
How Wellstar eliminated menial tasks and took control of their risk management program
Mike D'Arezzo, Executive Director of GRC and Security at Wellstar, has a phrase for how most organizations used to manage risk: random acts of risk identification.
Every quarter, someone would convene a meeting. Teams would sit around a table and talk about what risks they were seeing. Someone would write the answers into a risk register (maybe in Excel, maybe in a legacy tool) and in a text box or a cell, someone would note what they planned to do about it. Everyone would nod. And then the next quarter, the same group would reconvene and nothing would have moved.
The rest of the program had the same structural problem. Controls only got tested once a year, during audit prep, and even then only by sample. Evidence collection meant chasing control owners: context-switching, sending follow-ups, receiving the wrong version of the wrong policy, then starting over. At Wellstar's scale, that process was unsustainable. You can't have enough staff to monitor all of your controls manually. It's not even theoretically possible.
The tools Mike had used earlier in his career hadn't helped much. Legacy GRC platforms were form-heavy and brittle: rename a field, corrupt the table. Getting vendor questionnaires out meant managing two separate instances across a DMZ and exporting data between them manually. Mike taught himself Visual Basic just to move data from Excel into XML into a database. That's what passed for automation.
What Wellstar needed wasn't just a better tool. It needed to get off the annual audit cycle entirely, and build a program that actually operationalized risk management instead of documenting it.
Wellstar implemented Complyance, and Mike noticed two things almost immediately: how fast people picked it up, and how much of the low-value friction just disappeared.
"I was like, oh, this is going to be a learning curve. No, it wasn't sitting in front of ChatGPT saying 'computer, tell me what you know.' It was natural. iPhone simple. Take it out of the box, power it up, start using it."
The evidence workflow changed first. When a security analyst named Bill needs to find where a specific control is supported in NIST CSF, he goes into Complyance and finds it in three minutes, including the evidence that supports it. The old process: open files, check version history, determine if this is the right version, contact the right owner, wait. Mike's observation: it now takes his team longer to log in through single sign-on than it does to find the actual answer.
That speed matters beyond efficiency. When an auditor asks for something and you produce it immediately, with confidence, the dynamic changes. They stop looking for reasons to keep digging.
For PCI compliance, which Mike's team was three weeks from completing at the time, the entire evidence package was essentially done. One piece of evidence was outstanding, waiting on a busy control owner. One. The rest was collected, reviewed, validated, and organized. That's what audit prep now looks like at Wellstar, instead of a waterfall process that stretches for months and surfaces problems at the end when there's no time to fix them.
"If you can produce evidence fast, and with surety and confidence, that auditor really gets the sense that you know what you're doing. You don't give them a chance to dig deep. You're like, 'Nope, we've got everything. We're ready.'"
The AI handles the evidence hygiene: identifying old versions, flagging what needs to be updated, surfacing the right policy without someone having to go hunt for it. The human stays in the loop on what matters.
"There is somebody who double-checks the more important things, but going out and collecting it, finding out where it is, saying this is old and should be updated, AI takes care of all of that."
The shift from once-a-year sample testing to 365-day continuous visibility is the result Mike returns to most. At Wellstar's scale, testing a sample of controls during an annual audit cycle was never actually compliance; it was compliance theater. The real question is whether controls are working every day, for every employee, across every system. That question is only answerable with something that runs at AI speed.
Risk management is also starting to function the way it's supposed to. Instead of text boxes in a risk register that no one acts on, risk treatment plans now generate actual tasks, assigned to the right people. Risks get worked. Some get closed. The quarterly meeting still happens, but it's not the entire program anymore.
The team feels different too. Mike describes it as reducing stress and wear. Nobody joined a security team to spend their days sending email follow-ups to control owners or chasing down whether the PDF they received matches the version that was signed off on. Complyance handles the low-value work. The team handles the risks.
Instant evidence reduces auditor scrutiny and stress.
AI spots gaps early (wrong docs, old versions) vs. waterfall rework.
All controls, all the time, not "check-the-box."
Focus shifts to operationalizing risk (mitigation tasks auto-assigned) over admin chases.