Acentral issue for most pharmaceutical organizations, and all businesses, is the fragmented and reactive way governance, risk,
and compliance (GRC) tasks are handled across the enterprise. Sales managers may be responsible for ensuring that next quarter's
revenue projections aren't overblown. Information technology (IT) staff may be responsible for appropriately protecting customer
data. The chief financial officer's office may be responsible for meeting financial reporting mandates. And as new GRC issues
arise—because of emerging regulations, industry guidelines and frameworks, or a breaking news story—executives scramble to
quickly put "point" GRC measures in place. In the pharmaceutical industry, for example, an individual Warning Letter focused
on a specific issue may be addressed through a quick fix or point solution.
This fragmented, reactive approach has several serious problems:
- It drives up GRC costs because efforts and expenses are constantly duplicated
- It limits the effectiveness of each individual GRC initiative because each project team solves its problems in a unique way,
rather than using proven processes and best practices that are already in place
- It increases overall risk because risk mitigation is not sufficiently coordinated across the enterprise
- It delays time-to-fulfillment because each GRC project solves the same process and technology problems again and again
- It does not produce board-level GRC confidence because it does not enable true enterprise-wide visibility of GRC status and
For these reasons and others, it is crucial for executive management to bring order to GRC activities across the enterprise—that
is, across all GRC mandates, all business functions, all business units, all underlying IT infrastructure, and all geographies.
When pharmaceutical companies are dealing with multiple mandates, three basic requirements must be fulfilled to develop a
coherent approach to GRC across the enterprise:
a consistent corporate definition of GRC and GRC success; a common enterprise-wide framework for managing all GRC-related
processes; and a single integrated technology platform for GRC automation, recordkeeping, and reporting.
Chief compliance officers (CCOs) often step forward to take on the responsibility of developing this coherent approach to
GRC. Although corporate integrity agreements are sometimes the impetus for these initiatives, CCOs often struggle to find
a starting point to building a comprehensive GRC program. Each of these basic elements must balance the specificity necessary
to ensure that each individual GRC objective is fulfilled with the flexibility necessary to ensure applicability to any and
all GRC objectives across and beyond the walls of the enterprise.
The cost of chaos
It's hard to blame anyone for the current fragmented state of enterprise GRC efforts. Corporate executives had no way to anticipate
the scale of today's GRC workloads, the complexity of individual GRC mandates, or the pace at which GRC requirements would
continue to change. In addition, new requirements have blindsided organizations, leaving them no time to step back and develop
a holistic strategy for addressing all of their present and future GRC challenges.
Every executive, however, is now aware of how big a burden GRC has become. They are aware that GRC burdens are not going to
get any lighter and might get a whole lot worse. They're also well aware that their organizations' approaches to GRC are unacceptably
fragmented. This fragmentation across the enterprise has serious consequences, the most troubling of which are described below.
Significantly higher GRC costs.
When corporate GRC efforts are fragmented, expenditures of time and money are constantly duplicated. Project teams must work
through problems that others may already have solved. New systems are put in place when existing systems could readily be
used across multiple mandates. Productivity is lost because employees get pulled away from their jobs multiple times for training,
instead of just once. All of these inefficiencies divert financial and human resources that could bring much greater returns
if they could be allocated elsewhere.