Industry

Animal Health

Region

North America

Company Profile

The customer is a global Life Sciences company operating in over 50 international markets. With $5bn annual turnover it has more than 4000 employees.

Challenge

The customer was separating out (divesting) from a Fortune 50 organization with a need to install and implement a solution across a wide range of GRC activities:  Compliance Objectives Framework, Vendor Management, Data Privacy Management, Security Testing Results, Anti-Corruption, Quality Management (Actions, Deviations, Events), Risk Management (Technology, Enterprise).

There were many good legacy best practice processes but no licenses for legacy solutions. Legacy processes were performed across 6 different systems and there were also many spreadsheet based processes. Legacy data was disparate and hard to use for executive reporting.

Our Approach

AdaptiveGRC solution suite was selected and implemented to meet GRC requirements and needs mentioned above.

First, executive sponsorship was ensured, the intended path was socialized and the right representative team was put together. Next step was to distill the objectives (activities and metrics) and identify the organizations priority order for releasing and operationalizing their GRC activities. Then the required benefits were captured and kept at the heart of each stage.

Having all of the above in place, a ‘vanilla’ AdaptiveGRC system was provided – with all the components set-up in COTS (out of the box) configuration, ready to customize and configure.

The next phase was setting up the central GRC engineering pillars by distilling the primary GRC engineering correlation points, such as:

• Governance Factors – the primary regulations, standards and guidelines used by the organization to drive their GRC activities and executive reporting. In this case including Information Security (ISO27001), Data Privacy, SOX, PCI DSS, FDA regulations and more.
• Process Streams – process scenarios that the company usually uses to check on compliance status.

Then we configured the GRC engineering pillars in the AdaptiveGRC application for universal use across the system.

A stepped approach was taken to each delivery:

• Analyze, understand and leverage legacy best practices
• Ensure any unmet needs and challenges are captured
• Design configuration for the activity using GRC engineering pillars while continuing best practices and meeting the previously unmet needs
• Verify and socialize plans with all primary stakeholders
• Modify and adjust based on feedback
• Configure
• Train pilot users
• Deliver to testing
• Address any improvement items
• Deploy pilot
• Address any improvement items
• Full operational use of the GRC activity

As each process was deployed, we ensured that all high value information sharing opportunities are leveraged. As an example: for data privacy details about what internal and external service providers ‘touch’ the system was captured. This information is correlated in the process against the provider record, so as well as being able to review suppliers for each system, it is also possible to look at what systems each provider is involved with.

During the step-based implementation process of three AdaptiveGRC modules (Compliance Manager, EA Manager, Quality Manager) the following GRC functions were delivered: Compliance Requirements Framework, Vendor Risk Profiling, Application Risk Profiling, Vendor Compliance Assessments, Privacy Change Reporting, Security Testing Results Management, Anti-Corruption Assessments, Quality Management (Events, Findings, CAPAs, Deviations).

Outcome