1 / 18

CSV Working Party Update

CSV Working Party Update. PRISME MEETING 23 rd May 2012 Richard F Shakour – Merck Frank Gorski - Pfizer. Agenda – CSV Working Party. CSV Working Party Vendor Assessment Vendor Assessment/Audit Framework Inefficiencies/Problems Potential Solutions

beck
Download Presentation

CSV Working Party Update

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CSV Working Party Update PRISME MEETING 23rd May 2012 Richard F Shakour – Merck Frank Gorski - Pfizer

  2. Agenda – CSV Working Party • CSV Working Party • Vendor Assessment • Vendor Assessment/Audit Framework • Inefficiencies/Problems • Potential Solutions • Vendor Compliance Assessment Service (VCAS) • Overview of VCAS Phases • Benefits & Potential Return On Investment • Proposal & Next Steps

  3. PRISME CSV Working Party • Background: CSV Working Party formed during last PRISME Meeting in Cambridge, Massachusetts at BiogenIdec Oct 2011. • CSV Working Party: Various industry SMEs in attendance:

  4. PRISME CSV Working Party • Objective: • Objective: To streamline and optimize (and where feasible harmonize) the vendor audit/assessment process across industry and vendor community thereby reducing cycle time, decreasing unit cost and increasing coverage. • Frequency: Bi-weekly meetings. • Obstacles: • There was a delay in folks obtaining local approval (legal) to share specific vendor assessment details and in some cases even to attend the CSV working party meetings. • Some membership concerns

  5. Harmonization Of Vendor Assessments • As part of the bi-weekly CSV Working Party Meeting - various companies provided information and/or presented around vendor assessment processes. • Vendor Assessments Common Categories • Security/Access Controls • Compliance • Infrastructure • Data Integrity • Privacy/Confidentiality • Availability of information/procedures/policies/training • Vendor assessment questions seem to be very similar between various companies. • The questionnaires can be potentially harmonized.

  6. Common Vendor Assessment Framework • Problem: • Extensive Questionnaires/Assessments places burden on both vendor and auditing groups. • Expectations are not defined on completing vendor assessment. • *Proposed Solution(s): • Establishing vendor assessment harmonization and defined expectations/criteria. • Establishing Vendor Risk Management/ Vendor Profiling. Vendor Assessment Sent to Vendor • Problem: • Culture based vs. risk based approach to conducting vendor audits. • Onsite audits are frequently conducted that have high associated costs and effort. • *Proposed Solution(s): • Establishing robust vendor data collection, vendor risk profiling, leveraging vendor desktop/remote reviews vs. onsite. Evaluation Of Results From Vendor Assessment (High-Medium Risk) Audit Required (Major/Minor/ Improvement) Audit Is Not Required/Optional (Low/No Risk) Audit Approved Audit Not Approved Follow Up Action/Re-Audit * PRISME CSV Working Party discovered Pfizer/PWC VCAS Tool (or similar) could be utilized to implement solutions detailed above. VCAS tool and potential ROI will be discussed in the following slides.

  7. Contents Vendor Compliance Assessment Service • Introduction • Vendor Audit Methods • Process Overview • Benefits

  8. Problem Statement–Vendor Environment at Pfizer Problem: Pfizer operates a complex business which requires the use of vendor services. Outsourcing and Information Security have been identified as the top concerns within the industry. • Increasing sensitivity of the information or data processed/held by business partners • BT 500+ • Pan Pfizer: 50,000+ • Diverse range of services provided • ‘In house’ tasks now being performed by outside companies • Timescales for project/service implementation reduced Global Interdependence Solution: Conduct vendor audits & assessments to understand, mitigate or accept risks from vendors 8

  9. Prior Vendor Audit Methods • Old Method: Onsite vendor audits were conducted to mitigate risks from utilizing vendor services or business partners. • Traditional onsite audits required: • 2 - 3 days onsite & 5 - 6 days of offsite activity therefore - • 500 vendors = 1000 man days of audit = 3+ years of a full time team • 5,000 vendors = 10,000 man days of effort = 30+ years of efforts (team of 20+ for 3 to 5 years!) • Old vendor audit method = $20K - $25K/audit plus travel costs* • Approximately 50 audits/year = > $1M Annual spend • 500 audits >10million $/year • Due to the volume and diversity of Pfizer’s vendors, this traditional method is no longer sustainable from a workload and cost perspective * (Illustrative example, not meant to represent actual Pfizer cost)

  10. New Vendor Audit/Assessment Methods • New Method: Risk assessments or evaluations of vendors are conducted using a spectrum of review based on the entity’s estimated risk. This method is a more efficient use of resources and will provide an appropriate risk assessment. 100% 79% No Action Review Method Quantities Amount of Effort & Cost 15% 3% 2% 0% Spectrum of Review 10

  11. VCAS Scope • Who We Look At • Types of Audits • What We Look For • Risk or Regulatory Areas Covered • GMP, GLP, GCP, GDP • ERES ( Part 11) • Sarbanes Oxley • Privacy – general not country specific • IT security (Logical) • Physical Security • PDMA • HiPAA • PCI • Others (by request) • Software • Data Centres • IT hardware • Suppliers hosting Pfizer data • Suppliers accessing Pfizer data • Outsourced services e.g. Helpdesks ( usually processing or holding Pfizer data including Non BT activity) • Mixed scenarios e.g. Where supplier uses Pfizer processes and their own processes outside the Pfizer environment VCAS Does Not • Test functionality of software • Perform intrusive technical testing e.g. penetration testing • Install any software into supplier environments • Review vendor financials

  12. VCAS Phases • VCAS process consists of 3 phases: • Profile: Information is collected from the requestor to develop a vendor profile • Assess: Information provided by the vendor (questionnaires or documents) is analyzed against expectations and level of compliance is reported back to requestor • Review & Decide: Businessgroupleverages the VCAS assessment to determine next steps • Next we will look at each phase in detail…… • VCAS

  13. Phases 1. Profile 2. Assess • Vendor Data Collection • Business Sponsor • Previous Assessments • Vendor contacts • Contracts Preliminary Entity Profiling • VCAS Processes • VOA • VCA • VDR Preliminary Vendor Risk Profile and Rating Preliminary Service Profiling Technical Security Assessment • Output: • Assessment Type • Assessment Scope 3. Review and Decide Assessment Report Residual Risk Rating and Score Remediation and Re-assessment • VCAS Report • Inherent Risk Rating and Score Periodic Review • Business Action: • Accept • Share / Transfer • Reduce

  14. Profile Phase: Categories Components of the Vendor Risk Profile Depicts approximate category weighting

  15. Profile Phase: Output (example 1) 100 Onsite Audit 80 Vendor Desktop Review (Remote Assessment via telephone/Webex) Entity Profile 60 Self Assessment 40 Vendor A & Service Z Vendor A & Service Y No Assessment 20 20 40 60 80 100 Service Profile

  16. Benefits of VCAS Cost Benefits of VCAS Annual Budget* $X $X+10% $X+10% $X *Excludes PWC investment to build VCAS framework

  17. General Benefits of VCAS Program • Enhanced Selection and Management of BT Suppliers - provides awareness of the compliance status of vendors • BT visibility into the state of compliance of vendors – allows BT to see reports & responses with quantitative analysis within an Automated Risk Tool • Periodic Vendor Monitoring - initiated throughout the engagement of BT suppliers based on vendor service or risk. • A Variety of Methods for Vendor Evaluation - via vendor self-assessment, remote assessment (audit) which are appropriate to the services and risks present by engagement of those vendors • Establishment of a Preferred List of Vendors - aligned to Pfizer IT control domains, thus further reducing administrative costs associated with numerous vendor engagements

  18. Proposal & Next Steps CSV Working Party will meet post PRISME Members meeting (23rd May) to review minutes/feedback received (~June 2012) CSV Working Party is recommending the PRISME Members/Delegates attend a presentation on the VCAS model provided by PwC and Pfizer (~June 2012) PRISME Members to decide whether to pursue local adoption of the VCAS model or similar. If favorable the CSV Working Party (or delegates) will work independently to obtain local stakeholder approval and support (~June – July) CSV Working Party will meet to discuss progress on potential local adoption of VCAS model (~Jul-Aug) Review progress on the adoption of the VCAS model or similar at the PRISME Member’s Meeting ~ (~Oct 2012, US) Post Oct 2012 – leveraging potentially shared vendor profiles/assessments (across industry) (dependent on steps 3 -5)

More Related