
How VGZ Strengthens Risk & Compliance Operations with CERRIX

VGZ, one of the Netherlands’ largest health insurers, manages a broad set of operational, IT, financial and compliance risks. As an insurer, maintaining strong regulatory compliance and a well-structured risk management system is essential for safeguarding trust. With this in mind, VGZ aimed to select a GRC platform that could support its advancing risk management practices and provide greater structure, consistency and traceability.

After a structured evaluation, VGZ selected the CERRIX GRC tool for its functional fit, intuitive workflows, mature information security, integration with Power BI, and its ability to link risks, controls, findings and actions across the Three Lines in a clear and traceable way.

A structured and phased implementation

VGZ implemented the CERRIX GRC tool in phases as part of the transition from its previous GRC tool. The initial rollout focused on control testing, incident registration and action (MoI) management. Together with CERRIX, an external implementation partner and the internal project team, VGZ prepared its standing data, frameworks and access structure to ensure a smooth and controlled go-live.

The migration was carried out largely “as is,” allowing VGZ to stabilise the environment before expanding its use of additional modules. Users were supported through training sessions, webinars and clear instruction materials, which helped colleagues adopt the new workflows effectively.

“The workflow for control testing is straightforward,” says Erwin Holster, Senior Risk Officer. “Users were able to work with it quickly.”

VGZ started its first full control-testing cycle in CERRIX in August 2024.

Enhanced structure in risk and compliance activities

The CERRIX GRC tool is now used broadly across Risk & Compliance, Internal Audit, Corporate Internal Control and the first line. With a Risk & Compliance team of around 23 professionals, centralising risk information and clarifying responsibilities is an important step for ensuring consistency across teams. It supports the organisation in executing core risk and compliance processes in a more structured and consistent way.

More reliable control-testing execution
Uploaders, testers and reviewers follow a structured workflow supported by automated notifications. This reduces manual coordination and ensures each step of the process is completed correctly.

Centralisation of core risk information
Incidents, MoIs, findings, risks and controls are increasingly managed in one environment, improving completeness and making it easier to cross-reference information.

Clearer responsibilities and rights
As VGZ refines its incident and action-management processes, CERRIX helps define roles and responsibilities more clearly, supporting VGZ’s aim to strengthen first-line ownership.

Early reinforcement of risk culture
Although cultural change develops over time, CERRIX contributes to more consistent behaviours by making risk information easier to access, improving transparency and supporting stronger ownership across teams.

A stronger basis for reporting and oversight

CERRIX now serves as VGZ’s single source of truth for control effectiveness. Control-test outcomes, risk assessments, MoIs, findings and incidents are consolidated in a structured way, improving the reliability of information used for risk reporting.

VGZ combines this data with Power BI dashboards for deeper insight, including a dedicated report on operational execution risk. The next step is to use API connections, enabling up-to-date reporting at enterprise and management levels without manual exports.

This approach supports:

· greater transparency for internal stakeholders

· more targeted management information

· clearer reporting aligned with the risk taxonomy and regulatory expectations

A Collaborative Partnership for Ongoing Development

VGZ and CERRIX work together closely on both support and further development of the platform. As VGZ identifies new needs, these are discussed jointly with CERRIX and incorporated into the development roadmap where possible. New modules and updates demonstrate the platform’s ongoing growth, supported by open communication between the teams.
“There are always topics to refine,” says Erwin. “We address these together with CERRIX as we continue to develop our way of working.”

This collaborative approach supports VGZ in further strengthening its risk and compliance framework and reinforces its position as a well-governed organisation in the Dutch healthcare sector.
