Governance, Risk, and Compliance (GRC) Basic Concepts

Governance, risk, and compliance (GRC) is a term one might not hear all that often in the pharma or biotech world. It is a concept most often employed in financial, legal, and information technology divisions. “Governance” refers to the processes, procedures, and activities used to manage the organization, such as its management processes; this includes the GRC process itself. “Risk” refers to the assessment and mitigation (or management) of risks to the organization, whether viewed from a business perspective, a compliance perspective, or both. Lastly, “compliance” refers to how the organization achieves adherence to internal requirements (SOPs) and external requirements (regulatory bodies and authorities). GRC is comparable to the Quality Management System (QMS) concept found in pharma and medical devices. The strength of the process comes not only from assessing, identifying, mitigating, and controlling each GRC element, but from understanding how the elements relate to one another.

A quality GRC process is well integrated into the business processes. Data collected from the various arms of GRC needs to yield information that reveals trends and concerns, so that mitigations and preventive actions can be timely and effective. This means that data collection must be accurate and timely, and a software tool is useful for that. There is great value in forecasting risks based on compliance or governance activities. An interconnected GRC solution allows the data to be visualized, so that one can see, for example, how two seemingly disconnected activities impact each other.

GRC Software as a Solution

A software solution can certainly aid in managing GRC activities, but GRC isn’t as simple as buying software. In fact, it is important to define an organization’s GRC needs independently of any consideration of software. Too often, software is thrown at a problem as the solution, when the reality is that the underlying business process, GRC included, is the root cause of the problem. Implementing software won’t fix a bad process (not likely, at least). To create a well-oiled process, start by mapping the business needs. One can use a methodology like Six Sigma and/or a kaizen exercise to ascertain the core activities and look for inefficiencies or faults; a mind mapping tool, like Xmind, can help here. Once the process has been well designed and achieves the necessary compliance and business objectives, software becomes a useful tool for automating it. A GRC software suite can automate audit and risk assessment processes, for example. True value is realized, though, when analytics and dashboarding are used for business intelligence. Understanding how the aspects of GRC relate to and impact each other, as mentioned above, is fundamental to obtaining meaning from the tools (such as software) in place.