Title: Creating Robust Policy Management for Highly Regulated Industries, David Lawson, 3/21/2007
1 Creating Robust Policy Management for Highly Regulated Industries
David Lawson, 3/21/2007
2 Agenda
- Who We Are
- Case Study Overview Business Challenges/Solutions
- Risk Based Approach
- Identify Information
- Controls Matrix
- Leveled Approach v. Multi-Mode
- On-going Real Time Validation
- Compliance Approach Map
- Executive Report Options
- Extension to Business Intelligence
- Risk Management Summary
- Best Practice Next Steps
3 Company Overview
- David Lawson, Director
  - Risk Management Compliance Practice
  - 15 years of experience in risk and compliance information design, deployment, and management
  - Frequent speaker at compliance industry events
  - Clients have included the largest of the Fortune 500 pharmaceutical firms
- Acumen Solutions
  - Founded in 1999
  - Over 1,000 successful engagements
  - Fortune 500 clients, government agencies and emergent industry leaders
  - Offices across the U.S. and in Europe
- Different from other professional consulting firms
  - Right Size: flexible enough to meet your needs, quickly
  - Focus on Accountability: consultants compensated on your satisfaction
  - Unmatched Quality and Service: just ask our clients
- Risk Management Compliance Solutions
  - Compliance Blueprints
  - Addressing Technical Risks
Leading Business Technology Consulting Firm
4 Case Study Overview Slide
Note to Alex: Did you want a client quote or our quote?
Acumen Solutions is a provider of business and technical professional solutions to blue chip companies worldwide. Right from the Start.
David Lawson, Director of Risk Management Compliance
Clients in Life Sciences and Financial Services

Challenge
Global Company was faced with complying with myriad regulations from over 100 countries. Global Company had no consistent risk based controls across the organization. The company had no centralized reporting and rollups to ensure its compliance, which was needed to pass a critical government audit.

Solution
Collaborated with the client's executives to make operational improvements to their newly developed risk management approach. Utilized a custom Archer module for the company's internal controls matrix with extensibility. Created an Archer Risk Management module mapped to a controls matrix. Implemented custom reports in Archer and created a process by which results are exported to MS-Access and other corporate reporting tools.

Benefits
- More compliance, less risk, without any project delays.
- Archer module provides for future regulatory changes and reduces time to implement changes.
- Documented effort/decision for regulators.
- Curbs unnecessary spending.
- Ensures appropriate controls.
- Executive level reporting and dashboard functionality without impacting the day to day server load.
5 Life Science Company Challenge
- Title 21 contains regulations related to the manufacturing of medical devices, biotechnology and pharmaceuticals
- Predicate Rules
  - Current Good Mfg Process - Parts 210, 211
  - Quality System - Part 820
  - Protection of human subjects - Part 50
  - Etc.
6 What is Part 11?
- Electronic Records and Signatures
- No paper records
- Created, stored, transmitted, modified electronically
- Validated systems
- Retrievability
7 Part 11 Example
8 Financial Service Industry Challenges
- Economic and supervisory
  - Basel II, Capital Adequacy Directive 3 (CAD3), German Banking Act Sixth Act
- Governance
  - SOX, Basel II Pillar II and III, UK Combined Code on Corporate Governance
- Records Retention
  - SOX section 802, SEC 17a-3/4, NASD 3010, Gramm-Leach-Bliley Act (GLBA), Data Protection Act in many countries globally
- Anti-Money Laundering and Know Your Customer
  - USA Patriot Act, Switzerland's Ordinance of the Control Body for Combating Money Laundering, UK Proceeds of Crime Act
- Accounting
  - International Accounting Standards 32 and 39
- Market Practices
  - EU Market Abuse Directive, US RegNMS, Soft Dollar, Best Execution, Mutual Fund Distribution, Late Trading, Market Timing, Know Your Customer
- Business Continuity
  - Basel II, guidelines from national regulators such as the Securities and Exchange Commission (SEC) and Federal Reserve in the US, or the Financial Services Authority (FSA) in the UK.
9 Risk based approach
- Identify relevant records (top down approach)
- Evaluate risk of record/information
- Identify appropriate/required controls
- Ensure ongoing compliance with the information security plan for systems
10 Identify information
- Risk assessment process to include CIA (confidentiality, integrity, availability) as well as regulatory questions.
- Provides good information on what level of controls is needed to protect the record (see following slide)
- Push out to individuals in the field for identification; use Archer for standardization of the evaluation.
11 Controls Matrix (requirements)
- Use ISO as the base for multi-jurisdictional requirements
- Map Part 11 to ISO controls
- Use risk questionnaire to identify record systems requiring Part 11 compliance
- Controls include validation testing and processes
12 Control Matrix example
13 Leveled approach v Multi-module
- In several prototype implementations, multi-module provides significant performance gains
  - Esp. with large modules or lots of information
- Cross-references provide links
- Added benefit of greater extensibility
14 Controls Matrix (Applied)
- Identify process, physical and technical controls applied to each system
- Applied controls v required controls defines compliance
- By including system scans or other related information, we can derive gaps in near real time.
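The risk-based flow of slides 9 through 14 (score a record's CIA and regulatory questions, look up the required controls in the matrix, compare them with the controls applied to the system, and let scan findings withdraw controls that are documented but not actually in effect) as an added, self-contained Python illustration. It is not Archer code and not the author's; the ISO-style control labels, the scoring thresholds, the Part 11 control names and the three sample systems are all constructed for this example.

```python
"""Toy controls-matrix gap analysis (constructed example, not Archer code)."""
from dataclasses import dataclass


@dataclass
class RecordAssessment:
    """Questionnaire answers for one record system (scores 1 = low .. 3 = high)."""
    system: str
    confidentiality: int
    integrity: int
    availability: int
    electronic_signatures: bool   # regulatory question: e-signatures in use?
    fda_regulated: bool           # regulatory question: Title 21 applies?


def risk_level(a: RecordAssessment) -> str:
    """Worst CIA score drives the level; e-signatures force 'high' (constructed rule)."""
    score = max(a.confidentiality, a.integrity, a.availability)
    if score >= 3 or a.electronic_signatures:
        return "high"
    return "medium" if score == 2 else "low"


# Controls matrix: ISO-style base controls per risk level (labels constructed).
BASE_CONTROLS = {
    "low": {"A.9 access control", "A.12.3 backup"},
    "medium": {"A.9 access control", "A.12.3 backup", "A.12.4 logging"},
    "high": {"A.9 access control", "A.12.3 backup", "A.12.4 logging",
             "A.10 cryptography", "A.14 validation testing"},
}
# Part 11 controls mapped onto the matrix, required only where the
# questionnaire says the system holds FDA-regulated e-signed records.
PART11_CONTROLS = {"P11 audit trail", "P11 e-signature linkage", "P11 validated system"}


def required_controls(a: RecordAssessment) -> set:
    req = set(BASE_CONTROLS[risk_level(a)])
    if a.fda_regulated and a.electronic_signatures:
        req |= PART11_CONTROLS
    return req


def gaps(a: RecordAssessment, applied, scan_findings=()) -> list:
    """Required minus effective. A scan finding names a control that is
    documented as applied but which the scan shows is not in effect."""
    effective = set(applied) - set(scan_findings)
    return sorted(required_controls(a) - effective)


def compliance_report(assessments, applied_by_system, scans_by_system) -> dict:
    """Recomputed whenever a new scan arrives, which is what gives near real time gaps."""
    report = {}
    for a in assessments:
        g = gaps(a, applied_by_system.get(a.system, ()), scans_by_system.get(a.system, ()))
        report[a.system] = {"risk": risk_level(a), "gaps": g, "compliant": not g}
    return report


# Constructed sample data: three systems, their documented controls, one scan finding.
SAMPLE_ASSESSMENTS = [
    RecordAssessment("LIMS", 2, 3, 2, electronic_signatures=True, fda_regulated=True),
    RecordAssessment("HR portal", 2, 1, 1, electronic_signatures=False, fda_regulated=False),
    RecordAssessment("Intranet wiki", 1, 1, 1, electronic_signatures=False, fda_regulated=False),
]
SAMPLE_APPLIED = {
    "LIMS": BASE_CONTROLS["high"] | PART11_CONTROLS,      # everything documented
    "HR portal": {"A.9 access control", "A.12.4 logging"},  # backup never set up
    "Intranet wiki": {"A.9 access control", "A.12.3 backup"},
}
# Constructed: a system scan reported audit logging disabled on LIMS, so the
# documented logging control is withdrawn from the effective set.
SAMPLE_SCANS = {"LIMS": {"A.12.4 logging"}}


if __name__ == "__main__":
    for system, row in compliance_report(SAMPLE_ASSESSMENTS, SAMPLE_APPLIED, SAMPLE_SCANS).items():
        print(f"{system:14} risk={row['risk']:6} compliant={row['compliant']} gaps={row['gaps']}")
```

The point the slide makes is in `gaps`: a control only counts if it is both required by the matrix and shown to be in effect, so feeding scan results in as withdrawals turns a static "applied v required" comparison into a report that changes as soon as evidence does.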
15 Protection controls report
16 Ongoing real-time validation
- Archer stores current state of controls and systems
- Provides real time reports on record status
- Generate custom reports for investigators/auditors
- Use access controls to limit scope of report
17 Information Risk Report
18 Compliance Approach
19 Executive Report Options
- Both regulatory bodies and external auditors expect consistent reporting on Risk Management items
- Utilize the Archer Web API search service to pull the data from each module to an external reporting tool (Crystal, Cognos, Business Objects)
- The report views established in this tool can be stored on an external server, keeping daily performance of the Archer tool intact.
20 Extension to Business Intelligence
- Publish database for additional reporting or executive dashboards?
- Revert information back to the mfg process to identify possible quality issues prior to recall
21 Risk Management Summary
- Establishing a Risk Management organization requires pooling company-wide information into a central database
- Archer is a great tool to accomplish this in phases
- Build out in segments, then expand to additional areas
- Expanding creates additional ownership. Expect additional groups to attend change control boards.
22 Best Practices Wrap Up
- Policy first, build out the control framework
- Build Deficiency Management for existing deficiencies
- Expand to Testing and Remediation
- Asset Management
- Threat and Vulnerability
23 Thank You
David Lawson
dlawson_at_acumensolutions.com
703.600.4000