For pharmaceuticals companies facing increasing oversight and regulatory constraints, governance, risk management and compliance (GRC) tools are playing a more critical role, sometimes in combination with ERP. We compare the Approva Bizrights and SAP GRC 10 software tools while offering a framework for choosing a suitable GRC package.
Crafting an End-to-End Pharma GRC Strategy
Cognizant 20-20 Insights | June 2013

Executive Summary
The pharmaceuticals industry and related businesses are mandated to comply with diverse regulatory standards in different countries. These include the Sarbanes-Oxley Act (SOX) in the U.S., and good manufacturing practice (GMP), good laboratory practice (GLP), good pharmacy practice, etc. in the U.S. and elsewhere. Hence, spending on governance, risk management and compliance (GRC) tools is necessary.
This white paper details pharma-specific key business processes and the suitable GRC technologies available in the market.

GRC Market Dynamics
With steady year-over-year growth, GRC tools are delivering increasing benefits to pharmaceuticals companies seeking to streamline and automate their compliance processes worldwide. To properly leverage GRC, pharma companies must see GRC as more than a tool or technology. Technology without proper direction is not going to help most companies anyway. What they need is a direction/approach toward compliance in addition to tools. This compliance strategy could comprise processes, a roadmap, operating procedures, etc.
Understanding the most appropriate regulatory compliance solution extends beyond pure technological functionalities; it requires an intimate understanding of the policies and procedures required to achieve meaningful compliance with regulations worldwide.

GRC Technology Investment Drivers
Corporate boards and senior executives of pharma majors are seeking greater visibility and insight into the effectiveness of controls and compliance across their organizations, to honor commitments to investors and to gain customer confidence. Key factors influencing the recent growth of GRC include:
• Business transformation and SAP consolidation programs, primarily to protect investments in existing IT systems and tools.
• Global shared service centers and control centers, for better utilization of resources and to ensure transparency in financial control across organizations.
• Increased regulatory requirements, along with the persistent pressure to reduce the cost of compliance and assurance.
• Demand for integrated compliance tools to address the widespread needs of different compliance groups within the organization and to consolidate disparate indicators and standards for judging compliance across the organization.
• Pharma companies are under enormous pressure since they need to assure clinical trial and drug manufacturing quality standards to consumers/government, in addition to finance-related assurance to stakeholders. Pharma businesses expect – and are ready – to invest in GRC solutions that address all of their requirements. This eventually created a wave of innovation among GRC vendors.

GRC Technology Overview
Today’s compliance departments need an integrated solution to address various stakeholder requirements. Figure 1 highlights the different modules. What follows is a detailed assessment of the specific functionalities required.
Enterprise risk management:
• Perform business risk assessments.
• Prioritize risks and prepare mitigation plans.
• Actively monitor changes in the risk profile.
• Report incidents.
Policies and control repository:
• Map policy requirements to processes, risks and controls.
• Maintain a repository of test scripts/data.
• Automatically report on results.
• Track exception and remediation plans.
Security and segregation of duties:
• Facilitate automated testing of system access controls.
• Facilitate automated testing of segregation of duties.
Audit lifecycle management:
• Document independent audit activities.
• Provide quality assurance over compliance activities.
• Report results.
• Track exceptions and remediation activities.
Figure 1: Components of GRC. A GRC central repository with four modules: policies and control repository, enterprise risk management, security and segregation of duties, and audit lifecycle management.
Investment in specific modules depends on budget decisions from various units. As no single person “owns” all four module deployments, there should be proper alignment among the different stakeholders to buy one solution for all of their requirements. Hence, selection of a GRC vendor is a process that should be orchestrated carefully to avoid redundant solutions and to achieve cost savings. (See GRC Tools and Vendor Consideration Process further down on how to make this happen.)
All of the above-mentioned regulations/frameworks can be centrally configured in GRC, as shown in Figure 2.

GRC Technology Vendor Overview
GRC vendors can be classified into three main categories:
• GRC integrated with ERP solutions: SAP and Oracle are the only integrated GRC solutions available. SAP’s GRC 10 is tightly integrated with SAP’s ERP solutions in terms of design and architecture, which ensures more automated operations at a reduced cost and strong systems performance.
• GRC-focused solutions: These solutions lack ERP integration and process automation. Hence, their performance and automation pale in comparison with GRC solutions integrated with ERP.
• GRC niche solutions: This category includes proven solutions from companies such as Approva. For example, Approva’s Bizrights is a leading product in the European market and is positioned as a hybrid solution between integrated and GRC-focused offerings in terms of benefits.
What follows is a discussion of vendor considerations and an assessment of SAP GRC and Approva One (the latest version of Approva Bizrights), two solutions which we have vast experience implementing for numerous pharma companies.
Figure 2: GRC technology – cross-functional GRC capability. A global compliance platform provides:
1. Maintenance of central master data structures: multiple compliance frameworks; business objectives; organizational hierarchy; risk and response catalog; account groups and financial assertions; policies and procedures (lifecycle management); entity-level controls catalog; process and controls repository; control objectives catalog.
2. Maintenance of “central” evaluation templates: assessment plans (survey library); manual test plans; automated test scripts.
3. Cross-compliance planning and reporting platform: centralized planning and monitoring of ongoing compliance activities; holistic view of compliance activities across multiple frameworks.
Each compliance framework (SOX, UK Bribery Act, COBIT, Contract) is then configured with:
1. Assignment of relevant central master data (with the ability to allow or prevent local modifications).
2. Assignment of relevant control evaluation templates (standardization of testing/assessment procedures).
3. A compliance-specific reporting platform and evidence repository.
4. The ability to allow or prevent “shared evaluations” with other compliance framework(s).
5. A compliance-specific roles and authorization model.

GRC Tools and Vendor Consideration Process
Figure 3 depicts a typical pharma company’s organizational hierarchy.
There are many questions to help understand your organization’s GRC needs. We list some of the more important ones below:
What is the value proposition you anticipate from GRC?
• Do you need a single-source risk and control solution?
• This is nothing but a centralized repository of risks and controls across all regulations.
Solution benefits:
• Easy communication to audit stakeholders.
• Reliable change control.
• Automated updates to the control set.
• Systematic allocation of ownership and accountability.
• Formalization of the control framework.
• Reduced controls.
Do you need a tool to address cross-functional control and compliance framework requirements?
Your organization might require a tool to manage diversified compliance requirements such as a financial control framework (FCF), IS control framework and SOX control framework under one single roof.
Solution benefits:
• Reduced rework and duplication of compliance data.
• Effective utilization of controls: linkage of key controls to multiple regulation risks.
• Linkage to organization policies and procedures.
Would you like to automate the control self-assessment cycle?
This means you can enter control validation procedures and results within GRC. The entire lifecycle of self-assessment, from self-assurance to control effectiveness reporting, would then be automated with the help of GRC.
Solution benefits:
• Effective risk assessment and scoping.
• Roll-forward capability.
• Automatic communication.
• Status reporting and escalation management.
Does your organization desire sophisticated reporting and remediation trend analysis?
This is necessary for organizations that are not happy with the reporting features of their current compliance tool. GRC provides much improved reporting on violations and helps predict remediation trends.
Solution benefits:
• Reduced reliance on off-line progress tracking.
• Flexible visibility of control operation and remediation progress.
• Targeted remediation effort.
Has your organization had to confront concerns voiced by the business that it is being over-audited?
This means that synergy and alignment are required among the different compliance-relevant procedures performed by multiple lines of defense.
Solution benefits:
• Efficient effort and reduced duplication.
Does your organization require complete insight from continuous monitoring of data, controls and transactions?
This question concerns whether the business needs thorough monitoring of transactions being done through the ERP systems against pre-configured rules. For example, monitoring the purchase module will yield the following insights:
• Who performed more purchases?
• Were they appropriately approved?
• Were purchases realized into inventories?
Figure 3: Pharma industry organizational hierarchy. Pharma PLC with R&D, Finance, Operations and IS, Commercial and Global Compliance functions, plus the Regional Audit Group and Group Internal Audit.
Solution benefits:
• Automated testing of controls is performed by GRC.
• Continuous monitoring in GRC offers “detective” controls. Detective controls are the rule set/processes in place that detect violations only after the control breach. For example, if the organization decides that purchase requisitions worth more than $10,000 require three levels of approval, then any purchase worth more than $10,000 yet carrying only two levels of approval will be flagged as a violation. This feature helps organizations discover how many violations occur within a particular time frame, the reasons they occur and possible means for mitigating the issue.
Is your organization looking for integrated security and SOD along with GRC?
This means that automated user provisioning to the ERP is required after segregation of duties (SOD) analysis in GRC.
Solution benefits:
• Reduced SOD analysis effort.
• Automated user provisioning reduces effort for the security team and improves reliance on complex SOD compliance.
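To make the detective approval-threshold rule and the SOD analysis described above concrete, here is an added example (not code from the paper, Approva or SAP) that evaluates both rule types over constructed purchase-requisition and role-assignment data; the role names, the SOD rule book and the sample records are hypothetical.

```python
# Added example: detective approval-threshold control plus SOD rule, over constructed data.
# Role names, rule book and records are hypothetical, not Approva's or SAP's.
from collections import Counter
from dataclasses import dataclass

APPROVAL_THRESHOLD = 10_000   # purchases above $10,000 (the paper's example) ...
REQUIRED_APPROVALS = 3        # ... need three levels of approval
# Hypothetical SOD rule book: role pairs that one user must not hold together.
SOD_RULEBOOK = {
    ("PR_CREATE", "PR_APPROVE"): "can create and approve own requisitions",
    ("VENDOR_MAINTAIN", "PAYMENT_RELEASE"): "can maintain vendors and release payments",
}

@dataclass
class Requisition:
    doc_id: str
    period: str        # reporting period, e.g. "2013-05"
    amount: float
    requester: str
    approvals: list    # approver user IDs, one per approval level

def check_approval_control(reqs):
    """Detective control, run after the fact over posted documents: flags
    over-threshold requisitions with too few approvals, and self-approvals."""
    findings = []
    for r in reqs:
        if r.amount > APPROVAL_THRESHOLD and len(r.approvals) < REQUIRED_APPROVALS:
            findings.append((r.doc_id, r.period, f"{len(r.approvals)} of {REQUIRED_APPROVALS} approvals"))
        if r.requester in r.approvals:
            findings.append((r.doc_id, r.period, "requester approved own requisition"))
    return findings

def violations_by_period(reqs):
    """Trend view: how many violations occurred in each reporting period."""
    return dict(Counter(period for _, period, _ in check_approval_control(reqs)))

def check_sod(user_roles):
    """Preventive SOD analysis over role assignments (run before provisioning a role)."""
    return [(user, a, b, why) for user, roles in user_roles.items()
            for (a, b), why in SOD_RULEBOOK.items() if a in roles and b in roles]

# Constructed sample data (not real transactions or users).
SAMPLE_REQS = [
    Requisition("PR-1001", "2013-05", 25_000, "jsmith", ["amgr", "bdir", "cvp"]),
    Requisition("PR-1002", "2013-05", 18_000, "jsmith", ["amgr", "bdir"]),
    Requisition("PR-1003", "2013-06", 8_000, "kchen", ["amgr"]),
    Requisition("PR-1004", "2013-06", 42_000, "lpatel", ["lpatel", "amgr", "bdir"]),
]
SAMPLE_ROLES = {
    "amgr": {"PR_APPROVE", "VENDOR_MAINTAIN"},
    "rkhan": {"PR_CREATE", "PR_APPROVE"},
    "lpatel": {"VENDOR_MAINTAIN", "PAYMENT_RELEASE"},
}
```

Running `check_approval_control(SAMPLE_REQS)` flags PR-1002 (two of three approvals) and PR-1004 (requester approved own document), while `check_sod(SAMPLE_ROLES)` reports rkhan and lpatel as holding conflicting role pairs.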
Comparing Approva One vs. SAP GRC
Figure 4
Supported systems:
Approva One seamlessly supports ERP products such as SAP, Oracle, PeopleSoft and CGI, with ready-made rule templates for each. Any other third-party CRM and HR systems can also be included within Approva One with additional custom configuration effort.
SAP GRC 10 seamlessly supports only SAP products. Though provisions such as non-SAP adapters for GRC or integration through IDM, etc. are offered, these are not proven.
Modules:
Approva One comes with two modules: Authorization Insight and Process Insight.
Authorization Insight: Responsible for rule book design, exception management, mitigation controls, continuous monitoring and risk analysis.
Process Insight: Responsible for audit lifecycle management such as SOX framework design, design effectiveness review, internal audit planning and testing of controls, etc.
SAP GRC 10 comes with modules for access control and process control, but as an integrated solution (in contrast with predecessor releases) it also has a risk management module.
Access Control: Access control simplifies the remediation and mitigation process with the help of process control components. It allows central management of firefighter IDs, streamlines the temporary super-user access log review by adding workflow capabilities and has business role concepts.
Process Control: This helps to define and set up automated monitoring of controls and workflow alerts, including transactional records and configuration changes in SAP ERP. The SAP BusinessObjects GRC 10 version provides content lifecycle management capabilities that allow risks and controls to be imported and exported together, and enhances the integration of AC and PC into a single enterprise risk management platform that provides summarized views of the different organizational risks and the related automated, manual and security controls from a business process perspective.
Risk Management: SAP GRC 10 has a separate module called risk management, in contrast to Approva. This deals with risk assessment and risk prioritization. SAP risk management enables an enterprise-wide risk management process as mandated by certain legal requirements and recommended by best-practice management frameworks. SAP risk management uses the various work centers of GRC, in which you can carry out all risk management activities. The process control component of GRC 10 complements risk management. SAP bifurcated the risk management aspect of GRC into a separate module to give better visibility to executive management, who actually require a bird’s-eye view of enterprise risks and their mitigation controls.
Approva One Bizrights and SAP BusinessObjects GRC 10 are good packages to consider among the many strong GRC solutions on the market.
In its latest release, Approva One offers innovations such as a provision to follow up on SOD remediation and a user interface for end-to-end mitigation processes. Approva continues to concentrate on its core strengths (i.e., it is easy to operate, flexible, supports a wide range of financial systems and has lower procurement and operating costs).
SAP BusinessObjects GRC 10 has been nicely upgraded. From a technical perspective, SAP GRC has moved from the Java programming language to ABAP. This core change allows centralized support across all its components. The SAP GRC solution’s new platform improves change management processes by leveraging existing transport systems, background job scheduling, archiving and other standard SAP features. SAP’s roadmap for GRC promises continuous innovation by releasing updated GRC functionalities and patches, which bodes well for its customer base. On the other hand, Approva, as noted earlier, has also improved the capabilities of its Approva One offering, with additional updates expected. Hence, these two products are worthy of consideration for pharma GRC requirements.
Other questions to resolve include:
• Do you know the ratings/pros and cons of the various compliance tools in the market?
» Before you start researching GRC solutions, ensure that you read recent analysis from Forrester and Gartner, the two top market research companies.
• What needs to be considered before constituting the program to identify a suitable GRC vendor?
» The key users of compliance are in finance. But be sure to include other key stakeholders/representatives in the GRC program, according to their weight in compliance needs.
» Primarily target your organization’s ERP environment. But be sure to include all tools that fall within the compliance ring.
» Elicit needs for different control repositories.
» Get inputs from local and regional integrated assurance teams on current manual compliance processes or tools.
» Perform an overall assessment of current compliance tools and processes.
In a nutshell, GRC vendor selection always starts with:
• An in-depth self-assessment of your compliance requirements.
• An assessment of the underlying business environment, covering:
» IT infrastructure.
» Controls maturity.
» Lines of defense model.
References
• French Caldwell, Tom Scholtz and John Hagerty (Gartner), "Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms," July 13, 2011, pp. 9-14, http://fm.sap.com/data/UPLOAD/files/Gartner_Magic_Quadrant_for_EGRC_(July_2011)%5B1%5D.pdf.
• Chris McClean with Stephanie Balaouras and Nicholas M. Hayes (Forrester), "The Forrester Wave: Enterprise Governance, Risk, and Compliance Platforms, Q4 2011," Dec 2, 2011, pp. 9-10, http://www.protiviti.co.in/en-US/Documents/About-Us/The-Forrester-Wave-Enterprise-Governance-Risk-and-Compliance-Platforms-Q4-2011.pdf.
About the Author
Karthikeyan Muniappan is a Senior SAP Consultant in Cognizant’s Enterprise Application Systems Practice and is a member of its SAP Basis sub-practice. He won an innovation award in 2011 from Cognizant and SAP India for his contribution to SOX/SOD compliance and the relevant toolset. Karthik has a master of engineering degree in computer science and engineering from Anna University. He can be reached at Karthikeyan.Muniappan@cognizant.com.