Defragmenting GRC: Confidence and Cost-Efficiency in a Time of Chaos

November 1, 2007
Pharmaceutical Technology
Volume 2007 Supplement, Issue 6

The scope and complexity of GRC requirements are expanding so rapidly that businesses are struggling to fulfill them despite an increased willingness on industry's part to apply additional GRC resources.

A central issue for most pharmaceutical organizations, and all businesses, is the fragmented and reactive way governance, risk, and compliance (GRC) tasks are handled across the enterprise. Sales managers may be responsible for ensuring that next quarter's revenue projections aren't overblown. Information technology (IT) staff may be responsible for appropriately protecting customer data. The chief financial officer's office may be responsible for meeting financial reporting mandates. And as new GRC issues arise—because of emerging regulations, industry guidelines and frameworks, or a breaking news story—executives scramble to quickly put "point" GRC measures in place. In the pharmaceutical industry, for example, an individual Warning Letter focused on a specific issue may be addressed through a quick fix or point solution.


This fragmented, reactive approach has several serious problems:

  • It drives up GRC costs because efforts and expenses are constantly duplicated

  • It limits the effectiveness of each individual GRC initiative because each project team solves its problems in a unique way, rather than using proven processes and best practices that are already in place

  • It increases overall risk because risk mitigation is not sufficiently coordinated across the enterprise

  • It delays time-to-fulfillment because each GRC project solves the same process and technology problems again and again

  • It does not produce board-level GRC confidence because it does not enable true enterprise-wide visibility of GRC status and practices.

For these reasons and others, it is crucial for executive management to bring order to GRC activities across the enterprise—that is, across all GRC mandates, all business functions, all business units, all underlying IT infrastructure, and all geographies.

When pharmaceutical companies are dealing with multiple mandates, three basic requirements must be fulfilled to develop a coherent approach to GRC across the enterprise:

  • A consistent corporate definition of GRC and GRC success

  • A common enterprise-wide framework for managing all GRC-related processes

  • A single integrated technology platform for GRC automation, recordkeeping, and reporting.

Figure 1

Chief compliance officers (CCOs) often step forward to take on the responsibility of developing this coherent approach to GRC. Although corporate integrity agreements are sometimes the impetus for these initiatives, CCOs often struggle to find a starting point for building a comprehensive GRC program. Each of these three elements must balance the specificity necessary to ensure that each individual GRC objective is fulfilled with the flexibility necessary to ensure applicability to any and all GRC objectives across and beyond the walls of the enterprise.

The cost of chaos

It's hard to blame anyone for the current fragmented state of enterprise GRC efforts. Corporate executives had no way to anticipate the scale of today's GRC workloads, the complexity of individual GRC mandates, or the pace at which GRC requirements would continue to change. In addition, new requirements have blindsided organizations, leaving them no time to step back and develop a holistic strategy for addressing all of their present and future GRC challenges.

Every executive, however, is now aware of how big a burden GRC has become. They are aware that GRC burdens are not going to get any lighter and might get a whole lot worse. They're also well aware that their organizations' approaches to GRC are unacceptably fragmented. This fragmentation across the enterprise has serious consequences, the most troubling of which are described below.

Significantly higher GRC costs. When corporate GRC efforts are fragmented, expenditures of time and money are constantly duplicated. Project teams must work through problems that others may already have solved. New systems are put in place when existing systems could readily be used across multiple mandates. Productivity is lost because employees get pulled away from their jobs multiple times for training, instead of just once. All of these inefficiencies divert financial and human resources that could bring much greater returns if they could be allocated elsewhere.

Reduced effectiveness of each individual GRC initiative. When individual project teams use different policy and procedure formats, terminology, support systems, and processes, the effect on the workforce is multiplied. Understanding and following prescribed practices, getting direction, accessing procedures, dealing with uncoordinated training programs, maintaining adequate records, and making information available to regulators all become unnecessarily burdensome. In addition, management is unable to maintain the access to information necessary for making informed business decisions. A fragmented GRC environment also prevents incremental improvements in process, policy, and technology from being replicated across the enterprise, further hindering the ability of all project teams to fulfill their full performance potential.

Delayed fulfillment of GRC objectives. When project teams can't adequately benefit from the work of their peers across the enterprise, it slows them down. They must rediscover resources and reevaluate technologies. They must negotiate new relationships with vendors and get new procurement approvals from purchasing. These delaying factors can be particularly problematic when it comes to meeting regulatory deadlines. Delays in fulfilling GRC objectives can also extend an organization's exposure to a wide range of financial and legal risks.

Low executive- and board-level GRC confidence. Board members and C-level executives can only have confidence in an organization's overall GRC posture if they have information about conditions and issues across the enterprise. A fragmented GRC environment does not provide this essential end-to-end visibility. Instead, it forces those ultimately responsible for the enterprise's GRC performance to monitor and consolidate multiple GRC information sources themselves.

In addition to being logistically cumbersome, this siloed approach creates more potential points of failure in the GRC chain wherever information from disparate systems must be consolidated. By implementing an integrated GRC program, organizations can reduce costs, improve effectiveness, accelerate the fulfillment of current and future mandates, and deliver the consolidated view of GRC status that upper management needs in order to safeguard their own interests and those of all corporate stakeholders.

Defining GRC

The first step in defragmenting GRC programs across the enterprise is to properly define GRC and GRC success. Companies must have a clear sense of what sorts of activities fall under the umbrella of enterprise GRC management and what common purpose those activities serve.

Governance, risk, and compliance are distinct but closely related ideas. The following definitions, while technically incomplete, are simple enough for the purposes of this article:

  • Governance is what companies decide to do. These decisions may be internally or externally driven, but either way governance is the management activity that draws the picture of what the company's behavior should look like if all goes according to plan.

  • Risk is what influences those decisions. All companies must make business decisions based on whether they want to accept, mitigate, or eliminate a given set of risks to minimize the downside and maximize the upside.

  • Compliance is how companies decide to do it. Compliance consists of the policies, processes, people, controls, tools, and other measures that a company deploys to fulfill its governance objectives and reasonably minimize risk.

In this context, enterprise GRC can be viewed as everything everyone at a company does that falls into one of these categories. This doesn't mean that all GRC activities must be managed in a centralized or monolithic way, but it does mean that all GRC activities across the enterprise must be recognized as such—and that they must all be subject to whatever global GRC management principles are put in place in an organized and distributed fashion.

Pharmaceutical organizations have focused primarily on the "C" in "GRC" because of regulatory scrutiny, but many are now building risk-management programs so that they can identify and manage risks before they become compliance issues, rather than reacting to risks that already have.

Creating a common GRC framework

The variation and complexity of ethical and regulatory mandates that pharmaceutical companies must address today make it unlikely that any single, centralized group of individuals will be able to manage GRC efforts across the enterprise. Nor is it feasible to apply identical compliance controls to every type of GRC initiative, because the measures needed to fulfill Sarbanes–Oxley financial reporting requirements, for example, are quite different from those needed to protect an organization against pretexting. However, these diverse GRC activities can still be managed in a similar manner under a common framework. Although this framework varies from company to company, based on factors such as size and industrial and organizational complexity, some basic components are common to all enterprise GRC frameworks.

Enterprise governance. It is generally recommended that all enterprise GRC activities—no matter how broadly distributed—report to an enterprise GRC committee or a CCO. Again, there is significant variation in exactly how different companies structure this governing body.

The charter of this committee is typically to define enterprise GRC principles, approve enterprise policies, provide guidance to individual GRC initiatives, and authorize any GRC-related technology investments. This committee also provides a vehicle for communicating with the company's executive committee or board of directors, both to report on overall enterprise posture and to respond to any directives they may choose to initiate.

Enterprise risk. Because risk is the measure of all GRC activities, a common method of assessing risk should be applied across the enterprise. These risks should include:

  • Financial risk, including aggregation and analysis of exposures that can affect revenue and costs, compromise solvency, or lead to fines and judgments

  • Operational risk, including keeping track of exposures that can impede delivery of goods and services, fulfillment of contractual obligations, or the company's ability to do business in specific markets

  • Legal and regulatory risk, including comprehensive assessment of exposures that can trigger intervention by government agencies, provoke third-party lawsuits, or affect the ability of the company to mount an effective defense in court

  • Strategic risk, including exposures associated with mergers and acquisitions, entry into new markets, and the introduction of new products.

Enterprise compliance. By sharing information and insight, each GRC group in the company can make life easier for every other group and maximize the total effectiveness of the company's cumulative GRC efforts. For example:

  • When a company acquires a new sales force or new product, the compliance controls for these new additions should be quickly brought up to the standards of the rest of the company. A single "weak link" puts the entire company at risk.

  • If one GRC group is having trouble getting a given supplier to fulfill its compliance requirements for a particular regulatory mandate, it makes sense to share that information with other GRC groups so appropriate pressures can be brought to bear on that supplier or a joint decision can be made to cease doing business with that supplier.

  • A firm's IT team may not be able to cost-justify the modification of a core business application to implement a compliance control requested by a single GRC group, but it may be able to do so if that same modification will substantively address risks faced by multiple GRC groups.

Implementing an enterprise GRC technology platform

Of all the resources that pharmaceutical companies can potentially leverage across their enterprise GRC efforts, a common GRC technology platform may be the most important. A common enterprise GRC technology platform can enhance GRC success in several ways:

  • It provides a common repository for all policy documents. This repository helps users create new policy documents for new GRC initiatives, because it makes it easier to refer to existing ones.

  • It provides a common repository for controls, training materials, and other compliance resources. This repository makes it easier for different GRC groups to take advantage of existing resources and avoid duplicating efforts.

  • It provides a common mechanism for segmenting users. By managing user roles in a common manner, an enterprise GRC platform ensures the right groups and individuals are involved in assessing risk and receive the right training and policies.

  • It provides a common mechanism for managing GRC-related training and document distribution. Once targeted user groups are identified, GRC teams must ensure they are appropriately informed and trained with any required third-party or custom materials. They also must confirm that these tasks have been properly performed by collecting appropriate acknowledgments and attestations. Managing these tasks in separate systems is far less efficient than using a single system.

  • It provides a common methodology for assessment, remediation, and other core GRC processes. It is beneficial to provide a shared set of process templates to all GRC teams across the enterprise.

  • It provides a common way of managing change. By having only one place where changes must be executed, companies also avoid the risk that an individual GRC group will fail to implement a critical change.

  • It provides a common reporting engine for upper management. Using one platform for all GRC-related reporting significantly improves visibility into compliance conditions across the enterprise, which allows upper management to compare the GRC performances of different business units and pinpoint risks earlier.
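The role-based distribution, attestation tracking, change management, and cross-unit reporting described in the list above amount to one reconciliation: for every user, which policies do their roles require, and has the user acknowledged the current version of each? The following is an added illustration, not code from the article or from any GRC product. The roles, policy identifiers, version numbers, and attestation records are all constructed for the example. It flags two failure modes a point solution tends to miss: a required policy with no attestation at all, and a "stale" attestation that predates a revised policy version (the change-management case), then rolls the result up per role so that management can compare coverage across groups.

```python
"""Reconcile role-based policy requirements against collected attestations.

Added example with constructed data; nothing here comes from the article
or from a real GRC platform.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Policy:
    policy_id: str
    version: int        # bumped whenever the policy text changes
    effective: date     # date this version took effect


@dataclass(frozen=True)
class Attestation:
    user: str
    policy_id: str
    version: int        # the version the user actually acknowledged
    signed: date


# Constructed sample data: which policies each role must attest to.
REQUIRED_BY_ROLE = {
    "sales": {"ANTI-BRIBERY", "CODE-OF-CONDUCT"},
    "it": {"DATA-PROTECTION", "CODE-OF-CONDUCT"},
    "finance": {"FIN-REPORTING", "CODE-OF-CONDUCT"},
}

# Current policy versions (constructed).
POLICIES = {
    "ANTI-BRIBERY": Policy("ANTI-BRIBERY", 2, date(2007, 9, 1)),
    "CODE-OF-CONDUCT": Policy("CODE-OF-CONDUCT", 1, date(2007, 1, 15)),
    "DATA-PROTECTION": Policy("DATA-PROTECTION", 3, date(2007, 6, 1)),
    "FIN-REPORTING": Policy("FIN-REPORTING", 1, date(2007, 1, 15)),
}

# Users and the roles they hold (constructed); bob sits in two groups.
USERS = {"alice": {"sales"}, "bob": {"it", "finance"}, "carol": {"it"}}

# Attestations collected so far (constructed).
ATTESTATIONS = [
    Attestation("alice", "ANTI-BRIBERY", 1, date(2007, 3, 2)),  # v2 issued later: stale
    Attestation("alice", "CODE-OF-CONDUCT", 1, date(2007, 3, 2)),
    Attestation("bob", "DATA-PROTECTION", 3, date(2007, 6, 5)),
    Attestation("bob", "CODE-OF-CONDUCT", 1, date(2007, 2, 1)),
    # bob never attested to FIN-REPORTING; carol never attested to DATA-PROTECTION
    Attestation("carol", "CODE-OF-CONDUCT", 1, date(2007, 2, 1)),
]


def required_policies(user, users, required_by_role):
    """Union of the policies required by every role the user holds."""
    return set().union(*(required_by_role.get(r, set()) for r in users.get(user, set())))


def attestation_gaps(users, policies, attestations, required_by_role):
    """Return {user: {policy_id: "missing" | "stale"}} for every unmet requirement.

    A requirement is "missing" when no attestation exists, and "stale" when
    the newest attestation is for an older version than the current policy.
    """
    latest = {}  # (user, policy_id) -> highest-version attestation on file
    for a in attestations:
        key = (a.user, a.policy_id)
        if key not in latest or a.version > latest[key].version:
            latest[key] = a

    gaps = {}
    for user in users:
        for pid in required_policies(user, users, required_by_role):
            current = policies[pid]
            att = latest.get((user, pid))
            if att is None:
                gaps.setdefault(user, {})[pid] = "missing"
            elif att.version < current.version:
                gaps.setdefault(user, {})[pid] = "stale"
    return gaps


def coverage_by_role(users, policies, attestations, required_by_role):
    """Fraction of (user, policy) requirements satisfied, rolled up per role."""
    gaps = attestation_gaps(users, policies, attestations, required_by_role)
    coverage = {}
    for role, pids in required_by_role.items():
        total = met = 0
        for user, roles in users.items():
            if role not in roles:
                continue
            for pid in pids:
                total += 1
                if pid not in gaps.get(user, {}):
                    met += 1
        coverage[role] = met / total if total else 1.0
    return coverage


if __name__ == "__main__":
    for user, missing in attestation_gaps(USERS, POLICIES, ATTESTATIONS, REQUIRED_BY_ROLE).items():
        for pid, status in sorted(missing.items()):
            print(f"{user:6} {pid:16} {status}")
    for role, frac in coverage_by_role(USERS, POLICIES, ATTESTATIONS, REQUIRED_BY_ROLE).items():
        print(f"{role:8} coverage {frac:.0%}")
```

The version comparison is what turns this from a training tracker into a change-management check: when the anti-bribery policy is reissued as version 2, every prior acknowledgment becomes stale in one place rather than in each business unit's separate spreadsheet. The per-role roll-up is the kind of figure an enterprise reporting engine would surface to the GRC committee.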

Why unify now?

Most pharmaceutical companies have plenty of other technology on their shopping lists. They need good reasons to invest the time and resources required to create a foundation for enterprise-wide GRC. Here are just a few:

  • A firm may have an initiative on its plate that could provide the first step. Considering current issues is key: it may not be a corporate integrity agreement, but it might be a sales-and-marketing issue related to the FCPA, privacy, or IT governance.

  • It's better to prevent fragmentation than to fix it. Companies that don't establish a firm foundation for unified GRC now will wind up entrenched in fragmentation later.

  • The sooner a firm starts, the sooner it begins to regain control. By bringing coherence to GRC efforts now, companies can start to control costs and resources and lower risks.

  • Delays in implementation increase exposure to risk. When individual GRC teams must build their programs from scratch, it takes them time to create solutions. So companies that unify their GRC programs now will address their exposure more quickly and completely.

  • The need is urgent. C-level executives and board members should be willing to support initiatives that substantively reduce their personal exposure to risk while simultaneously protecting the interests of the business and its stakeholders.

  • It won't be that painful. With today's software-as-a-service solutions, enterprise GRC capabilities can be implemented without huge capital investments in IT. These investments can be leveraged as a firm works down its priority list of GRC initiatives.

Governance, risk, and compliance management pressures are escalating, but companies only have limited resources with which to respond. To properly allocate those limited resources, to maximize the results they achieve, and to achieve required results as quickly as possible, it is essential to bring some semblance of order to GRC efforts across the enterprise. Pharmaceutical companies that bring this kind of organization to GRC will reduce their risk with less effort and less cost than those that don't, allowing them to devote more of their resources to innovation, opportunity, and bottom-line growth.

Brett Curran is vice-president of GRC and privacy practices at Axentis, Inc., Skylight Office Tower, 1660 West Second Street, Suite 250, Cleveland, OH 44113, bcurran@axentis.com. A former chief compliance officer and technology professional, Curran is a frequent speaker at GRC industry conferences, a contributor to the Open Compliance and Ethics Group as well as to IBM's Data Governance Council, and a blogger for "Compliance on Demand."