Governance Report Cards = Better Compliance Budgeting

Posted by Ken Reiher

Gerry Blass, President & CEO, ComplyAssistant

Using the right data to secure budget for security and compliance efforts

ComplyAssistant recently contributed an article on HIT governance to, which was published on October 29, 2019. The following blog post covers some of the key points.

Just like other operational and clinical areas of a healthcare system, the right metrics can help you understand the current state of your compliance and security strategy and help guide decisions about how your organization should allocate funding for health IT projects related to governance, risk, and compliance.

But, where to begin? Using a quarterly governance report card is an efficient way to gather data and see trending over time. Start with our top seven metrics to gather on your report card:

  • Risk assessment results
  • Vulnerability findings
  • Third-party vendor and business associate audit data
  • Workforce training results
  • Policy and procedure audit data
  • Disaster recovery/business continuity plans
  • Industry threat information and assessments

If you haven’t already, consider moving to a structured data collection and management model, typically using a governance, risk, and compliance software solution. Other tools, including learning management systems, technical tools, and outside resources, should also be used as sources for your quarterly report card.

Set your baseline

Don’t have a current baseline for your security and compliance metrics? That’s OK. Using our list above, aim for your next governance steering committee meeting as your deadline to collect the data you need. That will be your baseline. From there, each quarterly update of the report card will reveal trends that you may need to address as a team. And, the more effort you devote to your governance, risk, and compliance strategy, the better your report card scores will be quarter over quarter.

In addition to the report card data, we also recommend that you calculate and document your average risk score and average maturity score. These are also important to discuss during the quarterly governance meetings.

Governance and budget allocation

Now that you’ve documented risk ratings, scores on the various security and compliance risk areas, and the potential costs to mitigate them, you’re prepared for logical and informed discussions with your executive leadership and governance committee.

The governance committee should make decisions based on cost, risk, and impact to your organization’s mission. However, the committee will need to prioritize – even the largest organizations do not have unlimited resources to tackle every security and compliance vulnerability. Come prepared to outline which of your recommendations will have the most significant impact on preventing a breach, and then work your way down the list in order of priority, from highest to lowest risk.

Using a governance report card to bring real data to your governance committee on a regular basis will help educate leadership on gaps and impact, align needs across disciplines, and guide budgetary decision-making for improved strategic governance, risk, and compliance operations.

Read the full article on

Want more? Read our post on How a Functional Compliance Program Can Protect PHI.

For a consultation and demo of our GRC software, Contact ComplyAssistant.