The one thing every healthcare organization needs but doesn’t have

GRC Adoption Helps Bring Down Silos, Establish True Culture of Safety and Reliability

The outrage over United Airlines' forcible removal of a passenger, and the company's clumsy response, shows how vulnerable even the largest organizations are when company policies fail to adapt to an emerging crisis. Reputations are sullied and lawsuits follow. Yet while United's stock took a hit, it has since rallied to its pre-crisis levels. Travelers will grudgingly fly the airline because it fits their fare and destination criteria.

Healthcare organizations facing a data breach, an infection outbreak or an accidental death might not be so resilient. Their approach to governance, risk management and compliance has to be different. Like airline passengers, patients certainly deserve to be treated with dignity and respect. But a patient's top expectation is to receive safe, quality care.

The best way to deliver on that expectation is for providers to view issues of safety, risk and compliance as a cohesive whole. From the C-suite to the emergency room, healthcare organizations are beginning to embrace GRC, or a coordinated, integrated model for all operations that include governance, risk management and compliance. What’s more, they are beginning to realize the improved financial performance that companies with robust, “mature” GRC programs experience.

GRC: What it is – and isn’t

OCEG, a GRC think tank, defines it as "a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance]."1 When organizations reach a certain size, coordinating GRC is required to operate effectively. GRC is not relevant to information technology only; it has clinical, operational and financial implications as well. Each discipline creates information or value for the other two.

A risk to patient safety, such as a hospital-acquired infection, has clinical and financial implications. Sensitive patient data getting into the wrong hands via an employee without the proper credentials has clinical, financial and operational implications. Providers won’t get ahead of this risk curve with just spreadsheets and manual checklists. As OCEG underscores, “many GRC functions operate in isolation, (which) produce redundancy and gaps while remaining ignorant of the interrelationship of risk across silos. This has a measurable cost to the organization in inefficiency, ineffectiveness, and lack of agility.”

ERM and GRC: the same?

While many organizations may look at Enterprise Risk Management as an equivalent to GRC, ERM strategies typically are not connected to the rest of the organization from a process or data perspective. In a hospital setting, ERM is relegated to addressing issues after they happen.

High reliability organization and culture of safety

United's reputation may suffer due to its harsh treatment of a passenger, but it's important to note that the airline safely delivered its passengers to their appointed destination. United does this consistently, due in part to the airline industry's incorporation of high reliability organization (HRO) and culture of safety principles into its operations.

An HRO has succeeded in avoiding catastrophes in an environment where normal accidents can be expected, such as fighting wildfires, running nuclear power plants or launching an astronaut into space.

Improving the culture of safety within health care is an essential component of preventing or reducing errors and improving overall health care quality. A safety culture is characterized by shared core values and goals, non-punitive responses to adverse events and errors, and promotion of safety through education and training. A safety culture requires strong, committed leadership, along with the engagement and empowerment of all employees.

Atul Gawande’s Checklist Manifesto highlighted the need for healthcare to begin to adopt HRO and culture of safety principles. But it has a long way to go, and checklists are just the beginning.

Steps to GRC maturity

Currently, there are few processes or models for organizations to emulate, or technologies to implement them. But as providers begin considering GRC, here are some likely milestones:

Audit
The first step to integrated GRC begins with an audit – establishing a baseline rating of where the organization is in its GRC "maturity." Current risk assessments and remediation activities are a starting point.

Goals
Results of the audit help set the baseline goals of what a successful GRC looks like. What are the metrics to monitor a successful program? What are the new risks the organization is facing?

Strategy
With the destination in hand, now's the time to chart the road map. What process improvements need to take place? What are the metrics that will define success? Now is also the time to bring vendors, suppliers and contractors into GRC.

Metrics and Measurement
Establishing acceptable performance thresholds to measure GRC, and aligning those with the metrics that reflect the current state of the organization, provides all stakeholders with what they need to succeed.

Reporting
Regular reporting to decision-makers keeps the Governance in GRC. As a recent Forrester2 report points out, organizations need to continuously demonstrate the reliability of risk and compliance data, show how thoroughly risks are being tracked, and give leadership the information they need to take action.

Predictive analytics is a significant part of the reporting matrix, as it allows a GRC process to become proactive. Teams are alerted to issues so that they can be addressed before a clinical error or patient complication emerges.

Minimize risk, maximize financial performance

These steps to GRC maturity won’t advance themselves. Outside consultants can help facilitate the process, and help design effective systems. But the true measure of a GRC-mature organization is more than consulting, processes and the technology to get things done. It’s having a thorough knowledge of how they all work together, and a willingness to think and work differently to build a culture of patient safety and efficient health care delivery.

As other industries have discovered, a mature risk management program contributes to better financial performance. A recent Ernst & Young report and survey found that companies in the top 20 percent of risk maturity generated three times the level of EBITDA as those in the bottom 20 percent. Financial performance was highly correlated with the level of integration and coordination across risk, control and compliance functions.


From “Turning Risk Into Results: How Leading Companies Use Risk Management to Fuel Better Performance,” EY Limited, 2013

Healthcare is a long way from GRC maturity, but given health care’s razor-thin margins, and its current state of risk management, there’s no time like the present.

1 OCEG (2017). 2017 GRC Maturity Survey. GRC 20/20 Research.
2 Forrester Research, Inc. (2016, April). Measure GRC Performance To Show Processes and Data Reliability.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
