A multinational pharmaceutical giant wanted to simplify and standardize risk processes to provide timely insights into global quality, supply continuity, and manufacturing risks. Its previous manual approach and lack of efficient collaboration across business units and geographies limited its visibility into key risk and compliance areas and therefore its decision-making abilities.
The company sought a solution that could help address the existing challenges and bring structure and consistency to risk and compliance activities across locations. Towards this goal, it chose MetricStream Integrated Risk Solution. With the implementation, the company is achieving increased visibility and measurement into key risks along with increased speed, agility, and scalability in risk processes based on industry best practices and global quality requirements. In fact, it has compressed time frames – up to 30% – in managing risks and resolving issues through greater accountability across 20,000+ products in over 36 facilities worldwide.
Struggles of the Traditional Approach
Prior to MetricStream, the company primarily depended on manual effort for conducting risk and compliance activities, which resulted in a lot of inefficiencies. In addition, the lack of a centralized database of assets, risks, and controls made it difficult to understand various types of risks and their interconnectedness to effectively gauge their potential impact.
This archaic approach, along with little or no collaboration across groups, obstructed visibility into aggregated risk and compliance areas, which—for a company with global operations—was proving to be a major challenge.
The pharma titan started looking for a solution that could integrate, strengthen, and digitize its fragmented and manual risk management processes and facilitate harmonization across business units and locations. Among other things, it wanted a solution that could enable effective oversight over external entities and provide it with actionable data to ensure product quality.
The Implementation
The company went live with an initial business rollout of the MetricStream Integrated Risk Management solution which was then extended to new users and more global locations and business units. The deployment was particularly focused on three concurrent workstreams:
- Providing an integrated view of connected risk across manufacturing divisions, sharing risk information effectively across sites and functions.
- Ensuring compliance with global quality standards and procedures for failures and hazards, using what-if scenarios, by location, by product, including external entity materials.
- Establishing one, standardized process for the aggregation, tracking, and management of supply continuity risks/quality risks across enterprise
A new project workstream to deploy risk-based asset management is in progress. It will be focused on enhancing resilience by understanding risk and impact of failures across facilities and critical manufacturing assets in the overall process.
Centralized Repository and GRC Library
With MetricStream, the company now has a centralized repository of critical facilities, products, assets, and processes as well as full linkage of all risk, controls, and checklists. It can create and manage GRC Library contents (such as sites, products, assets, auditable entities, hazards, harm, failure mode, failure effect, and many others), which serve as the master data for the wider risk management program. MetricStream also provides a framework to create relationships between various GRC Library content.
This integrated approach provides the company with a complete picture of its risk profile as well as enhances its ability to understand various types of risks, their underlying causes, risk relationships, and impact, and facilitates effective sharing of risk information across sites and functions.
Quality Risk Assessment
The implementation has empowered the company to effectively manage all risks within its manufacturing division. It can now rate the risks (high, medium, low) based on various factors and scoring methodologies and then proactively address each potential risk that might impact the business functions.
Quality risk assessments can be performed by using the appropriate risk assessment methodology based on the objectives, scope, lifecycle phase of the product, process or system, and other relevant factors. Once the risk is assessed, risk control measures (risk elimination, risk mitigation, and/or risk acceptance) are identified to mitigate risk and to ensure that the company’s products continue to meet the required quality standards and regulatory requirements. Going a step further, MetricStream also evaluates residual risk once actions have been implemented and the associated mitigation actions are documented in the risk register.
After risk evaluation in the risk register, risk teams can choose to escalate their risks further to relevant teams that can generate reports/dashboards and present it to senior management for discussing further risk mitigation strategies.
External Entity Site Risk Assessment
With MetricStream, the company can effectively assess the operational risks of external entities who directly or indirectly contribute to its business. Once the assessment is performed, all high and medium risks are further elaborated and scored in an external network risk register, which can then be analyzed to bring under control.
Risks are mitigated by implementing controls and actions which are reviewed and monitored on a regular basis and, if required, escalated to relevant teams until and unless the risk is closed. Based on the evaluation, gaps that may impact reliable supply, quality, and technical requirements for the intended product are identified.
External Entity Oversight Level
The deployment has also empowered the company to assess the performance of external entities and calculate risk level that can help define the oversight level (Level 0, Level 1, Level 2, or Level 3). MetricStream’s system auto calculates the risk score and recommends oversight level, which is then reviewed and approved by the key personnel -- Quality Director/Designee in this case, who can change the recommended oversight level with justification.
