A large healthcare company implemented the popular GRC software Rsam as an on-premise solution in its cybersecurity group. Faced with slipping deadlines, the company called on AIM Consulting’s Delivery Leadership practice to get the project back on track.
Situation and Business Challenge
Like many companies in heavily regulated industries, healthcare organizations have pivoted to holistic software to manage their enterprise governance, risk, and compliance (GRC) strategy. When implemented effectively, GRC solutions provide sufficient visibility into organizations to help leaders identify and mitigate risks while providing enterprise-wide oversight and assurance.
GRC software implementations require uniting numerous siloed functional groups and processes onto a single platform, then harmonizing data flow from various sectors into a single view. Because these endeavors are highly complex, they often fail on the first attempt and either remain unusable or do not deliver their intended ROI.
Such was the case at a large healthcare company in the western U.S. with several million clients and billions in annual revenue. Having implemented the popular GRC software Rsam as an on-premise solution in its cybersecurity group, the company hired two external vendors and a project manager (PM) to implement a cloud version of Rsam enterprise-wide, but the project quickly bogged down.
Following the initial scoping and intake, communication silos and broken trust compounded among the external parties, leading to the PM’s dismissal. Faced with slipping deadlines, the company called on AIM Consulting’s Delivery Leadership practice to get the project back on track.
The team of industry experts from AIM’s Delivery Leadership practice coordinated the effort to implement Rsam within the original project timeframe for seven critical functional teams: Enterprise Risk Management, Internal Audit, Regulatory Affairs, Compliance & Ethics, Privacy, Cybersecurity, and Vendor Management. Applying its deep experience in enterprise-wide software implementations and organizational change management, AIM guided each functional team through the same requirements and design; development and testing; and training, adoption, and rollout phases.
Working closely with vice presidents and other key stakeholders in impacted teams within the IT organization, AIM defined the scope, approach, and timeline of the solution and drove it to completion in the allotted 6–7 month timeframe.
Week by week, AIM worked side-by-side with internal teams and external vendors to close the security gaps by leading 55 server deployments and migrating nearly 400 database servers to a new Microsoft Azure datacenter, including the arduous work of migrating some critical legacy OS and SQL Server systems. The project resulted in the decommissioning of more than 400 legacy servers that were no longer required by the business.
Initially, AIM focused on managing vendor conflicts, rebuilding foundations of trust, forming an agile implementation team, and realigning timelines between internal teams and vendors. Migrating the Rsam instance to the cloud also involved further cross-coordination between various infrastructure, architecture and IT teams.
As a great deal of work occurred in parallel, skillful leadership was required to manage expectations and morale and ensure that resources, timelines, and scope were in alignment for each team. A strong focus was placed on process iteration to minimize waste and rework.
Organizational Change Management
Although the seven critical functional teams would be daily users of the Rsam platform, everyone within the company would need to interface with Rsam at different points in time due to the nature of these core teams. For example, one of the benefits of Rsam is its notification capability, so anytime an employee was tasked with an action related to one of the seven teams, Rsam would send a notification to the employee and grant access to the item.
Governance and Support
Because Rsam represented a new cross-functional platform for the company, governance and support guidance for the solution were included in the project’s deliverables and driven enterprise-wide by AIM. Additionally, as AIM is an industry leader in data governance, the PM ensured that data would be managed appropriately during and after the implementation.
Numerous internal teams have shared positive feedback regarding the benefits of being part of the centralized cloud-based Rsam GRC solution.
The company’s C-suite leverages Rsam’s reporting dashboards to provide views of the organization’s true risk level, enhancing executive-level decision-making and influencing the company’s direction and top priorities. Lowering the company’s risk profile and increasing resilience to internal and external risk factors in turn decreases potential harm to the company’s brand.
Recurring changes to federal and state regulations (such as HIPAA, HITRUST, CHIP, Medicare/Medicaid, and the ACA), as well as to membership requirements for inter-state group affiliations, cause the organization to update compliance measures, tools, and practices frequently. The implementation and proper maintenance of a well-established Rsam solution has empowered the client to adopt new regulations more readily (e.g., GDPR) and reduce the chance of issues that often arise during such changes.
Because of the enterprise-wide nature of the implementation, more teams and processes have integrated smoothly with Rsam as the company has evolved. Not only has this streamlined and centralized processes for more teams, it has also enabled their data to aggregate with the rest of the company's to further refine the overall risk profile.