Success Story

A Global Life Sciences Company Implements Adaptivegrc Solution Suite For Various Governance And Compliance Needs

Industry

Animal Health

Region

North America

Company Profile

The customer is a global Life Sciences company operating in over 50 international markets. With $5bn annual turnover it has more than 4000 employees.

Challenge

The customer was separating out (divesting) from a Fortune 50 organization with a need to install and implement a solution across a wide range of GRC activities:  Compliance Objectives Framework, Vendor Management, Data Privacy Management, Security Testing Results, Anti-Corruption, Quality Management (Actions, Deviations, Events), Risk Management (Technology, Enterprise).

There were many good legacy best practice processes but no licenses for legacy solutions. Legacy processes were performed across 6 different systems and there were also many spreadsheet based processes. Legacy data was disparate and hard to use for executive reporting.

Key Benefits

90%

Increased Operational Efficiency of GRC Activities

51%

Decreased System Operation Costs

34%

Better Cross-department Information Sharing

29%

Simplification of Compliance Processes

AdaptiveGRC System Owner

Our Approach

AdaptiveGRC solution suite was selected and implemented to meet GRC requirements and needs mentioned above.

First, executive sponsorship was ensured, the intended path was socialized and the right representative team was put together. Next step was to distill the objectives (activities and metrics) and identify the organizations priority order for releasing and operationalizing their GRC activities. Then the required benefits were captured and kept at the heart of each stage.

Having all of the above in place, a ‘vanilla’ AdaptiveGRC system was provided – with all the components set-up in COTS (out of the box) configuration, ready to customize and configure.

The next phase was setting up the central GRC engineering pillars by distilling the primary GRC engineering correlation points, such as:

  • Governance Factors – the primary regulations, standards and guidelines used by the organization to drive their GRC activities and executive reporting. In this case including Information Security (ISO27001), Data Privacy, SOX, PCI DSS, FDA regulations and more.
  • Process Streams – process scenarios that the company usually uses to check on compliance status.

Then we configured the GRC engineering pillars in the AdaptiveGRC application for universal use across the system.

A stepped approach was taken to each delivery:

  • Analyze, understand and leverage legacy best practices
  • Ensure any unmet needs and challenges are captured
  • Design configuration for the activity using GRC engineering pillars while continuing best practices and meeting the previously unmet needs
  • Verify and socialize plans with all primary stakeholders
  • Modify and adjust based on feedback
  • Configure
  • Train pilot users
  • Deliver to testing
  • Address any improvement items
  • Deploy pilot
  • Address any improvement items
  • Full operational use of the GRC activity

As each process was deployed, we ensured that all high value information sharing opportunities are leveraged. As an example: for data privacy details about what internal and external service providers ‘touch’ the system was captured. This information is correlated in the process against the provider record, so as well as being able to review suppliers for each system, it is also possible to look at what systems each provider is involved with.

During the step-based implementation process of three AdaptiveGRC modules (Compliance Manager, EA Manager, Quality Manager) the following GRC functions were delivered: Compliance Requirements Framework, Vendor Risk Profiling, Application Risk Profiling, Vendor Compliance Assessments, Privacy Change Reporting, Security Testing Results Management, Anti-Corruption Assessments, Quality Management (Events, Findings, CAPAs, Deviations).

Outcome

  • Vastly improved metrics and earlier identification of issues and risks – now analyzable across the enterprise and in real time

  • Decreased system operation costs: savings of millions of dollars compared to global licenses for multiple legacy systems, zero installation footprint (operates via browser), no internal infrastructure requirement (cloud hosted)

  • Simplification of processes

  • Increased operational efficiency of GRC activities and lower operational impact

  • Faster system speeds – no data latency (everything is immediately available)

  • Improved collaboration capabilities and better cross-department information sharing

  • Integration with other high value data sources (e.g. CMDB, Active Directory, Attack & Penetration)

Other Success Stories

Pharma Companies That Trusted Us: