Like medical specialists assembled for a consultation, there is a tendency for different parts of large organizations to focus
only on their area of concern when examining monitoring and control requirements. That can be a fatal mistake, because just
as the various parts and systems within the body are interrelated and interdependent, so are the systems within an organization
providing services to that body.
Take cost-containment, for example. The financial department is focused on assuring that costs meet predetermined budget levels.
When an organization uses manual, internally built controls, the temptation to inspect data in batches and samples is strong.
While batch processing drives costs down, it could spike an organization's level of risk, perhaps to dangerous levels.
A CM approach accomplishes reduction without compromising risk management. With a manual process, the cost is in the labor.
CM removes those labor costs by monitoring all of the data automatically, on a continuous basis. It also allows the organization
to expand its controls cost-effectively beyond the original, manual solution and further reduce the level of risk.
As part of this process, CM creates an audit trail for every activity. When an anomaly arises, the research and resolve process
is greatly streamlined because all of the data is easily visible and searchable. Further savings are realized because appropriately
designed automated controls require testing once during any given evaluation period, versus 15 to 25 times for manual controls.
This holistic approach is critical to the long-term health and success of pharmaceutical organizations, particularly in the
current, highly regulated environment. Putting automated controls in place across the enterprise now ensures that these organizations
can meet their audit and regulatory obligations today, and that they can improve business processes on an ongoing basis. It
will also help insulate them from the ever changing landscape of government regulations and auditor requirements, ensuring
that the investments made today are not lost as new policies evolve.
Making the Case
Often a change in controls within an organization is driven by compliance, and is only implemented in the aftermath of a costly
and embarrassing information risk event.
One of the keys to making the case for CM is showing how costly resolving an event after the fact will be in terms of time
and resources, and will likely bring other initiatives to a halt until a cure is developed. In the meantime, the reputation
of the enterprise suffers.
That's where it's important to create a strong business case articulating short- and long-term value propositions that resonate
with top management's higher goals. The argument becomes even stronger when presented with cost-benefit analyses, demonstrating
bottom-line results in metrics such as Net Present Value, Internal Rate of Return, and Payback Period.
When building the business case, here are some key points to include:
» Reduce the cost of compliance. The time and cost of audits and Service Level Agreement (SLA) violations are examples of the cost of compliance. CM helps
reduce them by streamlining the audit process, and by providing better coverage to mitigate risks throughout the organization.
» Reduce risk through early detection. CM lowers the probability of a risk event by detecting errors early in the process. Just as early detection is the key to
curing many diseases, early detection of errors is the key to avoiding significant information problems later.
» Expand control coverage. Most healthcare organizations don't focus on deploying controls for low- to medium-risk processes because of the cost. The
low incremental cost of deploying a CM solution in these processes enables organizations to mitigate these risks in a cost-effective
» Improve processes. While the financial value of process improvements can be difficult to quantify, their value in establishing buy-in should
not be ignored. Expected process improvements include a drastic reduction in the time required to perform control activities;
validation of all transactions while providing visibility into control actions; and a complete audit trail that validates
information is accurate, trustworthy, and reliable while providing better insight for an organization
to make effective bottom-line business decisions.
Audit and compliance issues can feel like life or death in any enterprise. In the healthcare industry, that risk is not just
figurative. It can be literal.
Continuous monitoring can help greatly reduce risk—and costs—by automatically tracking a business' vital signs and alerting
key personnel early to problems or violations, so that proper treatment can be applied. CM can also keep the enterprise healthier
by improving business processes so it can run more efficiently. Because in business as in healthcare, an ounce of prevention
is worth—well, you do the math.
Sumit Nijhawan is the Company Operations Leader at Infogix. He can be reached at firstname.lastname@example.org