leveraging it risk management to boost competitive advantage

Upload: aqua01

Post on 29-May-2018


TRANSCRIPT

8/8/2019 Leveraging IT Risk Management to Boost Competitive Advantage

1/28

Pharmaceuticals and Life Sciences

Leveraging IT risk management to boost competitive advantage

Achieving integrated information technology, governance, risk, and compliance

http://www.pwc.com/pharma

PricewaterhouseCoopers

Table of contents

The heart of the matter 2
Leveraging an IT Governance, Risk and Compliance foundation to create a competitive business advantage

An in-depth discussion
Industry challenges place technology at the forefront of change, innovation, and sustainable IT Governance, Risk and Compliance solutions
IT risk management should reach beyond compliance 6
IT governance should incorporate risk 8
Policies, standards, procedures, and controls must be defined and refined into a common control set 10
Compliance and monitoring can increase business benefits 12
Data is central to IT GRC 14
Understanding relationships in all areas will form a foundation for effective IT GRC 16

What this means for your business 18
Commitment to integrated IT Governance, Risk and Compliance can boost competitive advantage

How PwC can help your organization 22

2

The heart of the matter

Leveraging an IT Governance, Risk and Compliance foundation to create a competitive business advantage

The heart of the matter PricewaterhouseCoopers 3

The pharmaceutical and life sciences industries face unprecedented compliance challenges, and the close regulatory scrutiny of the industry is likely to only increase. Globalization, information protection requirements, business partnerships, heightened transparency expectations, external reporting obligations, and other drivers are forcing companies to reexamine their enterprise approach to information technology (IT) governance, risk, and compliance (GRC).

At the same time, the industry faces new pressures as the pipeline of blockbuster drugs dwindles, patents expire, and research and development (R&D) productivity decreases.

Continued growth in convergence and outsourcing adds to an already tangled mix.

These challenges make clear that companies in this historically profitable industry must increase their reliance on technology to facilitate the necessary transformation. Technology also enables companies to deliver on promises of transparency, risk management, and enhanced compliance.

To ensure the innovation necessary for continued industry success, it is critical that companies implement a robust and agile risk-based technology compliance foundation. Businesses in the industry must shift away from a costly and inefficient compliance approach that reacts to regulations or inspections and audit findings with expensive, singular or redundant solutions. And as the risk and compliance profile of the industry changes with the introduction of increased technology, companies must focus on establishing embedded and sustainable risk management and compliance processes that continually anticipate and proactively manage risk on an ongoing basis.

At a time when pharmaceutical and life sciences companies must focus on cutting costs, organizations struggle to determine how to best spend scarce dollars on needed IT services and projects. A proactive and risk-based technology governance, risk and compliance approach will allow companies to better manage the cost of compliance, to streamline compliance and business processes through increased automation, and to fuel innovation objectives.

Companies that take action first will not only have a greater chance of survival but also can potentially gain a competitive advantage.

4

An in-depth discussion

Industry challenges place technology at the forefront of change, innovation, and sustainable IT Governance, Risk and Compliance solutions

An in-depth discussion PricewaterhouseCoopers

Current challenges and trends point to tremendous changes on the horizon for the pharmaceutical and life sciences industry. Companies need to begin rethinking how they will operate into a more complicated future if they want to remain competitive.

As this transformation takes shape, pharmaceutical and life sciences companies must balance increasing regulatory pressures and cost management with the world's changing needs for medications. And they must do so by determining and working within an acceptable and controlled level of risk.

A 2008 PricewaterhouseCoopers (PwC) IT governance, risk, and compliance survey of 17 pharmaceutical and life sciences companies reveals a consistent challenge across the industry: A siloed approach to IT organization, process, and technology has resulted in reactive and costly technology GRC efforts that are based on functional or regulatory requirements. Instead, organizations need a proactive, efficient, and cost-effective risk-based approach that provides a foundation for innovation rooted in a sound understanding of the business needs.

This challenge demands a more coordinated approach toward risk and technology compliance. To effectively manage risk to an acceptable level, companies should consider adopting a framework that facilitates consistent decision making related to risk management, required policies, internal controls, and sustainable compliance.

As part of PwC's 2008 IT GRC survey, companies were queried in the following areas: IT risk management, IT governance, policies and standards, procedures, controls, monitoring, and data management. In our experience, these categories represent the elements of a successful IT governance, risk, and compliance program. The discussion that follows is based on company survey responses and subsequent interviews with a selection of participating organizations.

PwC surveyed 17 pharmaceutical and life sciences companies and supplemented that data by interviewing individuals across functional areas, including chief information officers, IT compliance organization leaders, general counsel, privacy, risk management, and internal audit.


Respondents also stated that few organizations have formal processes in place to embed risk management into decision-making processes, and fewer have defined who will be accountable for deciding an acceptable risk level. Most companies said they struggle to define their risk tolerance, the risk appetite of the organization, who makes these cost/risk trade-off decisions, and how IT risk links to business objectives.

In the current market, risk management is garnering a significant amount of attention across all industries. Boards of directors want to know that companies understand and manage key risks. And Standard & Poor's is now evaluating enterprise risk management (ERM) programs as part of its larger rating program. The Food & Drug Administration (FDA) has been promoting a risk-based compliance approach and quality by design, and Sarbanes-Oxley along with related auditing standards now promote a top-down risk-based approach.

In our experience, the most successful companies across all industries have developed IT risk policies that articulate the desired or targeted IT risk level. This is supported by a sustainable governance process to establish clear accountability for managing risk to an acceptable level based on the risk tolerance of the organization. The acceptable level of risk is based on business input and the risk appetite/risk tolerance of the company as a whole.

Because IT supports the entire organization and must manage more compliance requirements than most other areas of the business, IT often makes the first attempt to define a risk management program that will streamline compliance in the absence of an overall ERM program. While linking ERM to IT risk is in the early stages at most companies in the industry, the connection between ERM and IT risk is essential to better align prioritization of and responses to IT risk with the organization's overall risk tolerance. Without this link, IT GRC programs will not succeed, and IT projects may not be prioritized based on the needs of the business.

8 Driving industry innovation

IT governance should incorporate risk

Many companies in the pharmaceutical and life sciences industry report they have achieved excellence in IT governance, which is a critical component for establishing necessary IT risk and compliance decisions. Nearly all of the survey respondents (86.6 percent) said they have deployed a documented IT strategy and vision that clearly articulates IT goals. The same number have aligned that vision with the overall business strategy; however, only slightly more than half (53 percent) of the respondents indicated the IT governance groups include both IT and business representation. Most of the organizations (86.7 percent) said they established a governance process for timely decision making regarding IT priorities, investments, projects, and business alignment. Only half have a process to make decisions and to drive consistent IT policies and standards. Although nearly half of respondents (46.7 percent) indicated that an IT risk and compliance role has been established that reports directly to the chief information officer, only 20 percent of IT governance committees include an IT risk and compliance representative. In our experience across industries, many companies also have IT risk governance committees that are separate and distinct from their overall IT governance committees. See Figure 2.

Figure 2: Percentage of surveyed companies whose IT governance process includes timely decision making in the following areas

Business alignment: 86.7%
IT controls: 73.3%
IT risks: 73.3%
IT organization decisions: 60.0%
IT policies and standards: 53.3%
IT resources: 66.7%
IT projects: 86.7%
IT investments: 86.7%
IT priorities: 86.7%

Source: PwC survey of IT governance, risk, and compliance among 17 pharmaceutical and life sciences companies, 2008

Figure 3: Percentage of surveyed companies that believe IT policies and standards have been defined based on key IT risks

Disagree Strongly: 0.0%
Disagree Slightly: 0.0%
Neutral: 6.7%
Agree Slightly: 40.0%
Strongly Agree: 53.3%

Source: PwC survey of IT governance, risk, and compliance among 17 pharmaceutical and life sciences companies, 2008

Yet, based on our discussions with respondents, most companies have not developed a simplified framework that links to a formal IT risk management process, maps to a set of common IT controls, and defines parties accountable for each policy area. In many cases companies have established overlapping and redundant policies, standards, or procedures, and they do not follow a consistent set of documents. We also found that companies are not typically mapping IT risk, policies, standards, and control requirements to a defined set of IT capabilities to verify that appropriate skill sets are in place to manage defined risks.

We learned that many companies have inconsistent definitions for policies, standards, procedures, and controls, and that processes to keep these documents current and aligned, based on risk, do not typically exist. We noted many examples where policies, standards, and procedures have references to inaccurate, missing, or incomplete information. Mergers and acquisitions have further complicated the issue.

Across many IT organizations, different groups have established policies, procedures, and controls at varying levels of detail and structure based on their definition of risk and their specific regulatory requirements. Companies often have siloed standards and controls to meet specific FDA, Sarbanes-Oxley, privacy, Prescription Drug Marketing Act, Foreign Corrupt Practices Act, and other regulatory requirements without considering the common elements of control that cut across these regulatory requirements.

Successful technology GRC programs begin with a simple and consistent definition of policies, standards, procedures, and internal controls. Other key factors include: developing streamlined and focused IT policies that represent management's intent; establishing clear accountability for deployment and enforcement of policies, standards, and procedures; and developing a common control set that addresses multiple related regulatory and operational control requirements in a single company control library that is aligned with the results of the company's risk assessment activities. Once a risk-based common control set is established, successful companies embed these requirements into their systems to consistently deploy internal controls. The most successful companies across industries use Enterprise Risk Management assessments to establish a risk baseline that is periodically updated to reflect changes in the environment and the business.

Compliance and monitoring can increase business benefits

Many pharmaceutical and life sciences companies (73.3 percent) see IT GRC merely as a regulatory requirement and a nondiscretionary additional cost. Only 30 percent of respondents viewed IT GRC as a benefit that could help the business better manage its processes, increase efficiencies, and ultimately help create a competitive business advantage.

Nearly all of the survey respondents (93.3 percent) said they have a process in place to test and monitor compliance with their company policies and controls. The same number said compliance testing and monitoring processes are based on risk; however, approximately 93 percent of respondents indicated their company needs to more effectively monitor the controls in place at third-party outsourcing providers. Additionally, 80 percent expressed that a more effective compliance dashboard needs to be developed and leveraged for reporting on the health of IT risk management and compliance to company management. Improved monitoring and reporting will become increasingly important given the increase in outsourcing to third parties (73 percent have outsourced help desk, 64 percent infrastructure, 46 percent applications, and 27 percent business processes).

Although there is a trend toward metrics and compliance reporting that includes root cause analysis and corrective and preventive action programs (93.3 percent), only 26.7 percent indicated that trending is performed and monitored over time to identify emerging issues.

At many companies, an uncoordinated approach to governance, risk, and compliance has resulted in redundant internal and external audit groups with overlapping objectives, gaps in other areas, and inconsistent monitoring and reporting to senior management. This points to companies not having developed a common risk-based approach to conducting control audits. Often, IT staff members spend significant time responding to inconsistent audit findings, which generally do not take into account the organization's defined risk tolerance.

Once companies establish a common risk management and internal control framework, internal audit and quality groups can turn their attention to evaluating the effectiveness of the internal control framework as opposed to substantively testing whether a particular control is in place and operating effectively at a point in time. If effectively implemented, this approach can reduce judgment-based audit findings and instead focus on whether IT's internal control and compliance quality system works effectively. See Figure 4.

Figure 4: Percentage of surveyed companies that believe controls are based on key risks to IT and the business

Disagree Strongly: 0.0%
Disagree Slightly: 0.0%
Neutral: 0.0%
Agree Slightly: 53.3%
Strongly Agree: 46.7%

Source: PwC survey of IT governance, risk, and compliance among 17 pharmaceutical and life sciences companies, 2008

Most companies queried have established IT compliance organizations to address Sarbanes-Oxley regulations, FDA regulations, IT risk, controls, continuity planning, compliance testing, and reporting. However, as the sharing of data across organizations increases, most of these organizations say information security, privacy, and data archiving pose the greatest challenges.

Data from our survey showed that, as the sharing of data across organizations increases, most of these organizations say information security, privacy, and data archiving pose the greatest challenges.

As interactions among healthcare payers, providers, and pharmaceutical and life sciences companies grow, exchanging and protecting large volumes of sensitive and confidential data will become increasingly important. While greater collaboration facilitates the necessary industry transformation, it also exposes the industry to increased risk, particularly to the integrity and privacy of information in the health IT value chain. Regulators recognize the risk. In fact, during the first seven months of 2008, the FDA issued more than 200 warning letters, and states have decided to focus more heavily on enforcement because of several industry privacy breaches.

As the number of legal and regulatory requirements increases, regulators and auditors will increasingly scrutinize IT on its ability to comply and sustain compliance with these rules, while also protecting sensitive intellectual property and personally identifiable information subject to global and state privacy laws.

The most successful technology GRC programs have initially identified the various internal and external groups responsible for auditing and monitoring compliance across the organization. The charters and scope of these groups are aligned, where possible, with the key technology risks identified by management to avoid redundant efforts. Similar to a quality management system (QMS) approach, the compliance and monitoring functions are beginning to focus on evaluating the ongoing effectiveness of the entire GRC framework rather than the effectiveness of a single control at a particular point in time. High-performing technology GRC functions also consistently use compliance dashboards across the entire organization to report risk management and compliance status to various levels of management. Many high-performing governance, risk, and compliance functions also have mapped key controls to the associated regulations to more easily identify the impact of a control breakdown or deficiency. These organizations are also beginning to automate manual compliance processes to streamline business processes, improve compliance sustainability, reduce reliance on individuals, and reduce the cost of compliance.

Data is central to IT GRC

Information is the common denominator in all of the functional areas outlined above, and it is clear that data management is a significant area for improvement within the industry.

More than 85 percent of respondents indicate that improvements are necessary with respect to defining data owners for all categories of data, classifying data, establishing a sustainable data cleansing process, establishing an effective record archiving and retention program, and protecting data based on the associated business value and sensitivity.

Information must be classified and protected accordingly as it is transferred across the enterprise, maintained in structured and unstructured formats, and safeguarded when transferred outside of the organization.

However, most organizations have not named owners for all data categories, and in many cases owners are not held accountable for determining how valuable the data is to the business. Also, in many cases, it is unclear whether the business unit or IT is responsible for the data. Often, the business feels it is IT's responsibility to own and define the business value of the data, but data decisions and responsibility should reside within the business. See Figure 5.

Figure 5: Percentage of surveyed companies that have identified business owners for all categories of data

Disagree Strongly: 21.4%
Disagree Slightly: 14.3%
Neutral: 14.3%
Agree Slightly: 35.7%
Strongly Agree: 14.3%

Source: PwC survey of IT governance, risk, and compliance among 17 pharmaceutical and life sciences companies, 2008

A risk-based approach helps companies consistently protect, cleanse, maintain, and archive and dispose of data. This is increasingly important as the virtual walls of the company expand, information is used in new ways, and the volume of exchanged information increases significantly. Ultimately, the data collected by pharmaceutical and life sciences companies will fuel R&D efforts, identify high-performing drugs, and track drug safety trends. In addition, automation can streamline business processes and compliance, thus saving time and money.

Understanding relationships in all areas will form a foundation for effective IT GRC

The complex layers of IT GRC cannot effectively operate in silos if companies hope to achieve the innovation that will position them ahead of the competition. The industry's transformation requires that pharmaceutical and life sciences companies first build a strong IT GRC foundation that can act as a springboard for distinctive and innovative business solutions.

An integrated IT GRC approach, one that addresses the end-to-end relationships in each of the functional areas outlined above, bridges the gap between the current technology compliance state of the industry and the future direction of the industry.

Figure 6: IT GRC components (diagram). Labels shown: Governance; Risk; Policies & standards; Procedures; Controls; Compliance & monitoring; Legal compliance; Business strategy; Audit and regulatory; IT objectives; Accountability; Responsibility; Knowledge sharing; Communications; Teamwork; Sustainability; Continuous improvement.

To achieve an effective IT GRC program, companies need to:

• Establish a governance process that defines clear accountability and responsibility for the components of the IT GRC program
• Understand the strategic, operational, financial, environmental, reputational, and compliance risks that could affect business objectives
• Determine a companywide acceptable risk level based on an overall risk tolerance
• Establish succinct policies and standards that reflect management intent and are based on the organization's risk and control decisions
• Define a set of procedures to support policies and standards
• Establish a sustainable common control set that aligns with key risks and related regulatory control requirements
• Establish IT support processes to maintain the compliant state of regulated systems and their underlying supporting IT infrastructure
• Train people accordingly to ensure a common understanding and consistent compliance across locations
• Develop a compliance monitoring and reporting process that assures management that key risks are being addressed
• Assess the assurance coverage provided by different audit functions to ensure that all key risk areas are properly addressed
• Select and deploy appropriate tools to monitor the effectiveness of compliance on a consistent and ongoing basis across locations

More and more companies are now recognizing the need for automated solutions for IT GRC that unify all assessment activities, link risks to controls to regulations, effectively require and enforce compliance activities, and improve risk aggregation and reporting.

18

What this means for your business

Commitment to integrated IT Governance, Risk and Compliance can boost competitive advantage

What this means for your business PricewaterhouseCoopers 19

A foundational and integrated approach to IT governance, risk and compliance will be necessary to address the emerging risks companies will face as the pharmaceutical and life sciences industry increases collaboration and shares electronic information across the Health IT value chain. But this approach will be even more essential to better manage compliance costs and to drive improved, automated and controlled business processes.

Our experience working in other industries with companies that have been successful using an integrated approach to IT GRC reveals fundamental success factors that must be addressed, including:

• Don't boil the ocean. Companies successful in establishing an integrated IT GRC program execute simple steps that fit within the current structure at their organizations. For example, companies are expanding the agendas of existing IT governance meetings to include business concerns as well as discussions and decision making related to risk management and compliance.
• Define accountability. Companies should clearly define accountability through a governance process for IT risk management, policies, internal controls, and compliance within the appropriate IT functional area that aligns with how individuals are evaluated and rewarded.
• Establish a common language. Often, different GRC groups have similar objectives and initiatives but use different words to describe common activities. Having a consistent set of terms and a process to align common objectives and related terms is essential to the success of an integrated IT GRC program.
• Measure teamwork and foster collaboration. The elements of a successful integrated compliance program must include team metrics and measures to promote teamwork across the business, functional IT groups, quality assurance, and audit groups.
• Promote sustainability. Establishing a sound IT GRC program is not a single event. Building risk management into recurring natural activities, such as the strategic planning and budgeting processes, embeds desired risk management thinking into the organization and starts to build a risk-aware culture among all employees.
• Think continually about improvement. The most successful companies have a simple process in place to capture the root cause of issues, establish corrective action plans, continually evaluate trends and compliance patterns, and continually focus on improving the GRC environment.

Companies can realize several significant benefits by taking an integrated approach to IT GRC. Furthermore, once the company achieves governance, risk, and compliance in a more efficient and effective manner, it can leverage IT and automation to streamline compliance and business processes and create business value. This approach allows management to establish a defined method for decision making regarding risks, controls, and compliance that helps ensure the organization considers key risks. Companies can better anticipate and manage risks before they become problematic and thereby avoid potential reputational damage, fines, penalties, or lost revenue. Furthermore, a focused set of controls that specifically addresses risks can help manage the cost of compliance. Many companies strive to comply with redundant audit findings, but a GRC framework helps companies to align controls with the organization's risk tolerance. Additionally, improved alignment between management, internal and external audit groups can simplify the audit process and free up time for strategic initiatives and activities.

The time and money that can be saved by implementing these practices will become increasingly important as pharmaceutical and life sciences companies begin to rethink their operations as they contemplate a changing business environment where increasing interactions with payers and other organizations affect the use of data. By shoring up the governance, risk, and compliance foundation, IT can shift its focus to automating business processes, managing data, and enabling the innovation essential to discovering the preventive medications needed for the future.

Case Study 1

Challenge

PwC helped a global pharmaceutical company align regulatory controls with key financial, operational, and compliance risks so that all risks, controls, and test plans could be incorporated in an automated tool for compliance monitoring and reporting.

Benefit

The effort reduced key controls and compliance tests by more than 50 percent and allowed those involved in these compliance activities to focus on more strategic activities that were aimed at improving business value.

Case Study 2

Challenge

PwC assisted a global pharmaceutical company as it developed a proactive approach to identify and manage risk that included streamlined IT policies, standards, and procedures, a common definition for risk, and a risk register (inventory of prioritized risks). The company expanded its IT governance process to include risk decision making and enhanced its compliance reporting through a common control set.

Benefit

The approach reduced compliance efforts and costs by nearly 50 percent and reduced spending on projects to correct control deficiencies by approximately $3 million.

  • 8/8/2019 Leveraging IT Risk Management to Boost Competitive Advantage

    24/28

    22 Driving industry innovation

    How PwC can help your organization

    Leveraging the undamental success actors, PwC has helped organizations execute theollowing steps to establish an integrated IT GRC program:

    Establish a process to identiy, prioritize, and organize key risks, determine the impactand likelihood o the risk, and evaluate the adequacy o existing controls.

    Establish a governance process to decide on the level o risk that is acceptable andaligned with the organizations business objectives and the overall enterprise riskmanagement program.

    Agree upon a set o standard risk categories and assign appropriate accountable ownersor each category. In our experience, these risk categories should consider how IT-relatedpeople, process, or technology events can impact business objectives in the ollowingareas:

    - Research and development
    - Sales & marketing
    - Manufacturing
    - Quality
    - Finance
    - Legal
    - Human resources
    - IT infrastructure
    - Sourcing

    Create a risk register (i.e., inventory of prioritized risks) by defining key risks for each category, determining existing controls, and determining the impact and likelihood of the risk occurring.

    Define a risk-based approach for the prioritization of IT projects as part of the annual IT budget exercise.

    Establish a common definition and taxonomy for policies, standards, and procedures and simplify the existing set of documents.


    Establish focused policies that represent management's intent for key risk categories along with supporting standards and procedures where necessary.

    Define a common control set of internal controls across regulations (FDA, Sarbanes-Oxley, privacy, etc.) and internal operational requirements that aligns with key risks and policy areas.

    Map IT risks, policies, standards, procedures, and controls to IT capabilities and identify any skill areas that require enhancement.

    Embed common controls into the company's system development life cycle. Then establish a consistent quality process to verify that key controls are established as part of new system implementations and support processes are established to sustain the compliant state of IT-regulated systems and their underlying IT infrastructure.

    Align the scope and objectives of internal and quality audit activities and functions to the IT GRC framework to minimize duplication and overlap of audit activities.

    Establish a dashboard reporting process that can be leveraged as part of standing IT leadership team meetings to review compliance progress and align compliance performance to individual performance measurement and rewards.

    Create a continual improvement process that evaluates the root cause of compliance gaps, anticipates and addresses potential risks, evaluates trends, anticipates risks based on emerging changes in regulation or business conditions, and establishes timely solutions.

    Select and deploy appropriate tools to monitor the effectiveness of compliance on a consistent and ongoing basis across locations and to link risks to policies, standards, procedures, controls, and compliance monitoring results.

    Employ training and communications to foster adoption of the IT governance program and to drive fundamental behavior change.

    Reinforce desired risk management behaviors with ongoing communications and performance measures to build a risk-aware culture among all employees.

    Organizations are at varying levels of readiness to implement this model. And while no one-size-fits-all solution exists, PricewaterhouseCoopers has developed a maturity model that can facilitate decision making regarding where to start and how far an organization wants to go to address IT GRC. Options range from basic foundational steps to meet minimum compliance requirements with manual, paper-based processes, to a level of maturity that automates business, IT, and compliance processes to promote sustainability and improved business performance while incorporating the company control culture and risk appetite.

    A successfully implemented IT GRC program can not only reduce the cost of compliance, but also can free up valuable time and resources to focus on distinctive business solutions. Companies facing significant regulatory requirements have been able to use technology to create a competitive advantage by automating business and IT processes with embedded compliance requirements.

    As industry transformation continues, technology will become more integral to company success; however, this success can be realized only if new and emerging risks created by technology innovation are proactively anticipated and managed through a defined governance process and the right behaviors. A reactive approach to risk and compliance will not be viable as transformation and increased collaboration continues. The companies that are able to quickly establish a proactive approach to IT governance, risk and compliance have the opportunity to create a competitive advantage by using that approach as a differentiator in the marketplace. A proactive risk-based technology compliance approach can be leveraged to build increased trust with potential business partners regarding the integrity, confidentiality, and availability of information maintained, processed, and transferred by the organization.

    Companies need to determine how far they want to go to address integrated IT governance, risk, and compliance. Those who are fully committed can transform their focus from necessary compliance requirements to a more strategic approach that can leverage technology to fuel business innovation, foster the right behaviors, manage compliance expenses, and boost their competitive advantage.

    As our experience and this survey shows, the industry consistently acknowledges that an integrated IT GRC approach is necessary and beneficial. Although many companies have progressed in their efforts to establish elements of a successful IT GRC framework and many believe they have a solid foundation, we have found that considerable work still must be done to develop effective programs that consistently manage existing and emerging risks.


    PricewaterhouseCoopers' Global Pharmaceutical and Life Sciences Industry Group (www.pwc.com/pharma) is dedicated to delivering effective solutions to the complex strategic, operational, and financial challenges facing pharmaceutical and life sciences companies. We provide industry-focused assurance, tax, and advisory services to build public trust and enhance value for our clients and their stakeholders. We draw on the knowledge and skills of more than 155,000 people in 153 countries from across our network to share their thinking, experience, and solutions to develop fresh perspectives and practical advice.

    The information contained in this document is for general guidance on matters of interest only. The application and impact of laws can vary widely based on the specific facts involved. Given the changing nature of laws, rules and regulations, there may be omissions or inaccuracies in information contained in this document. Before making any decision or taking any action, you should consult a competent professional adviser.


    To have a deeper conversation about how this subject may affect your business please contact:

    Pat Roche
    Partner
    Pharmaceutical & Life Sciences Group
    Phone: +1 (973) 236-4844
    Email: [email protected]

    Brian Riewerts
    Principal
    Pharmaceutical & Life Sciences Group
    Phone: +1 (410) 659-3390
    Email: [email protected]

    Attila Karacsony
    Director
    Pharmaceutical & Life Sciences Marketing
    Phone: +1 (973) 236-5640
    Email: [email protected]
