forrestor on pharma erm

Helping Business Thrive On Technology Change

April 24, 2006

Pharma Risk Managers: ERM Is In Your Future

by Michael Rasmussen and Laura Ramos

BEST PRACTICES



© 2006, Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, Forrester’s Ultimate Consumer Panel, WholeView 2, Technographics, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Forrester clients may make one attributed copy or slide of each figure contained herein. Additional reproduction is strictly prohibited. For additional reproduction rights and usage information, go to www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. To purchase reprints of this document, please email [email protected].

BEST PRACTICES

Includes Consumer Technology Adoption Study data

EXECUTIVE SUMMARY

Pharma risk managers and compliance professionals face increasing regulatory scrutiny and market pressures that amplify both business and operational risk. To keep from drowning under a rising tide of agency mandates, legal precedents, and financial controls, pharma must abandon its reactive, functional approach to risk mitigation in favor of a more proactive and structured enterprise risk management (ERM) response. Key software providers and professional services organizations stand ready to help pharma firms build governance, risk, and compliance (GRC) processes and the supporting technology platforms needed to efficiently detect and deter risks, driving top-line business performance improvements through widely applied risk management processes.

TABLE OF CONTENTS

Intense Regulatory Scrutiny Raises The Risk Burden For Pharma

Pharma Firms Feel The Heat Of Business Risk

ERM Is Pharma’s Rx For Compliance And Risk Management

Federated ERM Delivers Tangible Benefits

Technology — Selectively Applied — Boosts Pharma’s Move to ERM

Software Providers Deliver Key ERM Components

What Are The Key Capabilities Of GRC Platforms?

Professional Service Firms Provide The GRC Integration Know-How

RECOMMENDATIONS

Measure The Risk Profile And Take An ERM Approach Based On Maturity

WHAT IT MEANS

Pharma Leverages ERM Practices To Raise Performance

Supplemental Material

NOTES & RESOURCES

Forrester interviewed 18 vendor and user companies, including: AssurX, Gilead, IBM, Janssen Pharmaceuticals, KPMG International, Leiner Health Products, Pilgrim Software, PricewaterhouseCoopers, and QUMAS.

Related Research Documents

“The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q1 2006” March 16, 2006, Tech Choices

“The Promise Of Next-Gen eClinical Trial Software” March 15, 2006, Market Overview

“Pharma Faces Privacy Challenges On The Road To RFID Adoption” February 22, 2006, Trends

“Trends 2006: Enterprise Risk And Compliance” December 13, 2005, Trends

“Seven Habits Of Highly Effective Compliance Programs” July 12, 2005, Best Practices

April 24, 2006

Pharma Risk Managers: ERM Is In Your Future

Key Vendors And Service Providers Offer Fundamental ERM Building Blocks Today

This is the first document in the “Industry Perspectives On Risk And Compliance” series.

by Michael Rasmussen and Laura Ramos
with Bradford J. Holmes, Laurie M. Orlov, Alyssa L. Baer, and Samuel Bright


Best Practices | Pharma Risk Managers: ERM Is In Your Future

© 2006, Forrester Research, Inc. Reproduction Prohibited April 24, 2006


INTENSE REGULATORY SCRUTINY RAISES RISK BURDEN FOR PHARMA

Regulatory compliance is the centerpiece of risk management and governance in the life sciences industry. Firms that fail to comply with regulations — and a growing number of financial assurance and legal precedent requirements — set by these agencies will suffer shutdowns in manufacturing operations, product withdrawals, fines, lawsuits, revenue loss, and tarnished reputations. Operational risk, as well as regulatory compliance, places a greater burden on pharma risk managers because:

· Regulations apply across the entire product life cycle in pharma. Compared with other industries, the risk and compliance profile spans the full pharma product life cycle — from invention to testing, manufacturing, and marketing (see Figure 1). Unlike service delivery in banking or product safety in the automotive industry, pharma must manage risk across a broader range of intellectual property management, clinical (public) trials, submissions, operational validation, privacy, sales practices, and brand reputation management activities.

· International operations and markets increase complexity. The companies that produce drugs are some of the world’s largest and most globally distributed firms. They must not only control far-ranging operations — as Chiron failed to do when its flu vaccine production in Liverpool, UK violated US FDA good manufacturing practices (GMP) regulations — but also navigate a complex set of local restrictions on promotional and sales activities, which vary across every border.

· Multifaceted partner relationships dominate. Worldwide drug supply chains include a complex network of manufacturers, wholesalers, secondary distributors, and retailers, all with independent risk mitigation issues. Due to varying chargeback and rebate practices, different participants, including hospitals, dispensing physicians, clinics, elder care facilities, pharmacies, retail chains, or the government, see a wide range of discounts, which complicates contract management. Secondary buying and selling opens the door to counterfeit drugs and threatens consumer safety. Lawmakers at the federal and state level want technology, such as RFID, electronic signatures, and tracking applications, used in the supply chain to ensure that products flow from the manufacturer to the destination without risk of theft or tampering.1

· Mergers and acquisitions complicate business operations. During the past seven years, the pharma industry has seen record merger activity in both number and size. Rapid M&A activity creates broken and inefficient processes as companies struggle to integrate new operations while maintaining regulatory validation. Pharma’s growing use of outsourced or offshore vendors to supplement internal resources for clinical trial data management, application development, and IT system management further complicates the operational landscape.2


· Product mishaps cause serious, highly visible damage. Because they affect consumer health, product failures can devastate firms’ reputations, brand identities, and financial performances. Before Vioxx, other drugs such as Paxil (an antidepressant that reportedly increased suicidal tendencies in teens) and Baycol (a cholesterol-lowering medicine that was recalled after reports of muscle damage) suffered expensive recalls or large class action suits when manufacturers failed to mitigate risks in clinical research, efficacy trials, quality assurance, or abuse.

Figure 1 Risk And Compliance Requirements That Pharma Faces Across The Business Cycle

Product development and approval

Scope of compliance/risk in each business area: Manage research and development to build and diversify drug portfolio. Regulations require firms to document the development process, clinical trials, and safety data.

Pharma-specific compliance and risk examples:

• R&D good clinical practices
• New compound/product portfolio
• Therapeutic/research portfolio
• Toxicology
• Clinical trials: Phase I-III
• Regulatory affairs
• Labeling and annual reporting (SPL, PLR)

Manufacturing and distribution

Scope of compliance/risk in each business area: Validate that processes, facilities, and controls to manufacture, package, and hold a drug meet safety, identity, quality, and purity standards in accordance with approved drug formulation, efficacy profile, and labeling regulation.

Pharma-specific compliance and risk examples:

• Inventory security vaulting
• Manufacturing system validation (GMP)
• Environmental health and safety
• Process and analytical technology (PAT)
• Audits/quality control
• Sample accountability
• Chain of custody, pedigree, counterfeit/theft prevention

Marketing and promotion

Scope of compliance/risk in each business area: Record ongoing consumer safety and report on potential risks and adverse events. Manage brand reputation and avoid expensive litigation. Increase visibility into previous stages to minimize liability/culpability that the firm may bear.

Pharma-specific compliance and risk examples:

• Brand/reputation management
• Litigation, preservation holds
• Medical affairs
• AERS — adverse events safety warnings/reporting
• Phase IV trials
• Safety signal data mining
• Corporate integrity, fraud, and abuse

Source: Forrester Research, Inc. 38030

Pharma Firms Feel The Heat Of Business Risk

Pharma firms face a growing share of financial risks as well. In a study of risk in the pharma industry, KPMG revealed that the top 20 pharma firms disclosed more risks — often with greater severity — in their financial reports between 1998 and 2003. By 2003, more than half cited underdeveloped product pipelines, changes in accounting standards, and product launch problems as risks to ongoing operations — issues that barely made their radar screens five years earlier.3


More recently, KPMG-sponsored research conducted by the Wharton School of the University of Pennsylvania shows that pharma industry stocks are more susceptible to bad news than the overall Standard and Poor’s (S&P) 500 index.4 In addition to these operational risks, pharma firms also worry about:

· Rising audit burdens, inspections, and fines. The list of US and international regulations is longer than ever, and the consequences for noncompliance are growing (see Figure 2 and see Figure 3). Pharmaceutical companies paid more than $3 billion in regulatory settlements and criminal fines since 2000 as the US Department of Health & Human Services (HHS) Office of the Inspector General (OIG) and state attorneys general put their sales, pricing, and promotional activities under closer scrutiny.5 Major firms, such as Abbott Laboratories, Schering-Plough, and TAP Pharmaceutical Products, have corporate integrity agreements that require them to document their business practices and demonstrate to auditors that their pricing and marketing practices are pristine.

· Tarnished reputations. Waning consumer confidence introduces further risk to the pharma industry as well as to brand reputations. In 2005, 53% of respondents to the Consumer Technographics® Q4 2005 North American Healthcare, Customer Experience, and Retail Online Survey did not feel that drug companies accurately presented product benefits and risks in their advertising.6 Public mistrust leads to further regulations. It also increases risk mitigation costs and activities, as well as financial and reputation risks should noncompliance occur.

· High-visibility privacy issues. With the growth of online pharmacies, global clinical trials, and electronic medical records, pharma firms face an increased risk of inadvertently exposing patient information. The bulk of privacy concerns today centers on clinical trial information — who participated in which types of trials — but also extends to employee data and the extent to which employers should know about the drugs their workers take. Finding the right solution is difficult because certain solutions, such as using RFID technology to track pills, lead to privacy concerns should wrongdoers misuse the technology.7

· The pressure to track consumer usage. As the public, media, academics, and lawmakers debate whether clinical trials can detect medical risks adequately, despite growing effort and costs, pharma firms will have to employ pharmacovigilance: tracking consumer use more carefully to identify and evaluate safety signals earlier.8 Firms must continuously monitor the entire history and life cycle of a drug and expressly manage its risk.

· The fragmentation of enterprise remedies. To keep global operations running smoothly, large pharma firms decentralize compliance and governance in business units and treat business risks, compliance, and quality control as completely separate activities. They typically use a variety of vendor solutions, often implementing them in functional silos, and are only now beginning to look at integration into a broader risk and compliance management platform.


Figure 2 Global Regulations Affecting Pharma Risk

Columns: Regulations and scope; R&D; Trials; Approvals; Manufacturing; Distribution; Marketing; Safety

Legend: Primary area of focus; Secondary area of focus; No significant focus in this area

Current Good Practices (cGxP) — FDA 21 CFR Parts 210, 211, 221, 600, 610
Referred to collectively as "cGxP" — with the “x” representing manufacturing, laboratory, clinical, or distribution — these rules form the core FDA regulations for quality and control.

Corrective and Preventive Actions (CAPA)
CAPA requirements manage quality control. A corrective action eliminates the causes of an existing nonconformity, defect, or other undesirable situation in order to prevent recurrence. Preventive action eliminates the cause of a potential nonconformity, defect, or other undesirable situation (ISO 8402).

Environmental, Health & Safety (EH&S)
The CDC regulates the possession, use, and transfer of select agents and toxins that pose a threat to public health and safety. Regulations require greater tracking of the amount, location, and security of potent viruses and bacteria, and background checks and restrictions on those who research these agents.

Corporate Integrity Agreements
Delivered as corrective actions and penalties from the Department of Justice, require pharmaceutical companies to react quickly to issues related to Medicaid/Medicare abuse, sales and marketing abuse, and government pricing issues.

The FDA’s “21st Century” initiative
2004 FDA report highlighting specific steps the agency will take to develop and implement quality systems management and a risk-based, product-quality regulatory system.

Clinical Trial Directive to the European Commission (2001/20/EC)
Regulates clinical trials conduct; protects the rights, safety and well-being of trial participants; simplifies governing clinical trials across nations; and establishes procedures to harmonize trial conduct in the European Union to ensure the credibility of results.

Source: Forrester Research, Inc. 38030


Figure 3 Pharma Regulations Affecting Operational Risk

Columns: Regulations and scope; R&D; Trials; Approvals; Manufacturing; Distribution; Marketing; Safety

Legend: Primary area of focus; Secondary area of focus; No significant focus in this area

Electronic Common Technical Document (eCTD)
In 2005, the FDA revised electronic submissions guidance to include electronic common technical document (eCTD) specifications. This guidance expects to enhance the receipt, processing, and review of electronic submissions to the FDA.*

Prescription Drug Labeling — Physician's Labeling Rule (PLR)
Drug labeling is the primary means of providing critical information about drugs to practitioners. In January 2006, the FDA announced that US product inserts (USPIs) must highlight important facts, summarize info, and organize label content for easier offline and online navigation.†

Structured Product Labeling (SPL)
Starting in 2005, the FDA required drug manufacturers to submit prescribing and product information in SPL format in a human- and machine-readable format. Using XML, SPL makes information in FDA-approved package inserts (labels) more structured and accessible.§

Periodic Safety Update Reports (PSUR)
The FDA Post Marketing Drug Risk Assessment (PMDRA) program requires PSURs to protect public health by summarizing interval safety data and overall safety evaluations. The PSUR includes updates on emerging or urgent safety issues, as well as major signal detection and evaluation.

Prescription Drug Marketing Act (PDMA)
This 1987 law aimed to prevent the wholesale distribution and sale of subpotent, adulterated, counterfeit, or misbranded prescription drugs.‡

Electronic Records — 21 CFR Part 11
FDA guideline that requires firms to ensure the authenticity, integrity, and confidentiality of electronic records. Also requires firms to document the installation (IQ), operational (OQ), and performance qualifications (PQ) of computerized systems, validating installation, configuration, and any ongoing change management.

*This guidance discusses issues related to the electronic submission of applications for human pharmaceutical products and related submissions, including abbreviated new drug applications (ANDAs), biologics license applications (BLAs), investigational new drug applications (INDs), new drug applications (NDAs), master files (e.g., drug master files), advertising material, and promotional labeling.

†Electronic drug label information will streamline the way physicians and patients access important prescribing information over the Internet. Source: February 3, 2006, Quick Take “New FDA Labeling Rule Will (One Day) Improve Drug Safety.”

‡Source: September 21, 2005, Market Overview “Pharma Won't Meet ePedigree Deadlines” and July 7, 2005, Best Practices “Authentication, Not RFID, Will Make Drugs Safer.”

§Source: October 24, 2005, Best Practices, “10 Steps To Pharma SPL Success,” October 24, 2005, Best Practices “Pharma Strategies To Meet SPL Deadline,” and September 13, 2005, Trends “SPL Will Propel Pharma Into XML Adoption.”

Source: Forrester Research, Inc. 38030


ERM IS PHARMA’S RX FOR COMPLIANCE AND RISK MANAGEMENT

Faced with increasing regulation, growing proof that fragmented departmental tactics fail, and higher corporate accountability bars, pharma risk managers can no longer afford to address departmental risks in isolation. Risks in pharma have become highly interdependent; a risk in one area of the organization can affect other areas. Risk interdependency will force the industry toward proactive approaches over the next 24 months.9 To address risk complexity, pharma risk managers and compliance professionals must develop ERM approaches that prevent or contain incidents, address exposures preventatively, and ferret out possible risks before they become serious problems. To get there, pharma must:

· Appoint a chief risk or compliance officer. Pharma boards must create an executive role responsible for the GRC architecture, ERM processes, and high-level GRC best practices. The top risk and compliance officer’s job should focus on increasing risk management awareness at all levels, setting corporate risk training requirements, and communicating risk mitigation progress through metrics and averted-risk cost savings (see Figure 4).

· Implement GRC platforms. To manage risk and compliance at an enterprise level, pharma companies must assess their current GRC platform technologies and make new investments as required. A common GRC platform is critical to building an ERM and compliance program. As pharma moves from a siloed to a federated risk and compliance model, the technology platforms’ ability to integrate and share data with other systems becomes critical.

Figure 4 Top Five Activities Top Pharma Risk Executives Should Do

1. Develop an ethics and control culture that is communicated through central, corporate policies and procedures and top-down, executive enforcement of risk management practices.

2. Improve executive and line management confidence in the organization’s operational and financial integrity.

3. Maintain accurate and timely risk information that enhances visibility, measurement, and control of risk while sharing risk across the organization.

4. Accurately measure risk and compliance through a consistent and systematic approach that departments can adopt and modify according to their independent requirements.

5. Measure risks not only at the system or project level but also from an organizationwide view of risk management that cuts across business units and processes.

Source: Forrester Research, Inc. 38030


· Develop risk intelligence. Pharma firms must become risk agile; that is, they must be up to date and aware of risk so that they can navigate around the risks safely. This agility will depend on defining a taxonomy of risks that affect their business performance and strategy, such as financial integrity, operational efficiency, and regulatory compliance. Pharma firms accomplish this by establishing key risk indicators (KRIs) that are mapped to key performance indicators (KPIs) and by using technology, such as dashboards, to monitor and report on risk. They must deploy GRC technology that integrates with enterprise resource planning (ERP) systems, such as SAP, Siebel for CTMS and Sales, SAS, or Oracle, to actively communicate these KRIs.

Federated ERM Delivers Tangible Benefits

Because of their large size, international operations, and complex regulatory burdens, pharma firms succeed when they adopt a federated model for ERM — one that takes a hybrid approach between a completely centralized and a completely decentralized (siloed) model. With a federated approach, pharma companies distribute ERM responsibility to business units and brands, while centralizing accountability under the chief risk and compliance officer. A federated model helps maintain consistent policies, standards, architecture, and metrics, while ensuring that risk and compliance metrics are properly and confidentially monitored across the organization. Moving to a federated risk management approach, pharma will experience:

· A better balance of risk and reward across the product portfolio. Moderating risk in a highly competitive and regulated environment requires pharma firms to manage drug portfolios across a long product life cycle and to counteract changes in competitive environments, supply, litigation threats, foreign exchange exposure, price controls, and patent protection. A federated model implements a consistent GRC architecture with distributed responsibilities to monitor, measure, and manage the drug portfolio life cycles from filing through expiration, and it further monitors diversification and intellectual property to hedge against future risk.

· Reduced fines. Even as the US Department of Justice (DOJ), state attorneys general, and the HHS expand their enforcement activities and investigate more than 500 drugs from 150 US and European companies, current trends indicate that these numbers — and the size of the individual penalties — will only rise. Firms operating under consent decrees today learned the hard way that a federated ERM model not only keeps firms from running afoul of regulators but can also reduce the severity of fines by showing a proactive, executive commitment to corporate governance.

· Earlier visibility into litigation threats. New litigation and court trials are a constant threat, and pharma stakeholders should avoid seeing potential courtroom battles as a way to drive prioritization. Instead, a federated ERM approach with executive oversight can monitor the market, use lessons learned from previous cases to increase the risk intelligence inside pharma organizations, and make employees more aware and vigilant about the risk issues that can result in legal action.


· More productive M&A and biotech partnerships. Large pharma firms that apply a federated ERM architecture and risk management metrics to partnerships gain greater visibility into partner — or supplier — productivity. They can spot material events, such as a particularly innovative drug candidate or unexpected changes in a clinical trial, and respond faster to changes in external partnership circumstances, unanticipated competition, or the acquisition of partners or competitors during mergers.

TECHNOLOGY — SELECTIVELY APPLIED — BOOSTS PHARMA’S MOVE TO ERM

Pharma firms can’t model, measure, and manage risk without technology. Most firms have just begun to take a risk-based approach to operational management and lack the mature compliance structure, executive office, staff, and technology required to assess risk and compliance companywide.

Software Providers Deliver Key ERM Components

Where compliance was once managed with spreadsheets, documents, and homegrown applications, software platforms have emerged that drive value through consistent collection and processing of compliance information (see Figure 5).

A variety of risk and compliance software providers now service the pharma market. Vendor offerings range from applications that focus on specific compliance issues to broader GRC platforms with functionality across the phases of the pharma life cycle, including product development and approval, manufacturing and distribution, and marketing and promotion (see Figure 6).

The first step down the ERM technology road is to look at existing technology investments, including ERP, enterprise content management (ECM), business process management (BPM), and dashboards, and integrate them into a common GRC architecture (see Figure 7).

The goal? Set a technology strategy that allows pharma firms to combine disparate compliance and governance technologies into a coherent environment for managing risk across the enterprise. Pharma firms accomplish this by either:

· Integrating specialty products . . . Firms select applications aimed at silos of pharma risk, such as corrective and preventive action (CAPA), corporate integrity, QA/manufacturing, and clinical trials, and aggregate their individual risk outputs into an ERM dashboard.

· . . . or replacing siloed systems with a holistic GRC platform. For this option, a pharma firm implements a dominant platform that provides a single system of record to monitor risk and compliance across the organization.


Figure 5 GRC Management Vendor Landscape In Pharma

Columns: Pharma GRC offering; Product development and approval; Manufacturing and distribution; Marketing and promotion

Legend: Primary area of focus for this platform; Platform has the right features but not as broad adoption, or partially supports requirements in this area; Does not meet requirements in this area

Vendors listed: Amadeus International; AssurX; Axentis; Datasweep; EtQ; Dendrite International; CIMCON Software; IBM; MetricStream; Merit Solutions; NetRegulus; QUMAS; Stelex; Sparta Systems; Plateau Software; Pilgrim Software

Offering descriptions:

• The Amadeus eQCM solution is a process control platform for the management of highly regulated processes involving risk, governance, EH&S, and GxP processes.
• The CATSWeb platform provides a system for compliant tracking and reporting for pharma companies.
• Axentis Enterprise is a broad GRC platform with a particular strength in corporate integrity agreement management.
• Provides solutions to manage FDA 21 CFR Part 11, document and data management, change control, and GAMP4-based validation.
• Provides a system for managing GxP processes and compliance.
• State Compliance Solutions helps pharma manage the policies and regulatory requirements across the pharma life cycle.
• The FDA Compliance Management System is a Web platform that documents and maintains quality assurance practices.
• Stelex: Provides software to manage manufacturing quality and control.
• The TrackWise platform provides quality management and regulatory affairs management.
• The QCompliance Suite enables enterprise quality assurance and regulatory compliance management through a single platform.
• LMS facilitates training and communication requirements derived from compliance requirements.
• Provider of quality management solutions for global organizations, including GxP, document/training, and CAPA/complaints processes.
• Provides software to assess risks associated with adverse events and product quality issues.
• The QualityStream application enables companies to manage compliance processes across quality and CAPA requirements.
• Provides software solutions for life sciences focusing on GMP compliance.
• Enables compliance across clinical trials, submissions, GxPs, and contracts through an integrated enterprise approach to GRC with a single view across systems.

Source: Forrester Research, Inc. 38030


Figure 6 ERM Gains Seen Across The Pharma Business Cycle

Business cycle stages: Product development and approval; Manufacturing and distribution; Marketing and promotion

CAPA management problem (large pharma company)

History of poor management oversight within their internally developed process. Corrective actions took too long to investigate or implement. An unacceptable percentage of the actions were either marginally effective or completely ineffective.

Resolution and benefits:

• Firm implemented NetRegulus.
• Software enabled managers to stay on top of priority items and resolve issues earlier and more effectively.

Manufacturing GMP problem (Belgium pharma company)

Lacked a single platform to monitor all operational processes from manufacturing plants in Europe to chemical manufacturing worldwide.

Resolution and benefits:

• Used QUMAS QCompliance Suite as a single platform for compliance documentation and process management.
• Gained insight into compliance and risk issues earlier through consistent reporting across the organization.

Corporate integrity agreements (CIAs) (various)

US DOJ and state attorneys general issue corporate integrity agreements against firms for Medicaid/Medicare abuse and government pricing/discounting inconsistencies.

Resolution and benefits:

• Implemented Axentis as a centralized platform for solving accountability and management problems related to CIAs.
• Firms were able to reduce fines and decrease CIA terms by demonstrating advanced accountability practices.

Source: Forrester Research, Inc. 38030

Figure 7 Pharma Components Of GRC Architecture And Framework

Layers and definitions:

• Reporting: Provides the monitoring interface and ability to track KPIs and KRIs.
• Process: Provides the collaboration and process management of pharma risk and compliance processes (e.g., CAPAs, complaint handling, QA).
• Business rules: Contains the business rules for risk in compliance in pharma (e.g., 21 CFR Part 11, workflows, GxP).
• Records management: Handles the retention, disposition, and destruction of the content layer.
• Content: Forms the base of the pharma GRC stack to store metadata and content.
• Data integration: Provides the data consolidation and integration with ERP systems and databases.

Source: Forrester Research, Inc. 38030


The latter, holistic approach allows firms to manage GRC as a complete (nonfragmented), federated enterprise initiative. Pharma firms are finding that many of the FDA regulations (and those from other regulatory bodies, such as the SEC) have substantial overlaps, especially in the areas of roles and responsibilities, traceability of actions, documentation, and validation. With simpler audits and fewer processes around change control, pharmaceutical firms can realize a substantial cost savings in both implementation and sustained compliance. This also supports pharma’s efforts to comply with recent regulatory trends such as the FDA’s 21st Century initiative, which aims to drive pharma from a siloed approach historically aimed at “quality by inspection” to an enterprise approach focused on “quality by design.” This move to “quality by design” requires the aggregation and communication of risk information across the pharma life cycle.

Risk agility is tied to the implementation of an enterprisewide GRC platform, commensurate with the degree of risk and the degree of intelligence about the risk, that manages ERM. Many pharma companies are implementing a defined GRC architecture that ties this all together as part of revamping or consolidating legacy ERP systems, often in a service-oriented architecture (SOA) type of format. A defined GRC architecture linked into the broader enterprise architecture can provide an ERM dashboard across multiple pharma ERP systems

What Are The Key Capabilities Of GRC Platforms?

GRC platforms enable pharma companies to establish a platform that maintains a single and consistent system of record for enterprise risk and compliance while managing the intricacies and relationships of risk and compliance. Pharma must use GRC platforms to create a centralized hub of risk and compliance documentation, assessment, analysis, and loss information from every part of the business. GRC platforms feature capabilities in four areas:

· Policy, procedure, and control documentation. GRC platforms allow for the development, documentation, and communication of policies, procedures, and controls to the entire business environment. Pharma firms can provide one complete system of record for compliance documentation and communication across the organization.

· Risk and control assessment. GRC platforms manage and survey various areas of the business to assess risk, compliance, and controls across the business environment. Pharma firms can have a consistent approach to assessing controls, leveraging assessments, and measuring quality assurance for compliance requirements.

· Risk analytics. GRC platforms use metrics derived from policy and control documentation, combined with the data gathered in risk and control assessments, to quantify and model risk to the business. Pharma firms can measure and report on KRIs and their potential impact on business performance to management.


· Loss, event, and investigations management. GRC platforms collect records for tracking organization losses, events, gaps in controls, and audit findings while facilitating the investigation and response process. Pharma firms can maintain a centralized record for CAPA, complaints, and adverse events.

GRC platforms allow for these four capabilities by integrating content management, BPM, and workflow capabilities with dashboard and business intelligence functionality.

Firms should select vendors according to how well they fill identified gaps in ERM functionality requirements. Those firms focused on obtaining a core GRC system will find that Axentis, IBM, and QUMAS are the primary platforms offering the breadth of GRC capabilities across the pharma life cycle today. Those focused on integrating specialty software products into their GRC architecture will want to closely evaluate the software’s ability to integrate with other systems through open APIs. Many of these specialty vendors also see the ERM writing on the wall and are quickly executing strategies that expand their offerings into a more holistic GRC platform.

Professional Service Firms Provide The GRC Integration Know-How

Professional services firms (PSFs) can help pharma risk managers develop risk and compliance processes and integrate technology to support them (see Figure 8). While their offerings can overlap, PSFs that assist pharma in enterprise risk and compliance can be categorized across three domains:

· Audit and advisory. All of the major audit firms have practices dedicated to the life sciences industry. These PSFs help pharma to architect and execute risk and compliance strategies that start at the board and the executive level and drill down into the various business units, controls, and processes. Pharma should look to audit and advisory firms to educate management on the need for enterprise risk and compliance and demonstrate how risk management as a business strategy leads to top-line productivity, not just risk mitigation and legal cost avoidance.10

· Consulting. Following the execution of a GRC strategy is the implementation and integration of required processes and supporting technology. While the major audit and advisory firms have the personnel in place to execute a risk and compliance strategy, consulting firms support and fill out this work as it drives deep into the implementation and integration of business and technology.

· Legal. The waters of risk and compliance are infested with litigation and regulatory sharks that can quickly degrade compliance and brand. Legal firms play an important role in educating and guiding pharma firms through tricky interpretations of regulatory ruling, litigation, and case law.


For any given part of ERM across the pharma life cycle, all three of these PSF domains have their relevant role. While there is overlap between the offerings and capabilities in these three categories (specifically between the audit and advisory PSF role and the consulting PSF role), an organization can expect an audit and advisory firm to define the ERM vision and gain executive support, the consulting role to build the ERM processes and integrate technology, and the legal role to provide the legal opinion and guidance to validate that legal requirements are met.

Figure 8 Professional Services Firms Focused On Pharma Risk And Compliance

Category: Audit and advisory

Deloitte: Deloitte’s Life Sciences & Healthcare industry practice has risk and compliance expertise across audit, advisory, tax, and consulting to ensure risk and compliance solutions are integrated into business processes.

KPMG International: KPMG’s Global Pharmaceuticals practice is staffed by industry-focused teams that bring broad experience at both executive and operational levels to help pharma companies manage risk and compliance.

PricewaterhouseCoopers: PricewaterhouseCoopers’ global pharma practice has broad experience in delivering performance improvement and compliance and risk management services. It has been particularly successful in corporate integrity agreement work.

Category: Consulting

IBM: IBM Business Consulting Services has specific capabilities that enable it to integrate risk and compliance into the technology and business process architecture.

McKinsey & Company: McKinsey’s Pharmaceuticals & Medical Products practice provides a range of consulting services to help pharma firms architect business processes to manage risk and compliance.

Polaris Management Partners: Polaris Management Partners is a management consulting firm focused on helping life sciences companies with compliance around finance, sales, and marketing processes.

Protiviti: Protiviti provides risk management services to the life sciences industry, focusing on internal audit outsourcing and co-sourcing, sales, marketing and medical affairs compliance, and revenue risk management.

Category: Law

Arnold & Porter: Arnold & Porter offers a life sciences legal practice designed to help clients respond quickly to the new competitive demands created by the ongoing revolution in pharma.

King & Spalding: King & Spalding has a pharmaceutical practice assisting clients in aspects of patent prosecution, patent litigation, international patent oppositions, licensing, financing, FDA regulatory matters, products liability, and corporate counseling and transactions.

Source: Forrester Research, Inc. 38030


RECOMMENDATIONS

MEASURE THE RISK PROFILE AND TAKE AN ERM APPROACH BASED ON MATURITY

Rather than foundering under a wave of regulatory mandates and legal challenges, pharma companies must recognize both the imperatives and the benefits of a structured approach to ERM. How structured an approach — and where to start — depends on a firm’s risk management maturity and on its current level of GRC platform investment. Treating risk management as separate from compliance and validation will no longer work. To make an enterprisewide approach to risk successful, pharma companies should:

· Define the firm’s risk appetite at the board and the executive level. Recognizing pharma’s traditionally conservative approach to risk, risk executives and their staff must determine whether the risk/reward profile of the firm is consistent with current business objectives. Based on this assessment and the level of alignment found, pharma risk managers and compliance professionals must determine whether the firm’s risk maturity level and technology budget support a novice, engaged, or advanced ERM approach.

· Integrate risk and compliance at the novice stage. Risk managers should break down the walls between quality assurance and regulatory silos not only to fill in GRC architecture gaps but also to create a single, consistent framework for managing risk across organizational boundaries and processes. Novice ERM firms should use risk management metrics to communicate that compliance is not simply about keeping regulators happy but also about building strong governance practices throughout the firm that can sustain long-term change.

· Make risk monitoring and measurement part of current SOP at the engaged stage. Pharma firms should incorporate monitoring, corrective action, remediation, risk analytics, and reporting process and technology into standard operating procedures (SOP), supported by a data model that allows risk managers to examine data by product, region, agency, or process. This will allow engaged firms to leverage their GRC architecture and forecast risk across their product portfolios, business operations, and legal matters while staying abreast of changes in the regulatory landscape.

· Implement an executive risk management dashboard at the advanced stage. Firms at the advanced stage of ERM maturity must leverage technology to expose daily processes, with clear definitions of control points and responsibilities, and categorize the associated risks by severity and probability of occurrence. Senior management should help establish risk severities and definitions to ensure that the executive team understands how their individual decisions expose the firm to different types of risk.

Because the vendor landscape for ERM is so large and fragmented today, pharma firms should work with PSFs to set ERM strategy and close technology gaps in their GRC architecture. Pharma firms auditing pricing and commercial business practices — and needing an overall risk management strategy that incorporates the findings — should consider working with PricewaterhouseCoopers, a firm with a demonstrated record in corporate integrity agreement and code of conduct work. Firms that need financial and operational risk profiling should consider working with KPMG, a firm that has demonstrated the value in moving risk management from detect-and-correct toward a broader approach to reducing earnings volatility.

WHAT IT MEANS

PHARMA LEVERAGES ERM PRACTICES TO RAISE PERFORMANCE

Pharma firms that adopt ERM approaches — backed by a GRC architecture and executive sponsorship in the form of a chief risk or compliance officer — will outdistance their competition as they:

· Foresee and address major industry landscape changes. During the past five to seven years, pharma underwent unprecedented change in marketing, research, and sales stemming from changes in direct-to-consumer advertising, the FDA’s Critical Path initiative, and the growth in online pharmacies and alternative suppliers. The rate of change will only increase as the populations in nations such as Canada, Japan, Western Europe, and the US age. Firms with mature corporate governance processes and GRC architectures will better anticipate and adapt to the major structural, cultural, operational, and technological changes that unpredictable market changes will create.

· Drive business performance improvements by managing risk. Adopting a risk-based approach to corporate oversight allows pharma firms to respond to competitive or threatening issues from a performance enhancement, rather than risk response, perspective. For example, risk-rating applications let firms reduce onerous validation efforts required by an exhaustive approach to compliance. Risk management technology and programs applied in this manner produce tangible business benefits, such as reduced operational cost and streamlined system validation, and move risk management from a cost of compliance to a business performance management tool.

· Improve reporting transparency and accuracy. Using risk and compliance will enhance not only the flow and efficiency of internal processes, data, and information systems but will also improve a firm’s response to new and complex compliance challenges. As regulators, external stakeholders, and a skeptical public require more accurate and transparent reporting, pharma firms that use risk intelligence data to monitor their own internal activities will be more willing to expose their well-governed processes to closer scrutiny.


SUPPLEMENTAL MATERIAL

Companies Interviewed For This Document

Amadeus International

Arnold & Porter

AssurX

Axentis

CIMCOM Software

Datasweep

Deloitte

Dendrite Software

EtQ

Gilead

Human Genome Sciences Incorporated

IBM

Janssen Pharmaceuticals

King & Spalding

KPMG International

Leiner Health Products

McKinsey & Company

Merit Software

MetricStream

NetRegulus

Pilgrim Software

Plateau Software

Polaris Management Partners

PricewaterhouseCoopers

Protiviti

QUMAS

Sparta Systems

Stelex

ENDNOTES

1 Manufacturers, distributors, and life sciences technology providers are struggling to overhaul their drug tracking practices before regulators mandate more expensive and unwanted solutions starting in mid-2006. See the September 21, 2005, Market Overview “Pharma Won’t Meet ePedigree Deadlines.”

2 While pharma companies currently send many of the same IT activities offshore as other industries, such as software maintenance and desktop support, Forrester’s Business Technographics data shows that within the next 12 months, drug firms plan to increase the amount of custom application development done abroad. See the March 8, 2006, Trends “Pharma Takes Custom App Development Offshore.”

3 The risk profile of pharma companies is increasing and hitting board-level concerns. This is revealed in an enlightening report by KPMG International. Source: “Pressure Points: Risk Management in the Pharmaceuticals Industry,” KPMG International (http://www.kpmg.ca/en/industries/cib/biotech/documents/pressurePoints.pdf).

4 In a report sponsored by KPMG, Wayne Guay, associate professor of accounting at Wharton, analyzed pharmaceutical company performance measures, including cash flow, net income, sales, and returns on investment, and compared these findings to companies listed on the S&P 500 index. Over a 13-year period ending in 2004, pharma companies proved to be 50% riskier, with both positive and negative events exercising a pronounced effect on shareholder value and reputation. Source: “Pressure Points: Risk Management in the Pharmaceuticals Industry,” KPMG International (http://www.kpmg.ca/en/industries/cib/biotech/documents/pressurePoints.pdf).

5 This figure is approximate, as reported by interviewees to Forrester during our research for this report.

6 Forrester conducted an online survey of 10,073 US and Canadian individuals who are members of Survey Sampling International’s online panel. Forrester Research weighted the data by age, gender, income, broadband adoption, and country to demographically represent the adult North American population. Survey Sampling fielded the survey in October 2005. Source: Forrester’s Consumer Technographics Q4 2005 North American Healthcare, Customer Experience, and Retail Online Survey.

This is further supported by a Harris Interactive Survey, which found in 1997 that 79% of adults in the US believed pharma was doing a good job in serving their customers; this number went down to 44% in 2004.

7 Pharma manufacturers and distributors must step up their use of RFID to understand how to collect and manage drug supply chain data while preventing any inappropriate uses that compromise consumer privacy. See the February 22, 2006, Trends “Pharma Faces Privacy Challenges On The Road To RFID Adoption.”

8 As defined by the FDA, pharmacovigilance is: “. . . all scientific and data gathering activities relating to the detection, assessment, and understanding of adverse events. This includes the use of pharmacoepidemiologic studies. These activities are undertaken with the goal of identifying adverse events and understanding, to the extent possible, their nature, frequency, and potential risk factors.” Source: “Guidance for Industry Good Pharmacovigilance Practices and Pharmacoepidemiologic Assessment,” March 2005, (http://www.fda.gov/cder/guidance/6359OCC.htm).

9 Increased risk and regulatory pressures in a distributed enterprise propel organizations to craft consistent game plans for centralizing GRC oversight. Convergence of risk management and corporate oversight activities are the key trends across all industries in 2006. See the December 13, 2005, Trends “Trends 2006: Enterprise Risk And Compliance.”

10 In particular, during interviews with Forrester, KPMG demonstrated capability in understanding ERM drivers on business and concerns at the executive level down deep into the organization (this is further illustrated in their insightful report previously cited, “Pressure Points: Risk Management in the Pharmaceuticals Industry”) while PricewaterhouseCoopers demonstrated a unique understanding of and capabilities in working with pharma firms in response to corporate integrity agreements issued by the US DOJ.

Forrester Research (Nasdaq: FORR) is an independent technology and market research company that provides pragmatic and forward-thinking advice about technology’s impact on business and consumers. For 22 years, Forrester has been a thought leader and trusted advisor, helping global clients lead in their markets through its research, consulting, events, and peer-to-peer executive programs. For more information, visit www.forrester.com.
