Defragmenting GRC: Confidence and Cost-Efficiency in a Time of Chaos - Pharmaceutical Technology

Latest Issue

Latest Issue
PharmTech Europe

Defragmenting GRC: Confidence and Cost-Efficiency in a Time of Chaos
The scope and complexity of GRC requirements are expanding so rapidly that businesses are struggling to fulfill them despite an increased willingness on industry's part to apply additional GRC resources.

Pharmaceutical Technology

Reduced effectiveness of each individual GRC initiative. When individual project teams use different policy and procedure formats, terminology, support systems, and processes, the effect on the workforce is multiplied. Understanding and following prescribed practices, getting direction, accessing procedures, dealing with uncoordinated training programs, lack of adequate records management, and available information for regulators all become unnecessarily burdensome. In addition, management is unable to maintain the access to information necessary for making informed business decisions. A fragmented GRC environment also prevents incremental improvements in process, policy, and technology from being replicated across the enterprise, further hindering the ability of all project teams to fulfill their full performance potential.

Delayed fulfillment of GRC objectives. When project teams can't adequately benefit from the work of their peers across the enterprise, it slows them down. They must rediscover resources and reevaluate technologies. They must negotiate new relationships with vendors and get new procurement approvals from purchasing. These delaying factors can be particularly problematic when it comes to meeting regulatory deadlines. Delays in order fulfillment can also extend an organization's exposure to a wide range of financial and legal risks.

Low executive-and board-level GRC confidence. Board members and C-level executives can only have confidence in an organization's overall GRC posture if they have information about conditions and issues across the enterprise. A fragmented GRC environment does not provide this essential end-to-end visibility. Instead, it forces those ultimately responsible for the enterprise's GRC performance to monitor and consolidate multiple GRC information sources.

In addition to being logistically cumbersome, this siloed approach creates more potential points of failure in the GRC chain wherever information from disparate systems must be consolidated. By implementing an integrated GRC program, organizations can reduce costs, improve effectiveness, accelerate the fulfillment of current and future mandates, and deliver the consolidated view of GRC status that upper management must safeguard their own interests and those of all corporate stakeholders.

Defining GRC

The first step in defragmenting GRC programs across the enterprise is to properly define GRC and GRC success. Companies must have a clear sense of what sorts of activities fall under the umbrella of enterprise GRC management and what common purpose those activities serve.

Governance, risk, and compliance are distinct but closely related ideas. The following definitions, while technically incomplete, are simple enough for the purposes of this article:

  • Governance is what companies decide to do. These decisions may be internally or externally driven, but either way governance is the management activity that draws the picture of what the company's behavior should look like if all goes according to plan.
  • Risk is what influences those decisions. All companies must make business decisions based on whether they want to accept, mitigate, or eliminate a given set of risks to minimize the downside and maximize the upside.
  • Compliance is how companies decide to do it. Compliance consists of the policies, processes, people, controls, tools, and other measures that a company deploys to fulfill its governance objectives and reasonably minimize risk.

In this context, enterprise GRC can be viewed as everything everyone at a company does that falls into one of these categories. This doesn't mean that all GRC activities must be managed in a centralized or monolithic way, but it does mean that all GRC activities across the enterprise must be recognized as such—and that they must all be subject to whatever global GRC management principles are put in place in an organized and distributed fashion.

Pharmaceutical organizations have focused primarily on the "C" in "GRC" because of regulatory scrutiny, but many organizations are building risk-management programs to become active in identifying and managing risks before they become compliance issues, as opposed to reactive in dealing with risks that already have turned into compliance issues.


blog comments powered by Disqus
LCGC E-mail Newsletters

Subscribe: Click to learn more about the newsletter
| Weekly
| Monthly
| Weekly

What role should the US government play in the current Ebola outbreak?
Finance development of drugs to treat/prevent disease.
Oversee medical treatment of patients in the US.
Provide treatment for patients globally.
All of the above.
No government involvement in patient treatment or drug development.
Finance development of drugs to treat/prevent disease.
Oversee medical treatment of patients in the US.
Provide treatment for patients globally.
All of the above.
No government involvement in patient treatment or drug development.
Jim Miller Outsourcing Outlook Jim MillerOutside Looking In
Cynthia Challener, PhD Ingredients Insider Cynthia ChallenerAdvances in Large-Scale Heterocyclic Synthesis
Jill Wechsler Regulatory Watch Jill Wechsler New Era for Generic Drugs
Sean Milmo European Regulatory WatchSean MilmoTackling Drug Shortages
New Congress to Tackle Health Reform, Biomedical Innovation, Tax Policy
Combination Products Challenge Biopharma Manufacturers
Seven Steps to Solving Tabletting and Tooling ProblemsStep 1: Clean
Legislators Urge Added Incentives for Ebola Drug Development
FDA Reorganization to Promote Drug Quality
Source: Pharmaceutical Technology,
Click here