MASTERING REGULATORY COMPLIANCE
BEST PRACTICES EXECUTIVE SERIES
Compliance DNA – The Blue Print For Your Enterprise Compliance Strategy
The Step Above Compliance™
Compliance Process Control
The Compliance Evolution
INTRODUCTION
Traditionally, compliance initiatives were characterized as a “necessary evil”: a cost of doing business. As regulations became effective, the most common reaction to compliance requirements was to address them one by one as they came. Since compliance was viewed as a mandatory business requirement with no ROI justification, funds were allocated without much regard to bottom line impact. The paradigm has now shifted. With recent corporate scandals, the impact of globalization, and the growing number of overlapping regulatory mandates, organizations now view compliance more strategically. High-ranking executives and newly appointed “chief compliance officers” now actively oversee many compliance initiatives and address them in a top-down approach. The impact of this paradigm shift has been a profound change in the perception and implementation of compliance initiatives. Now, many C-suite compliance executives have matured in their thinking and are developing comprehensive strategies to address regulatory compliance across the organization and not as disjointed activities. While it is clear that compliance is still compulsory, forward-thinking organizations have concluded that compliance makes good business sense. As such, they are seeking new ways to achieve greater business benefit while complying with current regulations.
Compliance DNA—The Blue Print For Your Enterprise Compliance Strategy © - Page 1
Harmonized Compliance Management Enterprise Compliance Technology Infrastructure - A Harmonized Approach
COMPLIANCE “DNA”
One clear manifestation of this new way of thinking is to approach enterprise technology infrastructure in a more strategic manner. A key factor in the achievement of enterprise compliance is to adopt a harmonized approach to enterprise technology architecture that blends business, technology, and compliance objectives in the most optimal manner. The conclusion reached by many is to develop a comprehensive technology infrastructure that includes integrated compliance best practices and is flexible enough to allow them to adapt to ever-changing regulatory requirements. In order to achieve and sustain regulatory compliance, a new harmonized approach must be employed that integrates compliance into the fabric of every business process. Process consistency breeds compliance. Compliance becomes a by-product of everyday activity. Thus, if an organization considers itself “compliant”, it must control the very processes that sustain compliance. Given that compliance is at the very heart of the organization, it is therefore reasonable to conclude that supporting technology must be extended throughout the organization to achieve maximum benefit. Compliance Process Control is the lifeblood or “DNA” that helps organizations achieve sustained compliance, higher levels of operational efficiency, and master regulatory compliance within their organizations.
This white paper will explore the concepts of compliance mastery through examination of current regulatory trends and provide a practical approach for establishing and maintaining real compliance through implementation and deployment of compliance process control solutions.
Current Regulatory Trends
GLOBAL REGULATORY TREND ANALYSIS
In today’s fast-paced business environment, automation is everywhere. Enterprise Document Management technologies, desktop applications, and point solutions are in abundance, yet many companies have not realized the full potential of their technology investments. According to The McKinsey Quarterly, “90% of all system investments support ‘routine’ functions… only 10% of system investments support distinctive tasks which are tasks that others cannot easily equal or duplicate…” Although automated systems are extensively deployed, the effectiveness of these systems is called into question due to the lack of a cohesive strategy for the organization.
Companies in regulated industries are in the midst of a “perfect storm” when it comes to regulatory compliance. At the core of the storm are competing global compliance requirements that have significant implications for the enterprise technology infrastructure. The intensity of the storm is fueled by the convergence of new regulatory requirements for greater retention, security, privacy, and governance which, when taken together, accentuate the need to restructure corporate I.T. infrastructure to ensure a consistent approach to compliance.
Most legacy technologies were acquired over time with little planning with respect to compliance. Over the past decade, companies in regulated industries have installed custom and off-the-shelf technologies throughout various lines of business to meet specific regulatory demands. These systems were characteristically expensive to deploy and were often disjointed, resulting in increased validation and maintenance costs as time progressed. Moreover, they lacked a fundamental requirement for quality assurance, which is consistency. Thus, as organizations seek to make these systems compliant, the costs of customization, validation, and integration become prohibitive.
Some have compared compliance mandates for corporate governance as greater than the level of effort spent on Y2K initiatives. Yet, this is only one compliance requirement of many. To achieve greater business value from corporate I.T. infrastructure, it is important to recognize current compliance trends and develop a more mature approach that takes into account the strategic objectives of the organization and the need to comply with current regulatory requirements. Three trends have emerged as a result of this new harmonized strategy:
♦ Process-centric versus document-centric approach to compliance
♦ Buy versus build – deployment of off-the-shelf solutions versus custom-developed solutions
♦ Records management has emerged as an essential requirement in the compliance solution stack.
♦ Compliance best practices are built into the solution
♦ Discontinuance of “point solutions”
Compliance Maturity
As the costs of technology hardware and software have decreased over the past decade, it has facilitated the shift in thinking towards a more harmonized compliance strategy. This new approach binds the organization in a seamless manner to ensure increased collaboration, efficiency, control, and management of regulatory assets across the enterprise.
COMPLIANCE MATURITY—BUSINESS & IT ALIGNMENT
[Figure: The Step Above Compliance Towards Maturity. Stages: Sub-Compliant, Base Compliance, Passive Compliance, Active Compliance, Full Compliance, Continuous Improvement. Labels: Limited Alignment between Policies and Process Controls; Accurate Recording and Reporting of Business; Automated Discovery And Risk Management; Actively Driving Business Performance Improvement. Source: AMR Research, 2003]
Compliance maturity begins with an understanding that PROCESSES fuel business operations. Documents are a clear by-product of processes, thus earlier initiatives were document-centric versus process-centric. Over the past decade, many highly regulated organizations (especially life sciences companies) have focused compliance efforts on document-centric processes to help ensure compliance with regulations. While companies have spent billions on information systems in recent years, only now are they seriously thinking of translating their IT capabilities into true process management systems. These companies have discovered—the hard way—that although IT investment is essential, it is not sufficient alone. As many leading global companies have spent millions of dollars on Enterprise Document Management or Enterprise Content Management systems to help automate compliance-mandated document processes such as change control and many others, some are frustrated in their efforts to keep up with current regulatory requirements. These highly customized systems require extensive long term support to achieve sustained compliance.
Data driven processes such as corrective and preventive actions (CAPA), ISO quality processes, or audit processes were also automated using highly customized relational database management niche solutions that addressed the relevant aspects of each of these systems. Most of these types of solutions were deployed as “point” solutions that addressed one or more processes but did not facilitate organizational collaboration or information sharing at the enterprise level. As a result, some companies found themselves with multiple point solutions addressing the same regulatory requirement using very different technology solutions from multiple vendors.
This resulted in higher regulatory risk, an inconsistent approach to compliance, and higher costs long term. Further, the high cost for related professional services for the installation, validation and deployment of these systems meant that only large, well-funded enterprises could afford to take advantage of the benefits of these “solutions”.
COMPLIANCE IN THE FINANCIAL SERVICES SECTOR
Within the financial sector, senior finance teams are laboring to comply with new regulations such as the Sarbanes-Oxley Act in a complex, rapidly changing business environment often characterized by uneven economic growth and increased investor scrutiny. Financial organizations of publicly held companies must demonstrate compliance with new regulations, which translates into improved process control across all operations of the business. Compliance process control could yield significant benefits to these organizations and result in finance teams achieving a better grasp on enterprise operations and a better, more cohesive strategy.
After over a decade of deployment, these “compliance solutions” have not resulted in significant risk reduction or increased compliance. The chasm between unstructured compliance initiatives and a more strategic approach to compliance is called the “Compliance Maturity Gap”. Without a strategic, top-down approach, many organizations fall into this chasm characterized by highly uncoordinated, disjointed efforts across the enterprise. To achieve higher levels of compliance maturity, many progressive companies have come to realize that the most effective approach is to move from a document-centric approach to a process-centric approach to compliance. In the new paradigm, these companies view compliance as an opportunity to improve processes essential to the management of regulation information across the organization.
This phenomenon has spawned a new breed of applications known as Compliance Process Control solutions. Compliance Process Control applications are highly flexible applications designed exclusively for highly regulated environments. They specifically address some of the key limitations of the older solutions such as:
• Document-centric versus Process-centric
• Highly disjointed
• Limited Flexibility
• No interoperability
• Proprietary architecture – limited ability to leverage existing enterprise technologies
• No retention strategy
• High total cost of ownership
• Extensive customization
• Lack of process integration
• Inconsistent approach to quality and compliance
The DNA of Regulatory Compliance
Through the deployment of Compliance Process Control solutions, organizations can seamlessly integrate compliance processes through a highly integrated system that delivers a high degree of flexibility for change as global regulations change, and ease of validation and verification without expensive customization or costly professional services. Amadeus delivers the most comprehensive compliance process control suite in the industry that allows organizations to manage any compliance processes within a single compliance-oriented application infrastructure. eQCM, Amadeus’ flagship process control suite, is seamlessly integrated with EMC Documentum’s robust content management technologies to deliver unprecedented levels of regulatory compliance. The eQCM compliance process control suite includes the following features and benefits:
Flexible process control to accommodate multiple processes in a single solution
As regulations change over time, eQCM allows organizations to easily change compliance processes without expensive customization or re-validation. eQCM includes a highly flexible process control engine which is configurable by subject matter experts with limited technical ability. As current regulations change, users can update processes within eQCM through an easy-to-use interface. Since no custom coding is involved, there is no need for re-validation, thus organizations can enjoy sustained compliance over time with the peace of mind of knowing that as regulations change, they do not have to make radical changes to their infrastructure to comply with new mandates.
Information sharing between processes (i.e. non-conformance linked to a corrective action)
eQCM blends process control for multiple compliance processes in a modular fashion. The eQCM suite includes modules for Sarbanes-Oxley, CAPA, NC, Audit Management, Customer Complaints, and many other processes. One of the key characteristics of today’s compliance requirements is the significant overlap between requirements. For example, a non-conformance process can spawn a corrective action. Within the eQCM system, the flow of information between the non-conformance module and the corrective action module is seamless, delivering a more realistic process approach.
Organizational Mapping & Enterprise Collaboration
FLEXIBLE ORGANIZATIONAL MAPPING
Organizational mapping linked to automated business processes
Processes are closely linked to the organizational structure of a business. Thus, eQCM includes powerful capabilities to allow users to map their organization within the system. As process control flows from one part of the organization to the other, greater consistency and information sharing automatically occurs and is not forced through “artificial” means. As your organization changes, eQCM allows you to easily update the organizational model within the system and the changes are propagated through your business processes. With many competitive systems, this is impossible without significant customization. eQCM facilitates these changes in an easy-to-use, configurable manner.
Enterprise Access
One of the most common problems with legacy “point solutions” is their inability to reach across the enterprise. Common access barriers are both internal and external. External factors are those such as the high cost of the applications. Internal factors are sometimes built into the applications themselves such as limited collaboration features. eQCM overcomes both internal and external factors to facilitate enterprise deployment in the most cost-effective manner. eQCM is sold as a suite of applications. The flexible price structure allows organizations to purchase the entire suite of applications in small, medium, or large volumes to ensure that all process participants have access. In some competitive offerings, only those groups that could afford the solution had access thus imposing artificial barriers to accessing critical information. Also, eQCM is deployed using a web-based, open systems architecture that facilitates easy access. This means that process participants have access to the right information at the right time without common barriers prohibiting their access.
Enterprise collaboration
Process control requires a high degree of collaboration to achieve maximum effectiveness. eQCM is designed to facilitate this collaboration through its highly structured process engine which includes user-definable process notifications, alerts, and information collaboration. Through integration with the EMC Documentum eRoom application, process collaboration takes on another dimension. The eQCM/eRoom integration facilitates a high degree of collaboration across the enterprise. As compliance processes are executed through eQCM, various stages of the process require extensive collaboration to achieve organizational consensus and compliance objectives. The eRoom integration helps capture organizational intelligence and facilitate process control in an easy-to-use web environment. eRoom includes dashboard capability and virtual workspaces to enable maximum process participation by all stakeholders.
Built-in Compliance Best Practices
COMPREHENSIVE SEARCH & RETRIEVAL
Flexible Easy-to-Use Web Interface
eQCM is a web-based application that leverages a highly advanced, extensible web architecture. From a desktop client perspective, users can leverage the training equity invested in browser applications to come up to speed quickly with eQCM. The eQCM application suite leverages commonly used hyper-linking to access relevant features of the compliance process control application.
Easy search and retrieval capabilities
It is commonly known that knowledge workers spend over 40% of their time searching for information. eQCM’s comprehensive search and retrieval capabilities minimize this effort. Process information involves not only searching for documents, but the process information associated with documents and data. eQCM’s robust search capabilities allow users to rapidly access the information they need in a timely manner. Time is of the essence during critical processes such as an audit process or regulatory investigation. Through eQCM, search and retrieval can be done quickly and easily.
Built-in Compliance Best Practices
Compliance with current regulations is a mandatory requirement. As you look to establish applications for compliance, consider if the vendor in question really understands your compliance needs. Amadeus understands compliance, as evidenced by the built-in best practices within eQCM. For the life sciences industry, 21 CFR Part 11 compliance is an essential requirement, yet many competing applications still require significant customization to comply. 21 CFR Part 11 features are built into the design of eQCM to ensure compliance. We keep abreast of changing regulations to ensure compliance. eQCM also understands audit, ISO, Six Sigma, SOX, Basel II, CAPA, EH&S, validation, customer complaint, design control, cGxP, GAMP and other key regulations, and we have built extensive capabilities within the software to facilitate these compliance processes. Any compliance process can be mapped within the eQCM environment. The application includes the security, retention, process flexibility and control required to ensure compliance.
Security & Actionable Intelligence
Flexible, user-definable process metadata
No two organizations are alike. Processes require information and metadata unique to each organization. This metadata may include product information, site information, supplier data, customer profile information, product characteristics, plant information, or any other data required for process control. eQCM includes a flexible, user-definable way to capture process metadata within the application. Through our unique bulk loading service, Amadeus can assist organizations with automated input capture of this essential information.
Robust security model
Security is the bedrock of compliance. eQCM’s security model restricts access in accordance with user-definable corporate guidelines and provides a comprehensive audit trail to track access and retrieval of sensitive compliance assets. The security model is role-based and linked to the organization chart within the eQCM process control environment.
Compliance Intelligence – “Actionable Intelligence” For Compliance Process Control
A mature approach to compliance is proactive rather than reactive. eQCM’s compliance intelligence capabilities deliver “actionable intelligence” about the status of critical compliance processes to help you identify problems before they move beyond stated guidelines for quality assurance and compliance. At a glance, eQCM allows organizations to view status and make adjustments in a timely manner. Our compliance intelligence feature puts information at your fingertips at the right time to facilitate timely decisions and helps management take the appropriate action required for compliance due diligence.
The Compliance Balanced Scorecard
Compliance Scorecard – measurement of key performance indicators for regulatory compliance
How are you doing with your compliance initiatives? Just as businesses measure the effectiveness of their business performance, eQCM promotes a compliance “balanced scorecard” to measure key performance indicators relative to compliance. Forward-thinking organizations that have reached higher levels of compliance maturity use the compliance scorecard to monitor compliance performance for continuous improvement. eQCM allows organizations to establish a comprehensive set of key performance indicators tied directly to compliance objectives. Using our dashboard capability, compliance performance measures can be presented to senior management in a clear, concise manner. In today’s highly complex business environment, it is essential to go beyond financial performance measurement. Compliance performance represents another dimension related to the overall health and stability of an organization. In recent times, leading global companies have had significant market share impact due to noncompliance. The compliance scorecard helps mitigate risks and achieve sustained compliance.
Common, Standardized Databases To Establish And Maintain A Single, Unimpeachable Corporate Records Management System
Over the past decade, not much attention was paid to records management technology. It was considered one of the back office applications used by a niche group of professionals known as records managers. That has all changed. Records management technology is an essential part of a comprehensive compliance strategy. Consider Sarbanes-Oxley’s records management and retention requirements and those stipulated by the popular 21 CFR Part 11 guideline. These two regulations clearly overlap and include records capability as part of the overall mandate. Many organizations have “complied” with rules such as Part 11 without the explicit use of records management technology. However, that was during the days of compliance immaturity where process control was non-essential and systems were very document-centric. As organizations mature in their approach to compliance, it is clear that a corporate records system is no longer a luxury; it is an essential requirement. eQCM delivers records management capability through EMC Documentum’s records management system. As part of the core foundation of the eQCM application suite, all records captured within the eQCM suite are classified and indexed for ready retrieval, archival, and long term storage. Organizations are creating terabytes of information through today’s automated technology. Records management is an essential part of the DNA of the company.
Integrated Document Management & Training
Seamless integration of unstructured process information and documents
Compliance cannot be achieved through a single application. To achieve sustained compliance, organizations must integrate legacy systems such as content management, ERP, manufacturing, HR, competency management, and other related systems to integrate processes and reduce compliance risk. eQCM facilitates easy integration with legacy ERP systems and includes document management as a core component of the solution stack. eQCM integrates EMC Documentum’s flagship content management technology for unparalleled document control for small, medium, and large organizations. As the leader in content management, our clients get the distinct benefit of world class content management and process control through a single, easy-to-deploy solution.
Easy Validation and Verification
In highly regulated environments that require validation and verification, the eQCM application suite is validation-ready. The application is delivered with a comprehensive set of validation starter document templates and test protocols to accelerate the validation of the application. Amadeus follows industry standard GAMP principles for validation and verification to ensure industry-wide acceptance. Amadeus follows ISO and GAMP best practices throughout our software development lifecycle to ensure the quality of our applications and their suitability for production.
Training & Competency Management
Training is an essential requirement that permeates multiple global regulations. Any effective compliance management solution should include training and competency management as part of the core infrastructure. eQCM offers a robust competency management solution that delivers online training and the ability to manage training and competency requirements across the organization.
Establishing An Effective Compliance Architecture
THE ACTIVE COMPLIANCE FRAMEWORK
Regulatory compliance and closer scrutiny of financial and operating results are driving companies to continuously improve their gathering and analysis of information. An effective compliance architecture should include a single technology architecture that utilizes a common, shared interface and a common repository to support key compliance processes such as ISO, Sarbanes-Oxley, Six Sigma, HIPAA, CAPA, audit management, and many others. This strategic approach will help reduce the overall number of software applications and decrease the total cost of ownership over time. The system should be extensible and flexible enough to support changes in compliance processes over time. The following framework serves as the basis for establishing a good compliance architecture. The framework shown in the figure to the left highlights the components required for a solid compliance framework.
Enterprise Risk Management - The Anchor Of The Active Compliance Framework
Risk mitigation is an essential requirement for any compliance program. Thus Enterprise Risk Management spans all modules and acts as an anchor for the active compliance framework. The foundation of the active compliance framework includes several key integrated components to ensure compliance such as records management and content management. Compliance process control represents the heart of the framework and includes a highly configurable process control engine to facilitate various regulatory controlled processes.
eQCM - Advanced Compliance Architecture
eQCM’s open, extensible architecture enables rapid deployment and integration with other enterprise architectures such as SAP. The eQCM client component represents the web-based graphical user interface for the end user. The client is a rich Java client with a light desktop footprint. Business Compliance Service is the heart of eQCM®. These services are responsible for receiving and managing all business workflow process requests from the client application.
[Figure: eQCM architecture diagram. Recoverable labels: Integration with Legacy Systems; SAP and Purdue integration services]
Final Recommendations
THE STEP ABOVE COMPLIANCE
Organizations have matured in their thinking towards regulatory compliance. Compliance is now the new legal best practice in the minds of many. As you attempt to move your organization the step above compliance to a higher level of compliance mastery, you must address the technology DNA that serves as the backbone of compliance. In order to master regulatory compliance you must move from a passive state of compliance where documents are the center of the universe to an active state of compliance where processes govern compliance operations. This will result in greater process efficiency, reduced regulatory risk, and sustained compliance. Your compliance strategy should encompass the following key principles:
• Think in terms of buy versus build
• Evolve from a document-centric compliance strategy to a process-centric compliance strategy
• Move away from point solutions that address compliance in a piece-meal manner
• Embrace compliance process control as the new paradigm
• Develop a strategic, top-down approach
• Establish a compliance balanced scorecard with key performance indicators to measure your success
Compliance is here to stay. The choice is to move beyond the traditional approach to compliance to a level of mastery that will enable you to harness significant benefits with bottom line impact. Process control is the blue print to guide you in your quest to move one step above compliance. With Amadeus’ eQCM, you now have a clear choice for a new beginning.
AMADEUS INTERNATIONAL
400 Jean-Lesage Blvd., Suite 500, Quebec City, QC, Canada G1K 8W1
Phone: 418.525.0606 Fax: 418.525.0909
For more information, visit our website at www.amadeussolutions.com
© 2008 Amadeus International. All rights reserved. Printed in Canada. Amadeus, Quality Resource Planning, eQRP, the eQRP® logo, eQCM and the eQCM® logo are registered trademarks of Amadeus International in Canada, the United States, Europe as well as several other countries. All other product and service names mentioned are the trademarks of their respective owners.