Governance, risk management, and compliance (GRC) refer to an organization’s capability to reliably achieve objectives while addressing uncertainty and acting with integrity (Rasmussen, GRC 3.0 – A History of GRC, 2013). An efficient system of GRC is critical for all organizations, specifically healthcare organizations, as GRC helps organizations set goals and reach optimum performance. A well-managed and maintained set of policies is the backbone of a successful GRC system.
Governance can be defined as “the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined” (Marks, 2010). It instills a sense of consistency and accountability within the organization. A policy management system supports this by specifically articulating the governance structure and culture of the organization. Without efficient policy management, this culture can bend, shift, and morph along the way (Rasmussen, GRC 3.0 – A History of GRC, 2013). A policy management system can also ensure that all stakeholders – board members, administrators, and health care providers – attest to, understand, and are on board with the articulated organizational structure.
Uncertainty is a part of running any organization, and hospitals are no exception. Risk management is the process of identifying, assessing, and prioritizing risks, as well as creating a plan for minimizing or eliminating the impact of negative events (The Importance of Risk Management to Business Success, 2013). Risk management is critical to protecting a hospital from vulnerability. In a hospital, this could include accidents and outbreaks, as well as lawsuits and financial litigation. Having a robust and well-managed set of policies allows hospitals to be proactive, rather than reactive, when it comes to risk management. This can help protect against financial loss, as well as protect patient and employee safety.
Compliance completes the GRC definition by encouraging organizations to act with integrity. It means adhering to stated requirements while establishing the values, ethics, commitments, and social responsibility of the organization (Rasmussen, Why Policies Matter, 2011). Hospitals deal with many requirements and standards, from local, state, and national regulatory bodies. Regulatory bodies, such as the Joint Commission and HIPAA, set the standards for what is acceptable and unacceptable in hospitals. A well-managed set of policies can aid a hospital in creating and maintaining policies that keep it up to date on these requirements and standards.
Though a policy management system is critical to addressing GRC in hospitals, GRC is not something you buy, but rather, something you do. No software can create a GRC structure, but technology can improve and support an existing system. A policy management system can fulfill the needs of multiple stakeholders in hospitals, including board members who need to identify and manage risk, legal managers who are concerned about litigation, hospital administrators who want to ensure compliance with regulatory bodies, and health care providers who want to carry out their duties in an organized and productive manner. A good system of GRC defines governance and the culture of the company, manages risk and minimizes the effect of adverse events, and helps the organization stay in adherence with regulatory bodies. A good policy management system can support all of these things.
The Importance of Risk Management to Business Success. (2013). Retrieved May 22, 2013, from Whatisriskmanagement.net:
Marks, N. (2010, June 2). GRC: Let’s Talk About Governance. Retrieved May 22, 2013, from CMS Wire:
Open Compliance & Ethics Group. (2012). Policy Management: Visualizing an Effective Capability. Retrieved May 1, 2013, from Governance, Risk Management and Compliance Research 20/20:
Rasmussen, M. (2013, April 16). GRC 3.0 – A History of GRC. Retrieved May 17, 2013, from GRC 20/20:
Rasmussen, M. (2011, April 5). Why Policies Matter. Retrieved May 17, 2013, from GRC 20/20: