A leading healthcare products manufacturer successfully embarks on the path towards building a robust, collaborative, and harmonized approach to GRC, supported by an integrated technology infrastructure
With risks and regulatory requirements becoming more numerous and complex, it is critical for businesses to implement a robust Governance, Risk, and Compliance (GRC) program. Many organizations are adopting an enterprise GRC strategy that enables them to standardize, centralize, and improve the transparency of end-to-end GRC processes - be it tracking regulatory changes, monitoring controls, managing risks, conducting audits, or ensuring policy conformance. One such organization is a Fortune 500 healthcare products manufacturer.
The healthcare products manufacturer is one of the most recognized and admired organizations in the world. Headquartered in North America, the organization is home to hundreds of thousands of employees working in several independent business subsidiaries across multiple countries.
This vast enterprise, operating in a decentralized model, raised several GRC challenges for the organization. For instance, when it came to GRC planning, each of the business subsidiaries would put forth a different plan for how it was going to govern its risk and meet its compliance requirements. Each subsidiary also had different definitions of what constituted a high risk or a critical compliance area. Even the acronyms used to describe the GRC program varied - should it be GRC or eGRC, ERM or Risk Management?
This disparity in the GRC approach extended to assurance functions. Within each function, there were multiple business and regulatory points of view. For instance, each compliance domain (e.g. privacy, security, GXP) had varying process priorities (e.g. audits, regulatory compliance, risk management).
All these differences made it difficult for the organization to work towards an enterprise-wide GRC initiative, and gain a uniform view of GRC processes at the top.
When the organization's compliance committee conducted an internal situational analysis, it found:
After its internal situational analysis, the organization outlined an action plan focusing on the following high-level processes:
To begin with, external benchmarking helped the organization determine where it was and where it wanted to go. The organization then identified ways of improving collaboration across governance processes. For instance, business subsidiaries were encouraged to share best practices on managing physical security risk since it affected many of them. By collaborating, they could learn from each other, and adopt a more holistic and uniform approach to risk management.
Similarly, various assurance groups such as GXP and SOX - which shared many similar regulatory requirements - began collaborating to eliminate redundancies in controls, control monitoring, and audits. To ensure efficiency, enterprise governance teams began doing quarterly reviews of all assurance activities.
Coverage maps were also developed to identify the impact of audit and enterprise risks across the organization. These maps helped assurance groups select the risk areas that needed more attention than others, and helped them determine whether there were overlaps between risk areas.
The organization then reviewed its GRC initiatives and growth priorities to ensure that they were aligned with its strategic principles, risk appetite, and Credo. Once the organization was satisfied with the direction of its GRC efforts, it selected the COSO framework to implement a common language for its Enterprise Risk Management program.
In 2010, the organization created a risk framework to provide a consolidated view of key risk management processes and solutions, facilitating a shared frame of reference. Select risk areas were represented on the framework in the context of four categories of objectives: Strategy, Reporting, Compliance, and Operations. Various cross-functional committees helped ensure that complementary risks were reviewed and mitigated using an integrated approach. Simultaneously, the Board of Directors took on the responsibility of overseeing overall risk management practices.
The Organization's Risk Governance Structure
The organization's IT infrastructure was governed by multiple compliance regulations such as security and privacy mandates, SOX, GXP, and Internet copyright requirements. However, there was no common database where IT personnel could check what requirements and controls were needed to satisfy a particular regulation. Considering that a single control could be mapped to multiple regulations, it became important to build a comprehensive compliance and control library.
The organization developed a process to harmonize compliance requirements. The process involved building a database where internal requirements could be mapped to external regulations in a one-to-many manner. This initiative was targeted at eliminating duplication, and enabling effective reporting. It also helped make compliance more efficient and streamlined by bringing together all compliance information in one framework. At the same time, it ensured that each business unit was able to view only the information that was specific to its requirements. For instance, SOX managers were able to view IT security and privacy from only a SOX compliance perspective.
Like the healthcare products manufacturer, many organizations are looking to implement a centralized approach to GRC that can address both enterprise-level and tactical-level initiatives. The first step in that direction is to lay the foundation for a unified GRC program, while also thinking about how technology can support this initiative. The healthcare products manufacturer is implementing an integrated platform that can consolidate various GRC processes - including risk assessments, audits, and compliance - into a single framework. The platform normalizes data, while simultaneously rolling it up to the enterprise level to be viewed by senior management.
A Business Performance-based Approach
Before choosing a GRC platform or framework, organizations should take the time and effort to identify what kind of technology would best support their GRC strategy and goals. Here are a few key factors to keep in mind:
GRC technology should be able to map each business objective to the corresponding areas of compliance, business functions, processes, risks, and controls in a one-to-one and one-to-many manner. This enables organizations to better understand the relationships between various GRC processes, and to establish a common risk and compliance language. Moreover, when a change occurs - such as when a new control or regulation is introduced - stakeholders will be able to determine the implications and impact of that change across the business, and take appropriate action.
GRC technology should enable bi-directional linking between the different components of the GRC program. This helps improve collaboration across assurance functions, while minimizing redundancies. It also optimizes the value of various GRC processes. For instance, it enables risk-based audits which allow auditors to focus on high-risk areas instead of trying to audit all areas at once.
GRC has become an integral part of strategic decision-making. Therefore, a GRC technology framework should be able to collate risk, compliance, and audit intelligence from across the enterprise and route it to senior management and the board of directors, who can then respond proactively to ensure that risks are mitigated in time and that regulatory violations do not occur. The framework should also preserve a fine balance between aggregated GRC program views and security.
Organizational ecosystems are no longer limited to the four walls of an office. They extend to suppliers, business partners, vendors, and customers across the globe. GRC technology should be able to support this complex ecosystem in various ways, and establish a culture of transparency and accountability. For instance, it could offer suppliers direct access to the system to monitor their performance and address areas of concern.
Given the complexity of most organizations, it may not be strategically possible to implement a broad-based set of GRC solutions across the enterprise all at once. A more beneficial approach is to first establish an overall GRC framework, and then gradually extend it to different business functions. Start with the area that is most challenging, whether that is risk management, internal audits, or issue management. Once the framework has been established in this area, it can be expanded to other GRC areas across the enterprise. The GRC technology adopted should be able to support this endeavor.
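The harmonized compliance-and-control library described for the manufacturer's IT infrastructure, and the one-to-many mapping and change-impact capability listed as the first technology factor above, can be demonstrated as a small data model. The following Python code is an added illustration, not the organization's own system or any GRC vendor's product; the regulations are named only by domain (SOX, PRIVACY, GXP), and every requirement reference, control identifier, and description is a constructed label rather than a real clause number. It shows one control satisfying requirements from several regulations, a filtered view that shows a SOX manager only SOX references, a change-impact query, and a coverage-gap check for requirements no control addresses.

```python
"""Compliance-and-control library: one-to-many mapping of internal
controls to external regulatory requirements (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Requirement:
    """One external requirement. `ref` is a constructed label, not a real clause number."""
    regulation: str
    ref: str
    text: str


@dataclass
class Control:
    """One internal control; `mapped` holds (regulation, ref) pairs it satisfies."""
    control_id: str
    description: str
    owner: str
    mapped: set = field(default_factory=set)


class ControlLibrary:
    def __init__(self) -> None:
        self.controls: dict[str, Control] = {}
        self.requirements: dict[tuple[str, str], Requirement] = {}

    def add_control(self, control: Control) -> None:
        self.controls[control.control_id] = control

    def add_requirement(self, req: Requirement) -> None:
        self.requirements[(req.regulation, req.ref)] = req

    def map_control(self, control_id: str, regulation: str, ref: str) -> None:
        """Link a control to a requirement; both must already exist, so typos fail loudly."""
        if control_id not in self.controls:
            raise KeyError(f"unknown control {control_id}")
        if (regulation, ref) not in self.requirements:
            raise KeyError(f"unknown requirement {regulation}/{ref}")
        self.controls[control_id].mapped.add((regulation, ref))

    def _covered(self) -> set:
        return set().union(*(c.mapped for c in self.controls.values()))

    def view_for_domain(self, regulation: str) -> dict[str, list[str]]:
        """What one compliance manager sees: each control with only that regulation's refs."""
        view = {}
        for cid, ctl in sorted(self.controls.items()):
            refs = sorted(r for reg, r in ctl.mapped if reg == regulation)
            if refs:
                view[cid] = refs
        return view

    def impact_of_control_change(self, control_id: str) -> dict[str, list[str]]:
        """Regulations and refs affected if this control is changed, retired, or fails."""
        impact = defaultdict(list)
        for reg, ref in sorted(self.controls[control_id].mapped):
            impact[reg].append(ref)
        return dict(impact)

    def unmapped_requirements(self) -> list[tuple[str, str]]:
        """Coverage-gap check: requirements that no control currently addresses."""
        covered = self._covered()
        return sorted(k for k in self.requirements if k not in covered)

    def consolidation(self) -> tuple[int, int]:
        """(requirements covered, controls used): the deduplication a shared library gives."""
        return len(self._covered()), sum(1 for c in self.controls.values() if c.mapped)


def build_sample_library() -> ControlLibrary:
    """Constructed sample data: three domains, six requirements, three controls."""
    lib = ControlLibrary()
    for reg, ref, text in [
        ("SOX", "ITGC-ACCESS", "Privileged access to financial systems is restricted and reviewed"),
        ("PRIVACY", "ACCESS-CTRL", "Access to personal data is limited to authorised staff"),
        ("GXP", "SYS-ACCESS", "Validated systems enforce individual user accounts"),
        ("SOX", "ITGC-CHANGE", "Changes to financial systems are approved before deployment"),
        ("GXP", "SYS-CHANGE", "Changes to validated systems follow change control"),
        ("PRIVACY", "BREACH-NOTIFY", "Personal-data breaches are reported within the required window"),
    ]:
        lib.add_requirement(Requirement(reg, ref, text))
    lib.add_control(Control("C-01", "Quarterly review of privileged accounts", "IT Security"))
    lib.add_control(Control("C-02", "Change board approval for production changes", "IT Ops"))
    lib.add_control(Control("C-03", "Annual penetration test", "IT Security"))  # not yet mapped
    for reg, ref in [("SOX", "ITGC-ACCESS"), ("PRIVACY", "ACCESS-CTRL"), ("GXP", "SYS-ACCESS")]:
        lib.map_control("C-01", reg, ref)  # one control, three regulations
    for reg, ref in [("SOX", "ITGC-CHANGE"), ("GXP", "SYS-CHANGE")]:
        lib.map_control("C-02", reg, ref)
    return lib


if __name__ == "__main__":
    lib = build_sample_library()
    print("SOX manager's view:", lib.view_for_domain("SOX"))
    print("Impact if C-01 changes:", lib.impact_of_control_change("C-01"))
    print("Requirements with no control:", lib.unmapped_requirements())
    print("Requirements covered / controls used:", lib.consolidation())
```

In the sample, five requirements across three regulations are covered by two controls, which is the redundancy elimination the assurance groups were after; the unmapped breach-notification requirement is the kind of gap a coverage map is meant to surface, and the impact query is what lets a SOX manager see that a change to an access-review control also touches privacy and GxP obligations.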
Here are a few best practices for organizations to consider while building a GRC program:
As organizations grow, expand, and merge, it is important to build a strong GRC foundation that is sustainable, flexible, and able to adapt efficiently to change. The healthcare products manufacturer is focused on adopting an enterprise-wide approach to risk monitoring, measurement, and reporting without impeding its decentralized operating model. Increased coordination is being encouraged among different stakeholders, and the approach is bottom-up rather than top-down.
Like the healthcare products manufacturer, most organizations have a complex set of GRC processes - including enterprise risk management, regulatory compliance, marketing compliance, and complaints management - all of which have to be consolidated into a single comprehensive GRC framework supported by a robust technology infrastructure. When this approach is implemented effectively, it can simplify and strengthen collaboration across functions, while also providing a unified view of enterprise GRC. The end result is an improved ability to pre-empt and mitigate risks, prevent regulatory violations, and improve business performance.