Integrated Risk Management with GAMP 5 – manage ... - we.CONECT

Integrated Risk Management / July 2012

Integrated Risk Management with GAMP 5 – manage risks effectively!

Author:
Thomas Halfmann
Halfmann Goetsch Peither AG

With GAMP 5 in 2005, the risk-based approach was introduced into the validation of computerised systems. Risk management was not a new discipline or technology in this field; however, GAMP 5 went one significant step further than before: it took current trends from the healthcare industry and implemented them in the practice of validation. Today, the methods and procedures described in GAMP 5 have long since become everyday practice. The current challenge in validation is to manage compliance and risks effectively in heterogeneous organisations with numerous computer systems.

IT Compliance and Risk Management

The aim of validating computerised systems is to ensure that their operation does not pose any risk to patients, to the quality of the products or to the integrity of the data. Because of GxP requirements, the validation of computerised systems is, for most businesses, only one of many demands placed upon IT compliance. In addition to GxP, there are other requirements that the operators of IT systems must meet, for example:

• data protection, e.g. the use of personal data
• regulatory requirements, e.g. SOX
• information security, e.g. ISO 27000
• in-house compliance, e.g. quality management and internal audits.

In addition to other changes from the previous version, GAMP 4 of 2001, GAMP 5 places much more emphasis on the following aspects of validation:

• focus on the risk to patients
• integration of validation activities into a quality management system
• greater involvement of the supplier in validation activities
• integrated risk management in all life cycle phases

www.hgp.ag
© 2012 HGP AG, CH-Basel, All rights reserved Page 1 of 6



Risk management, as also required in GAMP 5, helps to meet compliance requirements in a focused and efficient way. GAMP 5 suggests a five-step risk management process (GAMP 5, Appendix M3, Science Based Quality Risk Management); this article focuses mainly on the last two steps of that process:

Figure 1: GAMP 5 risk management process

Based on the compliance frameworks (e.g. GxP, SOX etc.) and an appropriate risk analysis, controls are specified that ensure the regular review and monitoring of the identified risks. In the classic approach, these controls are introduced and monitored separately for each compliance framework.

Figure 2: Risk management for different compliance requirements


Many of the controls, however, occur more or less identically in the various compliance frameworks (GxP, SOX etc.), meaning that they are checked several times in various cycles. The introduction and maintenance of a change process as a control, for example, occurs in almost all compliance requirements. Added to this is the fact that many controls are related to processes, which in turn apply to a variety of computer systems, e.g. the change process.

We can therefore conclude that we have introduced appropriate risk management processes to the fullest extent possible, but that these have been implemented redundantly and at considerable cost throughout the entire organisation, owing to the numerous compliance requirements and their application to a number of IT systems.

Generally, this leads to high yet unnecessary additional costs for the specification and implementation of the controls. It can even lead to contradictory evaluations of individual controls, as these are not standardised across the various frameworks and so are evaluated differently by the different departments. A lack of transparency regarding the actual compliance status within the organisation then also contributes to the system falling short of expectations.

The desired compliance is indeed achieved, but only at considerable expense and with the risk of unpleasant surprises during audits and inspections due to this complexity.

Integrated Risk Management

One solution for implementing these risk management processes efficiently across the entire organisation is the introduction of an integrated risk management system:

Figure 3: Integrated risk management


Instead of specifying and monitoring controls for each individual compliance requirement, the controls are consolidated in a unified system. The challenge of an integrated risk management system such as this is that the context and timing of the requirements are not uniform: the SOX controls, for example, are reviewed at a different time, and possibly by different organisational units, than the GxP requirements. The integrated approach requires a certain degree of abstraction of the controls to make them applicable to all compliance frameworks. These necessary abstractions can lead to differing interpretations by the different organisational units within the business.

On the other hand, the integrated approach provides a unified, business-wide basis for the controls, and thus a significant reduction in costs. At the same time, it makes results comparable across organisational and system boundaries and achieves the necessary transparency.

In practice, we first specify the controls for the various frameworks and then unify those controls that occur in several frameworks. The specification and application of a change process, for example, can be expected in all frameworks (GxP, SOX etc.).

Tool Support

To manage the controls efficiently, Microsoft Excel is available as a tool for the simplest cases. Excel is ideal for organisations that only need to assess a few applications for compliance. As soon as one has to manage a larger number of applications, or wants to consolidate results across several organisations, using Excel becomes extremely time-consuming or no longer feasible.

Database applications specialising in risk and compliance management are an alternative to Excel. Their advantage over Excel is that the entire risk management workflow is handled in one integrated tool:

• specification of the assessments and controls
• performance of the assessments and evaluation of the controls
• identification of compliance deviations
• assessment of the risks
• management and monitoring of risk mitigation measures


Another advantage is that the relevant reports and management dashboards are integrated and do not have to be painstakingly pulled together from numerous Excel spreadsheets:

Figure 4: Risk management tool dashboard (RicoLution)

If the assessments are carried out on an annual basis (keyword: Periodic Review, GAMP 5 Appendix O8), a tool gives access to the history of all previous assessments. This means that trends can be recognised quickly and potential for improvement identified easily. This would not be possible in the same way with Excel.

These tools can generally be used with a wide range of compliance frameworks; they are not limited to compliance and risk management for IT systems and can, for example, also be used for managing GMP compliance and risks.

Conclusion

With numerous processes and IT applications, the ‘classic’ approach to managing risks and compliance becomes extremely expensive or even impossible. Integrated risk management is a solution for meeting the compliance requirements of businesses with complex organisational structures and numerous IT applications. The use of suitable tools provides the view from above and the necessary transparency, as well as efficient management of the controls and compliance assessments – even in a multi-organisational context.


References

1. GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems. ISPE, 2008.
2. GAMP Good Practice Guide: A Risk-Based Approach to Operation of GxP Computerized Systems.
3. GMP Manual Online. Maas & Peither AG GMP-Verlag.
4. GAMP 5 Risk-Based Approach - Risiken global managen [Managing risks globally]. Vortrag auf der Vision Pharma 2012 [paper presented at Vision Pharma 2012], Karlsruhe. Thomas Halfmann.

Author

Thomas Halfmann
Partner of the management consultancy Halfmann Goetsch Peither AG, Switzerland, Germany ISPE 2009, Singapore
