The customer is a global Life Sciences company operating in over 50 international markets, with annual turnover of $5bn and more than 4000 employees.
The customer was separating out (divesting) from a Fortune 50 organization and needed to install and implement a solution covering a wide range of GRC activities: Compliance Objectives Framework, Vendor Management, Data Privacy Management, Security Testing Results, Anti-Corruption, Quality Management (Actions, Deviations, Events) and Risk Management (Technology, Enterprise).
There were many good legacy best-practice processes, but no licenses for the legacy solutions that supported them. Legacy processes were performed across 6 different systems, and many further processes were spreadsheet-based. Legacy data was disparate and hard to use for executive reporting.
So far, the Risk Management & Compliance group has set up the initial baseline of compliance control requirements and implemented a Vendor Compliance Assessment Service (VCAS) and several other services. We are also supporting Legal & Procurement in the delivery of FCPA and due diligence through the same platform, reducing the number of systems, lowering costs and improving the visibility of compliance status information.
First, executive sponsorship was secured, the intended path was socialized and the right representative team was put together. The next step was to distill the objectives (activities and metrics) and identify the organization's priority order for releasing and operationalizing its GRC activities. Then the required benefits were captured and kept at the heart of each stage.
With all of the above in place, a ‘vanilla’ AdaptiveGRC system was provided, with all components set up in COTS (out-of-the-box) configuration, ready to customize and configure.
Then we configured the GRC engineering pillars in the AdaptiveGRC application for universal use across the system.
As each process was deployed, we ensured that every high-value information-sharing opportunity was leveraged. As an example: for data privacy, details of which internal and external service providers ‘touch’ each system were captured. In the process this information is correlated against the provider record, so as well as being able to review the suppliers for each system, it is also possible to look at which systems each provider is involved with.
During the step-based implementation of three AdaptiveGRC modules (Compliance Manager, EA Manager, Quality Manager), the following GRC functions were delivered: Compliance Requirements Framework, Vendor Risk Profiling, Application Risk Profiling, Vendor Compliance Assessments, Privacy Change Reporting, Security Testing Results Management, Anti-Corruption Assessments and Quality Management (Events, Findings, CAPAs, Deviations).