Creating a common GRC framework
The variation and complexity of ethical and regulatory mandates that pharmaceutical companies must address today make it unlikely
that any single, centralized group of individuals will be able to manage GRC efforts across the enterprise. Nor is it feasible
to apply identical compliance controls to every type of GRC initiative, because the measures needed to fulfill Sarbanes–Oxley
financial reporting requirements, for example, are quite different from those needed to protect an organization against pretexting.
However, these diverse GRC activities can still be managed in a similar manner under a common framework. Although this framework
varies from company to company, based on factors such as size and industrial and organizational complexity, some basic components
are common to all enterprise GRC frameworks.
It is generally recommended that all enterprise GRC activities—no matter how broadly distributed—report to an enterprise
GRC committee or a CCO. Again, there is significant variation in exactly how different companies structure this governing
The charter of this committee is typically to define enterprise GRC principles, approve enterprise policies, provide guidance
to individual GRC initiatives, and authorize any GRC-related technology investments. This committee also provides a vehicle
for communicating with the company's executive committee or board of directors, both to report on overall enterprise posture
and to respond to any directives they may choose to initiate.
Because risk is the measure of all GRC activities, a common method of assessing risk should be applied across the enterprise.
The risks assessed should include:
- Financial risk, including aggregation and analysis of exposures that can affect revenue and costs, compromise solvency, or
lead to fines and judgments
- Operational risk, including keeping track of exposures that can impede delivery of goods and services, fulfillment of contractual
obligations, or the company's ability to do business in specific markets
- Legal and regulatory risk, including comprehensive assessment of exposures that can trigger intervention by government agencies,
provoke third-party lawsuits, or affect the ability of the company to mount an effective defense in court
- Strategic risk, including exposures associated with mergers and acquisitions, entry into new markets, and the introduction
of new products.
By sharing information and insight, each GRC group in the company can make life easier for every other group and maximize
the total effectiveness of the company's cumulative GRC efforts. For example:
- When a company acquires a new sales force or new product, the compliance controls for these new additions should be quickly
brought up to the standards of the rest of the company. A single "weak link" puts the entire company at risk.
- If one GRC group is having trouble getting a given supplier to fulfill its compliance requirements for a particular regulatory
mandate, it makes sense to share that information with other GRC groups so appropriate pressures can be brought to bear on
that supplier or a joint decision can be made to cease doing business with that supplier.
- A firm's IT team may not be able to cost-justify the modification of a core business application to implement a compliance
control requested by a single GRC group, but it may be able to do so if that same modification will substantively address
risks faced by multiple GRC groups.
Implementing an enterprise GRC technology platform
Of all the resources that pharmaceutical companies can potentially leverage across their enterprise GRC efforts, a common
GRC technology platform may be the most important. A common enterprise GRC technology platform can enhance GRC success in
- It provides a common repository for all policy documents. This repository helps users create new policy documents for new
GRC initiatives, because it makes it easier to refer to existing ones.
- It provides a common repository for controls, training materials, and other compliance resources. This repository makes it
easier for different GRC groups to take advantage of existing resources and avoid duplicating efforts.
- It provides a common mechanism for segmenting users. By managing user roles in a common manner, an enterprise GRC platform
ensures the right groups and individuals are involved in assessing risk and receive the right training and policies.
- It provides a common mechanism for managing GRC-related training and document distribution. Once targeted user groups are
identified, GRC teams must ensure they are appropriately informed and trained with any required third-party or custom materials.
They also must confirm that these tasks have been properly performed by collecting appropriate acknowledgments and attestations.
Managing these tasks in separate systems is far less efficient than using a single system.
- It provides a common methodology for assessment, remediation, and other core GRC processes. It is beneficial to provide a
shared set of process templates to all GRC teams across the enterprise.
- It provides a common way of managing change. By having only one place where changes must be executed, companies also avoid
the risk that an individual GRC group will fail to implement a critical change.
- It provides a common reporting engine for upper management. Using one platform for all GRC-related reporting significantly
improves visibility into compliance conditions across the enterprise, which allows upper management to compare the GRC performance
of different business units and pinpoint risks earlier.