Healthcare organizations facing a data breach, an infection outbreak, or an accidental death can find it very hard to bounce back. To stay ahead of these problems, and to give patients the dignity and respect they deserve when being treated, hospitals and healthcare facilities need to approach governance, risk management, and compliance (GRC) as a whole rather than as separate efforts. GRC is not relevant to information technology only; it has clinical, operational and financial implications as well.

While some may consider Enterprise Risk Management (ERM) equivalent to governance, risk management, and compliance, there is a key difference. ERM strategies typically are not connected to the rest of the organization from a process or data perspective. In a hospital setting, ERM is relegated to addressing issues after they happen, whereas GRC is intended for prevention.

Establish a True Culture of Safety and Reliability

Improving the culture of safety within healthcare is an essential component of preventing or reducing errors and improving overall healthcare quality. A safety culture is characterized by shared core values and goals, non-punitive responses to adverse events and errors, and promotion of safety through education and training. A safety culture requires strong, committed leadership, along with the engagement and empowerment of all employees.

Steps to GRC maturity

Currently, there are few processes or models for organizations to emulate, and few technologies to implement them. But as providers begin considering GRC, here are some likely milestones:

1. The first step to integrated GRC begins with an audit, establishing a baseline rating of where the organization stands in its GRC "maturity."

2. Results of the audit help set the baseline goals of what a successful GRC program looks like.

3. With the destination in hand, now is the time to chart the road map.

Metrics and Measurement

Establishing acceptable performance thresholds for measuring GRC, and aligning those thresholds with the metrics that reflect the current state of the organization, gives all stakeholders what they need to succeed.


Regular reporting to decision-makers keeps the Governance in GRC. As a recent Forrester report [1] points out, organizations need to continuously demonstrate the reliability of risk and compliance data, show how thoroughly risks are being tracked, and give leadership the information they need to take action.

Predictive analytics is a significant part of the reporting matrix, as it allows a GRC process to become proactive. Teams are alerted to issues so that they can be addressed before a clinical error or patient complication emerges.

As other industries have discovered, a mature risk management program contributes to better financial performance. A recent Ernst & Young report and survey found that companies in the top 20 percent of risk maturity generated three times the level of EBITDA as those in the bottom 20 percent. Financial performance was highly correlated with the level of integration and coordination across risk, control and compliance functions.

[Graphic: compound annual growth rates]

[1] Forrester Research, Inc. (2016, April). Measure GRC Performance to Show Processes and Data Reliability.
