Case Study

Global Pharmaceutical and Health Care Conglomerate Accelerates Risk Assessment and Mitigation Across Its Supplier Network

A global pharmaceutical and health care conglomerate wanted to move up on the maturity curve of its risk management program. The company operates 250+ companies in 3 broad divisions—Consumer Healthcare, Medical Devices, and Pharmaceuticals—and has 125,000+ employees in around 60 countries. It was struggling with multiple systems with varying data structures, a siloed approach to risk and compliance management, duplication of effort, and more. It was essentially looking to harmonize its processes and bring in automation.

The company wanted to implement a solution to manage risk across all phases of the supply chain for the Pharma division. It chose MetricStream Enterprise Risk Management to meet this goal. With the implementation, it now has a common GRC taxonomy, greater visibility into emerging risks, streamlined policies and controls, an integrated view of control test results and the audit schedule, and more. The company has effectively unified its governance, risk, and compliance management processes and has a comprehensive, real-time view of its overall GRC posture, enabling quick and efficient decision-making.

The Road to Digitization

Time to market and quality are two of the most critical success factors for a pharma company. Prior to MetricStream, the company lacked a consistent GRC nomenclature and relied on traditional tools and technologies, such as spreadsheets. In addition, multiple systems with varying data structures and siloed processes made risk data aggregation and normalization a daunting task.

The pharma giant wanted to create an enterprise-wide program to replace its existing decentralized and distributed risk and compliance process for suppliers across 250+ operating companies. The company chose MetricStream as it offered a powerful tool that facilitates a centralized model with all risks in one place, enabling it to better visualize the risks that matter and take appropriate mitigation action in a timely manner.

It deployed the MetricStream ERM product out-of-the-box. The product supports 400 users through an integrated risk management framework across over 1200 suppliers contributing material to over 90 products manufactured at over 250 sites. It provides the ability to correlate quality, supplier, and compliance risks with enterprise risks and to gain visibility into them.

Common GRC Taxonomy

In terms of GRC, the company was in a fragmented state with each operating company running as a separate business and having a primary goal of serving customers in their region. There was a lack of standardization of GRC taxonomy across these operating companies, resulting in an inconsistent understanding of risks and related issues.

With MetricStream, the company now has a common risk language for shared risks, which facilitated a consistent risk understanding across the enterprise. The standardized risk taxonomy also enabled better risk reporting and measurement activities.


  • No common risk language
  • Traditional and siloed risk and compliance management processes
  • Varying process priorities between different compliance domains
  • Multiple systems with various data structures
  • Duplication of effort

Business Value Realized

  • Common GRC taxonomy
  • Streamlined and standardized policy and controls
  • Better visibility into risks and controls and improved risk reporting
  • Integrated view of control test results and audit schedule
  • Broad awareness of risk principles

Integrated Risk Management

Previously, the use of spreadsheets by 250+ operating companies made risk aggregation and normalization extremely difficult, obstructing visibility into the overall GRC posture. With the implementation of the MetricStream product, the company has successfully aligned and unified risk management processes across its internal supplier network. The product integrates data from multiple risk assessment processes performed at different phases of the supply chain and aligns processes and data to develop an executive view of end-to-end risk heat maps. Consolidating risk data in one place has improved the company’s risk visibility and forecasting capabilities and made it easier to ‘move the compliance needle in a powerful way’.

Streamlined Audit Processes

The company is also required to go through various kinds of audits. The previous siloed approach was highly inefficient, as the same issues were often picked up in different audits again and again. With the MetricStream product, the company has one consolidated place for all of its audit-related issues. The streamlined approach has made it easier to provide the relevant records to the auditors and demonstrate that the company is operating in a validated environment. The product provides an integrated view of control test results, enabling the company to see in real time what is happening and understand where the risks are. It also provides an integrated view of the audit schedule.

Risk-aware Culture

The implementation of the MetricStream product has also facilitated broad awareness of risk principles across the organization. The company has successfully embedded risk awareness and ownership in relevant HR processes. The clarification of roles, responsibilities, and accountability has further strengthened the effective enforcement and standardization of the risk management program.

In all, MetricStream has helped the company cut down the time spent on gathering and normalizing risk and compliance data. Instead of the previous five-week process, it can now see exactly what is happening in the risk space in real time. This, in turn, empowers the board to quickly identify the areas in which to invest, based on reliable risk information.

