A leading healthcare products manufacturer successfully embarks on the path towards building a robust, collaborative, and harmonized approach to GRC, supported by an integrated technology infrastructureDownload an Insight
With risks and regulatory requirements becoming more numerous and complex, it is critical for businesses to implement a robust Governance, Risk, and Compliance (GRC) program. Many organizations are adopting an enterprise GRC strategy that enables them to standardize, centralize, and improve the transparency of end-to-end GRC processes - be it tracking regulatory changes, monitoring controls, managing risks, conducting audits, or ensuring policy conformance. One such organization is a Fortune 500 healthcare products manufacturer.
GRC Challenges at the Healthcare Products Organization
The healthcare products manufacturer is one of the most recognized and admired organizations in the world. Headquartered in North America, the organization is home to hundreds of thousands of employees working in several independent business subsidiaries across multiple countries.
This vast enterprise, operating in a decentralized model, threw up several GRC challenges for the organization. For instance, when it came to GRC planning, each of the business subsidiaries would put forth a different plan about how they were going to govern their risk, and meet their compliance requirements. Each subsidiary also had different definitions of what constituted a high risk or critical compliance area. Even acronyms to define the GRC program often varied - should it be GRC or eGRC, ERM or Risk Management?
This disparity in the GRC approach extended to assurance functions. Within each function, there were multiple business and regulatory points of view. For instance, each compliance domain (e.g. privacy, security, GXP) had varying process priorities (e.g. audits, regulatory compliance, risk management).
All these differences made it difficult for the organization to work towards an enterprise-wide GRC initiative, and gain a uniform view of GRC processes at the top.
When the organization's compliance committee conducted an internal situational analysis, it found:
- Multiple governance groups operating in siloes with duplication of risk and control activities
- Difficulty in gaining an enterprise view of the risk and control environment
- Compliance activities overlapping and duplicative
- Growing audit/ assessment fatigue in the business due to multiple reviews of the same process/ activity across the year
- Multiple risk assessment methodologies being used, hindering the ability to create a single picture of performance
Transforming the Organization's GRC Approach - Enterprise Level Initiatives
After its internal situational analysis, the organization outlined an action plan focusing on the following high-level processes:
- Regulatory intelligence - How to gather, analyze, interpret, and communicate regulatory updates to the organization
- Enterprise Risk Management - How to assess, control, mitigate, and monitor risk while bringing various risk management groups together
- Audit management - How to plan, schedule, execute, and follow up audits; how to gain a global view of audit plans around the world, and identify duplication of activities
- Compliance management - How to plan, execute, report, and certify compliance
To begin with, external benchmarking helped the organization determine where it was and where it wanted to go. The organization then identified ways of improving collaboration across governance processes. For instance, business subsidiaries were encouraged to share best practices on managing physical security risk since it affected many of them. By collaborating, they could learn from each other, and adopt a more holistic and uniform approach to risk management.
Similarly, various assurance groups such as GXP and SOX - which shared many similar regulatory requirements - began collaborating to eliminate redundancies in controls, control monitoring, and audits. To ensure efficiency, enterprise governance teams began doing quarterly reviews of all assurance activities.
Coverage maps were also developed to identify the impact of audit and enterprise risks across the organization. These maps helped assurance groups select those risk areas that needed to be focused on more than others. It also helped them determine if there were overlaps between various risk areas.
The organization then reviewed its GRC initiatives and growth priorities to ensure that they were aligned with its strategic principles, risk appetite, and Credo. Once the organization was satisfied with the direction of its GRC efforts, it selected the COSO framework to implement a common language for its Enterprise Risk Management program.
In 2010, the organization created a risk framework to provide a consolidated view of key risk management processes and solutions, facilitating a shared frame of reference. Select risk areas were represented on the framework in the context of four categories of objectives: Strategy, Reporting, Compliance, and Operations. Various cross-functional committees helped ensure that complementary risks were reviewed and mitigated using an integrated approach. Simultaneously, the Board of Directors took on the responsibility of overseeing overall risk management practices.
The Organization's Risk Governance Structure
Tactical Level Initiatives
The organization's IT infrastructure was governed by multiple compliance regulations such as security and privacy mandates, SOX, GXP, and Internet copyright requirements. However, there was no common database where IT personnel could check what requirements and controls were needed to satisfy a particular regulation. Considering that a single control could be mapped to multiple regulations, it became important to build a comprehensive compliance and control library.
The organization developed a process to harmonize compliance requirements. The process involved building a database where internal requirements could be mapped to external regulations in a one-to-many manner. This initiative was targeted at eliminating duplication, and enabling effective reporting. It also helped make compliance more efficient and streamlined by bringing together all compliance information in one framework. At the same time, it ensured that each business unit was able to view only the information that was specific to its requirements. For instance, SOX managers were able to view IT security and privacy from only a SOX compliance perspective.
Implementing a GRC Infrastructure
Like the healthcare products manufacturer, many organizations are looking to implement a centralized approach to GRC that can address both enterprise and tactical level initiatives. The first step in that direction is to lay the foundation for a unified GRC program, while also thinking about how technology can support this initiative. The healthcare products manufacturer is implementing an integrated platform that can consolidate various GRC processes - including risk assessments, audits, and compliance- into a single framework. The platform normalizes data, while simultaneously rolling it up to the enterprise level to be viewed by the senior management.
A Business Performance-based Approach
Before choosing a GRC platform or framework, organizations should take the time and effort to identify what kind of technology would best support their GRC strategy and goals. Here are a few key factors to keep in mind:
A Flexible and Robust Information Model
GRC technology should be able to map each business objective to the corresponding area of compliance, business functions, processes, risks, and controls in a one-to-one and one-to-many manner. This enables organizations to better understand the relationships between various GRC processes, and establish a common risk and compliance language. Moreover, when a change occurs -such as when a new control or regulation is introduced - stakeholders will be able to determine the implications and impact of that change across the business, and take appropriate action.
Integration of GRC Initiatives
GRC technology should enable bi-directional linking between the different components of the GRC program. This helps improve collaboration across assurance functions, while minimizing redundancies. It also optimizes the value of various GRC processes. For instance, it enables risk-based audits which allow auditors to focus on high-risk areas instead of trying to audit all areas at once.
GRC has become an integral part of strategic decision-making. Therefore, a GRC technology framework should be able to collate risk, compliance, and audit intelligence from across the enterprise and route it to the senior management and board of directors who can then respond proactively to ensure that risks are mitigated in time, and that regulatory violations do not occur. The framework should also be able to maintain a thin line between aggregated GRC program views and security.
Management of Complex Ecosystems
Organizational ecosystems are no longer limited to the four walls of an office. They extend to suppliers, business partners, vendors, and customers across the globe. GRC technology should be able to support this complex ecosystem in various ways, and establish a culture of transparency and accountability. For instance, it could offer suppliers direct access to the system to monitor their performance and address areas of concern.
Given the complexity of most organizations, it may not be strategically possible to implement a broad based set of GRC solutions across the enterprise all at once. A more beneficial approach would be to first establish an overall GRC framework, and then gradually extend it to different business functions. Start with the area that is most challenging. It could be risk management, internal audits, or issue management. Once the framework has been established in this area, it can then be expanded to other GRC areas across the enterprise. The GRC technology adopted should be able to support this endeavor.
Best Practices for a Successful GRC Program
Here are a few best practices for organizations to consider while building a GRC program:
- Set a tone at the top to accelerate GRC implementation
- Create opportunities for different functions to share insights - Information sharing sessions are useful in identifying best practices on how to evaluate risk, or plan for audits. These sessions also help different groups realize that they are not competing with each other but can learn from each other.
- Simplify key messages - Use pictures and visuals wherever possible to communicate compliance and control requirements especially in global organizations where different business groups may speak different languages.
- Enhance collaboration through technology - An integrated technology framework can break down organizational silos, and enable seamless collaboration and coordination of GRC activities across the enterprise.
- Start with the end in mind - Find out what should be reported and how. Ask executives if there is anything they want to see that hasn't yet been provided in the reports.
- Develop a heat map of critical actions - It is extremely difficult to try and implement all GRC activities at once. A more efficient approach would be to map each GRC activity to the amount of effort and costs required, and then accordingly prioritize the activity.
- Identify high risk areas - Use risk heat maps to locate and profile high risk areas in the organization so that more time and attention can be focused on them.
- Harmonize compliance activities and controls - Activities like change management and access control usually have common requirements across regulations. Leverage an integrated technology framework to map these various requirements to processes and functions, thus minimizing redundancies, and harmonizing controls.
- Do not ignore the need for organizational change management - Get people involved and listen to their point of view to gain some valuable tips.
- Improve top-level visibility - Provide graphical dashboards and charts to help stakeholders and directors at the top quickly gain an understanding of the status of enterprise GRC activities. This helps enhance decision-making and identify opportunities to improve business performance.
- Track the journey - Monitor the progress of GRC activities against predefined milestones, and set up automated alerts to notify the appropriate personnel if an activity is not proceeding as planned.
The Road Ahead
As organizations grow, expand, and merge, it is important to build a strong GRC foundation that is sustainable, flexible, and able to efficiently adapt to change. The healthcare products manufacturer is focused on adopting an enterprise-wide approach to risk monitoring, measuring, and reporting without impeding its decentralized operating model. Increased coordination is being encouraged among different stakeholders, and the approach is bottom-up rather than the top-down.
Like the healthcare products manufacturer, most organizations have a complex set of GRC processes - including enterprise risk management, regulatory compliance, marketing compliance, and complaints management - all of which have to be consolidated into a single comprehensive GRC framework supported by robust technology infrastructure. When this approach is effectively implemented, it can simplify and strengthen collaboration across different functions, while also providing a unified view of enterprise GRC. The end-result is an improved ability to pre-empt and mitigate risks, prevent regulatory violations, and improve business performance.