Robert C. Kenderdine, JR

Vice President, ERP System Operations, CHRISTUS Health

At CHRISTUS Health, we deliver a complete healing experience that respects the individual. CHRISTUS Health is a Catholic, not-for-profit health system that encompasses more than 600 centers, including long-term care facilities, community hospitals, walk-in clinics, and health ministries.   

Headquartered in Irving, Texas, the organization also operates in Arkansas, Louisiana, New Mexico, Texas, Chile, Colombia, and Mexico. We are a community of 45,000 strong, with over 15,000 physicians providing individualized care.

Sponsored by the Sisters of Charity of the Incarnate Word in Houston and San Antonio and the Sisters of the Holy Family of Nazareth, our mission is to extend the healing ministry of Jesus Christ to every individual we serve.

Supernova Award Category: 
Digital Safety, Governance, Privacy, and Cybersecurity

The Problem: 

Managing the appropriate access and permissions for 35,000 users with diverse roles and responsibilities in a robust ERP system, Infor CloudSuite Healthcare, is highly complex, especially in our dynamic environment. We need to protect sensitive information, eliminate fraud such as duplicate payments, and ensure processes align with our business rules. Additionally, we aimed to prevent employees from feeling stressed about unknowingly performing inappropriate actions.

Our IT team had two members dedicated to Governance, Risk, and Compliance. They focused on segregation of duties (SoD), user access reviews, and elevated access requests. These tasks were error-prone and time-consuming due to manual processes and gaps in communication across various systems, each with different security and provisioning requirements. 

Completing SoD and user access audits took 18 months, increasing risk and costs due to the extensive resources needed. Our internal audit revealed 9,331 SoD violations, which our small IT team had to investigate and remediate. Elevated access requests were handled via email to role approvers, causing delays and risk as some approvers were missed or not notified. The resulting delays in provisioning left employees unable to perform their jobs effectively, leading to dissatisfaction. 

The Solution: 

When we transitioned to Infor CloudSuite in 2019, an internal audit revealed several users with inappropriate access. Addressing these issues promptly was impossible due to inadequate tools, leading to inefficiency and heightened risk. Also, we lacked confidence in the audit data. For instance, the report of 9,331 SoD violations was suspect due to potential data parsing and spreadsheet errors.

Infor GRC provided more confidence through its integrated framework that unifies governance, risk management, and compliance functions. This integration ensures consistency, efficiency, and a comprehensive approach to organizational oversight.

We also anticipated easier deployment and user adoption of Infor GRC, as it shares the same look and feel as Infor CloudSuite, with out-of-the-box content and workflows that are easily customizable. Risk dashboards allow our team to see SoD violations in real time, use What-If analysis, and easily generate reports for violations and auditing.

The Results: 

Once we began our internal audit process, we realized we needed a tool to efficiently manage controls around provisioning, excessive access, and sensitive data access. With Infor GRC, we now have just one person dedicated to managing ERP risk and compliance.  This shift has reduced the workload for our IT team and internal auditors since Infor GRC automatically generates detailed reports for audits.   

We integrate directly with our organization's identity management tools, enabling secure provisioning of employees requiring elevated access on their first day. Each elevated access request benefits from real-time visibility into a dedicated approval workflow based on functional area mapping and additional constraints, such as required training. This ensures employees are properly trained, avoiding downstream impacts on purchasing and finance.

Each Infor GRC module took a few months to implement. We started with Authorization Insight, which has greatly reduced the time spent identifying and resolving violations, leaving 121 true SoD violations instead of 9,331. Violations are detected immediately and addressed, and What-If analysis prevents violations from occurring in the future. Certification Manager allows us to reduce our unauthorized access footprint, minimizing opportunities to abuse privileges and expose sensitive data. Access Manager has reduced elevated user access request provisioning time from approximately three business days to just one.

Metrics: 

Infor GRC has allowed us to more effectively control a complex and ever-changing environment to reduce the potential business risks and the costs of compliance, increase operational efficiency, and automate the audit processes. We have been able to successfully grant employees roles and responsibilities in a faster, more controlled way to prevent inappropriate access or permissions.  Here are the outcomes of each Infor GRC use case: 

Authorization Insight 

  • 94% faster remediation - from 48 weeks to 3 weeks
  • 561 hours saved annually – identification and remediation of 121 true violations 
  • 78% faster auditing with robust reporting, saving internal audit team time and resources 
  • 4 months to implement 

Certification Manager 

  • 75% faster excessive access reviews - from 8 weeks to 2 weeks
  • 240 hours saved annually
  • 92% faster auditing with robust reporting, saving internal audit team time and resources 
  • 2 months to implement 

Access Manager 

  • 67% faster user provisioning for elevated user access - from 3 days to 1 day
  • 4500 hours saved annually
  • 67% faster auditing with robust reporting, saving internal audit team time and resources
  • 4 months to implement

The Technology: 

Infor GRC is a multi-tenant solution architected as a set of Docker-enabled microservices. It leverages AWS technologies such as Elastic MapReduce and Spark to evaluate large volumes of business process data. Organizations require powerful capabilities, designed and built by experts, which encode years of experience, knowledge, and best practices, all available at their fingertips.

Disruptive Factor: 

Our instincts were correct: our previous manual processes delivered inaccurate information, wasted valuable resources, and exposed us to risk. Implementing Infor GRC was a smart choice because it is a native tool designed specifically for Infor CloudSuite. Infor GRC can accurately read, understand, and manipulate the data, reducing our violations from 9,331 inaccurate ones to 121 true violations, with effective remediation. 

The tight integration with Infor CloudSuite Healthcare allowed us to deploy and standardize quickly, an unexpected benefit we realized when we implemented the first module, Authorization Insight. This was game-changing, as maintaining consistency has been a significant challenge due to our frequent expansions through acquisitions and new build-outs. Infor GRC can adapt to our dynamic environment, accommodating acquisitions of various sizes and complexities with easily customizable and controlled processes. 

We have successfully rolled out three modules of Infor GRC and are now implementing the fourth one, Process Insight. This module monitors business transactions to identify accounting errors or fraudulent activities, such as duplicate suppliers, processing supplier invoices without purchase order references, duplicate payments to the same suppliers, journal entries posted on weekends, and modifications in customer credit limits. 

Shining Moment: 

We now have a one-person, very happy GRC Administrator who can use Infor GRC to easily collaborate across different departments and functions to ensure that the business processes are functioning in line with the organization's goals. This directly supports our mission to extend the healing ministry of Jesus Christ into the communities that we serve by giving our employees the productivity tools they need to redirect resources to patient care.  

About CHRISTUS Health

CHRISTUS Health is an international faith-based, not-for-profit health care system based in Irving, Texas, with more than 60 hospitals in Texas, Louisiana, New Mexico, Chile, Colombia and Mexico. CHRISTUS is made up of 50,000 Associates providing compassionate and individualized care at more than 600 centers, including community hospitals, clinics, long-term care facilities and health ministries.