Defragmenting GRC: Confidence and Cost-Efficiency in a Time of Chaos - Pharmaceutical Technology


Defragmenting GRC: Confidence and Cost-Efficiency in a Time of Chaos
The scope and complexity of GRC requirements are expanding so rapidly that businesses are struggling to fulfill them despite an increased willingness on industry's part to apply additional GRC resources.

Pharmaceutical Technology

Creating a common GRC framework

The variation and complexity of ethical and regulatory mandates that pharmaceutical companies must address today make it unlikely that any single, centralized group of individuals will be able to manage GRC efforts across the enterprise. Nor is it feasible to apply identical compliance controls to every type of GRC initiative, because the measures needed to fulfill Sarbanes–Oxley financial reporting requirements, for example, are quite different from those needed to protect an organization against pretexting. However, these diverse GRC activities can still be managed in a similar manner under a common framework. Although this framework varies from company to company, based on factors such as size and industrial and organizational complexity, some basic components are common to all enterprise GRC frameworks.

Enterprise governance. It is generally recommended that all enterprise GRC activities—no matter how broadly distributed—report to an enterprise GRC committee or a CCO. Again, there is significant variation in exactly how different companies structure this governing body.

The charter of this committee is typically to define enterprise GRC principles, approve enterprise policies, provide guidance to individual GRC initiatives, and authorize any GRC-related technology investments. This committee also provides a vehicle for communicating with the company's executive committee or board of directors, both to report on overall enterprise posture and to respond to any directives they may choose to initiate.

Enterprise risk. Because risk is the measure of all GRC activities, a common method of assessing risk should be applied across the enterprise. These risks should include:

  • Financial risk, including aggregation and analysis of exposures that can affect revenue and costs, compromise solvency, or lead to fines and judgments
  • Operational risk, including keeping track of exposures that can impede delivery of goods and services, fulfillment of contractual obligations, or the company's ability to do business in specific markets
  • Legal and regulatory risk, including comprehensive assessment of exposures that can trigger intervention by government agencies, provoke third-party lawsuits, or affect the ability of the company to mount an effective defense in court
  • Strategic risk, including exposures associated with mergers and acquisitions, entry into new markets, and the introduction of new products.

Enterprise compliance. By sharing information and insight, each GRC group in the company can make life easier for every other group and maximize the total effectiveness of the company's cumulative GRC efforts. For example:

  • When a company acquires a new sales force or new product, the compliance controls for these new additions should be quickly brought up to the standards of the rest of the company. A single "weak link" puts the entire company at risk.
  • If one GRC group is having trouble getting a given supplier to fulfill its compliance requirements for a particular regulatory mandate, it makes sense to share that information with other GRC groups so appropriate pressures can be brought to bear on that supplier or a joint decision can be made to cease doing business with that supplier.
  • A firm's IT team may not be able to cost-justify the modification of a core business application to implement a compliance control requested by a single GRC group, but it may be able to do so if that same modification will substantively address risks faced by multiple GRC groups.

Implementing an enterprise GRC technology platform

Of all the resources that pharmaceutical companies can potentially leverage across their enterprise GRC efforts, a common GRC technology platform may be the most important. A common enterprise GRC technology platform can enhance GRC success in several ways:

  • It provides a common repository for all policy documents. This repository helps users create new policy documents for new GRC initiatives, because it makes it easier to refer to existing ones.
  • It provides a common repository for controls, training materials, and other compliance resources. This repository makes it easier for different GRC groups to take advantage of existing resources and avoid duplicating efforts.
  • It provides a common mechanism for segmenting users. By managing user roles in a common manner, an enterprise GRC platform ensures the right groups and individuals are involved in assessing risk and receive the right training and policies.
  • It provides a common mechanism for managing GRC-related training and document distribution. Once targeted user groups are identified, GRC teams must ensure they are appropriately informed and trained with any required third-party or custom materials. They also must confirm that these tasks have been properly performed by collecting appropriate acknowledgments and attestations. Managing these tasks in separate systems is far less efficient than using a single system.
  • It provides a common methodology for assessment, remediation, and other core GRC processes. It is beneficial to provide a shared set of process templates to all GRC teams across the enterprise.
  • It provides a common way of managing change. By having only one place where changes must be executed, companies also avoid the risk that an individual GRC group will fail to implement a critical change.
  • It provides a common reporting engine for upper management. Using one platform for all GRC-related reporting significantly improves visibility into compliance conditions across the enterprise, which allows upper management to compare the GRC performances of different business units and pinpoint risks earlier.


Source: Pharmaceutical Technology,