Creating Robust Policy Management for Highly Regulated Industries David Lawson 3212007 - PowerPoint PPT Presentation

1
Creating Robust Policy Management for Highly Regulated Industries
David Lawson, 3/21/2007
2
Agenda
  • Who We Are
  • Case Study Overview: Business Challenges/Solutions
  • Risk Based Approach
  • Identify Information
  • Controls Matrix
  • Leveled Approach v. Multi-Module
  • On-going Real Time Validation
  • Compliance Approach Map
  • Executive Report Options
  • Extension to Business Intelligence
  • Risk Management Summary
  • Best Practice Next Steps

3
Company Overview
  • David Lawson, Director
  • Risk Management Compliance Practice
  • 15 years of experience in risk and compliance
    information design, deployment, and management
  • Frequent speaker at compliance industry events
  • Clients have included the largest of the Fortune
    500 pharmaceutical firms
  • Acumen Solutions
  • Founded in 1999
  • Over 1,000 successful engagements
  • Fortune 500 clients, government agencies and
    emergent industry leaders
  • Offices across the U.S. and in Europe
  • Different from other professional consulting
    firms
  • Right Size: flexible enough to meet your needs,
    quickly
  • Focus on Accountability: consultants compensated
    on your satisfaction
  • Unmatched Quality and Service: just ask our
    clients
  • Risk Management Compliance Solutions
  • Compliance Blueprints
  • Addressing Technical Risks

Leading Business Technology Consulting Firm
4
Case Study Overview Slide
Note to Alex: Did you want a client quote or our
quote?
Acumen Solutions is a provider of business and
technical professional solutions to blue chip
companies worldwide. Right from the Start.
David Lawson, Director of Risk Management
Compliance
Clients in Life Sciences and Financial Services

Challenge
  • Global Company was faced with complying with
    myriad regulations from over 100 countries.
  • Global Company had no consistent risk-based
    controls across the organization.
  • Company had no centralized reporting and rollups
    to ensure their compliance, which was needed to
    pass a critical government audit.

Solution
  • Collaborated with the client's executives to make
    operational improvements to their newly developed
    risk management approach.
  • Utilized a custom Archer module for the company's
    internal controls matrix, with extensibility.
  • Created an Archer Risk Management module mapped
    to a controls matrix.
  • Implemented custom reports in Archer and created
    a process by which results are exported to
    MS Access and other corporate reporting tools.

Benefits
  • More compliance, less risk, without any project
    delays.
  • Archer module provides for future regulatory
    changes and reduces time to implement changes.
  • Documented effort/decision for regulators.
  • Curbs unnecessary spending.
  • Ensures appropriate controls.
  • Executive level reporting and dashboard
    functionality without impacting the day-to-day
    server load.
5
Life Science Company Challenge
  • Title 21 contains regulations related to the
    manufacturing of medical devices, biotechnology
    and pharmaceuticals
  • Predicate Rules
  • Current Good Manufacturing Practice (cGMP) -
    Parts 210, 211
  • Quality System - Part 820
  • Protection of human subjects - Part 50
  • Etc.

6
What is Part 11?
  • Electronic records and signatures
  • No paper records
  • Created, stored, transmitted, and modified
    electronically
  • Validated systems
  • Retrievability

7
Part 11 Example
8
Financial Service Industry Challenges
  • Economic and supervisory
  • Basel II, Capital Adequacy Directive 3 (CAD3),
    German Banking Act Sixth Act
  • Governance
  • SOX, Basel II Pillar II and III, UK Combined Code
    on Corporate Governance
  • Records Retention
  • SOX section 802, SEC 17a-3/4, NASD 3010,
    Gramm-Leach-Bliley Act (GLBA), Data Protection
    Acts in many countries globally
  • Anti-Money Laundering and Know Your Customer
  • USA Patriot Act, Switzerland's Ordinance of
    Control Body for Combating Money Laundering, UK
    Proceeds of Crime Act
  • Accounting
  • International Accounting Standards 32 and 39
  • Market Practices
  • EU Market Abuse Directive, US RegNMS, Soft
    Dollar, Best Execution, Mutual Fund Distribution,
    Late Trading, Market Timing, Know Your Customer
  • Business Continuity
  • Basel II, guidelines from national regulators
    such as the Securities and Exchange Commission
    (SEC) and Federal Reserve in the US, or the
    Financial Services Authority (FSA) in the UK.

9
Risk based approach
  • Identify relevant records (top-down approach)
  • Evaluate the risk of each record/information asset
  • Identify appropriate/required controls
  • Ensure ongoing compliance with the information
    security plan for each system

10
Identify information
  • Risk assessment process to include CIA
    (confidentiality, integrity, availability) as
    well as regulatory questions.
  • Provides good information on what level of
    controls is needed to protect the record (see
    following slide)
  • Push out to individuals in the field for
    identification; use Archer for standardization of
    evaluation.

11
Controls Matrix (requirements)
  • Use ISO as the base for multi-jurisdictional
    requirements
  • Map Part 11 to ISO controls
  • Use the risk questionnaire to identify record
    systems requiring Part 11 compliance
  • Controls include validation testing and processes

12
Control Matrix example
13
Leveled Approach v. Multi-Module
  • Tested in several prototype implementations
  • Multi-module provides significant performance
    gains
  • Especially with large modules or lots of
    information
  • Cross-references provide links between modules
  • Added benefit of greater extensibility

14
Controls Matrix (Applied)
  • Identify the process, physical, and technical
    controls applied to each system
  • Applied controls v. required controls defines
    compliance
  • By including system scans or other related
    information, we can derive gaps in near real time.
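
The risk-based flow described on the preceding slides (questionnaire scores a record's CIA risk, the controls matrix states the controls required at that level, Part 11 overlays its own controls, and applied controls minus required controls gives the gap) as a worked example. This is added illustration, not the deck's Archer module; the control identifiers, risk levels, questionnaire answers and scan results are constructed placeholders, not real ISO clause numbers or client data.

```python
# Added example: minimal risk-based controls matrix and gap derivation.
# All control IDs, levels and sample data below are constructed placeholders.

# Required controls per risk level (ISO-style identifiers, illustrative only).
CONTROLS_MATRIX = {
    "low":    {"ACCESS_CONTROL", "BACKUP"},
    "medium": {"ACCESS_CONTROL", "BACKUP", "AUDIT_TRAIL", "ENCRYPTION_AT_REST"},
    "high":   {"ACCESS_CONTROL", "BACKUP", "AUDIT_TRAIL", "ENCRYPTION_AT_REST",
               "E_SIGNATURE", "SYSTEM_VALIDATION"},
}

# Part 11 overlay: any record system flagged by the questionnaire as holding
# electronic records/signatures needs these regardless of its CIA level.
PART11_CONTROLS = {"AUDIT_TRAIL", "E_SIGNATURE", "SYSTEM_VALIDATION"}


def risk_level(confidentiality, integrity, availability):
    """Questionnaire scores 1-3 per CIA dimension; the worst score sets the level."""
    worst = max(confidentiality, integrity, availability)
    return {1: "low", 2: "medium", 3: "high"}[worst]


def required_controls(record):
    """Controls the matrix demands for one record system, plus the Part 11 overlay."""
    level = risk_level(record["c"], record["i"], record["a"])
    required = set(CONTROLS_MATRIX[level])
    if record.get("part11"):
        required |= PART11_CONTROLS
    return required


def control_gaps(record, applied):
    """Applied v. required defines compliance; what is required but not applied is the gap."""
    return sorted(required_controls(record) - set(applied))


def compliance_report(records, scans):
    """Gap list per record system; a system missing from the scans has nothing applied."""
    return {name: control_gaps(rec, scans.get(name, set())) for name, rec in records.items()}


# Constructed sample: questionnaire answers per record system and simulated scan output.
SAMPLE_RECORDS = {
    "batch-records":  {"c": 2, "i": 2, "a": 2, "part11": True},
    "cafeteria-menu": {"c": 1, "i": 1, "a": 1, "part11": False},
}
SAMPLE_SCANS = {
    "batch-records":  {"ACCESS_CONTROL", "BACKUP", "AUDIT_TRAIL", "ENCRYPTION_AT_REST"},
    "cafeteria-menu": {"ACCESS_CONTROL"},
}

if __name__ == "__main__":
    for system, gaps in compliance_report(SAMPLE_RECORDS, SAMPLE_SCANS).items():
        print(system, "compliant" if not gaps else "gaps: " + ", ".join(gaps))
```

Re-running the report whenever a new scan lands is what turns the matrix into the near-real-time gap view the slide describes; the Part 11 overlay shows why a medium-risk system can still owe validation and e-signature controls.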

15
Protections controls report
16
Ongoing real-time validation
  • Archer stores the current state of controls and
    systems
  • Provides real-time reports on record status
  • Generate custom reports for investigators/auditors
  • Use access controls to limit the scope of each
    report

17
Information Risk Report
18
Compliance Approach
19
Executive Report Options
  • Both regulatory bodies and external auditors
    expect consistent reporting on Risk Management
    items
  • Utilize the Archer Web API search service to pull
    the data from each module into an external
    reporting tool (Crystal, Cognos, Business
    Objects)
  • The report views established in this tool can be
    stored on an external server, keeping daily
    performance of the Archer tool intact.

20
Extension to Business Intelligence
  • Publish the database for additional reporting or
    executive dashboards?
  • Feed information back to the manufacturing
    process to identify possible quality issues prior
    to a recall

21
Risk Management Summary
  • Establishing a Risk Management organization
    requires pooling information company-wide into a
    central database
  • Archer is a great tool to accomplish this in
    phases
  • Build out in segments, then expand to additional
    areas
  • Expanding creates additional ownership. Expect
    additional groups to attend change control
    boards.

22
Best Practices Wrap Up
  • Policy first, then build out the control framework
  • Build Deficiency Management for existing
    deficiencies
  • Expand to Testing and Remediation
  • Asset Management
  • Threat and Vulnerability Management

23
Thank You
David Lawson
dlawson_at_acumensolutions.com
703.600.4000