Automating the governance, risk and compliance (GRC) process

Managed-service-based platform allows manufacturers to automate GRC communications with third parties

For pharma companies operating under Corporate Integrity Agreements (CIAs) or self-imposed GRC programs for anti-bribery rules, HIPAA compliance or contracts involving fair market value (FMV) assessments, documenting the compliance of third parties can be a headache. With outsourced vendor agreements numbering in the hundreds or more, each vendor’s internal processes need to be documented and reported. Avior Computing (Nashua, NH) has developed a software platform, called BenchMark, to automate this process; now the company is offering it as an outsourced service to manufacturers, healthcare providers and others.

Using a portal that Avior sets up, a company can build a database of suppliers or other partners and run the program according to its own specifications. Avior provides a set of predesigned rules libraries, addressing such industry requirements as the Foreign Corrupt Practices Act, HIPAA, ICD-10 (the schema for reporting billable medical interventions) and other rules. Libraries include medical affairs, marketing compliance, pharmacovigilance and others. “Instead of a company sending out assessments manually to third parties hand-picked as offering the highest risk, staff can send them out to all their third parties at once,” says Todd Martin, Avior’s director of life sciences. The service flags noncompliant items, reducing the administrative burden because staff has to deal only with a relatively small number of exceptions. The service allows staff to create a remediation for a third party to address by a selected date.

Companies also can create their own assessments. For example, with training from Avior, a company can create questions for assessment of employees’ compliance with its standard operating procedures (SOPs), with Avior mapping the questions to items in the control (i.e., the SOP). The service will flag noncompliant responses, allowing appropriate staff to address the issues. The managed-services arrangement requires a month-to-month subscription based on the number of entities being monitored; for example, 50 third parties for $4,000 per month.