Building-In Compliance For Peace Of Mind
Jim Barrington, CIO of Novartis, discusses how to build compliance and risk management into IT operations
January 21, 2009
What's it like to run a global IT organization that's not only responsible to executive management and other traditional stakeholders, but a whole host of regulatory bureaucrats? That's the daily experience of Jim Barrington, CIO of Novartis, a global pharmaceutical and healthcare company that operates in 140 countries.
Jim recently spoke to News@Cisco about compliance and risk management in one of the world's most heavily-regulated industries, and why every CIO should look at ways to build it into IT operations.
To get started, what does the compliance and risk management landscape look like for Novartis?
Jim Barrington: I think most people are aware that the pharmaceutical industry faces a compliance and risk burden second to none. The only other industry I can think of that even comes close is financial services. Like them, we come under the jurisdiction of various financial regulations, like Sarbanes-Oxley in the US. Then, on top of that, we must comply with a host of regulations specific to the medical industry, such as those imposed by the U.S. Food and Drug Administration. We estimate that the cost of compliance can add as much as 40% to the cost of developing an IT solution.
And that's only the compliance side of the equation. Risk management is even more challenging in some ways, because much of it involves interpretation of these regulations. They don't define which controls we should implement; that's our call. How much risk is acceptable, and at what cost? Mind you, the technology side of this is the easiest part to deal with: that's child's play compared to trying to anticipate the attitude of lawyers and regulatory bureaucrats to a given compliance failure, which is a major determinant of its cost!
As CIO, what do you consider the most critical components of mitigating risk and ensuring compliance?
Jim Barrington: I think that if you try to handle risk and compliance as a lot of moving parts, as your use of the plural "components" implies, you'll go mad. It's certainly not something you can solve by just throwing a bunch of technology at it. Instead, you have to approach it as a change in philosophy supported by appropriate processes.
In the old paradigm, compliance is simply viewed as a burden imposed on you by regulators, and so your response to it is event-driven, reactive. New regulation? Well, let's see what we have to change to adapt. It's not built into your IT process, and responsibility is spread all over the company. That's a huge management burden, and pretty much guarantees that something will slip through the cracks. But our philosophy is that compliance, viewed rightly, is fundamental to good operations, so why not build it into our IT operations and use it to clarify our responsibilities and accountability all across the company?
What does this philosophy mean for IT operations at Novartis?
Jim Barrington: We have pooled all the compliance and security issues into a single accountability framework, called "IT in Control," that covers both the external requirements imposed by regulators and the internal requirements such as security, business continuity planning, and the like. The development and implementation of this framework is the responsibility of a new position: the Head of Compliance and Risk Management, and he has a counterpart in every division in the company, worldwide, who is accountable for that division's implementation of the framework, as well as for contributing to its ongoing development. So we have an organizational structure, a framework, and the processes to support it, like monitoring, auditing, feedback, remediation, and the like.
You might think of all this as a kind of "ITIL for compliance," if you like. It's no longer necessary for all the different business units to understand how all these regulations affect them in terms of compliance or risk management. They know that if they follow the framework, they'll automatically be in compliance with every regulation they need to be concerned about.
What are the benefits of the "IT in Control" framework? Have you seen cost savings from this approach?
Jim Barrington: I haven't actually costed it out (we're about two-thirds of the way through implementation company-wide), but I know it has removed a huge management burden from the IT organization. Before any new control is added to the framework it will have been thoroughly checked and validated by domain experts, and signed off on by our external auditors. So my IT staff doesn't need to keep up-to-date with regulations and their interpretation. They just need to implement the controls in the framework. This gain in efficiency significantly reduces our risk of not being in compliance.
And that is by far the biggest benefit: we now know, and can assure our business partners, that we are in compliance with all relevant regulations. A related benefit is increased agility: IT's response, indeed the entire company's response, to regulation is now far more anticipatory, proactive, and focused.
There's another upside, which is not one we expected. As a global concern, we're doing more off-shoring and outsourcing than ever before, and you can just imagine the nightmare of enforcing compliance with remote vendors in the absence of a framework. But now all we have to do is hand them the controls manual, which includes the processes we'll use to audit them for compliance. They know what's expected, and we know what we're getting.
How do you see your role as CIO changing in regards to compliance and risk management?
Jim Barrington: Well, the new framework has certainly made a difference there, which is why I'd recommend this approach to any CIO faced with similar challenges. There's a kind of paradox to it. Before we started implementing "IT in Control," I didn't have responsibility for all these areas of compliance and risk management, and yet they had a huge impact on my organization as various departments threw new requirements at me when new regulations were imposed.
Now, of course, it all lands on my desk by way of the Head of Compliance and Risk Management, who reports to me. But with this increased responsibility comes a great deal more clarity. There aren't so many moving parts to keep track of, which means a great deal more peace of mind. Like my organization, I don't have to be reactive any more; it's nice to be able to see things coming and have time to prepare for them.
Finally, I can be more confident about new initiatives. I think that in any heavily-regulated industry you can become intimidated by the risks involved in growing IT. Sometimes it may seem safer to maintain legacy systems even if they stand in the way. But with this framework, compliance is just part of the development process. It's really no longer an issue: you don't have to worry about an "oops" moment six months down the road when it turns out that a new system has introduced a compliance loophole.
Is there any final advice you'd have for a fellow CIO?
Jim Barrington: Well, I don't claim to have a crystal ball or anything, but I think I can pretty much guarantee that the future holds only more regulations, no matter what industry you're in. So even if you don't think you need a compliance and risk management framework today, you should start thinking about it. It's not something you can do overnight, but when you realize you need it, you may wish you could have.