Discover how Zurich University Hospital (USZ), in collaboration with Swiss GRC, established a central platform for information security, risk management, business continuity, and audit, laying the foundation for a robust security culture and sustainable governance in healthcare.
Initial situation and objectives
Zurich University Hospital (USZ) is one of Switzerland’s leading healthcare institutions and faces complex daily requirements related to security, quality, and resilience. Through the Association of Zurich Hospitals, USZ became aware of Swiss GRC at an early stage. The trigger for the project was a strategic decision to establish an integrated and standardized risk and business continuity management approach that would optimize and consolidate existing processes.
This need was driven by both internal objectives and external requirements. Internally, the focus was on strengthening the hospital’s risk and security culture, increasing transparency, and creating a consistent data basis across all departments. Externally, rising regulatory expectations and the growing complexity of the healthcare sector acted as catalysts for expanding and scaling the existing GRC framework.
The project objectives were clearly defined:
- Establishment of a standardized, integrated GRC system
- Increased transparency and traceability of all risk and security processes
- Replacement of decentralized documentation with a central digital platform
- Efficiency gains through standardized workflows and clearly defined central responsibilities
Implementation and collaboration
The implementation of the GRC Toolbox was carried out in close coordination between the USZ project team and the consultants from Swiss GRC. From the outset, the collaboration was characterized by open communication, short decision-making paths, and a strong focus on execution. Requirements were jointly specified, processes were systematically mapped, and both functional and technical questions were resolved efficiently.
Challenges that arose during implementation were addressed and resolved promptly thanks to the constructive partnership. Particularly valuable for USZ was the fast response time of Swiss GRC, which significantly accelerated the project and enabled the continuous evolution of the solution.
The modular architecture of the GRC Toolbox allowed for a phased rollout of key functional areas. Today, USZ already uses the ISMS, Risk Management, BCM, and Audit modules. The Data Protection and Internal Control System (ICS) modules are nearing final implementation. In addition, the expansion to include a Third Party Risk Management (TPRM) module is planned for the coming year, enabling structured and transparent management of external dependencies.
Challenges and lessons learned
| Challenges | Solution approach |
| --- | --- |
| Heterogeneous, partly manual and Excel-based risk and security processes | Introduction of a central digital platform with standardized and traceable workflows |
| Need for greater transparency and a consistent data foundation | Establishment of clearly defined structures, roles, and assessment methodologies within the toolbox |
| Strengthening the security and risk culture in hospital operations | Systematic mapping of processes within ISMS, Risk Management, and BCM to promote a unified approach |
| Interdisciplinary collaboration across multiple departments | Close coordination, an agile implementation approach, and continuous support from Swiss GRC |
Key outcomes and benefits
The implementation of the GRC Toolbox enabled USZ to structurally strengthen and modernize core elements of its risk and security management. Previously decentralized and partially manual processes were replaced by a unified digital platform that now provides a consistent data foundation across all relevant areas. This has resulted in significantly improved transparency, efficiency, and traceability in day-to-day operations.
A key benefit is that all data can now be centrally captured, analyzed, and evaluated. The harmonization of processes also facilitates coordination between departments and enables structured, audit-ready documentation. As a result, USZ now operates a GRC framework that not only supports compliance with internal standards but also provides a strong foundation for meeting regulatory requirements. The clearly defined digital standards within the toolbox create clarity for all users and foster a shared understanding of risk and security processes.
Decision to choose Swiss GRC
The decision in favor of Swiss GRC was driven by several factors. Particularly decisive were the positive references USZ obtained from other organizations, as well as the additional trust created by the option to procure the solution via the Association of Zurich Hospitals. Swiss GRC also impressed with a modular solution that can be flexibly adapted to the needs of a complex hospital environment, combined with strong domain expertise in governance, risk, and compliance.
The implementation demonstrated that the GRC Toolbox is not merely a technical tool, but a strategic foundation for building a resilient risk and security culture. The close collaboration and continuous enhancement of the solution further confirm the value of the chosen partnership.