How VGZ Strengthens Risk & Compliance Operations with CERRIX
VGZ, one of the Netherlands’ largest health insurers, manages a broadset of operational, IT, financial and compliance risks. As an insurer,maintaining strong regulatory compliance and a well-structured risk managementsystem is essential for safeguarding trust. With this in mind, VGZ aimed toselect a GRC platform that could support its advancing risk managementpractices and provide greater structure, consistency and traceability.
After a structured evaluation, VGZ selected the CERRIX GRC tool for itsfunctional fit, intuitive workflows, mature information security, integrationwith Power BI, and its ability to link risks, controls, findings and actionsacross the Three Lines in a clear and traceable way.
A structured and phrased implementation
VGZ implemented CERRIX GRC tool in phases as part of the transition fromits previous GRC tool. The initial rollout focused on control testing, incidentregistration and action (MoI) management. Together with CERRIX, an externalimplementation partner and the internal project team, VGZ prepared its standingdata, frameworks and access structure to ensure a smooth and controlledgo-live.
The migration was carried out largely “as is,” allowing VGZ to stabilisethe environment before expanding its use of additional modules. Users weresupported through training sessions, webinars and clear instruction materials,which helped colleagues adopt the new workflows effectively.
“The workflow for control testing is straightforward,” says Erwin Holster, Senior Risk Officer. “Users were able to work with it quickly.”
VGZ started its first full control-testing cycle in CERRIX in August2024.
Enhanced structure in risk and compliance activities
CERRIX GRC tool is now used broadly across Risk & Compliance, Internal Audit, Corporate Internal Control and the first line. With a Risk& Compliance team of around 23 professionals, centralising risk information and clarifying responsibilities is an important step for ensuring consistency across teams. It supports the organisation in executing core risk and compliance processes in a more structured and consistent way.
More reliable control-testing execution
Uploaders, testers and reviewers follow a structured workflow supported by automated notifications. This reduces manual coordination and ensures each step of the process is completed correctly.
Centralisation of core risk information
Incidents, MoIs, findings, risks and controls are increasingly managed in one environment, improving completeness and making it easier to cross-reference information.
Clearer responsibilities and rights
As VGZ refines its incident and action-management processes, CERRIX helps define roles and responsibilities more clearly, supporting VGZ’s aim to strengthen first-line ownership.
Early reinforcement of risk culture
Although cultural change develops over time, CERRIX contributes to more consistent behaviours by making risk information easier to access, improving transparency and supporting stronger ownership across teams.
A stronger basis for reporting and oversight
CERRIX now serves as VGZ’s single source of truth for control effectiveness. Control-test outcomes, risk assessments, MoIs, findings and incidents are consolidated in a structured way, improving the reliability of information used for risk reporting.
VGZ combines this data with Power BI dashboards for deeper insight,including a dedicated report on operational execution risk. The next step is touse API connections, enabling up-to-date reporting at enterprise and management levels without manual exports.
This approach supports:
· greater transparency for internal stakeholders
· provides more targeted management information
· clearer reporting aligned with the risk taxonomy and regulatory expectations
A Collaborative Partnership for Ongoing Development
VGZ and CERRIX work together closely on both support and further development of the platform. As VGZ identifies new needs, these are discussed jointly with CERRIX and incorporated into the development roadmap where possible. New modules and updates demonstrate the platform’s ongoing growth, supported by open communication between the teams.
“There are always topics to refine,” saysErwin. “We address these together with CERRIX as we continue to develop our wayof working.”
This collaborative approach supports VGZ in further strengthening itsrisk and compliance framework and reinforces its position as a well-governedorganisation in the Dutch healthcare sector.
From Fragmented Risk Data to Integrated Risk Management
Accessible popup
Welcome to Finsweet's accessible modal component for Webflow Libraries. This modal uses custom code to open and close. It is accessible through custom attributes and custom JavaScript added in the embed block of the component. If you're interested in how this is built, check out the Attributes documentation page for this modal component.
