostic could not see, and align on next steps. Not a presentation.
The Cost of NOT Engaging
The diagnostic investment must be weighed against what organizational recovery costs when it is left to happen on its own — or when leadership assumes the technical and legal response track has addressed the human layer.
Cyber Incident: The Scale of the Problem
- 1,193 healthcare ransomware complaints to the FBI Internet Crime Complaint Center (IC3) in 2023 — more than any other critical-infrastructure sector (FBI IC3 2023 Annual Report)
- 193 million individuals affected by the Change Healthcare 2024 ransomware attack — the largest healthcare data breach in U.S. history (HHS OCR Breach Portal)
- $22 million ransom paid in the Change Healthcare acute phase. American Hospital Association estimated total industry disruption at $872 million (AHA, March 2024)
- 460 ransomware attacks on healthcare organizations reported to FBI IC3 in 2022 — the highest of any sector for the third consecutive year
Second-Victim Departure: The Hidden Workforce Cost
- $52,000-$88,000 per clinical departure — the average cost of replacing a registered nurse, including recruiting, onboarding, and productivity ramp (NSI Nursing Solutions, 2024 National Healthcare Retention & RN Staffing Report)
- The second-victim experience following a sentinel event typically involves six stages from chaos through resolution — with a subset of the cohort never completing the recovery arc (Scott et al., Johns Hopkins, 2009)
- Organizations with inadequate post-incident support structures for second-victim cohorts show measurably higher 12-month voluntary attrition in directly affected clinical units versus matched units without incident exposure (Seys et al., 2013)
- Wu (2000, BMJ) identified that medical errors involve two victims: the patient and the provider. The organizational cost of the second victim has never been the subject of a comprehensive industry-wide estimate, which is itself a measure of how systematically underfunded this dimension of post-incident response remains
Leadership Attrition and Governance Degradation
- Leadership teams operating from persistent sympathetic activation after a major incident make measurably worse decisions under uncertainty — a consequence of compromised prefrontal cortex function under chronic threat-state physiology (McEwen, Annals of the New York Academy of Sciences, 1998)
- Trust ruptures between functions — IT and clinical, compliance and operations, executive and clinical leadership — during and after a major cyber incident do not self-repair on a timeline correlated with technical remediation. Unrepaired trust ruptures compound the governance cost across the entire post-incident period
- Moral injury in healthcare staff directly involved in a sentinel event is associated with increased intent to leave the profession, not merely the organization (Talbot and Dean, The Lancet, 2018)
How the Diagnostic Is Structured
The diagnostic runs in three phases over 4-6 weeks. Each phase produces an intermediate artifact; the leadership-team debrief at the end of Phase 3 is the canonical delivery.
Weeks 1-2: Confidential Interviews and Organizational Survey
The principal conducts confidential, structured interviews with representatives across the affected organizational layers: incident-day responders and first-tier exposed staff; the second-victim cohort where identified and accessible; clinical or operational leadership directly involved in the incident response; the C-suite and, where accessible, board members involved in the governance response. Interview duration is typically 60-90 minutes per participant. In parallel, a validated, anonymized organizational survey instrument is administered to the affected workforce cohort. Instruments include the Professional Quality of Life Scale (ProQOL-5, Stamm), the Edmondson psychological-safety scale, and supplementary items calibrated to the event type.
Weeks 3-4: Structural and Governance Review
The principal reviews structural and governance documents that determine whether current conditions support or block recovery: formal incident-response documentation and post-incident action plan; governance records of the incident response; the current state of formal support structures for affected staff; the organization's relationship with applicable regulators in the post-incident period; and the structural conditions — workflow architecture, leadership communication cadence, cross-functional coordination — that are either supporting or blocking the return to integrated organizational function.
Weeks 5-6: Integration and Delivery
The principal integrates interview synthesis, survey data, and structural review into the four deliverables above. The leadership-team debrief is a 90-minute working session — not a slide presentation — walking the leadership team through the nervous-system map, the recovery-readiness assessment, the intervention prioritization, and the implications for governance and structural response going forward. Where diagnostic findings support a bespoke recovery engagement, the debrief includes a scoping conversation for that work.
Budget Planning by Phase
The diagnostic runs on a single engagement scope established at the outset — there is no per-phase billing structure. The phasing below describes where principal time concentrates across the engagement, not separate billing milestones. Understanding where time concentrates helps organizations prepare their own internal resources accordingly.
Phase 1 Concentration: Interviews and Survey (Weeks 1-2)
- Principal time is highest in this phase — structured confidential interviews at 60-90 minutes per participant, survey instrument administration and monitoring, and initial data synthesis
- Organizations reduce scope here by pre-identifying the second-victim cohort and providing direct access; scope increases when the cohort is dispersed, difficult to access, or operating within a privilege structure that constrains participation
- Internal resource need: a single point of contact for scheduling and logistics, and organizational communication to affected staff explaining the voluntary nature of participation
Phase 2 Concentration: Document Review (Weeks 3-4)
- Principal time shifts to structural and governance document review — incident-response records, post-incident action plans, regulatory correspondence, support-structure utilization data
- Organizations with organized governance records and accessible documentation reduce scope here; organizations with incomplete post-incident documentation or active regulatory investigations expand it
- Internal resource need: access to the governance record and the individuals responsible for regulatory correspondence and support-structure administration
Phase 3 Concentration: Integration and Debrief (Weeks 5-6)
- Principal time concentrates on synthesis across all four quadrants and preparation of the leadership-team debrief — the 90-minute working session is the canonical delivery and is prepared with the same rigor as the written deliverables
- Where diagnostic findings support a scoping conversation for the C3 Post-Incident Organizational Recovery engagement, that conversation is included in the debrief at no additional scope
- Internal resource need: senior leadership time for the 90-minute debrief and the organizational decision-making that follows
Frequently Asked Questions
How do we get a specific proposal?
Schedule a no-obligation consultation using the link below. The principal will discuss where your organization is in its post-incident recovery, what the affected cohort looks like, and what the regulatory environment is. That conversation produces the information needed for an accurate scope — typically within one session.
Is the diagnostic covered by our cyber liability policy?
That determination belongs to your insurance counsel based on your specific policy language and the nature of the incident. Some cyber liability policies include post-incident consulting provisions. IHS does not evaluate insurance coverage; we can provide engagement documentation in whatever format your insurer requires for claim purposes.
Can the diagnostic run concurrently with an active regulatory investigation?
Yes, with appropriate privilege structure. Organizations that want to run the diagnostic while a regulatory investigation is active should discuss with General Counsel before engaging so the engagement letter reflects the appropriate working arrangement. IHS can work within a privilege structure where it has been established.
What is the minimum organization size for the diagnostic to be useful?
There is no minimum. The diagnostic has been applied in organizations ranging from community-based behavioral health programs with 40 staff to integrated delivery systems with thousands of employees. The scope and deliverable resolution scale accordingly. A smaller organization with a tightly defined second-victim cohort can work through the diagnostic in the minimum 4-week window; a larger organization may require the full 6 weeks or a modest scope extension.
Does the diagnostic produce findings that create liability exposure?
The diagnostic is an organizational-consulting deliverable scoped for the leadership team. It does not produce root-cause findings, technical remediation recommendations, or legal risk assessments. Findings are reported at the team, cohort, and leadership-tier level — never at the individual-respondent level. Organizations that need to manage privilege exposure should consult General Counsel before engaging, as noted above.
How does this differ from a standard employee-engagement survey?
An employee-engagement survey measures satisfaction, motivation, and organizational commitment at a point in time. The post-incident diagnostic measures the current autonomic state of affected teams, the second-victim cohort, leadership-team trust voltage, and moral injury indicators — specifically in the context of a significant incident that has disrupted normal organizational functioning. The instruments, the interview protocol, and the interpretive framework are calibrated to the post-incident environment, not to steady-state workforce assessment.
What happens if the diagnostic surfaces individual staff members in acute distress?
Findings are reported at the team, cohort, and leadership-tier level — never at the individual-respondent level. If the diagnostic surfaces indicators of individual staff distress requiring clinical response, the principal will communicate to leadership that the existing clinical-support structures need to be activated, without identifying individuals. The diagnostic maps where those structures need to reach; it does not function as a clinical referral pathway.
Is the diagnostic repeatable after a second incident?
Yes. Organizations that have commissioned the diagnostic after an initial incident and then experienced a subsequent incident typically find that the second diagnostic scopes more efficiently — the organizational baseline is established, the governance record format is familiar, and the leadership team has a framework for understanding what the diagnostic surfaces. The diagnostic is a repeatable organizational-assessment instrument calibrated to the post-incident environment, not a one-time product.
Related Resources
- Integral Post-Incident Organizational-Recovery Readiness Diagnostic — service page and full diagnostic description
- A6 Diagnostic vs Other Post-Incident Responses — how the diagnostic differs from clinical debriefing, technical post-mortem, and legal after-action review
- C3 Post-Incident Organizational Recovery — the bespoke recovery engagement the diagnostic may scope
- B3 Just-Culture Infrastructure Build — structural conditions for post-incident learning
- Integral Workforce & Leadership Sciences — practice line overview
Ready to Get Started?
Schedule a no-obligation consultation with IHS. The principal will discuss where your organization is in its post-incident recovery and whether the Integral Post-Incident Organizational-Recovery Readiness Diagnostic is the right next step — and if so, what an accurate scope looks like for your specific situation.