Prior to MetricStream, the company primarily depended on manual effort for conducting risk and compliance activities, which resulted in a lot of inefficiencies. In addition, the lack of a centralized database of assets, risks, and controls made it difficult to understand various types of risks and their interconnectedness to effectively gauge their potential impact.
This archaic approach, along with little or no collaboration across groups, obstructed visibility into aggregated risk and compliance areas, which—for a company with global operations—was proving to be a major challenge.
The pharma titan started looking for a solution that could integrate, strengthen, and digitize its fragmented and manual risk management processes and facilitate harmonization across business units and locations. Among other things, it wanted a solution that could enable effective oversight over external entities and provide it with actionable data to ensure product quality.
The company went live with an initial business rollout of the MetricStream Integrated Risk Management solution which was then extended to new users and more global locations and business units. The deployment was particularly focused on three concurrent workstreams:
A new project workstream to deploy risk-based asset management is in progress. It will be focused on enhancing resilience by understanding risk and impact of failures across facilities and critical manufacturing assets in the overall process.
Increased speed, agility, and resilience across manufacturing and supply chain processes
Standardization across all risk management program
Compressed time frames in resolving issues
Increased visibility and measurement into key risks
Greater resilience due to higher collaboration across groups
Centralized inventory of critical facilities, products, assets and processes
Increased preparedness in audit execution
With MetricStream, the company now has a centralized repository of critical facilities, products, assets, and processes as well as full linkage of all risk, controls, and checklists. It can create and manage GRC Library contents (such as sites, products, assets, auditable entities, hazards, harm, failure mode, failure effect, and many others), which serve as the master data for the wider risk management program. MetricStream also provides a framework to create relationships between various GRC Library content.
This integrated approach gives the company a complete picture of its risk profile, enhances its ability to understand various types of risks, their underlying causes, risk relationships, and impact, and facilitates effective sharing of risk information across sites and functions.
The implementation has empowered the company to effectively manage all risks within its manufacturing division. It can now rate the risks (high, medium, low) based on various factors and scoring methodologies and then proactively address each potential risk that might impact the business functions.
Quality risk assessments can be performed by using the appropriate risk assessment methodology based on the objectives, scope, lifecycle phase of the product, process or system, and other relevant factors. Once the risk is assessed, risk control measures (risk elimination, risk mitigation, and/or risk acceptance) are identified to mitigate risk and to ensure that the company’s products continue to meet the required quality standards and regulatory requirements. Going a step further, MetricStream also evaluates residual risk once actions have been implemented and the associated mitigation actions are documented in the risk register.
After risk evaluation in the risk register, risk teams can choose to escalate their risks further to relevant teams that can generate reports/dashboards and present them to senior management to discuss further risk mitigation strategies.
With MetricStream, the company can effectively assess the operational risks of external entities that directly or indirectly contribute to its business. Once the assessment is performed, all high and medium risks are further elaborated and scored in an external network risk register, which can then be analyzed to bring those risks under control.
Risks are mitigated by implementing controls and actions, which are reviewed and monitored on a regular basis and, if required, escalated to relevant teams until the risk is closed. Based on the evaluation, gaps that may impact reliable supply, quality, and technical requirements for the intended product are identified.
The deployment has also empowered the company to assess the performance of external entities and calculate a risk level that helps define the oversight level (Level 0, Level 1, Level 2, or Level 3). MetricStream's system automatically calculates the risk score and recommends an oversight level, which is then reviewed and approved by the key personnel (the Quality Director/Designee in this case), who can change the recommended oversight level with justification.
Overall, MetricStream has helped the company adopt a digitized approach to risk management and quality assessment. The company has benefited from improved visibility into risks and timely insights into quality and external entities, which has enabled it to accelerate its response measures and take more risk-aware, data-driven business decisions.