CSV Working Party Update

Report
CSV Working Party Update
1
PRISME MEETING
23rd May 2012
Richard F Shakour – Merck
Frank Gorski - Pfizer
Agenda – CSV Working Party
2
• CSV Working Party
• Vendor Assessment
• Vendor Assessment/Audit Framework
• Inefficiencies/Problems
• Potential Solutions
• Vendor Compliance Assessment Service (VCAS)
• Overview of VCAS Phases
• Benefits & Potential Return On Investment
• Proposal & Next Steps
PRISME CSV Working Party
3

Background: CSV Working Party formed during last PRISME Meeting in Cambridge,
Massachusetts at BiogenIdec Oct 2011.

CSV Working Party: Various industry SMEs in attendance:
PRISME CSV Working Party
Name
Sid Senroy
Bernd Doetzkies
Ron Fitzmartin
Jonathan Helfgott
Uwe Trinks
Glyn Williams
Richard Shakour
Volker Erat
Ulrik Jørgensen
Alan Polack
Cynthia Senerchia
Frank Gorski
Christopher John McElroy
Rocco. B .Timpano
John Wise
Susan Marino
Susan Fantoni
Company
BiogenIdec
Daiichi Sankyo
Decision Analytics (Now with FDA)
FDA
Foresight Group
IDBS
Merck
Novartis
Novo Nordisk
Oracle
Oracle
Pfizer
Pfizer
Pfizer
PRISME Forum
Roche
Sanofi-Aventis
PRISME CSV Working Party
4

Objective:

Objective: To streamline and optimize (and where feasible harmonize) the vendor
audit/assessment process across industry and vendor community thereby reducing cycle time,
decreasing unit cost and increasing coverage.

Frequency: Bi-weekly meetings.

Obstacles:

There was a delay in folks obtaining local approval (legal) to share specific vendor assessment details and in some
cases even to attend the CSV working party meetings.

Name
Sid Senroy
Bernd Doetzkies
Uwe Trinks
Glyn Williams
Richard Shakour
Volker Erat
Ulrik Jørgensen
Alan Polack
Frank Gorski
Company
BiogenIdec
Daiichi Sankyo
Foresight Group
IDBS
Merck
Novartis
Novo Nordisk
Oracle
Pfizer
Status In Providing Vendor Assessment/Attendance
Not provided/ Did not attend
Presented
Provided
Provided
Presented
Not provided/Did not attend
Presented
Not provided/Did not attend (Conflict Meeting)
Presented
Susan Marino
Roche
Not provided/Did not attend
Susan Fantoni
Sanofi-Aventis
Presented
Some membership concerns
Harmonization Of Vendor Assessments
5
 As part of the bi-weekly CSV Working Party Meeting -
various companies provided information and/or presented
around vendor assessment processes.
 Vendor Assessments Common Categories






Security/Access Controls
• Vendor assessment
questions seem to be very
similar between various
Compliance
companies.
Infrastructure
• The questionnaires can
be potentially
harmonized.
Data Integrity
Privacy/Confidentiality
Availability of information/procedures/policies/training
Common Vendor Assessment Framework
6
Problem:
• Extensive
Questionnaires/Assessments
places burden on both vendor and
auditing groups.
• Expectations are not defined on
completing vendor assessment.
*Proposed Solution(s):
• Establishing vendor assessment
harmonization and defined
expectations/criteria.
• Establishing Vendor Risk
Management/ Vendor Profiling.
Vendor Assessment Sent to Vendor
Evaluation Of Results
From Vendor
Assessment
(High-Medium Risk)
Audit Required
Audit
Approved
(Major/Minor/
Improvement)
Audit Not
Approved
Problem:
• Culture based vs. risk based
approach to conducting vendor
audits.
• Onsite audits are frequently
conducted that have high associated
costs and effort.
*Proposed Solution(s):
• Establishing robust vendor data
collection, vendor risk profiling,
leveraging vendor desktop/remote
reviews vs. onsite.
Audit Is Not
Required/Optional
(Low/No Risk)
Follow Up
Action/Re-Audit
* PRISME CSV Working Party discovered Pfizer/PWC VCAS Tool (or similar) could be utilized to implement solutions
detailed above. VCAS tool and potential ROI will be discussed in the following slides.
Contents
Vendor
Compliance
Assessment
Service
 Introduction
 Vendor Audit Methods
 Process Overview
 Benefits
<Insert HSI Classification>
7
Problem Statement–Vendor Environment at Pfizer
Problem: Pfizer operates a complex business which requires the use of vendor
services. Outsourcing and Information Security have been identified as the top
concerns within the industry.
Quantity &
Diversity of
Vendors
•
•
•
BT 500+
Pan Pfizer: 50,000+
Diverse range of
services provided
Increased
Outsourcing
•
‘In house’ tasks now
being performed by
outside companies
Rapid Pace of
Delivery
•
Timescales for
project/service
implementation reduced
Information
Security
•
Increasing sensitivity of
the information or data
processed/held by
business partners
Global Interdependence
Solution: Conduct vendor audits & assessments to understand, mitigate or accept risks
from vendors
<Insert HSI Classification>
8
Prior Vendor Audit Methods
Old Method: Onsite vendor audits were conducted to mitigate risks from
utilizing vendor services or business partners.
Traditional onsite audits required:
2 - 3 days onsite & 5 - 6 days of offsite activity therefore  500 vendors = 1000 man days of audit = 3+ years of a full time team
 5,000 vendors = 10,000 man days of effort = 30+ years of efforts
(team of 20+ for 3 to 5 years!)
Old vendor audit method = $20K - $25K/audit plus travel costs*
 Approximately 50 audits/year = > $1M Annual spend
 500 audits >10million $/year
Due to the volume and diversity of Pfizer’s vendors, this traditional method is
no longer sustainable from a workload and cost perspective
* (Illustrative example, not meant to represent actual Pfizer cost)
<Insert HSI Classification>
9
New Vendor Audit/Assessment Methods
New Method: Risk assessments or evaluations of vendors are conducted using a
spectrum of review based on the entity’s estimated risk. This method is a more efficient
use of resources and will provide an appropriate risk assessment.
100%
79%
VDR - Remote
assessments
(telephone/webex)
VDR - Remote
assessments
(documentation
reviews with
vendor)
VDR - Reviews of existing
reports
(e.g. SAS 70, SSAE 16)
2%
VCA -Selfassessments
15%
Amount of Effort &
Cost
Review Method
Quantities
VOA - Onsite
audits
No Action
0%
10
3%
Spectrum of Review
<Insert HSI Classification>
10
VCAS Scope
Who We Look At
Types of Audits







Software
Data Centres
IT hardware
Suppliers hosting Pfizer data
Suppliers accessing Pfizer
data
Outsourced services e.g.
Helpdesks ( usually
processing or holding Pfizer
data including Non BT
activity)
Mixed scenarios e.g. Where
supplier uses Pfizer
processes and their own
processes outside the Pfizer
environment
What We Look For
Risk or Regulatory
Areas Covered










GMP, GLP, GCP, GDP
ERES ( Part 11)
Sarbanes Oxley
Privacy – general not country
specific
IT security (Logical)
Physical Security
PDMA
HiPAA
PCI
Others (by request)
VCAS
Does Not
 Test functionality
of software
 Perform intrusive
technical testing
e.g. penetration
testing
 Install any
software into
supplier
environments
 Review vendor
financials
<Insert HSI Classification>
11
VCAS Phases
 VCAS process consists of 3 phases:
VCAS
 Profile: Information is collected from the
requestor to develop a vendor profile
 Assess: Information provided by the vendor
(questionnaires or documents) is analyzed
against expectations and level of
compliance is reported back to requestor
 Review & Decide: Business group
leverages the VCAS assessment to
determine next steps
Profile
Review &
Decide
(Business)
Assess
 Next we will look at each phase in detail……
<Insert HSI Classification>
12
Phases
1. Profile
Vendor
Data
Collection
• Business
Sponsor
• Previous
Assessments
• Vendor
contacts
• Contracts
2. Assess
Preliminary Entity
Profiling
Preliminary Service
Profiling
Output:
• Assessment Type
• Assessment Scope
3. Review and Decide
Periodic Review
VCAS
Processes
Preliminary Vendor
Risk Profile and
Rating
Residual Risk
Rating and Score
Business Action:
• Accept
• Share / Transfer
• Reduce
•VOA
•VCA
•VDR
Technical
Security
Assessment
Assessment
Report
Remediation and
Re-assessment
VCAS Report
• Inherent Risk Rating and
Score
<Insert HSI Classification>
13
Components of the Vendor Risk Profile
Profile Phase: Categories
Vendor Risk Profile
Entity Profile
Service Profile
(Max Score 100)
Experience
& size etc.
(20%)
Familiarity
to Pfizer
(Includes
contract
status)
(40%)
Prior
Reviews
(40%)
Depicts
approximate
category
weighting
Service Operation
Service
Scope
(15%)
Service
Type
(15%)
Regulatory
/ Legal
Data & Information
Data Access
(10%)
Data
Sensitivity
(20%)
Availability
Impact
(10%)
Uptime Req.
(5%)
SOX
GxP
PCI
SPI
HIPAA
(25%)
<Insert HSI Classification>
14
Profile Phase: Output (example 1)
100
Entity Profile
80
60
40
Vendor A
& Service Z
Vendor A
& Service Y
20
20
40
60
80
100
Service Profile
<Insert HSI Classification>
15
Benefits of VCAS
Cost Benefits of VCAS
Annual
Budget*
$X
$X+10%
$X+10%
$X
*Excludes PWC investment to build VCAS framework
<Insert HSI Classification>
16
General Benefits of VCAS Program
 Enhanced Selection and Management of BT Suppliers - provides
awareness of the compliance status of vendors
 BT visibility into the state of compliance of vendors – allows BT to see
reports & responses with quantitative analysis within an Automated Risk Tool
 Periodic Vendor Monitoring - initiated throughout the engagement of BT
suppliers based on vendor service or risk.
 A Variety of Methods for Vendor Evaluation - via vendor self-assessment,
remote assessment (audit) which are appropriate to the services and risks
present by engagement of those vendors
 Establishment of a Preferred List of Vendors - aligned to Pfizer IT control
domains, thus further reducing administrative costs associated with numerous
vendor engagements
<Insert HSI Classification>
17
Proposal & Next Steps
1.
CSV Working Party will meet post PRISME Members meeting (23rd May) to review minutes/feedback
received (~June 2012)
2.
CSV Working Party is recommending the PRISME Members/Delegates attend a presentation on the
VCAS model provided by PwC and Pfizer (~June 2012)
3.
PRISME Members to decide whether to pursue local adoption of the VCAS model or similar. If
favorable the CSV Working Party (or delegates) will work independently to obtain local stakeholder
approval and support (~June – July)
4.
CSV Working Party will meet to discuss progress on potential local adoption of VCAS model (~JulAug)
5.
Review progress on the adoption of the VCAS model or similar at the PRISME Member’s Meeting ~
(~Oct 2012, US)
6.
Post Oct 2012 – leveraging potentially shared vendor profiles/assessments (across industry)
(dependent on steps 3 -5)

similar documents