
April 24, 2006

Pharma Risk Managers: ERM Is In Your Future


by Michael Rasmussen and Laura Ramos

Helping Business Thrive On Technology Change

BEST PRACTICES


Includes Consumer Technology Adoption Study data

Key Vendors And Service Providers Offer Fundamental ERM Building Blocks Today

This is the first document in the "Industry Perspectives On Risk And Compliance" series.

by Michael Rasmussen and Laura Ramos with Bradford J. Holmes, Laurie M. Orlov, Alyssa L. Baer, and Samuel Bright

EXECUTIVE SUMMARY

Pharma risk managers and compliance professionals face increasing regulatory scrutiny and market pressures that amplify both business and operational risk. To keep from drowning under a rising tide of agency mandates, legal precedents, and financial controls, pharma must abandon its reactive, functional approach to risk mitigation in favor of a more proactive and structured enterprise risk management (ERM) response. Key software providers and professional services organizations stand ready to help pharma firms build governance, risk, and compliance (GRC) processes and the supporting technology platforms needed to efficiently detect and deter risks, driving top-line business performance improvements through widely applied risk management processes.

TABLE OF CONTENTS

Intense Regulatory Scrutiny Raises The Risk Burden For Pharma
  Pharma Firms Feel The Heat Of Business Risk
ERM Is Pharma's Rx For Compliance And Risk Management
  Federated ERM Delivers Tangible Benefits
Technology Selectively Applied Boosts Pharma's Move to ERM
  Software Providers Deliver Key ERM Components
  What Are The Key Capabilities Of GRC Platforms?
  Professional Service Firms Provide The GRC Integration Know-How
RECOMMENDATIONS
  Measure The Risk Profile And Take An ERM Approach Based On Maturity
WHAT IT MEANS
  Pharma Leverages ERM Practices To Raise Performance
Supplemental Material

NOTES & RESOURCES

Forrester interviewed 18 vendor and user companies, including: AssurX, Gilead, IBM, Janssen Pharmaceuticals, KPMG International, Leiner Health Products, Pilgrim Software, PricewaterhouseCoopers, and QUMAS.

Related Research Documents

"The Forrester Wave: Governance, Risk, And Compliance Platforms, Q1 2006," March 16, 2006, Tech Choices
"The Promise Of Next-Gen eClinical Trial Software," March 15, 2006, Market Overview
"Pharma Faces Privacy Challenges On The Road To RFID Adoption," February 22, 2006, Trends
"Trends 2006: Enterprise Risk And Compliance," December 13, 2005, Trends
"Seven Habits Of Highly Effective Compliance Programs," July 12, 2005, Best Practices

© 2006, Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, Forrester's Ultimate Consumer Panel, WholeView 2, Technographics, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Forrester clients may make one attributed copy or slide of each figure contained herein. Additional reproduction is strictly prohibited. For additional reproduction rights and usage information, go to www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. To purchase reprints of this document, please email resourcecenter@forrester.com.

Best Practices | Pharma Risk Managers: ERM Is In Your Future

INTENSE REGULATORY SCRUTINY RAISES RISK BURDEN FOR PHARMA

Regulatory compliance is the centerpiece of risk management and governance in the life sciences industry. Firms that fail to comply with regulations and a growing number of financial assurance and legal precedent requirements set by these agencies will suffer shutdowns in manufacturing operations, product withdrawals, fines, lawsuits, revenue loss, and tarnished reputations. Operational risk, as well as regulatory compliance, places a greater burden on pharma risk managers because:

Regulations apply across the entire product life cycle in pharma. Compared with other industries, the risk and compliance profile spans the full pharma product life cycle from invention to testing, manufacturing, and marketing (see Figure 1). Unlike service delivery in banking or product safety in the automotive industry, pharma must manage risk across a broader range of intellectual property management, clinical (public) trials, submissions, operational validation, privacy, sales practices, and brand reputation management activities.

International operations and markets increase complexity. The companies that produce drugs are some of the world's largest and most globally distributed firms. They must not only control far-ranging operations, as Chiron failed to do when its flu vaccine production in Liverpool, UK, violated US FDA good manufacturing practices (GMP) regulations, but also navigate a complex set of local restrictions on promotional and sales activities, which vary across every border.

Multifaceted partner relationships dominate. Worldwide drug supply chains include a complex network of manufacturers, wholesalers, secondary distributors, and retailers, all with independent risk mitigation issues. Due to varying chargeback and rebate practices, different participants, including hospitals, dispensing physicians, clinics, elder care facilities, pharmacies, retail chains, or the government, see a wide range of discounts, which complicates contract management. Secondary buying and selling opens the door to counterfeit drugs and threatens consumer safety. Lawmakers at the federal and state level want technology, such as RFID, electronic signatures, and tracking applications, used in the supply chain to ensure that products flow from the manufacturer to the destination without risk of theft or tampering.1

Mergers and acquisitions complicate business operations. During the past seven years, the pharma industry has seen record merger activity in both number and size. Rapid M&A activity creates broken and inefficient processes as companies struggle to integrate new operations while maintaining regulatory validation. Pharma's growing use of outsourced or offshore vendors to supplement internal resources for clinical trial data management, application development, and IT system management further complicates the operational landscape.2

2006, Forrester Research, Inc. Reproduction Prohibited

Figure 1 Risk And Compliance Requirements That Pharma Faces Across The Business Cycle

Product development and approval
Scope of compliance/risk in each business area: Manage research and development to build and diversify drug portfolio. Regulations require firms to document the development process, clinical trials, and safety data.
Pharma-specific compliance and risk examples: R&D good clinical practices; New compound/product portfolio; Therapeutic/research portfolio; Toxicology; Clinical trials: Phase I-III; Regulatory affairs

Manufacturing and distribution
Scope of compliance/risk in each business area: Validate that processes, facilities, and controls to manufacture, package, and hold a drug meet safety, identity, quality, and purity standards in accordance with approved drug formulation, efficacy profile, and labeling regulation.
Pharma-specific compliance and risk examples: Labeling and annual reporting (SPL, PLR); Inventory security vaulting; Manufacturing system validation (GMP); Environmental health and safety; Process and analytical technology (PAT); Audits/quality control; Sample accountability

Marketing and promotion
Scope of compliance/risk in each business area: Record ongoing consumer safety and report on potential risks and adverse events. Manage brand reputation and avoid expensive litigation. Increase visibility into previous stages to minimize liability/culpability that the firm may bear.
Pharma-specific compliance and risk examples: Chain of custody, pedigree, counterfeit/theft prevention; Brand/reputation management; Litigation, preservation holds; Medical affairs; AERS adverse events safety warnings/reporting; Phase IV trials; Safety signal data mining; Corporate integrity, fraud, and abuse

Source: Forrester Research, Inc.

Product mishaps cause serious, highly visible damage. Because they affect consumer health, product failures can devastate firms' reputations, brand identities, and financial performances. Before Vioxx, other drugs such as Paxil (an antidepressant that reportedly increased suicidal tendencies in teens) and Baycol (a cholesterol-lowering medicine that was recalled after reports of muscle damage) suffered expensive recalls or large class action suits when manufacturers failed to mitigate risks in clinical research, efficacy trials, quality assurance, or abuse.

Pharma Firms Feel The Heat Of Business Risk

Pharma firms face a growing share of financial risks as well. In a study of risk in the pharma industry, KPMG revealed that the top 20 pharma firms disclosed more risks, often with greater severity, in their financial reports between 1998 and 2003. By 2003, more than half cited underdeveloped product pipelines, changes in accounting standards, and product launch problems as risks to ongoing operations, issues that barely made their radar screens five years earlier.3


More recently, KPMG-sponsored research conducted by the Wharton School of the University of Pennsylvania shows that pharma industry stocks are more susceptible to bad news than the overall Standard and Poor's (S&P) 500 index.4 In addition to these operational risks, pharma firms also worry about:

Rising audit burdens, inspections, and fines. The list of US and international regulations is longer than ever, and the consequences for noncompliance are growing (see Figure 2 and see Figure 3). Pharmaceutical companies paid more than $3 billion in regulatory settlements and criminal fines since 2000 as the US Department of Health & Human Services (HHS) Office of the Inspector General (OIG) and state attorneys general put their sales, pricing, and promotional activities under closer scrutiny.5 Major firms, such as Abbott Laboratories, Schering-Plough, and TAP Pharmaceutical Products, have corporate integrity agreements that require them to document their business practices and demonstrate to auditors that their pricing and marketing practices are pristine.

Tarnished reputations. Waning consumer confidence introduces further risk to the pharma industry as well as to brand reputations. In 2005, 53% of respondents to the Consumer Technographics Q4 2005 North American Healthcare, Customer Experience, and Retail Online Survey did not feel that drug companies accurately presented product benefits and risks in their advertising.6 Public mistrust leads to further regulations. It also increases risk mitigation costs and activities, as well as financial and reputation risks should noncompliance occur.

High-visibility privacy issues. With the growth of online pharmacies, global clinical trials, and electronic medical records, pharma firms face an increased risk of inadvertently exposing patient information. The bulk of privacy concerns today centers on clinical trial information (who participated in which types of trials) but also extends to employee data and the extent to which employers should know about the drugs their workers take. Finding the right solution is difficult because certain solutions, such as using RFID technology to track pills, lead to privacy concerns should wrongdoers misuse the technology.7

The pressure to track consumer usage. As the public, media, academics, and lawmakers debate whether clinical trials can detect medical risks adequately, despite growing effort and costs, pharma firms will have to employ pharmacovigilance: tracking consumer use more carefully to identify and evaluate safety signals earlier.8 Firms must continuously monitor the entire history and life cycle of a drug and expressly manage its risk.

The fragmentation of enterprise remedies. To keep global operations running smoothly, large pharma firms decentralize compliance and governance in business units and treat business risks, compliance, and quality control as completely separate activities. They typically use a variety of vendor solutions, often implementing them in functional silos, and are only now beginning to look at integration into a broader risk and compliance management platform.


Figure 2 Global Regulations Affecting Pharma Risk

Business areas (columns): R&D, Trials, Approvals, Manufacturing, Distribution, Marketing, Safety

Regulations and scope

Clinical Trial Directive to the European Commission (2001/20/EC): Regulates clinical trials conduct; protects the rights, safety and well-being of trial participants; simplifies governing clinical trials across nations; and establishes procedures to harmonize trial conduct in the European Union to ensure the credibility of results.

Corporate Integrity Agreements: Delivered as corrective actions and penalties from the Department of Justice, require pharmaceutical companies to react quickly to issues related to Medicaid/Medicare abuse, sales and marketing abuse, and government pricing issues.

Corrective and Preventive Actions (CAPA): CAPA requirements manage quality control. A corrective action eliminates the causes of an existing nonconformity, defect, or other undesirable situation in order to prevent recurrence. Preventive action eliminates the cause of a potential nonconformity, defect, or other undesirable situation (ISO 8402).

Current Good Practices (cGxP), FDA 21 CFR Parts 210, 211, 221, 600, 610: Referred to collectively as "cGxP" (with the x representing manufacturing, laboratory, clinical, or distribution), these rules form the core FDA regulations for quality and control.

Environmental, Health & Safety (EH&S): The CDC regulates the possession, use, and transfer of select agents and toxins that pose a threat to public health and safety. Regulations require greater tracking of the amount, location, and security of potent viruses and bacteria, and background checks and restrictions on those who research these agents.

The FDA's 21st Century initiative: 2004 FDA report highlighting specific steps the agency will take to develop and implement quality systems management and a risk-based, product-quality regulatory system.

Legend: Primary area of focus; Secondary area of focus; No significant focus in this area

Source: Forrester Research, Inc.

Figure 3 Pharma Regulations Affecting Operational Risk

Business areas (columns): R&D, Trials, Approvals, Manufacturing, Distribution, Marketing, Safety

Regulations and scope

Electronic Common Technical Document (eCTD): In 2005, the FDA revised electronic submissions guidance to include electronic common technical document (eCTD) specifications. This guidance expects to enhance the receipt, processing, and review of electronic submissions to the FDA.*

Electronic Records 21 CFR Part 11: FDA guideline that requires firms to ensure the authenticity, integrity, and confidentiality of electronic records. Also requires firms to document the installation (IQ), operational (OQ), and performance qualifications (PQ) of computerized systems, validating installation, configuration, and any ongoing change management.

Periodic Safety Update Reports (PSUR): The FDA Post Marketing Drug Risk Assessment (PMDRA) program requires PSURs to protect public health by summarizing interval safety data and overall safety evaluations. The PSUR includes updates on emerging or urgent safety issues, as well as major signal detection and evaluation.

Prescription Drug Labeling Physician's Labeling Rule (PLR): Drug labeling is the primary means of providing critical information about drugs to practitioners. In January 2006, the FDA announced that US product inserts (USPIs) must highlight important facts, summarize info, and organize label content for easier offline and online navigation.

Prescription Drug Marketing Act (PDMA): This 1987 law aimed to prevent the wholesale distribution and sale of subpotent, adulterated, counterfeit, or misbranded prescription drugs.

Structured Product Labeling (SPL): Starting in 2005, the FDA required drug manufacturers to submit prescribing and product information in SPL format in a human- and machine-readable format. Using XML, SPL makes information in FDA-approved package inserts (labels) more structured and accessible.

Legend: Primary area of focus; Secondary area of focus; No significant focus in this area

*This guidance discusses issues related to the electronic submission of applications for human pharmaceutical products and related submissions, including abbreviated new drug applications (ANDAs), biologics license applications (BLAs), investigational new drug applications (INDs), new drug applications (NDAs), master files (e.g., drug master files), advertising material, and promotional labeling.

Electronic drug label information will streamline the way physicians and patients access important prescribing information over the Internet. Source: February 3, 2006, Quick Take "New FDA Labeling Rule Will (One Day) Improve Drug Safety."

Source: September 21, 2005, Market Overview "Pharma Won't Meet ePedigree Deadlines" and July 7, 2005, Best Practices "Authentication, Not RFID, Will Make Drugs Safer."

Source: October 24, 2005, Best Practices "10 Steps To Pharma SPL Success," October 24, 2005, Best Practices "Pharma Strategies To Meet SPL Deadline," and September 13, 2005, Trends "SPL Will Propel Pharma Into XML Adoption."

Source: Forrester Research, Inc.

ERM IS PHARMA'S RX FOR COMPLIANCE AND RISK MANAGEMENT

Faced with increasing regulation, growing proof that fragmented departmental tactics fail, and higher corporate accountability bars, pharma risk managers can no longer afford to address departmental risks in isolation. Risks in pharma have become highly interdependent; a risk in one area of the organization can affect other areas. Risk interdependency will force the industry toward proactive approaches over the next 24 months.9 To address risk complexity, pharma risk managers and compliance professionals must develop ERM approaches that prevent or contain incidents, address exposures preventatively, and ferret out possible risks before they become serious problems. To get there, pharma must:

Appoint a chief risk or compliance officer. Pharma boards must create an executive role responsible for the GRC architecture, ERM processes, and high-level GRC best practices. The top risk and compliance officer's job should focus on increasing risk management awareness at all levels, setting corporate risk training requirements, and communicating risk mitigation progress through metrics and averted-risk cost savings (see Figure 4).

Implement GRC platforms. To manage risk and compliance at an enterprise level, pharma companies must assess their current GRC platform technologies and make new investments as required. A common GRC platform is critical to building an ERM and compliance program. As pharma moves from a siloed to a federated risk and compliance model, the technology platform's ability to integrate and share data with other systems becomes critical.

Figure 4 Top Five Activities Top Pharma Risk Executives Should Do

1. Develop an ethics and control culture that is communicated through central, corporate policies and procedures and top-down, executive enforcement of risk management practices.
2. Improve executive and line management confidence in the organization's operational and financial integrity.
3. Maintain accurate and timely risk information that enhances visibility, measurement, and control of risk while sharing risk across the organization.
4. Accurately measure risk and compliance through a consistent and systematic approach that departments can adopt and modify according to their independent requirements.
5. Measure risks not only at the system or project level but also from an organizationwide view of risk management that cuts across business units and processes.

Source: Forrester Research, Inc.

Develop risk intelligence. Pharma firms must become risk agile; that is, they must be up to date and aware of risk so that they can navigate around the risks safely. This agility will depend on defining a taxonomy of risks that affect their business performance and strategy, such as financial integrity, operational efficiency, and regulatory compliance. Pharma firms accomplish this by establishing key risk indicators (KRIs) that are mapped to key performance indicators (KPIs) and by using technology, such as dashboards, to monitor and report on risk. They must deploy GRC technology that integrates with enterprise resource planning (ERP) systems, such as SAP, Siebel for CTMS and Sales, SAS, or Oracle, to actively communicate these KRIs.

Federated ERM Delivers Tangible Benefits

Because of their large size, international operations, and complex regulatory burdens, pharma firms succeed when they adopt a federated model for ERM, one that takes a hybrid approach between a completely centralized and a completely decentralized (siloed) model. With a federated approach, pharma companies distribute ERM responsibility to business units and brands, while centralizing accountability under the chief risk and compliance officer. A federated model helps maintain consistent policies, standards, architecture, and metrics, while ensuring that risk and compliance metrics are properly and confidentially monitored across the organization. Moving to a federated risk management approach, pharma will experience:

A better balance of risk and reward across the product portfolio. Moderating risk in a highly competitive and regulated environment requires pharma firms to manage drug portfolios across a long product life cycle and to counteract changes in competitive environments, supply, litigation threats, foreign exchange exposure, price controls, and patent protection. A federated model implements a consistent GRC architecture with distributed responsibilities to monitor, measure, and manage the drug portfolio life cycles from filing through expiration, and it further monitors diversification and intellectual property to hedge against future risk.

Reduced fines. Even as the US Department of Justice (DOJ), state attorneys general, and the HHS expand their enforcement activities and investigate more than 500 drugs from 150 US and European companies, current trends indicate that these numbers and the size of the individual penalties will only rise. Firms operating under consent decrees today learned the hard way that a federated ERM model not only keeps firms from running afoul of regulators but can also reduce the severity of fines by showing a proactive, executive commitment to corporate governance.

Earlier visibility into litigation threats. New litigation and court trials are a constant threat, and pharma stakeholders should avoid seeing potential courtroom battles as a way to drive prioritization. Instead, a federated ERM approach with executive oversight can monitor the market, use lessons learned from previous cases to increase the risk intelligence inside pharma organizations, and make employees more aware and vigilant about the risk issues that can result in legal action.


More productive M&A and biotech partnerships. Large pharma firms that apply a federated ERM architecture and risk management metrics to partnerships gain greater visibility into partner or supplier productivity. They can spot material events, such as a particularly innovative drug candidate or unexpected changes in a clinical trial, and respond faster to changes in external partnership circumstances, unanticipated competition, or the acquisition of partners or competitors during mergers.

TECHNOLOGY SELECTIVELY APPLIED BOOSTS PHARMA'S MOVE TO ERM

Pharma firms can't model, measure, and manage risk without technology. Most firms have just begun to take a risk-based approach to operational management and lack the mature compliance structure, executive office, staff, and technology required to assess risk and compliance companywide.

Software Providers Deliver Key ERM Components

Where compliance was once managed with spreadsheets, documents, and homegrown applications, software platforms have emerged that drive value through consistent collection and processing of compliance information (see Figure 5). A variety of risk and compliance software providers now service the pharma market. Vendor offerings range from applications that focus on specific compliance issues to broader GRC platforms with functionality across the phases of the pharma life cycle, including product development and approval, manufacturing and distribution, and marketing and promotion (see Figure 6).

The first step down the ERM technology road is to look at existing technology investments, including ERP, enterprise content management (ECM), business process management (BPM), and dashboards, and integrate them into a common GRC architecture (see Figure 7). The goal? Set a technology strategy that allows pharma firms to combine disparate compliance and governance technologies into a coherent environment for managing risk across the enterprise. Pharma firms accomplish this by either:

Integrating specialty products . . . Firms select applications aimed at silos of pharma risk, such as corrective and preventive action (CAPA), corporate integrity, QA/manufacturing, clinical trials, and aggregate their individual risk outputs into an ERM dashboard.

. . . or replacing siloed systems with a holistic GRC platform. For this option, a pharma firm implements a dominant platform that provides a single system of record to monitor risk and compliance across the organization.


Figure 5 GRC Management Vendor Landscape In Pharma

Business cycle phases (columns): Product development and approval; Manufacturing and distribution; Marketing and promotion

Pharma GRC offering

Amadeus International: The Amadeus eQCM solution is a process control platform for the management of highly regulated processes involving risk, governance, EH&S, and GxP processes.
AssurX: The CATSWeb platform provides a system for compliant tracking and reporting for pharma companies.
Axentis: Axentis Enterprise is a broad GRC platform with a particular strength in corporate integrity agreement management.
CIMCON Software: Provides solutions to manage FDA 21 CFR Part 11, document and data management, change control, and GAMP4-based validation.
Datasweep: Provides a system for managing GxP processes and compliance.
Dendrite International: State Compliance Solutions helps pharma manage the policies and regulatory requirements across the pharma life cycle.
EtQ: The FDA Compliance Management System is a Web platform that documents and maintains quality assurance practices.
IBM: Enables compliance across clinical trials, submissions, GxPs, and contracts through an integrated enterprise approach to GRC with a single view across systems.
Merit Solutions: Provides software solutions for life sciences focusing on GMP compliance.
MetricStream: The QualityStream application enables companies to manage compliance processes across quality and CAPA requirements.
NetRegulus: Provides software to assess risks associated with adverse events and product quality issues.
Pilgrim Software: Provider of quality management solutions for global organizations, including GxP, document/training, and CAPA/complaints processes.
Plateau Software: LMS facilitates training and communication requirements derived from compliance requirements.
QUMAS: The QCompliance Suite enables enterprise quality assurance and regulatory compliance management through a single platform.
Sparta Systems: The TrackWise platform provides quality management and regulatory affairs management.
Stelex: Provides software to manage manufacturing quality and control.

Legend: Primary area of focus for this platform; Platform has the right features but not as broad adoption, or partially supports requirements in this area; Does not meet requirements in this area

Source: Forrester Research, Inc.

Figure 6 ERM Gains Seen Across The Pharma Business Cycle

Business cycle phases (columns): Product development and approval; Manufacturing and distribution; Marketing and promotion

CAPA management problem (large pharma company)
History of poor management oversight within their internally developed process. Corrective actions took too long to investigate or implement. An unacceptable percentage of the actions were either marginally effective or completely ineffective.
Resolution and benefits: Firm implemented NetRegulus. Software enabled managers to stay on top of priority items and resolve issues earlier and more effectively.

Manufacturing GMP problem (Belgium pharma company)
Lacked a single platform to monitor all operational processes from manufacturing plants in Europe to chemical manufacturing worldwide.
Resolution and benefits: Used QUMAS QCompliance Suite as a single platform for compliance documentation and process management. Gained insight into compliance and risk issues earlier through consistent reporting across the organization.

Corporate integrity agreements (CIAs) (various)
US DOJ and state attorneys general issue corporate integrity agreements against firms for Medicaid/Medicare abuse and government pricing/discounting inconsistencies.
Resolution and benefits: Implemented Axentis as a centralized platform for solving accountability and management problems related to CIAs. Firms were able to reduce fines and decrease CIA terms by demonstrating advanced accountability practices.

Source: Forrester Research, Inc.

Figure 7 Pharma Components Of GRC Architecture And Framework

Layers and definitions

Reporting: Provides the monitoring interface and ability to track KPIs and KRIs.
Process: Provides the collaboration and process management of pharma risk and compliance processes (e.g., CAPAs, complaint handling, QA).
Business rules: Contains the business rules for risk in compliance in pharma (e.g., 21 CFR Part 11, workflows, GxP).
Records management: Handles the retention, disposition, and destruction of the content layer.
Content: Forms the base of the pharma GRC stack to store metadata and content.
Data integration: Provides the data consolidation and integration with ERP systems and databases.

Source: Forrester Research, Inc.

The latter, holistic approach allows firms to manage GRC as a complete (nonfragmented), federated enterprise initiative. Pharma firms are finding that many of the FDA regulations (and those from other regulatory bodies, such as the SEC) have substantial overlaps, especially in the areas of roles and responsibilities, traceability of actions, documentation, and validation. With simpler audits and fewer processes around change control, pharmaceutical firms can realize a substantial cost savings in both implementation and sustained compliance. This also supports pharma's efforts to comply with recent regulatory trends such as the FDA's 21st Century initiative, which aims to drive pharma from a siloed approach historically aimed at quality by inspection to an enterprise approach focused on quality by design. This move to quality by design requires the aggregation and communication of risk information across the pharma life cycle. Risk agility is tied to the implementation of an enterprisewide GRC platform, commensurate with the degree of risk and the degree of intelligence about the risk, that manages ERM. Many pharma companies are implementing a defined GRC architecture that ties this all together as part of revamping or consolidating legacy ERP systems, often in a service-oriented architecture (SOA) type of format. A defined GRC architecture linked into the broader enterprise architecture can provide an ERM dashboard across multiple pharma ERP systems.

What Are The Key Capabilities Of GRC Platforms?

GRC platforms enable pharma companies to establish a platform that maintains a single and consistent system of record for enterprise risk and compliance while managing the intricacies and relationships of risk and compliance. Pharma must use GRC platforms to create a centralized hub of risk and compliance documentation, assessment, analysis, and loss information from every part of the business. GRC platforms feature capabilities in four areas:

Policy, procedure, and control documentation. GRC platforms allow for the development, documentation, and communication of policies, procedures, and controls to the entire business environment. Pharma firms can provide one complete system of record for compliance documentation and communication across the organization.

Risk and control assessment. GRC platforms manage and survey various areas of the business to assess risk, compliance, and controls across the business environment. Pharma firms can have a consistent approach to assessing controls, leveraging assessments, and measuring quality assurance for compliance requirements.

Risk analytics. GRC platforms use metrics derived from policy and control documentation, combined with the data gathered in risk and control assessments, to quantify and model risk to the business. Pharma firms can measure and report on KRIs and their potential impact on business performance to management.


Loss, event, and investigations management. GRC platforms collect records for tracking organization losses, events, gaps in controls, and audit findings while facilitating the investigation and response process. Pharma firms can maintain a centralized record for CAPA, complaints, and adverse events.

GRC platforms allow for these four capabilities by integrating content management, BPM, and workflow capabilities with dashboard and business intelligence functionality. Firms should select vendors according to how well they fill identified gaps in ERM functionality requirements. Those firms focused on obtaining a core GRC system will find that Axentis, IBM, and QUMAS are the primary platforms offering the breadth of GRC capabilities across the pharma life cycle today. Those focused on integrating specialty software products into their GRC architecture will want to closely evaluate the software's ability to integrate with other systems through open APIs. Many of these specialty vendors also see the ERM writing on the wall and are quickly executing strategies that expand their offerings into a more holistic GRC platform.

Professional Service Firms Provide The GRC Integration Know-How

Professional services firms (PSFs) can help pharma risk managers develop risk and compliance processes and integrate technology to support them (see Figure 8). While their offerings can overlap, PSFs that assist pharma in enterprise risk and compliance can be categorized across three domains:

Audit and advisory. All of the major audit firms have practices dedicated to the life sciences industry. These PSFs help pharma to architect and execute risk and compliance strategies that start at the board and the executive level and drill down into the various business units, controls, and processes. Pharma should look to audit and advisory firms to educate management on the need for enterprise risk and compliance and demonstrate how risk management as a business strategy leads to top-line productivity, not just risk mitigation and legal cost avoidance (see endnote 10).

Consulting. Following the execution of a GRC strategy is the implementation and integration of required processes and supporting technology. While the major audit and advisory firms have the personnel in place to execute a risk and compliance strategy, consulting firms support and fill out this work as it drives deep into the implementation and integration of business and technology.

Legal. The waters of risk and compliance are infested with litigation and regulatory sharks that can quickly degrade compliance and brand. Legal firms play an important role in educating and guiding pharma firms through tricky interpretations of regulatory ruling, litigation, and case law.


For any given part of ERM across the pharma life cycle, all three of these PSF domains have their relevant role. While there is overlap between the offerings and capabilities in these three categories (specifically between the audit and advisory PSF role and the consulting PSF role), an organization can expect an audit and advisory firm to define the ERM vision and gain executive support, the consulting role to build the ERM processes and integrate technology, and the legal role to provide the legal opinion and guidance to validate that legal requirements are met.

Figure 8 Professional Services Firms Focused On Pharma Risk And Compliance

| Category | Firm | Description |
|---|---|---|
| Audit and advisory | Deloitte | Deloitte's Life Sciences & Healthcare industry practice has risk and compliance expertise across audit, advisory, tax, and consulting to ensure risk and compliance solutions are integrated into business processes. |
| Audit and advisory | KPMG International | KPMG's Global Pharmaceuticals practice is staffed by industry-focused teams that bring broad experience at both executive and operational levels to help pharma companies manage risk and compliance. |
| Audit and advisory | PricewaterhouseCoopers | PricewaterhouseCoopers' global pharma practice has broad experience in delivering performance improvement and compliance and risk management services. It has been particularly successful in corporate integrity agreement work. |
| Consulting | IBM | IBM Business Consulting Services has specific capabilities that enable it to integrate risk and compliance into the technology and business process architecture. |
| Consulting | McKinsey & Company | McKinsey's Pharmaceuticals & Medical Products practice provides a range of consulting services to help pharma firms architect business processes to manage risk and compliance. |
| Consulting | Polaris Management Partners | Polaris Management Partners is a management consulting firm focused on helping life sciences companies with compliance around finance, sales, and marketing processes. |
| Consulting | Protiviti | Protiviti provides risk management services to the life sciences industry, focusing on internal audit outsourcing and co-sourcing, sales, marketing and medical affairs compliance, and revenue risk management. |
| Law | Arnold & Porter | Arnold & Porter offers a life sciences legal practice designed to help clients respond quickly to the new competitive demands created by the ongoing revolution in pharma. |
| Law | King & Spalding | King & Spalding has a pharmaceutical practice assisting clients in aspects of patent prosecution, patent litigation, international patent oppositions, licensing, financing, FDA regulatory matters, products liability, and corporate counseling and transactions. |

Source: Forrester Research, Inc.


RECOMMENDATIONS

MEASURE THE RISK PROFILE AND TAKE AN ERM APPROACH BASED ON MATURITY

Rather than foundering under a wave of regulatory mandates and legal challenges, pharma companies must recognize both the imperatives and the benefits of a structured approach to ERM. How structured an approach and where to start depends on a firm's risk management maturity and on its current level of GRC platform investment. Treating risk management as separate from compliance and validation will no longer work. To make an enterprisewide approach to risk successful, pharma companies should:

Define the firm's risk appetite at the board and the executive level. Recognizing pharma's traditionally conservative approach to risk, risk executives and their staff must determine whether the risk/reward profile of the firm is consistent with current business objectives. Based on this assessment and the level of alignment found, pharma risk managers and compliance professionals must determine whether the firm's risk maturity level and technology budget support a novice, engaged, or advanced ERM approach.

Integrate risk and compliance at the novice stage. Risk managers should break down the walls between quality assurance and regulatory silos not only to fill in GRC architecture gaps but also to create a single, consistent framework for managing risk across organizational boundaries and processes. Novice ERM firms should use risk management metrics to communicate that compliance is not simply about keeping regulators happy but also about building strong governance practices throughout the firm that can sustain long-term change.

Make risk monitoring and measurement part of current SOP at the engaged stage. Pharma firms should incorporate monitoring, corrective action, remediation, risk analytics, and reporting process and technology into standard operating procedures (SOP), supported by a data model that allows risk managers to examine data by product, region, agency, or process. This will allow engaged firms to leverage their GRC architecture and forecast risk across their product portfolios, business operations, and legal matters while staying abreast of changes in the regulatory landscape.

Implement an executive risk management dashboard at the advanced stage. Firms at the advanced stage of ERM maturity must leverage technology to expose daily processes, with clear definitions of control points and responsibilities, and categorize the associated risks by severity and probability of occurrence. Senior management should help establish risk severities and definitions to ensure that the executive team understands how their individual decisions expose the firm to different types of risk.

Because the vendor landscape for ERM is so large and fragmented today, pharma firms should work with PSFs to set ERM strategy and close technology gaps in their GRC architecture. Pharma firms auditing pricing and commercial business practices and needing an overall risk management strategy that incorporates the findings should consider working with PricewaterhouseCoopers, a firm with a demonstrated record in corporate integrity agreement and code of conduct work. Firms that need financial and operational risk profiling should consider working with KPMG, a firm that has demonstrated the value in moving risk management from detect-and-correct toward a broader approach to reducing earnings volatility.

WHAT IT MEANS

PHARMA LEVERAGES ERM PRACTICES TO RAISE PERFORMANCE

Pharma firms that adopt ERM approaches backed by a GRC architecture and executive sponsorship in the form of a chief risk or compliance officer will outdistance their competition as they:

Foresee and address major industry landscape changes. During the past five to seven years, pharma underwent unprecedented change in marketing, research, and sales stemming from changes in direct-to-consumer advertising, the FDA's Critical Path initiative, and the growth in online pharmacies and alternative suppliers. The rate of change will only increase as the populations in nations such as Canada, Japan, Western Europe, and the US age. Firms with mature corporate governance processes and GRC architectures will better anticipate and adapt to the major structural, cultural, operational, and technological changes that unpredictable market changes will create.

Drive business performance improvements by managing risk. Adopting a risk-based approach to corporate oversight allows pharma firms to respond to competitive or threatening issues from a performance enhancement, rather than risk response, perspective. For example, risk-rating applications let firms reduce onerous validation efforts required by an exhaustive approach to compliance. Risk management technology and programs applied in this manner produce tangible business benefits, such as reduced operational cost and streamlined system validation, and move risk management from a cost of compliance to a business performance management tool.

Improve reporting transparency and accuracy. Using risk and compliance will enhance not only the flow and efficiency of internal processes, data, and information systems but will also improve a firm's response to new and complex compliance challenges. As regulators, external stakeholders, and a skeptical public require more accurate and transparent reporting, pharma firms that use risk intelligence data to monitor their own internal activities will be more willing to expose their well-governed processes to closer scrutiny.


SUPPLEMENTAL MATERIAL

Companies Interviewed For This Document

Amadeus International
Arnold & Porter
AssurX
Axentis
CIMCOM Software
Datasweep
Deloitte
Dendrite Software
EtQ
Gilead
Human Genome Sciences Incorporated
IBM
Janseen Pharmaceuticals
King & Spalding
KPMG International
Leiner Health Products
McKinsey & Company
Merit Software
MetricStream
NetRegulus
Pilgrim Software
Plateau Software
Polaris Management Partners
PricewaterhouseCoopers
Protiviti
QUMAS
Sparta Systems
Stelex

ENDNOTES

1. Manufacturers, distributors, and life sciences technology providers are struggling to overhaul their drug tracking practices before regulators mandate more expensive and unwanted solutions starting in mid-2006. See the September 21, 2005, Market Overview "Pharma Won't Meet ePedigree Deadlines."

2. While pharma companies currently send many of the same IT activities offshore as other industries, such as software maintenance and desktop support, Forrester's Business Technographics data shows that within the next 12 months, drug firms plan to increase the amount of custom application development done abroad. See the March 8, 2006, Trends "Pharma Takes Custom App Development Offshore."

3. The risk profile of pharma companies is increasing and hitting board-level concerns. This is revealed in an enlightening report by KPMG International. Source: Pressure Points: Risk Management in the Pharmaceuticals Industry, KPMG International (http://www.kpmg.ca/en/industries/cib/biotech/documents/pressurePoints.pdf).

4. In a report sponsored by KPMG, Wayne Guay, associate professor of accounting at Wharton, analyzed pharmaceutical company performance measures, including cash flow, net income, sales, and returns on investment, and compared these findings to companies listed on the S&P 500 index. Over a 13-year period ending in 2004, pharma companies proved to be 50% riskier, with both positive and negative events exercising a pronounced effect on shareholder value and reputation. Source: Pressure Points: Risk Management in the Pharmaceuticals Industry, KPMG International (http://www.kpmg.ca/en/industries/cib/biotech/documents/pressurePoints.pdf).

5. This figure is approximate, as reported by interviewees to Forrester during our research for this report.

6. Forrester conducted an online survey of 10,073 US and Canadian individuals who are members of Survey Sampling International's online panel. Forrester Research weighted the data by age, gender, income, broadband adoption, and country to demographically represent the adult North American population. Survey Sampling fielded the survey in October 2005. Source: Forrester's Consumer Technographics Q4 2005 North American Healthcare, Customer Experience, and Retail Online Survey. This is further supported by a Harris Interactive Survey, which found in 1997 that 79% of adults in the US believed pharma was doing a good job in serving their customers; this number went down to 44% in 2004.

7. Pharma manufacturers and distributors must step up their use of RFID to understand how to collect and manage drug supply chain data while preventing any inappropriate uses that compromise consumer privacy. See the February 22, 2006, Trends "Pharma Faces Privacy Challenges On The Road To RFID Adoption."

8. As defined by the FDA, pharmacovigilance is: ". . . all scientific and data gathering activities relating to the detection, assessment, and understanding of adverse events. This includes the use of pharmacoepidemiologic studies. These activities are undertaken with the goal of identifying adverse events and understanding, to the extent possible, their nature, frequency, and potential risk factors." Source: Guidance for Industry Good Pharmacovigilance Practices and Pharmacoepidemiologic Assessment, March 2005, (http://www.fda.gov/cder/guidance/6359OCC.htm).

9. Increased risk and regulatory pressures in a distributed enterprise propel organizations to craft consistent game plans for centralizing GRC oversight. Convergence of risk management and corporate oversight activities are the key trends across all industries in 2006. See the December 13, 2005, Trends "Trends 2006: Enterprise Risk And Compliance."

10. In particular, during interviews with Forrester, KPMG demonstrated capability in understanding ERM drivers on business and concerns at the executive level down deep into the organization (this is further illustrated in their insightful report previously cited, Pressure Points: Risk Management in the Pharmaceuticals Industry) while PricewaterhouseCoopers demonstrated a unique understanding of and capabilities in working with pharma firms in response to corporate integrity agreements issued by the US DOJ.
