Crafting An End-to-End Pharma GRC Strategy

Cognizant 20-20 Insights, June 2013

Understanding the most appropriate regulatory compliance solution extends beyond pure technological functionalities; it requires intimate understanding of the policies and procedures required to achieve meaningful compliance with regulations, worldwide.

Executive Summary

The pharmaceuticals industry and related businesses are mandated to comply with diverse regulatory standards in different countries. These include the Sarbanes-Oxley Act (SOX) in the U.S., and good manufacturing practice (GMP), good laboratory practice (GLP), good pharmacy practice, etc. in the U.S. and elsewhere. Hence, spending on governance, risk management, and compliance (GRC) tools is necessary. This white paper details pharma-specific key business processes and suitable GRC technologies available in the market.

GRC Market Dynamics

With steady year-over-year growth, GRC tools are delivering increasing benefits to pharmaceuticals companies seeking to streamline and automate their compliance processes, worldwide. To properly leverage GRC, pharma companies must see GRC as more than a tool or technology. Technology without proper direction is not going to help most companies anyway. What they need is a direction/approach toward compliance in addition to tools. This compliance strategy could comprise processes, a roadmap, operating procedures, etc.

GRC Technology Investment Drivers

Corporate boards and senior executives of pharma majors are seeking greater visibility and insight into the effectiveness of controls and compliance across their organizations to ensure commitment to investors and to gain customer confidence. Key factors influencing the recent growth of GRC include:

- Business transformation and SAP consolidation programs, primarily to protect investments in existing IT systems and tools.
- Global shared service centers and control centers for better utilization of resources and to ensure transparency in financial control across organizations.
- Increased regulatory requirements, along with the persistent pressure to reduce the cost of compliance and assurance.
- Demand for integrated compliance tools to address widespread needs of different compliance groups within the organization

and to consolidate disparate indicators and standards for judging compliance across the organization.

Pharma companies are under enormous pressure since they need to assure clinical trials and drug manufacturing quality standards to consumers/government, in addition to finance-related assurance to stakeholders. Pharma businesses expect – and are ready – to invest in GRC solutions that address all of their requirements. This eventually created a wave of innovation among GRC vendors.

GRC Technology Overview

Today's compliance departments need an integrated solution to address various stakeholder requirements. Figure 1 highlights the different modules. What follows is a detailed assessment of the specific functionalities required.

Figure 1: Components of GRC. Four modules (Enterprise Risk Management, Policies and Control Repository, Security and Segregation of Duties, Audit Lifecycle Management) arranged around a GRC Central Repository.

- Enterprise risk management:
  » Perform business risk assessments.
  » Prioritize risks and prepare mitigation plans.
  » Actively monitor changes in risk profile.
  » Report incidents.
- Policies and control repository:
  » Map policy requirements to processes, risks and controls.
  » Maintain a repository of test scripts/data.
  » Automatically report on results.
  » Track exception and remediation plans.
- Security and segregation of duties:
  » Facilitate automated testing of system access controls.
  » Facilitate automated testing of segregation of duties.
- Audit lifecycle management:
  » Document independent audit activities.
  » Provide quality assurance over compliance activities.
  » Report results.
  » Track exceptions and remediation activities.

Investment in specific modules depends on budget decisions from various units. As no single person "owns" four module deployments, there should be proper alignment among different stakeholders to buy one solution for all of their requirements. Hence, selection of a GRC vendor is a process that should be orchestrated carefully to avoid redundant solutions and to achieve cost savings. (See GRC Tools and Vendor Consideration Process further down on how to make this happen.) All of the above mentioned regulations/frameworks can be centrally configured in GRC, as shown in Figure 2, next page.

GRC Technology Vendor Overview

GRC vendors can be classified into three main categories:

- GRC integrated with ERP solutions: SAP and Oracle are the only integrated GRC solutions available. SAP's GRC 10 is tightly integrated

with SAP's ERP solutions in terms of design and architecture, which ensures more automated operations at a reduced cost and strong systems performance.
- GRC-focused solutions: These solutions lack ERP integration and process automation. Hence, their performance and automation pale in comparison with GRC solutions integrated with ERP.
- GRC niche solutions: This category includes proven solutions from companies such as Approva. For example, Approva's Bizrights is a leading product in the European market and is positioned as a hybrid solution between integrated and GRC-focused offerings in terms of benefits.

What follows is a discussion of vendor considerations and an assessment of SAP GRC and Approva One (the latest version of Approva Bizrights), two solutions with which we have vast experience implementing for numerous pharma companies.

Figure 2: Cross-Functional GRC Capability. A global compliance platform (GRC technology) provides: (1) maintenance of central master data structures: multiple compliance frameworks, business objectives, organizational hierarchy, risk and response catalog, account groups and financial assertions, policies and procedures (lifecycle management), entity level controls catalog, process and controls repository, control objectives catalog; (2) maintenance of "central" evaluation templates: assessment plans (survey library), manual test plans, automated test scripts; (3) a cross-compliance planning and reporting platform: centralized planning and monitoring of ongoing compliance activities, holistic view of compliance activities across multiple frameworks. Each compliance framework configured on the platform (COBIT, UK Bribery Act, SOX and Contract are shown) gets: (1) assignment of relevant central master data (ability to allow or prevent local modifications); (2) assignment of relevant control evaluation templates (standardization of testing/assessment procedures); (3) a compliance-specific reporting platform and evidence repository; (4) the ability to allow or prevent "shared evaluations" with other compliance framework(s); (5) a compliance-specific roles and authorization model.

GRC Tools and Vendor Consideration Process

Figure 3, next page, depicts a typical pharma company's organizational hierarchy. There are many questions to help understand your organization's GRC needs. We list some of the more important ones below:

- What is the value proposition you anticipate from GRC?

- Do you need a single source risk and control solution? It is nothing but a centralized repository of risks and controls across all regulations. Solution benefits:
  » Easy communication to audit stakeholders.
  » Reliable change control.
  » Automated updates to control set.
  » Systematic allocation of ownership and accountability.

  » Formalization of control framework.
  » Reduced controls.

- Do you need a tool to address cross-functional control and compliance framework requirements? Your organization might require a tool to manage diversified compliance requirements such as a financial control framework (FCF), IS control framework and SOX control framework under one single roof. Solution benefits:
  » Reduced rework and duplication of compliance data.
  » Effective utilization of controls: linkage of key controls to multiple regulation risks.
  » Linkage to organization policies and procedures.

- Would you like to automate the control self-assessment cycle? This means you can enter control validation procedures and results within GRC. The entire lifecycle of self-assessment, from self-assurance to control effectiveness reporting, would then be automated with the help of GRC. Solution benefits:
  » Effective risk assessment and scoping.
  » Roll-forward capability.
  » Automatic communication.
  » Status reporting and escalation management.
  » Reduced reliance on off-line progress.
  » Flexible visibility of control operation and remediation progress.
  » Targeted remediation effort.

- Does your organization desire sophisticated reporting and remediation trend analysis? This is necessary for organizations that are not happy with the reporting features of their current compliance tool. GRC provides much improved reporting on violations and helps predict remediation trends.

- Has your organization had to confront concerns voiced by the business that it is being over-audited? This means that synergy and alignment are required among different compliance-relevant procedures performed by multiple lines of defense. Solution benefits:
  » Efficient effort and reduced duplication.

- Does your organization require the complete insight of continuous monitoring: data, control and transactions? This question concerns whether the business needs thorough monitoring of transactions being done through the ERP systems against pre-configured rules. For example, monitoring of the purchase module will yield the following insights:
  » Who performed more purchases?
  » Was it appropriately approved?
  » Were purchases realized into inventories?

Figure 3: Pharma Industry Organizational Hierarchy. Pharma PLC, with Commercial, R&D, Finance, Operations and IS, Global Compliance, Regional Audit Group and Group Internal Audit functions beneath it.

  Solution benefits:
  » Automated testing of controls is performed by GRC.
  » Continuous monitoring in GRC offers "detective" controls. Detective controls are the rule set/processes in place that detect violations only after the control breach. For example, if the organization decides that purchase requisitions worth more than 10,000 require three levels of approval, then any purchase worth more than 10,000 yet containing only two levels of approval will be flagged as a violation. This feature helps organizations discover how many violations occur within a particular time frame, the reasons they occur and a possible means for mitigating this issue.

- Is your organization looking for integrated security and SOD along with GRC? This means that automated user provisioning to ERP is required after segregation of duties analysis from GRC. Solution benefits:
  » Reduced SOD analysis effort.
  » Automated user provisioning reduces effort for the security team and improves reliance on complex SOD compliance.

Figure 4: Comparing Approva One vs. SAP GRC

Supported platforms
  Approva One: Seamlessly supports ERP products such as SAP, Oracle, PeopleSoft and CGI, and has rule templates ready for them. Any other third-party CRM and HR systems can also be included within Approva One with additional custom configuration effort.
  SAP GRC 10: Seamlessly supports only SAP products. Though there are provisions such as non-SAP adapters for GRC or integration through IDM, etc., these are not proven.

Modules
  Approva One: Comes with two modules, Authorization Insight and Process Insight.
  SAP GRC 10: Comes with modules for access control and process control, but as an integrated solution (in contrast with predecessor releases) also has a risk management module.

Access
  Approva One, Authorization Insight: Responsible for rule book design, exception management, mitigation controls, continuous monitoring and risk analysis.
  SAP GRC 10, Access Control: Simplifies the remediation and mitigation process with the help of process control components. It allows central management of firefighter IDs, streamlines the temporary super-user access log review by adding workflow capabilities and has business role concepts.

Process
  Approva One, Process Insight: Responsible for audit lifecycle management such as SOX framework design, design effectiveness review, internal audit planning and testing of controls, etc.
  SAP GRC 10, Process Control: Helps to define and set up automated monitoring of controls and workflow alerts, including transactional record and configuration changes at SAP ERP. The SAP BusinessObjects GRC 10 version provides capabilities around content lifecycle management that allow the import and export of risks and controls together, enhancing the integration of AC and PC into a single enterprise risk management platform that provides summarized views of the different organizational risks and their related automated, manual and security controls from a business process perspective.

Risk management
  SAP GRC 10, Risk Management: SAP GRC 10 has a separate module called risk management, in contrast to Approva. This deals with risk assessment and risk prioritization. SAP risk management enables an enterprise-wide risk management process as mandated by certain legal requirements and recommended by best-practice management frameworks. It uses the various work centers of the GRC, in which you can carry out all risk management activities. The process control component of GRC 10 complements risk management. SAP bifurcated the risk management aspect of GRC into a separate module to give better visibility to executive management, who actually require a bird's eye view of enterprise risks and their mitigation controls.
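The continuous-monitoring questions above (who performed more purchases, was each one appropriately approved, was it realized into inventory) and the three-level-approval rule the paper gives as its detective-control example, worked through as an added Python example over a constructed requisition extract. This is not code from the paper or from Approva One or SAP GRC; the record layout, field names, threshold constants and sample values are assumptions. It generalizes the paper's rule slightly by counting distinct approvers, so the same person approving twice is not credited as two approval levels.

```python
"""Detective control over purchase-requisition records, modelled on the
three-level-approval rule the paper uses as its continuous-monitoring example.
Added example: the record layout and field names are assumptions, not any
GRC product's schema."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

APPROVAL_THRESHOLD = 10_000      # amount above which the rule applies (figure from the paper)
REQUIRED_APPROVAL_LEVELS = 3     # approvals required above the threshold (from the paper)


@dataclass(frozen=True)
class Requisition:
    req_id: str
    requester: str
    amount: float
    posted: date
    approvers: Tuple[str, ...]   # one entry per approval level recorded in the ERP
    goods_receipt: bool          # True once the purchase was realized into inventory


# Constructed sample extract; all values are illustrative only.
SAMPLE_REQUISITIONS: List[Requisition] = [
    Requisition("PR-1001", "alice", 4_500.00, date(2013, 5, 3), ("mgr1",), True),
    Requisition("PR-1002", "bob", 12_000.00, date(2013, 5, 7), ("mgr1", "dir1", "cfo"), True),
    Requisition("PR-1003", "bob", 25_000.00, date(2013, 5, 21), ("mgr1", "dir1"), True),        # two levels only
    Requisition("PR-1004", "carol", 10_000.00, date(2013, 6, 2), ("mgr2",), False),             # at threshold, not above
    Requisition("PR-1005", "bob", 18_750.00, date(2013, 6, 11), ("mgr1", "dir1"), False),       # two levels, no receipt
    Requisition("PR-1006", "alice", 30_000.00, date(2013, 6, 12), ("mgr1", "mgr1", "dir1"), True),  # same approver twice
]


def approval_violations(reqs: List[Requisition]) -> List[Tuple[str, str]]:
    """Return (req_id, reason) for every requisition that breaches the approval rule.
    Levels are counted by distinct approver, so a repeated approver is not a second level."""
    out = []
    for r in reqs:
        if r.amount > APPROVAL_THRESHOLD:
            levels = len(set(r.approvers))
            if levels < REQUIRED_APPROVAL_LEVELS:
                out.append((r.req_id,
                            f"{levels} of {REQUIRED_APPROVAL_LEVELS} approval levels for amount {r.amount:.2f}"))
    return out


def purchases_by_requester(reqs: List[Requisition]) -> List[Tuple[str, int]]:
    """Who performed more purchases? Requisition count per requester, highest first."""
    return Counter(r.requester for r in reqs).most_common()


def unrealized_purchases(reqs: List[Requisition]) -> List[str]:
    """Requisitions never realized into inventory (no goods receipt recorded)."""
    return [r.req_id for r in reqs if not r.goods_receipt]


def violations_by_month(reqs: List[Requisition]) -> Dict[str, int]:
    """How many violations occur within a particular time frame: count per YYYY-MM."""
    flagged = {req_id for req_id, _ in approval_violations(reqs)}
    by_month = Counter(r.posted.strftime("%Y-%m") for r in reqs if r.req_id in flagged)
    return dict(sorted(by_month.items()))


if __name__ == "__main__":
    for req_id, reason in approval_violations(SAMPLE_REQUISITIONS):
        print(f"VIOLATION {req_id}: {reason}")
    print("purchases by requester:", purchases_by_requester(SAMPLE_REQUISITIONS))
    print("not realized into inventory:", unrealized_purchases(SAMPLE_REQUISITIONS))
    print("violations per month:", violations_by_month(SAMPLE_REQUISITIONS))
```

Each function returns its result rather than only printing it, so the same checks can run against a scheduled ERP extract and feed a report; the month-by-month count is the "violations within a time frame" view the paper describes, and joining the flagged requisitions to their approval history is the natural next step for finding why each breach occurred.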

Other questions to resolve include:

- Do you know the ratings/pros and cons of various compliance tools in the market?
  » Before you start researching GRC solutions, ensure that you read recent analysis from Forrester and Gartner – the two top market research companies.
- What needs to be considered before constituting the program to identify a suitable GRC vendor?
  » Key users of compliance are in finance. But be sure to include other key stakeholders/representatives in the GRC program, according to their weight in compliance needs.
  » Primarily target your organization's ERP environment. But be sure to include all tools that fall within the compliance ring.
  » Elicit needs for differen
