
How NGHS replaced reactive risk management with a program that finally keeps pace
When Antonio joined NGHS, the risk program had a visibility problem. Walking the floor and talking to IT leaders, he kept hearing about risks: in passing, in hallway conversations, in one-off meetings. But none of it was landing anywhere formal. "A lot of it was really in people's heads," he says. There was no central place where controls were documented, no system tracking their current state, and no process turning what people knew into something the organization could act on.
Third-party risk was in the worst shape. NGHS had been sending out vendor surveys for years, but the assessment side had completely broken down. Responses came back and sat untouched. By the time Antonio got there, some of that data was four to five years old with no analysis ever performed on it. Vendors that NGHS was actively working with hadn't been meaningfully reviewed in years.
In healthcare, that gap isn't just an operational problem. Third-party vendors touch patient data, clinical systems, and infrastructure that affects care delivery. Without a functioning process to assess and track that risk, accountability was impossible, and demonstrating enterprise-level risk management to leadership and regulators was out of reach entirely.
What Antonio needed was a way to get risk out of people's heads and into a system: one where controls, policies, risks, and vendor assessments were connected, owned, and tracked.
NGHS implemented Complyance and built their third-party risk program in the platform. The shift was immediate. When vendor survey responses come back now, the AI analyzes them automatically: surfacing potential gaps and flagging areas of risk associated with each vendor, rather than leaving responses to sit unreviewed in a folder.
From there, the program started to take shape in ways it hadn't before. Risk owners got assigned. Policies, controls, risks, and third-party assessment results now have relationships to each other in the platform, so when something surfaces in a vendor review, Antonio's team can trace it through to the relevant controls and understand what's actually exposed.
One benefit Antonio didn't anticipate was what the platform did for his team's capabilities. With resource constraints in the GRC function, there wasn't always bandwidth to build deep domain expertise across every area. The AI has helped close that gap.
"It's really allowed us to lessen the learning curve for some of our security analysts and has really enabled them to be trained by the platform itself."
The tool does more than run assessments; it helps the people running them get better at their jobs.
The most direct change is speed. Third-party risk assessments that took a week now take hours. In a health system where new vendors and technologies come in constantly, that pace matters; it means the GRC team can keep up rather than fall further behind.
But the more significant shift is structural. NGHS now has a program that actually functions at an enterprise level: risk is captured, not just heard. Vendors are assessed, not just surveyed. Controls have owners and documented states. And when leadership asks about risk, Antonio's team can show them an answer rather than reconstruct one.
"Compliance has given us the ability to demonstrate that we can actually manage risk at an enterprise level. There's been a dramatic improvement in how we manage risk, how we identify and assess risk, and how we ensure accountability when it comes to treating that risk. It's been huge. It's been a sea change."
What's ahead is continued maturation of the program: expanding the relationships between GRC components, deepening vendor coverage, and building on a foundation that, for the first time, exists in one place.
Third-party risk assessments that previously took a week now take hours
Vendor survey responses that had sat untouched for four to five years are now actively assessed
Controls, policies, risks, and third-party assessment results are now connected in one platform
AI has shortened the learning curve for security analysts