How a healthcare provider leveraged automation to save 5,000+ hours annually to manage governance, risk, and compliance

Managing the appropriate access and permissions for 35,000 users at CHRISTUS Health with diverse roles and responsibilities for a robust ERP system, Infor® CloudSuite™ Healthcare is highly complex, especially in its dynamic environment of ongoing expansion. Headquartered in Irving, Texas, the organization also operates in Arkansas, Louisiana, New Mexico, Texas, Chile, Colombia, and Mexico.

"CHRISTUS Health partnered with Infor in 2018 to really modernize our business systems. We were operating over 16 different financial, supply chain, and human resources systems. With Infor CloudSuite, we really have streamlined all our business processes into a single platform and a single source of truth. This allows for our employees to access and update their information easily and more quickly so they can get back to the business of patient care." Says Robert C. Kenderdine, Jr., Vice President, ERP System Operations.

With a community of 45,000 patients and 15,000 physicians providing individualized care, CHRISTUS needed to protect sensitive information, eliminate fraud such as duplicate payments, and ensure processes aligned with its business rules. Additionally, CHRISTUS aimed to prevent employees from feeling stressed about unknowingly performing inappropriate actions.

The IT team had two members dedicated to governance, risk, and compliance. They focused on the segregation of duties (SoD), user access reviews, and elevated access requests. These tasks were error-prone and time-consuming due to manual processes and gaps in communication across various systems, each with different security and provisioning requirements.

Completing SoD and user access audits took 18 months, increasing risk and costs due to the extensive resources needed. The internal audit revealed 9,331 SoD violations, which the IT team had to investigate and remediate. Elevated access requests were handled via email to role approvers, causing delays and risks as some approvers were missed or not notified. The resulting delays in provisioning left employees unable to perform their jobs effectively, leading to dissatisfaction.

"When we transitioned to Infor CloudSuite in 2019, an internal audit revealed several users with inappropriate access. Addressing these issues promptly was impossible due to a lack of adequate tools, leading to inefficiency and heightened risk. Moreover, we lacked confidence in the audit data. For instance, the report of 9,331 SoD violations was suspect due to potential data parsing and spreadsheet errors." Says Malcolm Jackson, Manager, Infor ERP Technical Services.

Automating governance, risk, and compliance processes with Infor

CHRISTUS Health implemented Infor Governance, Risk, and Compliance (GRC)to provide the automation and confidence needed to lower risk and costs for the organization by successfully granting employees roles and responsibilities in a faster, more controlled way to prevent inappropriate access or permissions. Through its integrated framework that unifies governance, risk management, and compliance functions, the solution ensures consistency, efficiency, and a comprehensive approach to organizational oversight. Infor GRC is a multi-tenant solution architected as a set of docker-enabled microservices. It leverages Amazon Web Services technologies like Elastic Map Reduce and Spark for evaluating huge amounts of business process data.

"Our instincts were correct. Our previous manual processes delivered inaccurate information, wasted valuable resources, and exposed us to risk. Implementing Infor GRC was a smart choice because it is a native tool designed specifically for Infor CloudSuite. Infor GRC can accurately read, understand, and manipulate the data, reducing our violations from 9,331 inaccurate ones to 121 true violations, with effective remediation," says Jackson.

Partnering with New River Systems and Infor Professional Services, CHRISTUS was able to successfully deploy Infor GRC quickly by aligning roles and responsibilities to the positions already set up across the organization. "We partnered with Infor and New River Systems to do the implementation of Infor GRC. There's a set of rules that you implement across the modules, and we were able to work through that list quickly and identify what would be the most benefit to CHRISTUS Health."

Each Infor GRC module took a few months to implement. Starting with Authorization Insight, 121 true SOD violations were identified instead of 933, greatly reducing the remediation time moving forward. Violations are detected immediately and addressed, and What-If analysis prevents violations from occurring in the future. Certification Manager reduces the unauthorized access footprint, minimizing opportunities to abuse privileges and expose sensitive data. Access Manager reduces elevated user access request provisioning time from approximately three business days to just one.

Delivering real value with automated and controlled processes

Infor GRC has allowed CHRISTUS to more effectively control a complex and ever-changing environment to reduce the potential business risks and the costs of compliance, increase operational efficiency, and automate the audit processes. Value realization with each Infor GRC module:

Authorization Insight
• 94% Faster remediation-from 48 weeks to three weeks
• 561 hours saved annually-identification and remediation of 121 true violations
• 78% faster auditing with robust reporting, saving internal audit team time and resources
• Four months to implement

Certification Manager
• 75% faster excessive access reviews-from eight weeks to two weeks
• 240 hours saved annually
• 92% faster auditing with robust reporting, saving internal audit team time and resources
• Two months to implement

Access Manager
• 67% faster user provisioning for elevated user access-from three days to one day
• 4,500 hours saved annually
• 67% faster auditing with robust reporting, saving internal audit team time and resources
• Four months to implement

Single GRC administrator lowers risk for a 35,000-person organization

With Infor GRC, CHRISTUS now has one person dedicated to efficiently managing controls around provisioning, excessive access, and sensitive data access. This shift has reduced the workload for the IT team and internal auditors since Infor GRC automatically generates detailed reports for audits.

"We now have a one-person, very happy GRC Administrator who can use Infor GRC to easily collaborate across different departments and functions to ensure that the business processes are functioning in line with the organization's goals. This directly supports our mission to extend the healing ministry of Jesus Christ into the communities that we serve by giving our employees the productivity tools they need to redirect resources to patient care," says Kenderdine.

CHRISTUS has successfully rolled out three modules of Infor GRC and is now implementing the fourth one, Process Insight. This module monitors business transactions to identify accounting errors or fraudulent activities, such as duplicate suppliers, processing supplier invoices without purchase order references, duplicate payments to the same suppliers, journal entries posted on weekends, and modifications in customer credit limits.

"The tight integration with Infor CloudSuite Healthcare allowed us to deploy and standardize quickly, an unexpected benefit we realized when we implemented the first module, Authorization Insight. This was game-changing, as maintaining consistency has been a significant challenge due to our frequent expansions through acquisitions and new build-outs. Infor GRC can adapt to our dynamic environment, accommodating acquisitions of various sizes and complexities with easily customizable and controlled processes," says Kenderdine.