Crafting an End-to-End Pharma GRC Strategy
Understanding the most appropriate regulatory compliance solution extends beyond pure technological functionalities; it requires intimate understanding of policies and procedures required to achieve meaningful compliance with regulations, worldwide.
cognizant 20-20 insights | june 2013
Executive Summary
The pharmaceuticals industry and related businesses are mandated to comply with diverse regulatory standards in different countries. This includes the Sarbanes-Oxley Act (SOX) in the U.S., and good manufacturing practice (GMP), good laboratory practice (GLP), good pharmacy practice, etc. in the U.S. and elsewhere. Hence, spending on governance, risk management, and compliance (GRC) tools is necessary.
This white paper details pharma-specific key business processes and suitable GRC technologies available in the market.
GRC Market Dynamics
With steady year-over-year growth, GRC tools are delivering increasing benefits to pharmaceuticals companies seeking to streamline and automate their compliance processes, worldwide. To properly leverage GRC, pharma companies must see GRC as more than a tool or technology. Technology without proper direction is not going to help most companies anyway. What they need is a direction/approach toward compliance in addition to tools. This compliance strategy could comprise processes, a roadmap, operating procedures, etc.
GRC Technology Investment Drivers
Corporate boards and senior executives of pharma majors are seeking greater visibility and insight into the effectiveness of controls and compliance across their organizations to ensure commitment to investors and to gain customer confidence. Key factors influencing the recent growth of GRC include:
• Business transformation and SAP consolidation programs, primarily to protect investments in existing IT systems and tools.
• Global shared service centers and control centers for better utilization of resources and to ensure transparency in financial control across organizations.
• Increased regulatory requirements, along with the persistent pressure to reduce the cost of compliance and assurance.
• Demand for integrated compliance tools to address widespread needs of different compliance groups within the organization and to consolidate disparate indicators and standards for judging compliance across the organization.
• Pharma companies are under enormous pressure since they need to assure clinical trials and drug manufacturing quality standards to consumers/government, in addition to finance-related assurance to stakeholders. Pharma businesses expect – and are ready – to invest in GRC solutions that address all of their requirements. This eventually created a wave of innovation among GRC vendors.
GRC Technology Overview
Today’s compliance departments need an integrated solution to address various stakeholder requirements. Figure 1 highlights the different modules. What follows is a detailed assessment of the specific functionalities required.
[Figure 1: Components of GRC. GRC Central Repository; Policies and Control Repository; Enterprise Risk Management; Security and Segregation of Duties; Audit Lifecycle Management]
Enterprise risk management:
• Perform business risk assessments.
• Prioritize risks and prepare mitigation plans.
• Actively monitor changes in risk profile.
• Report incidents.
Policies and control repository:
• Map policy requirements to processes, risks and controls.
• Maintain a repository of test scripts/data.
• Automatically report on results.
• Track exception and remediation plans.
Security and segregation of duties:
• Facilitate automated testing of system access controls.
• Facilitate automated testing of segregation of duties.
Audit lifecycle management:
• Document independent audit activities.
• Provide quality assurance over compliance activities.
• Report results.
• Track exceptions and remediation activities.
Investment in specific modules depends on budget decisions from various units. As no single person “owns” four module deployments, there should be proper alignment among different stakeholders to buy one solution for all of their requirements. Hence, selection of a GRC vendor is a process that should be orchestrated carefully to avoid redundant solutions and to achieve cost savings. (See GRC Tools and Vendor Consideration Process further down on how to make this happen.)
All of the above mentioned regulations/framework can be centrally configured in GRC, as shown in Figure 2, next page.
GRC Technology Vendor Overview
GRC vendors can be classified into three main categories:
• GRC integrated with ERP solutions: SAP and Oracle are the only integrated GRC solutions available. SAP’s GRC 10 is tightly integrated with SAP’s ERP solutions in terms of design and architecture, which ensures more automated operations at a reduced cost and strong systems performance.
• GRC-focused solutions: These solutions lack ERP integration and process automation. Hence, their performance and automation pales in comparison with GRC solutions integrated with ERP.
• GRC niche solutions: This category includes proven solutions from companies such as Approva. For example, Approva’s Bizrights is a leading product in the European market and is positioned as a hybrid solution between integrated and GRC-focused offerings in terms of benefits.
What follows is a discussion of vendor considerations and an assessment of SAP GRC and Approva One (the latest version of Approva Bizrights), two solutions with which we have vast experience implementing for numerous pharma companies.
GRC Tools and Vendor Consideration
Process
Figure 3, next page, depicts a typical pharma
company’s organizational hierarchy.
There are many questions to help understand
your organization’s GRC needs. We list some of
the more important ones below:
What is the value proposition you anticipate
from GRC?
•	 Do you need a single source risk and control
solution?
•	 It is nothing but a centralized repository of
risks and controls across all regulations.
Solution benefits:
•	 Easy communication to audit stakeholders.
•	 Reliable change control.
•	 Automated updates to control set.
•	Systematic allocation of ownership and
accountability.
• Formalization of control framework.
• Reduced controls.
[Figure 2: GRC Technology. Cross-Functional GRC Capability]
Global Compliance Platform
1. Maintenance of central master data structures:
  • Multiple compliance frameworks.
  • Business objectives.
  • Organizational hierarchy.
  • Risk and response catalog.
  • Account groups and financial assertions.
  • Policies and procedures (lifecycle management).
  • Entity level controls catalog.
  • Process and controls repository.
  • Control objectives catalog.
2. Maintenance of “central” evaluation templates:
  • Assessment plans (survey library).
  • Manual test plans.
  • Automated test scripts.
3. Cross-compliance planning and reporting platform:
  • Centralized planning and monitoring of ongoing compliance activities.
  • Holistic view of compliance activities across multiple frameworks.
Compliance Frameworks (SoX, UK Bribery Act, COBIT, Contract)
1. Assignment of relevant central master data (ability to allow or prevent local modifications).
2. Assignment of relevant control evaluation templates (standardization of testing/assessment procedures).
3. Compliance-specific reporting platform and evidence repository.
4. Ability to allow or prevent “shared evaluations” with other compliance framework(s).
5. Compliance-specific roles and authorization model.
Do you need a tool to address cross-functional control and compliance framework requirements?
Your organization might require a tool to
manage diversified compliance requirements
such as financial control framework (FCF), IS
control framework and SOX control framework
under one single roof.
Solution benefits:
•	 Reduced rework and duplication of compliance
data.
•	 Effective utilization of controls: Linkage of key
controls to multiple regulation risks.
•	Linkage to organization policies and
procedures.
Would you like to automate the control
self-assessment cycle?
This means you can enter control validation
procedures and results within GRC. The entire
lifecycle of self-assessment, from self-assurance
to control effectiveness reporting, would then be
automated with the help of GRC.
Solution benefits:
•	 Effective risk assessment and scoping.
•	 Roll-forward capability.
•	 Automatic communication.
•	 Status reporting and escalation management.
Does your organization desire sophisticated
reporting and remediation trend analysis?
This is necessary for organizations that are not
happy with the reporting features of their current
compliance tool. GRC provides much improved
reporting on violations and helps predict
remediation trends.
Solution benefits:
•	 Reduced reliance on off-line progress.
•	Flexible visibility of control operation and
remediation progress.
•	 Targeted remediation effort.
Has your organization had to confront concerns voiced by the business that it is being over-audited?
This means that synergy and alignment are required among different compliance-relevant procedures performed by multiple lines of defense.
Solution benefits:
•	 Efficient effort and reduced duplication.
Does your organization require the complete
insight of continuous monitoring: data, control
and transactions?
This question concerns whether the business
needs thorough monitoring on transactions
being done through the ERP systems against
pre-configured rules. For example, monitoring to
be done on the purchase module will yield the
following insights:
•	 Who performed more purchases?
•	 Was it appropriately approved?
•	 Were purchases realized into inventories?
[Figure 3: Pharma Industry Organizational Hierarchy. Pharma PLC; R&D; Finance; Operations and IS; Commercial; Global Compliance; Regional Audit Group; Group Internal Audit]
Solution benefits:
• Automated testing of controls is performed by GRC.
• Continuous monitoring of GRC offers “detective” controls. Detective controls are the rule set/processes in place that detect violations only after the control breach. For example, if the organization decides that purchase requisitions worth more than $10,000 require three levels of approval, then any purchase worth more than $10,000 yet containing only two levels of approval will be flagged as a violation. This feature helps organizations discover how many violations occur within a particular time frame, the reasons they occur and a possible means for mitigating this issue.
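The purchase-module questions and the $10,000 / three-approval rule described above, as an added example that is not part of the white paper and not taken from SAP GRC or Approva One. The record layout, field names and sample requisitions are constructed for illustration, and counting distinct approval levels (so a repeated level does not count twice) is an assumption.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Rule taken from the paper's example: requisitions worth MORE than
# $10,000 require three levels of approval.
THRESHOLD = Decimal("10000")
REQUIRED_LEVELS = 3


@dataclass(frozen=True)
class Requisition:
    """Hypothetical ERP purchase requisition record (layout is assumed)."""
    req_id: str
    requester: str
    posted: date
    amount: Decimal
    approval_levels: tuple   # approval levels recorded, e.g. (1, 2, 3)
    goods_received: bool     # was the purchase realized into inventory?


@dataclass(frozen=True)
class Violation:
    req_id: str
    requester: str
    period: str              # YYYY-MM, used for time-frame reporting
    reason: str


def find_violations(reqs):
    """Detective control: flag requisitions that already breached the rule."""
    found = []
    for r in reqs:
        # Assumption: a level approved twice still counts as one level.
        levels = set(r.approval_levels)
        if r.amount > THRESHOLD and len(levels) < REQUIRED_LEVELS:
            found.append(Violation(
                r.req_id,
                r.requester,
                r.posted.strftime("%Y-%m"),
                f"{len(levels)} of {REQUIRED_LEVELS} approval levels",
            ))
    return found


def summarize(reqs):
    """Answer the three purchase-module questions for a batch of records."""
    violations = find_violations(reqs)
    by_requester = Counter(r.requester for r in reqs)
    return {
        # Who performed more purchases?
        "top_requester": by_requester.most_common(1)[0][0],
        "purchases_by_requester": dict(by_requester),
        # Was it appropriately approved? (violations per time frame)
        "violations_by_period": dict(Counter(v.period for v in violations)),
        "violations": violations,
        # Were purchases realized into inventories?
        "not_received": [r.req_id for r in reqs if not r.goods_received],
    }


# Constructed sample data, not real transactions.
SAMPLE = [
    Requisition("PR-1001", "asha", date(2013, 4, 3), Decimal("12500"), (1, 2, 3), True),
    Requisition("PR-1002", "ben", date(2013, 4, 10), Decimal("15000"), (1, 2), True),
    # Exactly $10,000 is not "more than" the threshold, so it is not flagged.
    Requisition("PR-1003", "ben", date(2013, 4, 18), Decimal("10000"), (1,), True),
    # Level 2 recorded twice: only two distinct levels, and no goods receipt.
    Requisition("PR-1004", "ben", date(2013, 5, 2), Decimal("22000"), (1, 2, 2), False),
    Requisition("PR-1005", "chen", date(2013, 5, 20), Decimal("800"), (), True),
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for v in report["violations"]:
        print(f"{v.period} {v.req_id} {v.requester}: {v.reason}")
    print("violations by period:", report["violations_by_period"])
    print("top requester:", report["top_requester"])
    print("no goods receipt:", report["not_received"])
```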
Is your organization looking for integrated
security and SOD along with GRC?
This means that automated user provisioning
to ERP is required after segregation of duties
analysis from GRC.
Solution benefits:
•	 Reduce SOD analysis effort.
• Automated user provisioning reduces effort from the security team and it improves reliance on complex SOD compliance.
Figure 4: Comparing Approva One vs. SAP GRC
Approva One: Approva One seamlessly supports ERP products such as SAP, Oracle, PeopleSoft and CGI. It has rule templates ready for the same. Any other third-party CRM systems and HR systems can also be included within Approva One with additional custom configuration effort.
SAP GRC 10: SAP GRC 10 seamlessly supports only SAP products. Though there are provisions given like non-SAP adapters for GRC or integration through IDM, etc., these are not proven.
Approva One: Approva One comes with two modules: Authorization Insight and Process Insight.
• Authorization Insight: Responsible for rule book design, exception management, mitigation controls, continuous monitoring and risk analysis.
• Process Insight: Responsible for audit lifecycle management like SOX framework design, design effectiveness review, internal audit planning and testing of controls, etc.
SAP GRC 10: SAP GRC 10 comes with modules for access control and process control, but as an integrated solution (in contrast with predecessor releases) also has a risk management module.
• Access Control: Access control simplifies the remediation and mitigation process with the help of process control components. It allows central management of firefighter IDs, streamlines the temporary super-user access log review by adding workflow capabilities and has business role concepts.
• Process Control: This helps to define and set up automated monitoring of controls and workflow alerts including transactional record and configuration changes at SAP ERP. SAP Business Objects GRC 10 version provides capabilities around content lifecycle management that allows the import and export of risks and controls together by enhancing the integration with AC and PC into a single enterprise risk management platform that provides summarized views representing the different organizational risks and related automated, manual and security controls from a business process perspective.
• Risk Management: SAP GRC 10 has a separate module called risk management, in contrast to Approva. This deals with risk assessment and risk prioritization. SAP risk management enables an enterprise-wide risk management process as mandated by certain legal requirements and recommended by best-practice management frameworks. SAP risk management uses the various work centers of the GRC, in which you can carry out all risk management activities. The process control component of GRC 10 complements risk management. SAP bifurcated the risk management aspect of GRC into a separate module to give better visibility to executive management who actually require a bird’s eye view of enterprise risks and their mitigation controls.
Other questions to resolve include:
• Do you know the ratings/pros and cons of various compliance tools in the market?
  » Before you start researching GRC solutions, ensure that you read recent analysis from Forrester and Gartner – the two top market research companies.
• What needs to be considered before constituting the program to identify a suitable GRC vendor?
  » Key users of compliance are in finance. But be sure to include other key stakeholders/representatives in the GRC program, according to their weight in compliance needs.
  » Primarily target your organization’s ERP environment. But be sure to include all tools that fall within the compliance ring.
  » Elicit needs for different control repositories.
  » Get inputs from local, regional integrated assurance teams on current compliance manual processes or tools.
  » Perform an overall assessment of current compliance tools and processes.
In a nutshell, GRC vendor selection always starts with:
• An in-depth self-assessment of your compliance requirements.
• An assessment of the underlying business environment, covering:
  » IT infrastructure.
  » Controls maturity.
  » Lines of defense model.
Approva One Bizrights and SAP Business Objects GRC-10 are good packages to consider among many strong GRC solutions on the market.
In its latest release, Approva One offers innovations such as a provision to follow up on SOD remediation and a user interface for end-to-end mitigation processes. Approva continues to concentrate on its core strengths (i.e., it is easy to operate, flexible, supports a wide range of financial systems and has lower procurement and operating costs).
SAP Business Objects GRC-10 has been nicely upgraded. From a technical perspective, SAP GRC has moved from the Java programming language to ABAP. This core change allows centralized support across all its components. The SAP GRC solution’s new platform improves change management processes by leveraging existing transport systems, background job scheduling, archiving and other standard SAP features. SAP Roadmap for GRC promises continuous innovations by releasing updated GRC functionalities and patches, which bodes well for its customer base. On the other hand, Approva, as noted earlier, has also improved the capabilities of its Approva One offering, with additional updates expected. Hence, these two products are worthy of consideration for pharma GRC requirements.
References
• Gartner’s French Caldwell, Tom Scholtz, John Hagerty, "Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms," July 13 2011, pp. 9-14, http://fm.sap.com/data/UPLOAD/files/Gartner_Magic_Quadrant_for_EGRC_(July_2011)%5B1%5D.pdf.
• Forrester’s Chris McClean with Stephanie Balaouras and Nicholas M. Hayes, "Enterprise Governance, Risk, and Compliance Platforms, Q4 2011," Dec 2 2011, pp. 9-10, http://www.protiviti.co.in/en-US/Documents/About-Us/The-Forrester-Wave-Enterprise-Governance-Risk-and-Compliance-Platforms-Q4-2011.pdf.
About the Author
Karthikeyan Muniappan is a Senior SAP Consultant in Cognizant’s Enterprise Application Systems
Practice and is a member of its SAP basis Sub-practice. He won an innovation award in 2011 from
Cognizant and SAP India for his contribution to SOX/SOD compliance and the relevant toolset. Karthik
has a master of engineering degree from Anna University in computer science and engineering. He can
be reached at Karthikeyan.Muniappan@cognizant.com.
About Cognizant
Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process
outsourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered
in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep
industry and business process expertise, and a global, collaborative workforce that embodies the future of work.
With over 50 delivery centers worldwide and approximately 162,700 employees as of March 31, 2013, Cognizant is a
member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the
top performing and fastest growing companies in the world.
Visit us online at www.cognizant.com for more information.
World Headquarters
500 Frank W. Burr Blvd.
Teaneck, NJ 07666 USA
Phone: +1 201 801 0233
Fax: +1 201 801 0243
Toll Free: +1 888 937 3277
Email: inquiry@cognizant.com
European Headquarters
1 Kingdom Street
Paddington Central
London W2 6BD
Phone: +44 (0) 207 297 7600
Fax: +44 (0) 207 121 0102
Email: infouk@cognizant.com
India Operations Headquarters
#5/535, Old Mahabalipuram Road
Okkiyam Pettai, Thoraipakkam
Chennai, 600 096 India
Phone: +91 (0) 44 4209 6000
Fax: +91 (0) 44 4209 6060
Email: inquiryindia@cognizant.com
­­© Copyright 2013, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any
means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is
subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.

ICT role in 21st century education and its challenges
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 

Crafting an End-to-End Pharma GRC Strategy

  • 1. Crafting an End-to-End Pharma GRC Strategy

Understanding the most appropriate regulatory compliance solution extends beyond pure technological functionalities; it requires intimate understanding of policies and procedures required to achieve meaningful compliance with regulations, worldwide.

Executive Summary

The pharmaceuticals industry and related businesses are mandated to comply with diverse regulatory standards in different countries. This includes the Sarbanes-Oxley Act (SOX) in the U.S., and good manufacturing practice (GMP), good laboratory practice (GLP), good pharmacy practice, etc. in the U.S. and elsewhere. Hence, spending on governance, risk management, and compliance (GRC) tools is necessary.

This white paper details pharma-specific key business processes and suitable GRC technologies available in the market.

GRC Market Dynamics

With steady year-over-year growth, GRC tools are delivering increasing benefits to pharmaceuticals companies seeking to streamline and automate their compliance processes, worldwide. To properly leverage GRC, pharma companies must see GRC as more than a tool or technology. Technology without proper direction is not going to help most companies anyway. What they need is a direction/approach toward compliance in addition to tools. This compliance strategy could comprise processes, a roadmap, operating procedures, etc.

GRC Technology Investment Drivers

Corporate boards and senior executives of pharma majors are seeking greater visibility and insight into the effectiveness of controls and compliance across their organizations to ensure commitment to investors and to gain customer confidence. Key factors influencing the recent growth of GRC include:

• Business transformation and SAP consolidation programs, primarily to protect investments in existing IT systems and tools.
• Global shared service centers and control centers for better utilization of resources and to ensure transparency in financial control across organizations.
• Increased regulatory requirements, along with the persistent pressure to reduce the cost of compliance and assurance.
• Demand for integrated compliance tools to address widespread needs of different compliance groups within the organization

Cognizant 20-20 Insights | June 2013
  • 2.

and to consolidate disparate indicators and standards for judging compliance across the organization.

• Pharma companies are under enormous pressure since they need to assure clinical trials and drug manufacturing quality standards to consumers/government, in addition to finance-related assurance to stakeholders.

Pharma businesses expect – and are ready – to invest in GRC solutions that address all of their requirements. This eventually created a wave of innovation among GRC vendors.

GRC Technology Overview

Today’s compliance departments need an integrated solution to address various stakeholder requirements. Figure 1 highlights the different modules. What follows is a detailed assessment of the specific functionalities required.

Enterprise risk management:
• Perform business risk assessments.
• Prioritize risks and prepare mitigation plans.
• Actively monitor changes in risk profile.
• Report incidents.

Policies and control repository:
• Map policy requirements to processes, risks and controls.
• Maintain a repository of test scripts/data.
• Automatically report on results.
• Track exception and remediation plans.

Security and segregation of duties:
• Facilitate automated testing of system access controls.
• Facilitate automated testing of segregation of duties.

Audit lifecycle management:
• Document independent audit activities.
• Provide quality assurance over compliance activities.
• Report results.
• Track exceptions and remediation activities.

Figure 1: Components of GRC (GRC Central Repository; Policies and Control Repository; Enterprise Risk Management; Security and Segregation of Duties; Audit Lifecycle Management)

Investment in specific modules depends on budget decisions from various units. As no single person “owns” four module deployments, there should be proper alignment among different stakeholders to buy one solution for all of their requirements. Hence, selection of a GRC vendor is a process that should be orchestrated carefully to avoid redundant solutions and to achieve cost savings. (See GRC Tools and Vendor Consideration Process further down on how to make this happen.)

All of the above mentioned regulations/framework can be centrally configured in GRC, as shown in Figure 2, next page.

GRC Technology Vendor Overview

GRC vendors can be classified into three main categories:

• GRC integrated with ERP solutions: SAP and Oracle are the only integrated GRC solutions available. SAP’s GRC 10 is tightly integrated
  • 3.

with SAP’s ERP solutions in terms of design and architecture, which ensures more automated operations at a reduced cost and strong systems performance.

• GRC-focused solutions: These solutions lack ERP integration and process automation. Hence, their performance and automation pales in comparison with GRC solutions integrated with ERP.
• GRC niche solutions: This category includes proven solutions from companies such as Approva. For example, Approva’s Bizrights is a leading product in the European market and is positioned as a hybrid solution between integrated and GRC-focused offerings in terms of benefits.

What follows is a discussion of vendor considerations and an assessment of SAP GRC and Approva One (the latest version of Approva Bizrights), two solutions with which we have vast experience implementing for numerous pharma companies.

GRC Tools and Vendor Consideration Process

Figure 3, next page, depicts a typical pharma company’s organizational hierarchy. There are many questions to help understand your organization’s GRC needs. We list some of the more important ones below:

What is the value proposition you anticipate from GRC?

• Do you need a single source risk and control solution?
• It is nothing but a centralized repository of risks and controls across all regulations.

Solution benefits:
• Easy communication to audit stakeholders.
• Reliable change control.
• Automated updates to control set.
• Systematic allocation of ownership and accountability.

Figure 2: GRC Technology Cross-Functional GRC Capability

Global Compliance Platform

1. Maintenance of central master data structures:
• Multiple compliance frameworks.
• Business objectives.
• Organizational hierarchy.
• Risk and response catalog.
• Account groups and financial assertions.
• Policies and procedures (lifecycle management).
• Entity level controls catalog.
• Process and controls repository.
• Control objectives catalog.

2. Maintenance of “central” evaluation templates:
• Assessment plans (survey library).
• Manual test plans.
• Automated test scripts.

3. Cross-compliance planning and reporting platform:
• Centralized planning and monitoring of ongoing compliance activities.
• Holistic view of compliance activities across multiple frameworks.

Compliance Framework SoX; Compliance Framework – UK Bribery Act; Compliance Framework – COBIT; Compliance Framework – Contract

1. Assignment of relevant central master data (ability to allow or prevent local modifications).
2. Assignment of relevant control evaluation templates (standardization of testing/assessment procedures).
3. Compliance-specific reporting platform and evidence repository.
4. Ability to allow or prevent “shared evaluations” with other compliance framework(s).
5. Compliance-specific roles and authorization model.
  • 4.

• Formalization of control framework.
• Reduced controls.

Do you need a tool to address cross-functional control and compliance framework requirements?

Your organization might require a tool to manage diversified compliance requirements such as financial control framework (FCF), IS control framework and SOX control framework under one single roof.

Solution benefits:
• Reduced rework and duplication of compliance data.
• Effective utilization of controls: Linkage of key controls to multiple regulation risks.
• Linkage to organization policies and procedures.

Would you like to automate the control self-assessment cycle?

This means you can enter control validation procedures and results within GRC. The entire lifecycle of self-assessment, from self-assurance to control effectiveness reporting, would then be automated with the help of GRC.

Solution benefits:
• Effective risk assessment and scoping.
• Roll-forward capability.
• Automatic communication.
• Status reporting and escalation management.

Does your organization desire sophisticated reporting and remediation trend analysis?

This is necessary for organizations that are not happy with the reporting features of their current compliance tool. GRC provides much improved reporting on violations and helps predict remediation trends.

Solution benefits:
• Reduced reliance on off-line progress.
• Flexible visibility of control operation and remediation progress.
• Targeted remediation effort.

Has your organization had to confront concerns voiced by the business that it is being over-audited?

This means that synergy and alignment are required among different compliance-relevant procedures performed by multiple lines of defense.

Solution benefits:
• Efficient effort and reduced duplication.

Does your organization require the complete insight of continuous monitoring: data, control and transactions?

This question concerns whether the business needs thorough monitoring on transactions being done through the ERP systems against pre-configured rules. For example, monitoring to be done on the purchase module will yield the following insights:
• Who performed more purchases?
• Was it appropriately approved?
• Were purchases realized into inventories?

Figure 3: Pharma Industry Organizational Hierarchy (Pharma PLC; R&D; Finance; Operations and IS; Commercial; Global Compliance; Regional Audit Group; Group Internal Audit)
  • 5.

Solution benefits:
• Automated testing of controls is performed by GRC.
• Continuous monitoring of GRC offers “detective” controls. Detective controls are the rule set/processes in place that detect violations only after the control breach. For example, if the organization decides that purchase requisitions worth more than $10,000 require three levels of approval, then any purchase worth more than $10,000 yet containing only two levels of approval will be flagged as a violation. This feature helps organizations discover how many violations occur within a particular time frame, the reasons they occur and a possible means for mitigating this issue.

Is your organization looking for integrated security and SOD along with GRC?

This means that automated user provisioning to ERP is required after segregation of duties analysis from GRC.

Solution benefits:
• Reduce SOD analysis effort.
• Automated user provisioning reduces effort from the security team and it improves reliance on complex SOD compliance.

Figure 4: Comparing Approva One vs. SAP GRC

Approva One seamlessly supports ERP products such as SAP, Oracle, PeopleSoft and CGI. It has rule templates ready for the same. Any other third-party CRM systems and HR systems can also be included within Approva One with additional custom configuration effort.

SAP GRC 10 seamlessly supports only SAP products. Though there are provisions given like non-SAP adapters for GRC or integration through IDM, etc., these are not proven.

Approva One comes with two modules: Authorization Insight and Process Insight.

• Authorization Insight: Responsible for rule book design, exception management, mitigation controls, continuous monitoring and risk analysis.
• Process Insight: Responsible for audit lifecycle management like SOX framework design, design effectiveness review, internal audit planning and testing of controls, etc.

SAP GRC 10 comes with modules for access control and process control, but as an integrated solution (in contrast with predecessor releases) also has a risk management module.

• Access Control: Access control simplifies the remediation and mitigation process with the help of process control components. It allows central management of firefighter IDs, streamlines the temporary super-user access log review by adding workflow capabilities and has business role concepts.
• Process Control: This helps to define and set up automated monitoring of controls and workflow alerts including transactional record and configuration changes at SAP ERP. SAP Business Objects GRC 10 version provides capabilities around content lifecycle management that allows the import and export of risks and controls together by enhancing the integration with AC and PC into a single enterprise risk management platform that provides summarized views representing the different organizational risks and related automated, manual and security controls from a business process perspective.
• Risk Management: SAP GRC 10 has a separate module called risk management, in contrast to Approva. This deals with risk assessment and risk prioritization. SAP risk management enables an enterprise-wide risk management process as mandated by certain legal requirements and recommended by best-practice management frameworks. SAP risk management uses the various work centers of the GRC, in which you can carry out all risk management activities. The process control component of GRC 10 complements risk management. SAP bifurcated the risk management aspect of GRC into a separate module to give better visibility to executive management who actually require a bird’s eye view of enterprise risks and their mitigation controls.
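The detective-control rule described above (purchase requisitions worth more than $10,000 require three levels of approval) can be expressed as a small rule check over transaction records. The following is an added example, not code from the white paper or from any GRC product; the record layout, user names and finding codes are hypothetical, and the self-approval and goods-receipt checks are assumptions modelled on the paper's segregation-of-duties and purchase-monitoring questions.

```python
from collections import Counter
from dataclasses import dataclass

# Rule from the white paper's example: requisitions worth more than
# $10,000 require three levels of approval.
APPROVAL_THRESHOLD_USD = 10_000
REQUIRED_APPROVAL_LEVELS = 3


@dataclass(frozen=True)
class Requisition:
    req_id: str
    requester: str
    amount_usd: float
    approvers: tuple       # one user per recorded approval level
    goods_received: bool   # purchase realized into inventory?


# Constructed sample records (hypothetical IDs, users and layout).
SAMPLE = [
    Requisition("PR-001", "alice", 4_500, ("bob",), True),
    Requisition("PR-002", "alice", 12_000, ("bob", "carol"), True),
    Requisition("PR-003", "dave", 25_000, ("bob", "carol", "erin"), False),
    Requisition("PR-004", "alice", 18_000, ("alice", "bob", "carol"), True),
    Requisition("PR-005", "dave", 10_000, ("bob",), True),
]


def check_requisition(req):
    """Return the finding codes raised by one requisition."""
    findings = []
    # Approval-level rule: strictly "more than" the threshold, so a
    # requisition of exactly $10,000 is out of scope.
    if (req.amount_usd > APPROVAL_THRESHOLD_USD
            and len(req.approvers) < REQUIRED_APPROVAL_LEVELS):
        findings.append("INSUFFICIENT_APPROVALS")
    # Segregation of duties (assumed rule): the requester must not
    # approve their own purchase, even when the number of recorded
    # approval levels looks sufficient.
    if req.requester in req.approvers:
        findings.append("SOD_SELF_APPROVAL")
    # Purchase with no matching goods receipt (assumed check).
    if not req.goods_received:
        findings.append("NO_GOODS_RECEIPT")
    return findings


def run_detective_control(requisitions):
    """Map requisition ID -> findings, for records with at least one."""
    report = {}
    for req in requisitions:
        findings = check_requisition(req)
        if findings:
            report[req.req_id] = findings
    return report


def top_requester(requisitions):
    """Return (user, count) for whoever raised the most requisitions."""
    counts = Counter(req.requester for req in requisitions)
    return counts.most_common(1)[0]


if __name__ == "__main__":
    for req_id, findings in run_detective_control(SAMPLE).items():
        print(req_id, ", ".join(findings))
    print("Most requisitions:", top_requester(SAMPLE))
```

PR-004 carries three recorded approval levels and so passes the threshold rule, yet it is still flagged because the requester is one of the approvers, which is why the approval-count check and the segregation-of-duties check are evaluated separately.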
  • 6.

Other questions to resolve include:

• Do you know the ratings/pros and cons of various compliance tools in the market?
» Before you start researching GRC solutions, ensure that you read recent analysis from Forrester and Gartner – the two top market research companies.
• What needs to be considered before constituting the program to identify a suitable GRC vendor?
» Key users of compliance are in finance. But be sure to include other key stakeholders/representatives in the GRC program, according to their weight in compliance needs.
» Primarily target your organization’s ERP environment. But be sure to include all tools that fall within the compliance ring.
» Elicit needs for different control repositories.
» Get inputs from local, regional integrated assurance teams on current compliance manual processes or tools.
» Perform an overall assessment of current compliance tools and processes.

In a nutshell, GRC vendor selection always starts with:

• An in-depth self-assessment of your compliance requirements.
• An assessment of the underlying business environment, covering:
» IT infrastructure.
» Controls maturity.
» Lines of defense model.

Approva One Bizrights and SAP Business Objects GRC-10 are good packages to consider among many strong GRC solutions on the market.

In its latest release, Approva One offers innovations such as a provision to follow up on SOD remediation and a user interface for end-to-end mitigation processes. Approva continues to concentrate on its core strengths (i.e., it is easy to operate, flexible, supports a wide range of financial systems and has lower procurement and operating costs).

SAP Business Objects GRC-10 has been nicely upgraded. From a technical perspective, SAP GRC has moved from the Java programming language to ABAP. This core change allows centralized support across all its components. The SAP GRC solution’s new platform improves change management processes by leveraging existing transport systems, background job scheduling, archiving and other standard SAP features. SAP Roadmap for GRC promises continuous innovations by releasing updated GRC functionalities and patches, which bodes well for its customer base.

On the other hand, Approva, as noted earlier, has also improved the capabilities of its Approva One offering, with additional updates expected. Hence, these two products are worthy of consideration for pharma GRC requirements.

References

• Gartner’s French Caldwell, Tom Scholtz, John Hagerty, "Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms," July 13 2011, pp. 9-14, http://fm.sap.com/data/UPLOAD/files/Gartner_Magic_Quadrant_for_EGRC_(July_2011)%5B1%5D.pdf.
• Forrester’s Chris McClean with Stephanie Balaouras and Nicholas M. Hayes, "Enterprise Governance, Risk, and Compliance Platforms, Q4 2011," Dec 2 2011, pp. 9-10, http://www.protiviti.co.in/en-US/Documents/About-Us/The-Forrester-Wave-Enterprise-Governance-Risk-and-Compliance-Platforms-Q4-2011.pdf.

About the Author

Karthikeyan Muniappan is a Senior SAP Consultant in Cognizant’s Enterprise Application Systems Practice and is a member of its SAP basis Sub-practice. He won an innovation award in 2011 from Cognizant and SAP India for his contribution to SOX/SOD compliance and the relevant toolset. Karthik has a master of engineering degree from Anna University in computer science and engineering. He can be reached at Karthikeyan.Muniappan@cognizant.com.
  • 7. About Cognizant

Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50 delivery centers worldwide and approximately 162,700 employees as of March 31, 2013, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com for more information.

World Headquarters: 500 Frank W. Burr Blvd., Teaneck, NJ 07666 USA. Phone: +1 201 801 0233. Fax: +1 201 801 0243. Toll Free: +1 888 937 3277. Email: inquiry@cognizant.com

European Headquarters: 1 Kingdom Street, Paddington Central, London W2 6BD. Phone: +44 (0) 207 297 7600. Fax: +44 (0) 207 121 0102. Email: infouk@cognizant.com

India Operations Headquarters: #5/535, Old Mahabalipuram Road, Okkiyam Pettai, Thoraipakkam, Chennai, 600 096 India. Phone: +91 (0) 44 4209 6000. Fax: +91 (0) 44 4209 6060. Email: inquiryindia@cognizant.com

© Copyright 2013, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.