The Driving Force Behind Governance, Risk, And Compliance

Introduction

For companies in highly regulated industries, information management is a critical component of compliance. Quality and compliance requirements permeate an organization by necessity, not only due to myriad laws, regulations, and ‘Good Practice’ standards, but also because most organizations strive to improve operational excellence, organization, clarity, transparency, and accountability.

The content and process management demands that compliance and quality mandates place on organizations in regulated sectors (such as life sciences, including pharmaceutical, medical devices and biotechnology, as well as food production, chemicals and transportation) are high. For example, there are more than 14,000 federal, state and industry laws, standards and regulations that dictate how long to keep paper and electronic records. (Source: Cadence Group, 2011)

Given the high priority that organizations in heavily regulated industries must place on quality and compliance management and the amount of documentation they must produce to support and fulfil governance, risk management and compliance (GRC) initiatives, it is no longer practical to manage content separately from quality and compliance. As a result, enterprise information management (EIM) must play a central integrated role in effective quality and compliance management.

EIM provides a centralized system and approach for classifying and storing information and for maintaining version control. It also automates workflows; integrates with other business systems to reduce data silos; and provides security by limiting access to only authorized individuals. In addition, it provides the full audit trail of document access, versioning, and approvals that organizations need to maintain quality and prove compliance. Most importantly, an effective EIM system drives daily quality processes and alerts key personnel about tasks that require attention, rather than merely serving as a well-organized (yet static) collection of all GRC-related documents and data.

Enhancing Core Governance, Risk and Compliance Components With Enterprise Information Management

According to industry experts, GRC (governance, risk management and compliance) includes four processes that are document-control and enterprise information management-centric: audit management, risk management, compliance and policy management, and change management. Each process presents a unique set of challenges related to EIM.

Audit Management

Most highly regulated organizations are very familiar with audits, such as those performed for regulators and for customers who require assurance that vendors are producing products according to their specifications and compliance requirements. There are also internal audits to ensure that organizations are following their own quality system policies.

EIM can help streamline audits with the ability to quickly and efficiently produce evidence to verify if the right people are doing the right things at the right time across an organization’s departments and functional groups, such as training, human resources, research and development, manufacturing, maintenance and the supply chain. With an audit trail of all designated activities, EIM also provides a clear illustration to auditors of the quality and compliance related activity within an organization.

Furthermore, EIM provides a solution for reporting audit findings far beyond documenting them in a spreadsheet. The most advanced EIM systems can automatically establish relationships from audit findings to corrective actions and change requests. These activities are associated with responsible employees, along with deadlines and reminders, which provides better transparency and insight into the processes, as well as a clear division of tasks and responsibilities to resolve the issues found.

Risk Management

Without operational oversight, it is difficult to identify, assess, manage and reduce risks. Without a capable and easy-to-use content management system, it is difficult to achieve operational oversight. It’s not uncommon for companies to store millions of files in thousands of folders across many network drives, and it is difficult to remember file locations and naming conventions. Furthermore, a keyword search can return thousands of documents. When files are organized based on folders, mapped drives and manual naming conventions, it can be difficult to assemble and maintain the many documents required for risk assessments, such as audit reports, SOPs, training and maintenance records, government regulations, and various reports from all business units.

EIM helps organize and archive the supporting documents across departments that provide the operational oversight needed to determine risk. It provides transparency across departments and reduces information silos. The most effective EIM systems manage content based on relationships, workflows, and version control rather than on file locations and ad hoc collaboration. The risk-assessment process within the EIM system becomes the de facto administrator — managing status, approvals, next steps, version control, permissions and related content. Risk assessment reports and all related work are then easily and directly accessible to the authorized individuals and groups at any time without time-consuming searches. Any change requests, such as revised SOPs resulting from the risk assessment, are initiated via automated workflows so that accuracy, context and relationships are maintained.

Compliance And Policy Management

With limited staff and resources available for compliance-related activities, organizations need to be as efficient and cost-effective as possible in the management of this important set of processes. One of the most direct and straightforward ways to keep these activities efficient and cost-effective is with an EIM solution.

For example, an important aspect of achieving and proving compliance lies in the management and use of standard operating procedures (SOPs). The onus of managing and documenting the creation, collaboration and maintenance of SOPs is like that of audits, risk assessments, and change requests; however, SOPs document actual business operations and procedures, and quality standards require that relevant employees be made aware of them. The audience that reads SOPs is much larger than the audience that reads other quality and compliance content. Furthermore, if an incident such as an injury occurs, companies need to assess whether the employee was properly trained and whether SOPs were followed.

An EIM system can dramatically simplify and improve the process of documenting the creation, maintenance, and adherence to SOPs. Employees who are required to read SOPs and confirm they’ve understood the material can do so directly from the system, which then records the events, test results, and related digital signatures. When SOPs are modified, the system documents the collaboration and details of employee access to the modified SOPs for training purposes. If companies must demonstrate that their employees read SOPs at given intervals, the EIM system provides a quick and easy way of documenting this and communicating it to auditors, as well as risk and compliance managers.

In addition, SOPs themselves can be integrated into workflows. For example, if an SOP or regulation states that certain documents must be periodically reviewed for updates, read for training purposes, or shared with other parties, that process itself can be automated within the EIM system, which generates automatic reminders and audit trails as required.

A particularly powerful capability provided by some EIM solutions is the ability to link, or relate, SOPs to other documents, such as a machine or a software manufacturer’s documentation, based on intuitive descriptions without concern about file locations and naming conventions. As a result of these relationships, all related content that a given user or group is authorized to access is immediately available with the appropriate version of the SOP.

Change Management

Change is the only constant, and an organization can succeed in effectively managing change with efficient, transparent, and auditable processes. When an incident or deviation occurs, many organizations have SOPs in place to determine and contain the root cause, manage the corrective and preventive actions (CAPAs), issue change requests (CRs), modify SOPs, and re-train staff as needed. EIM solutions can administer these change-management processes and related content creation, modification, approval, and distribution by organizing the processes and all related content and collaborators around a commonly understood “business object,” such as a CAPA or a Change Request, rather than the necessary content and related information being scattered in various silos, such as email attachments, network drives, local hard drives, mobile devices and so on.

For example, if a machine breaks down on the shop floor and causes an incident or a deviation, the manufacturer’s documentation for the machine, the maintenance and training records, the risk assessments, and audit findings can all be included and accessed together with the information supporting the investigation and remediation. Alternatively, if an audit reveals that several hospitals in a healthcare system are not using specified equipment, the audit finding can be included with the corrective action documentation for transparency, traceability and future reference. This process occurs transparently within the EIM system itself, which avoids the silo and risk of relying on individuals to keep track of the change-management process. All change-management actions occurring within the EIM system are captured and available for use in quality and compliance reports.

Integrating EIM With Systems That Administer Quality And Compliance Activities

Among the main obstacles that organizations face with respect to quality and compliance management are the information silos that are all too common across disciplines, departments, systems and geographic locations. Various document versions are buried in multiple internal business systems, emails and other storage locations; documents are lost due to accidental deletions or misfiling; or a document or procedure may still be “owned and managed” by an individual who has already left the company.

Review processes may be difficult to track and follow, file naming conventions and storage locations may vary or be ignored, and related documents may be difficult to locate, retrieve, and assemble.

When it’s time for an audit, or an event occurs that requires corrective action or an investigation, a fire drill of document retrieval and compilation ensues. At that time, it may be possible to prove that you have the required documents, but difficult to prove who read, approved, updated, and signed off on them.

In order to break down information silos and improve collaboration and decision-making processes, it’s essential to integrate EIM with other systems that support quality and compliance management. Enterprise Resource Planning (ERP), Customer Relationship Management (CRM) and engineering software systems, such as PDM or PLM, should integrate with EIM to enable and manage collaboration on contracts, SOPs, audits, risk assessments and other quality and compliance documents and initiatives that require information about orders, vendors, customers, product designs, raw materials, production schedules and processes, and finance and accounting procedures.

For example, when a new part is added to an ERP system, the information can be automatically reflected in the EIM system, and the EIM system can then initiate the collaboration process on any related quality and compliance documentation, such as documenting the vendor, raw materials, production processes and electronic signatures. Documentation associated with the part can also be linked to documentation of related parts and assemblies for use in quality and compliance reporting.

Customer information from a CRM system can be integrated with any quality and compliance documents relating to the customer to ensure a complete view of interactions with that customer. Integration can also be bidirectional, such that a change to a customer address in a document updates the address in all other documents and in the CRM system itself. Integration ensures that a single record — such as a customer, part, or vendor from a single source — populates related quality and compliance content, which avoids re-entering information with the potential to introduce inaccuracies.

To ensure adoption of EIM and the benefits it provides to quality and compliance management, EIM must also integrate with Microsoft Office and SharePoint for content creation, collaboration, editing and storage.

This integration must be as seamless as possible, with the objective that it does not change the way users normally access and edit content. Such integration enables the operational oversight required and the efficiency needed to effectively manage quality and compliance.

Compliance, Content And The Cloud

The advantages of cloud computing are clear: on-demand self-service provides immediate access to applications and information; ubiquitous network access provides always-on availability to qualified devices anywhere with an Internet connection; location-independent resource pooling distributes processing and storage demands across available infrastructure for efficiency; scalability accommodates high and low demand volumes; and pay-per-use ensures that subscribers pay only for the services that they need.

Beyond the flexibility that it provides, cloud computing can aid in quality and compliance management as well. If a cloud vendor proves that it meets quality and compliance standards for its infrastructure, platform and/or application, then its customers can leverage that proof in their quality and compliance management and reporting initiatives. Cloud services often meet quality, compliance, and security standards better than on-premises solutions because the cloud service provider solely focuses on maintaining its infrastructure, platform and/or application and delivers a uniform service to all subscribers. The costs of hardware, maintenance and security are spread across a pool of subscribers, which helps support the infrastructure required to maintain high quality and compliance standards. Cloud computing also enables customers to allocate more resources toward their core competency and fewer toward IT infrastructure, maintenance, and quality and compliance management.

Each organization must evaluate its quality objectives and regulatory requirements in determining whether to manage quality and compliance content in the cloud, on premises or via a hybrid cloud model.

In addition to quality and compliance requirements, organizations must evaluate investments in existing infrastructure, ability to integrate applications, and the steps, costs, and risks involved in migrating on-premises quality and compliance content to the cloud.

Many organizations choose to manage quality and compliance content in a hybrid environment employing both on-premises and cloud deployments, keeping confidential and regulated information on premises behind the firewall, while publishing other information on a public or private cloud. The benefits of a hybrid cloud approach include the ability to cost-effectively augment existing IT resources to accommodate new or temporary projects or peaks in demand; to shift spending away from on-premises system maintenance and toward innovation; and to gradually migrate to the cloud while preserving current investments in on-premises systems.

Some EIM solutions today can be deployed on premises, in the cloud, or in a hybrid environment. The most important consideration outside of security, quality and compliance mandates is selecting the EIM deployment model that best supports the organization’s ability to efficiently and effectively manage quality and compliance content based on its size, user profiles, and geographic distribution.

Final Word

There is a clear convergence between EIM and governance, risk and compliance (GRC). Given the high demands that GRC places on highly regulated companies and the limited resources that most organizations can allocate to it, it’s important to consider the benefits of efficiency, transparency, auditing, archiving, security, collaboration, process management, signature recording, reporting and content retrieval that EIM can provide.

Peter Ellyard

Having spent over 20 years immersed in the document management software industry, I have found that by offering a simple-to-use, highly effective electronic document management solution (knowledge management software) we increase productivity dramatically. Typically by an hour per person, per day! This is not rocket science, just a simple way to streamline your day-to-day information needs.