OR WAIT null SECS
The scope and complexity of GRC requirements are expanding so rapidly that businesses are struggling to fulfill them despite an increased willingness on industry's part to apply additional GRC resources.
Acentral issue for most pharmaceutical organizations, and all businesses, is the fragmented and reactive way governance, risk, and compliance (GRC) tasks are handled across the enterprise. Sales managers may be responsible for ensuring that next quarter's revenue projections aren't overblown. Information technology (IT) staff may be responsible for appropriately protecting customer data. The chief financial officer's office may be responsible for meeting financial reporting mandates. And as new GRC issues arise—because of emerging regulations, industry guidelines and frameworks, or a breaking news story—executives scramble to quickly put "point" GRC measures in place. In the pharmaceutical industry, for example, an individual Warning Letter focused on a specific issue may be addressed through a quick fix or point solution.
This fragmented, reactive approach has several serious problems:
For these reasons and others, it is crucial for executive management to bring order to GRC activities across the enterprise—that is, across all GRC mandates, all business functions, all business units, all underlying IT infrastructure, and all geographies.
When pharmaceutical companies are dealing with multiple mandates, three basic requirements must be fulfilled to develop a coherent approach to GRC across the enterprise:
a consistent corporate definition of GRC and GRC success; a common enterprise-wide framework for managing all GRC-related processes; and a single integrated technology platform for GRC automation, recordkeeping, and reporting.
Chief compliance officers (CCOs) often step forward to take on the responsibility of developing this coherent approach to GRC. Although corporate integrity agreements are sometimes the impetus for these initiatives, CCOs often struggle to find a starting point to building a comprehensive GRC program. Each of these basic elements must balance the specificity necessary to ensure that each individual GRC objective is fulfilled with the flexibility necessary to ensure applicability to any and all GRC objectives across and beyond the walls of the enterprise.
The cost of chaos
It's hard to blame anyone for the current fragmented state of enterprise GRC efforts. Corporate executives had no way to anticipate the scale of today's GRC workloads, the complexity of individual GRC mandates, or the pace at which GRC requirements would continue to change. In addition, new requirements have blindsided organizations, leaving them no time to step back and develop a holistic strategy for addressing all of their present and future GRC challenges.
Every executive, however, is now aware of how big a burden GRC has become. They are aware that GRC burdens are not going to get any lighter and might get a whole lot worse. They're also well aware that their organizations' approaches to GRC are unacceptably fragmented. This fragmentation across the enterprise has serious consequences, the most troubling of which are described below.
Significantly higher GRC costs. When corporate GRC efforts are fragmented, expenditures of time and money are constantly duplicated. Project teams must work through problems that others may already have solved. New systems are put in place when existing systems could readily be used across multiple mandates. Productivity is lost because employees get pulled away from their jobs multiple times for training, instead of just once. All of these inefficiencies divert financial and human resources that could bring much greater returns if they could be allocated elsewhere.
Reduced effectiveness of each individual GRC initiative. When individual project teams use different policy and procedure formats, terminology, support systems, and processes, the effect on the workforce is multiplied. Understanding and following prescribed practices, getting direction, accessing procedures, dealing with uncoordinated training programs, lack of adequate records management, and available information for regulators all become unnecessarily burdensome. In addition, management is unable to maintain the access to information necessary for making informed business decisions. A fragmented GRC environment also prevents incremental improvements in process, policy, and technology from being replicated across the enterprise, further hindering the ability of all project teams to fulfill their full performance potential.
Delayed fulfillment of GRC objectives. When project teams can't adequately benefit from the work of their peers across the enterprise, it slows them down. They must rediscover resources and reevaluate technologies. They must negotiate new relationships with vendors and get new procurement approvals from purchasing. These delaying factors can be particularly problematic when it comes to meeting regulatory deadlines. Delays in order fulfillment can also extend an organization's exposure to a wide range of financial and legal risks.
Low executive-and board-level GRC confidence. Board members and C-level executives can only have confidence in an organization's overall GRC posture if they have information about conditions and issues across the enterprise. A fragmented GRC environment does not provide this essential end-to-end visibility. Instead, it forces those ultimately responsible for the enterprise's GRC performance to monitor and consolidate multiple GRC information sources.
In addition to being logistically cumbersome, this siloed approach creates more potential points of failure in the GRC chain wherever information from disparate systems must be consolidated. By implementing an integrated GRC program, organizations can reduce costs, improve effectiveness, accelerate the fulfillment of current and future mandates, and deliver the consolidated view of GRC status that upper management must safeguard their own interests and those of all corporate stakeholders.
The first step in defragmenting GRC programs across the enterprise is to properly define GRC and GRC success. Companies must have a clear sense of what sorts of activities fall under the umbrella of enterprise GRC management and what common purpose those activities serve.
Governance, risk, and compliance are distinct but closely related ideas. The following definitions, while technically incomplete, are simple enough for the purposes of this article:
In this context, enterprise GRC can be viewed as everything everyone at a company does that falls into one of these categories. This doesn't mean that all GRC activities must be managed in a centralized or monolithic way, but it does mean that all GRC activities across the enterprise must be recognized as such—and that they must all be subject to whatever global GRC management principles are put in place in an organized and distributed fashion.
Pharmaceutical organizations have focused primarily on the "C" in "GRC" because of regulatory scrutiny, but many organizations are building risk-management programs to become active in identifying and managing risks before they become compliance issues, as opposed to reactive in dealing with risks that already have turned into compliance issues.
Creating a common GRC framework
The variation and complexity of ethical and regulatory mandates that pharmaceutical companies must address today make it unlikely that any single, centralized group of individuals will be able to manage GRC efforts across the enterprise. Nor is it feasible to apply identical compliance controls to every type of GRC initiative, because the measures needed to fulfill Sarbanes–Oxley financial reporting requirements, for example, are quite different from those needed to protect an organization against pretexting. However, these diverse GRC activities can still be managed in a similar manner under a common framework. Although this framework varies from company to company, based on factors such as size and industrial and organizational complexity, some basic components are common to all enterprise GRC frameworks.
Enterprise governance. It is generally recommended that all enterprise GRC activities—no matter how broadly distributed—report to an enterprise GRC committee or a CCO. Again, there is significant variation in exactly how different companies structure this governing body.
The charter of this committee is typically to define enterprise GRC principles, approve enterprise policies, provide guidance to individual GRC initiatives, and authorize any GRC-related technology investments. This committee also provides a vehicle for communicating with the company's executive committee or board of directors, both to report on overall enterprise posture and to respond to any directives they may choose to initiate.
Enterprise risk. Because risk is the measure of all GRC activities, a common method of assessing risk should be applied across the enterprise. These risks should include:
Enterprise compliance. By sharing information and insight, each GRC group in the company can make life easier for every other group and maximize the total effectiveness of the company's cumulative GRC efforts. For example:
Implementing an enterprise GRC technology platform
Of all the resources that pharmaceutical companies can potentially leverage across their enterprise GRC efforts, a common GRC technology platform may be the most important. A common enterprise GRC technology platform can enhance GRC success in several ways:
Why unify now?
Most pharmaceutical companies have plenty of other technology on their shopping lists. They need good reasons to invest the time and resources required to create a foundation for enterprise-wide GRC. Here are just a few:
Governance, risk, and compliance management pressures are escalating, but companies only have limited resources with which to respond. To properly allocate those limited resources, to maximize the results they achieve, and to achieve required results as quickly as possible, it is essential to bring some semblance of order to GRC efforts across the enterprise. Pharmaceutical companies that bring this kind of organization to GRC will reduce their risk with less effort and less cost than those that don't, allowing them to devote more of their resources to innovation, opportunity, and bottom-line growth.
Brett Curran is vice-president of GRC and privacy practices at Axentis, Inc., Skylight Office Tower, 1660 West Second Street, Suite 250, Cleveland, OH 44113, firstname.lastname@example.org. A former chief compliance officer and technology professional, Curran is a frequent speaker at GRC industry conferences, a contributor to the Open Compliance and Ethics Group as well as to IBM's Data Governance Council, and a blogger for "Compliance on Demand."