Governance, Risk and Compliance (GRC) Management is fast becoming an integral business function across industries. Some management teams choose to look at GRC and the supporting eGRC systems as an additional, but unavoidable cost to their organization. However, true leaders will approach implementation of a GRC program as an opportunity for investment that will pay both short and long-term dividends in the way of reduced fees or fines as well as identify areas for time or cost-savings in daily operations.
Healthcare. It’s one of the most highly regulated industries, and is laden with compliance challenges. Keeping up with numerous regulations, audits and quality demands is not easy. Without a cohesive strategy, lapses are bound to occur. It is critical for Healthcare institutions to implement programs to effectively and efficiently meet ever-evolving needs. Industries such as banking and finance have been impacted by, and have learned to thrive in environments with intense regulatory standards. Healthcare organizations must look to this example and create and execute GRC programs with integrated sets of control standards, policies, procedures, and tools.
First, companies must focus on their business processes. Organizations with mature GRC environments know that effective and efficient business activities that support and derive value from GRC are not bolt-on additions to their existing business processes. In fact, rather than being additional activities performed by risk professionals, business risk management must be integrated – woven into the fabric of existing business processes. Risk professionals should guide and advise on this integration, but since business owners are ultimately responsible for the risks associated with their areas, these business owners should also own the integration and the resulting business processes – with the supporting risk and compliance activities ‘baked in’ to their regular operational tasks.
Complex business processes benefit from supporting technologies. Automated alerts, email reminders, organized document attachments, policy and control inventories and mapping, and pre-built workflows are just some of the features that technology provides to improve the efficiency and accuracy of business processes and their integrated GRC activities. There is a need to entrench a firm eGRC system that operates in a coordinated and systematic way. Only through the planning, implementation, and utilization of such a system can Healthcare businesses provide better quality services, reduce managerial costs, and improve processes to meet governance requirements, risk management goals, and compliance regulations.
Despite the growing importance of effective management, many Healthcare providers are slow to adapt a GRC approach that is well integrated within the business and management processes. Often caught in a reactive mode, Healthcare organizations are stuck with minimal results for maximum effort.
Take for example one of our current healthcare clients. Before they made an investment in an eGRC system, the organization suffered from a fragmented risks program using spreadsheets and text documents that were not always shared across the enterprise. Each business unit maintained their own “sources of truth” with regard to business processes, supporting technologies used etc. that, in many cases, were duplicative and conflicting. Formulating a coherent compliance or risks assessment across the enterprise took months and were at best incomplete. In addition, the cost of regulatory non-compliance became very high and was beginning to affect their public reputation. Such immaturity of GRC management is highly reactive and can deeply affect internal and external risks. But now, even though they’re still expanding and optimizing, they’re already seeing returns from the initial operationalized functions of their eGRC.
One example of this return was realized upon implementation of a cohesive Issues Management function, where it was learned that multiple similar risk remediation activities were occurring within different corporate silos. Those efforts have since been combined, driving a more effective result while simultaneously saving hundreds of thousands of dollars in operating and capital expenses.
Gartner has provided us with stages of maturity that describes the GRC Maturity Model:
*Source: “Governance, Risk and Compliance (GRC) Maturity Model,” AMR (Gartner) Research
GRC is a journey, but adopting proven systems and techniques can give your organization a head start on the correct path, sometimes skipping the reacting stage altogether.
Based on the four stages of GRC maturity described above, note that the earlier stages (Reacting and Anticipating) are clearly more reactive while the later stages (Collaborating and Orchestrating) are more proactive.
Being reactive to unplanned events will generally incur costs in proportion to the frequency, breadth, and depth of the unplanned events while proactively planning, integrating, measuring, and continuously refining operating models will generally drive business value and reduce the cost of those unplanned events.
The anticipated benefits of implementing and continually refining GRC programs can be described through 4 areas:
- Eliminating redundant processes and technologies
- Reduced fines and penalties incurred due to insufficient compliance and/or reporting
- Increased control and business process efficiencies enabled through automation and continuous monitoring
- Improved alignment to business objectives and strategies
- Decreased capital reserve requirements and increased risk tolerance through better risk management and loss mitigation
- Increased funding available to lines of business to drive new product development and demand generation
- Effective top-down and bottom-up reporting
- Increased public and reputational confidence due to simplification of risk management processes and outcomes
- Better management decisions based on availability of more accurate and timely information
- Fewer application and business process downtime/interruption events
- Decreased vulnerability to loss of institutional knowledge and experience typically associated with reorganizations and staff attrition
* Source: EY’s “Turning risk into results – Unlocking the power of GRC technology” and Brenda Boultwood, “The GRC Value Proposition”)
GRC is an investment that pays dividends, and not just through cost savings associated with reduced fines. Healthcare providers have the opportunity to evolve their GRC programs to drive revenue through increased business process performance efficiency and greater control over their risk profile, leading to cost savings, and increased value for management.