Risk and Compliance Management

A painful manual process improving with automation

By: Jeff Schwartz

Avior Computing Corp.

Most executives would agree that achieving regulatory compliance across a life science company has become nearly impossible. However, strict enforcement of global regulations, the potential of crippling business impact, and the need for brand and patient protection also makes necessary the pursuit of proactive risk management and global compliance. Companies large and small are moving heaven and earth in order to pull together a snapshot-in-time of overall risk and risk priorities for their organizations.

Functional groups across an organization have varying degrees of focus and control around their own risk and compliance processes. Departments like Corporate Compliance, Risk Management, QC/QA, Supply Chain, IT, Clinical, Commercial Operations, R&D, EHS, Safety, and RA are all required to assess risk and compliance against growing and dynamic — and sometimes contradictory — global regulations and internal policies, down to the control level. Visit any of these groups and you will find several complex multi-tab spreadsheets that are used to collect a wide range of assessment data from responders inside and outside the company walls. The spreadsheets are typically e-mailed to responders and, when completed, returned along with separate supporting documents.

This is where existing processes often come apart — when completed assessments and attachments are dropped into a document management system or home-grown risk database and checked off as complete — because it is a grueling task to actually review answers and map them to compliance requirements, internal policies and the relevant regulations. Often, a key risk indicator is flagged and possibly remediated by one functional area, but many opportunities for improvement and risk mitigation via remediation are missed, and operations are left at risk of facing severe consequences.

Pulling together summary reports on key risks and remediation progress from each functional group, so that projects can be prioritized and budgeted, is difficult at best and often left to “gut” decisions. When risk and compliance management remains disjointed and reactive due to bad process and resource constraints, businesses are left with:

  • Little visibility as to brand, product, and organizational risk and compliance exposure
  • Functional groups that are unprepared for audits
  • Continuous exposure to legal action, fines, and revenue loss
  • Patient safety liabilities

The good news is that it doesn’t have to be this hard. There are now solutions that efficiently tie regulations and controls to assessments, and have platforms for managing projects and workflows. Non-conformance gaps and risk can be quickly identified, prioritized, and remediated.

Establishing a Compliance Framework
Highly regulated industries, such as life sciences, must comply with extensive and complex regulations. The relevant regulations often impose common or overlapping requirements. To make the process more efficient and ensure full compliance, organizations will often rely on a framework composed of an organized set of controls used to measure compliance against multiple regulations, standards, and best practices in Governance, Risk and Compliance (GRC). Every organization will also need a framework to measure compliance risk from third parties.

An effective framework is built around three key elements:
  1. Authoritative Sources: The global regulations, laws, industry standards and policies that apply to an organization. Some of these are mandated. FDA and EMA impose legal regulations for life science companies, and Sarbanes-Oxley (SOX) sets requirements for publicly traded firms. State governments have privacy laws to protect against the disclosure of personal information. If you process credit card transactions, the Payment Card Industry Data Security Standard (PCI DSS) is required by the credit card companies. Other sources are at the discretion of the organization. For IT security, the organization may adopt ISO 27002. The organization may have policies that are required as part of its best practices. Some of these authoritative sources are also considered frameworks. The Unified Compliance Framework (UCF) is a framework for IT security. Most companies with common characteristics in a given industry will have the same mandated requirements.
  2. Controls: A Control is a requirement imposed by the relevant Authoritative Sources. A Control may define a process to mitigate risks, enforce a mandated policy statement, and/or address the directive of an Authoritative Source. A Control may have one or many Control Tests associated with it, to verify that the Control is effective and thus that compliance is maintained. Controls can also be associated directly with Authoritative Source content, allowing an organization’s internal controls to be mapped to those mandated by the Authoritative Source.
  3. Control Level Associations: This is the process of harmonizing the various regulatory requirements so that common requirements from multiple sources are mapped to a single Control. This is also referred to as cross mapping. This process minimizes overlap and resolves conflicting requirements. Obviously, as regulations are imposed or changed, this mapping must be updated.

Figure 1: Dynamic Compliance Matrix – Maps regulation and policy controls to each other and to assessments

Developing and maintaining associations between specific regulatory requirements, standards, controls, and assessment questions requires significant effort, and is a costly part of the compliance challenge. Automation can help, but solutions vary in sophistication and effectiveness. In addition to the regulatory mandates, you must also consider your organization’s own policies, which should be mapped against the regulatory controls. Many organizations will have company-specific IT policies or corporate ethics standards.
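As an added illustration of the three framework elements above (this is example code, not the article's or Avior's own), the following Python models requirements from several authoritative sources cross-mapped to controls with control tests, then reports gaps in the mapping and a per-source compliance score. The source names are those the article cites; the clause labels, control IDs and test names are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Requirement:
    source: str  # authoritative source, e.g. "PCI DSS"
    ref: str     # clause label; values below are constructed, not real citations


@dataclass
class Control:
    control_id: str
    requirements: frozenset  # cross-mapped requirements, possibly from several sources
    tests: dict = field(default_factory=dict)  # control test -> True/False, None = not run


def control_status(control):
    """A control is compliant only when every control test has run and passed."""
    results = list(control.tests.values())
    if not results or any(r is None for r in results):
        return "untested"
    return "compliant" if all(results) else "non-conformant"


def unmapped_requirements(requirements, controls):
    """Requirements that no control is associated with: gaps in the cross mapping itself."""
    mapped = {r for c in controls for r in c.requirements}
    return sorted((r.source, r.ref) for r in requirements if r not in mapped)


def score_by_source(requirements, controls):
    """Per authoritative source: fraction of its requirements backed only by compliant controls."""
    status_by_req = {}
    for c in controls:
        for r in c.requirements:
            status_by_req.setdefault(r, []).append(control_status(c))
    tally = {}
    for r in requirements:
        ok = bool(status_by_req.get(r)) and all(s == "compliant" for s in status_by_req[r])
        met, total = tally.get(r.source, (0, 0))
        tally[r.source] = (met + ok, total + 1)
    return {src: round(met / total, 2) for src, (met, total) in tally.items()}


# Constructed sample: one access-control requirement shared by PCI DSS and ISO 27002 is
# harmonized onto a single control; the SOX requirement has no control behind it (a gap).
REQS = [Requirement("PCI DSS", "access-1"), Requirement("ISO 27002", "access-1"),
        Requirement("FDA", "records-1"), Requirement("SOX", "change-1")]
CONTROLS = [
    Control("AC-01", frozenset(REQS[:2]), {"quarterly access review": True, "MFA enforced": True}),
    Control("RM-01", frozenset({REQS[2]}), {"audit trail retained": False}),
]
```

Running `unmapped_requirements(REQS, CONTROLS)` flags the SOX clause, and `score_by_source` reports 1.0 for both sources behind AC-01 and 0.0 for FDA because its only control failed a test.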

Utilize a Workflow Management Platform
Once the compliance framework and assessments have been developed and mapped to the controls within the framework, it’s time to think about putting the process into motion via workflow automation. To do this, a database-driven platform is required to manage the flow of information between the people and organizations that request risk assessments and those that respond to them. E-mail template management within the system notifies people that there are ‘to-dos’ in the system that require a response. An assessment may need to be completed, or a request for a remediation plan may be waiting.

SaaS (software as a service) or cloud-based solutions are often preferred, particularly for assessing third party entities such as key suppliers or other affiliates. This is because the hosted or cloud system resides outside the company firewall and allows the exchange of data to be handled in a more secure fashion.

Analytics Drive Risk and Compliance Visibility
Now we can understand the significant benefits resulting from a solid compliance framework that is tied to internal and external controls and assessments, and managed with proper workflow architecture. Errors typical in a manual system are eliminated, and the time once spent finding a needle in a haystack is better spent closing gaps. It also provides a single system of record and audit trail for corporate compliance across many regulations, controls, and policies. However, powerful analytics are required as part of any platform solution in order to pull everything together for management team visibility and quick decision making.

Strong analytics provide the necessary engine to show risk and compliance scoring, Key Risk Indicators (KRIs) and progress of remediation efforts. Ad hoc reports and dashboards facilitate the monitoring of risk and compliance by authoritative source, business unit, functional group, product, and third party suppliers.

Managing cross-functional risk and compliance internally and from partners, vendors, and business affiliates is becoming a critical success factor for all life science companies. As you build your risk management programs, look for frameworks and best practice models, including technology solutions that provide a quick start on the road to more effective risk and compliance management. Successful automation requires a focused solution that is built with an underlying platform and processes that are able to quickly expand across the enterprise.

Jeff Schwartz is head of Professional Services at Avior Computing Corp. He can be reached at jschwartz@avior.com.