5 Things to Know About Governance, Risk, and Compliance

Posted by Ken Reiher

Have you heard the term GRC but are not quite sure what it includes, or how it relates to healthcare?

As advocates of a functional governance, risk and compliance strategy for any type of healthcare provider, be it a multi-facility health system or a solo practitioner, we are committed to providing education on a proper GRC strategy and tactical execution in order to safeguard all types of protected healthcare data, including protected health information (PHI).

To that end, we’ve put together this list of the top 5 things you need to know about governance, risk, and compliance.

1. GRC combines governance, risk, and compliance for a universal strategy.

More than stand-alone security or compliance efforts, governance, risk, and compliance work together to create a universal, protective strategy.

This type of enterprise strategy requires a top-down governance approach that is led by executive leadership, and that empowers all staff to speak up when they see something that could be a risk or vulnerability. Traits of a functional governance model include:

  • A collaboration between all members of the executive team who work together to elevate the need for a foundation of security and compliance.
  • Constant, vigilant awareness of risk areas and resource allocation to mitigate those risks.
  • An empowered chief information security officer (CISO) who can act as a check and balance to other departments, such as IT, risk management and compliance.
  • A culture that rewards, rather than punishes, behavior that protects data and information.

If you think of governance as the 50,000-foot strategic level, compliance is the 25,000-foot view that focuses on compliance and due diligence required for regulations and frameworks such as HIPAA, HITRUST, NIST CSF, Promoting Interoperability, PCI, DNV, and others.

  • Based on your governance strategy, which compliance frameworks make the most sense for your organization?
  • Do you have organizational change management that will support structural or operational adjustments based on the frameworks you select?
  • Do you have the resources and processes in place to document policies, procedures and due diligence?

[For more on compliance, check out our blog post on what you need for a functional compliance program.]

Think of risk management as the tactical, day-to-day, boots-on-the-ground processes to mitigate risks and vulnerabilities. What risks and vulnerabilities have been revealed during your quarterly governance review? Have you prioritized them from highest risk to lowest? What is your action plan to address them?

2. GRC is different from healthcare compliance.

It might seem obvious from item #1 above, but it’s worth stating more plainly.

Healthcare compliance is focused on answering the question: “Are we compliant with federal, state, and other regulations?” Compliance is about documenting due diligence related to your chosen frameworks and taking the steps required to comply.

While you can have a healthcare compliance strategy, it is only one part of a broad-reaching governance, risk and compliance strategy.

3. Governance, risk and compliance isn’t just for large health systems.

Though single-facility hospitals or solo providers may not have the operational complexity of a sprawling health system, they most likely have the same kinds of risk.

They use, store and share PHI. They work with third-party vendors and other business associates. They purchase and use network-based technologies and medical devices. They employ staff who use those technologies. All of these areas are prone to risk and require a GRC strategy to protect data and information. The scale may be different, but the risks are the same.

How many small practices have been hit by ransomware that came through a third-party vendor? The size or scope of the organization does not matter. The need for a broad-reaching approach is paramount.

4. GRC is particularly complex.

Because it combines three potentially disparate areas, a universal strategy can be difficult to wrangle, especially for large, geographically dispersed organizations. Do you track high-risk gaps and the cost to mitigate them?

  • Do you review vulnerability test findings and take corrective action?
  • Have you tested your Disaster Recovery plan?
  • How often do you conduct workforce training and mitigate risks found?
  • Do you keep an eye on industry breaches and trends?
  • Where have you made progress?
  • What areas need improvement?
  • How are your risk assessments performed today?
  • Do you have several departments gathering the same or similar data?
  • Is your executive leadership aware of risk areas and prepared to allocate resources to mitigate them?

These are just a few areas that need attention. A functional governance, risk and compliance strategy requires thoughtful planning, a collaboration between teams, and proper funding for technical and human resources.

5. There are resources to help.

Trying to figure out how to manage a universal GRC strategy? It’s not simple, nor is it a short-term endeavor. A true strategy should be as foundational to healthcare operations as safe patient care. Thankfully, there are resources that can help:

Risk registry

We recommend using a risk registry to manage risk across silos in your organization. A complete registry will provide transparency to risk areas throughout the entire enterprise, which will help guide a more efficient governance strategy that will work for the whole organization.

GRC software

Spreadsheets, binders, notepads, handwritten audits. While these tools may have worked in the past, they are obsolete in today’s digital care environment. If your organization uses more than one security framework, how do you keep track of it all? How do you manage potentially hundreds of third-party vendor audits? You need comprehensive governance, risk and compliance software that offers a variety of features, including audits, incident management, notifications, tasks and action plans, and vendor management.

Consulting expertise

Your governance model may require the voice of an outside, objective third party who can look beyond the norms in your organization and offer suggestions for improvement. Or, you may just need an extra set of expert hands to help with the everyday assessments, audits, workforce training, security walkthroughs, and the like. Regardless of the need, know that you do not have to go it alone. Look to a GRC consulting team that can be your partner in delivering a long-term universal strategy.

Learn what ComplyAssistant Software can do for you

Additional GRC resources from ComplyAssistant:

Blog: Governance Report Cards = Better Compliance Budgeting

Article: Is Meaningful Use Still Meaningful?

Article: A Guide to the NIST Cybersecurity Framework

Blog: Moving mountains: Why a healthcare compliance consultant might be your new best friend

Solution: GRC software from ComplyAssistant