Photo: AUTHOR

Acentral issue for most pharmaceutical organizations, and all businesses, is the fragmented and reactive way governance, risk, and compliance (GRC) tasks are handled across the enterprise. Sales managers may be responsible for ensuring that next quarter's revenue projections aren't overblown. Information technology (IT) staff may be responsible for appropriately protecting customer data. The chief financial officer's office may be responsible for meeting financial reporting mandates. And as new GRC issues arise—because of emerging regulations, industry guidelines and frameworks, or a breaking news story—executives scramble to quickly put "point" GRC measures in place. In the pharmaceutical industry, for example, an individual Warning Letter focused on a specific issue may be addressed through a quick fix or point solution.

This fragmented, reactive approach has several serious problems:

• It drives up GRC costs because efforts and expenses are constantly duplicated
• It limits the effectiveness of each individual GRC initiative because each project team solves its problems in a unique way, rather than using proven processes and best practices that are already in place
• It increases overall risk because risk mitigation is not sufficiently coordinated across the enterprise
• It delays time-to-fulfillment because each GRC project solves the same process and technology problems again and again
• It does not produce board-level GRC confidence because it does not enable true enterprise-wide visibility of GRC status and practices.

For these reasons and others, it is crucial for executive management to bring order to GRC activities across the enterprise—that is, across all GRC mandates, all business functions, all business units, all underlying IT infrastructure, and all geographies.

Figure 1

Chief compliance officers (CCOs) often step forward to take on the responsibility of developing this coherent approach to GRC. Although corporate integrity agreements are sometimes the impetus for these initiatives, CCOs often struggle to find a starting point to building a comprehensive GRC program. Each of these basic elements must balance the specificity necessary to ensure that each individual GRC objective is fulfilled with the flexibility necessary to ensure applicability to any and all GRC objectives across and beyond the walls of the enterprise.

The cost of chaos

It's hard to blame anyone for the current fragmented state of enterprise GRC efforts. Corporate executives had no way to anticipate the scale of today's GRC workloads, the complexity of individual GRC mandates, or the pace at which GRC requirements would continue to change. In addition, new requirements have blindsided organizations, leaving them no time to step back and develop a holistic strategy for addressing all of their present and future GRC challenges.

Every executive, however, is now aware of how big a burden GRC has become. They are aware that GRC burdens are not going to get any lighter and might get a whole lot worse. They're also well aware that their organizations' approaches to GRC are unacceptably fragmented. This fragmentation across the enterprise has serious consequences, the most troubling of which are described below.

Significantly higher GRC costs. When corporate GRC efforts are fragmented, expenditures of time and money are constantly duplicated. Project teams must work through problems that others may already have solved. New systems are put in place when existing systems could readily be used across multiple mandates. Productivity is lost because employees get pulled away from their jobs multiple times for training, instead of just once. All of these inefficiencies divert financial and human resources that could bring much greater returns if they could be allocated elsewhere.