CSV Working Party Update

PRISME Meeting, 23rd May 2012

Richard F Shakour – Merck

Frank Gorski – Pfizer

Agenda – CSV Working Party

  • CSV Working Party

  • Vendor Assessment

  • Vendor Assessment/Audit Framework

    • Inefficiencies/Problems

    • Potential Solutions

  • Vendor Compliance Assessment Service (VCAS)

    • Overview of VCAS Phases

    • Benefits & Potential Return On Investment

  • Proposal & Next Steps

PRISME CSV Working Party

  • Background: CSV Working Party formed during last PRISME Meeting in Cambridge, Massachusetts at BiogenIdec Oct 2011.

  • CSV Working Party: Various industry SMEs in attendance:

PRISME CSV Working Party

  • Objective: To streamline and optimize (and where feasible harmonize) the vendor audit/assessment process across the industry and vendor community, thereby reducing cycle time, decreasing unit cost and increasing coverage.

  • Frequency: Bi-weekly meetings.

  • Obstacles:

    • There was a delay in members obtaining local (legal) approval to share specific vendor assessment details and, in some cases, even to attend the CSV Working Party meetings.

    • Some membership concerns

Harmonization Of Vendor Assessments

  • As part of the bi-weekly CSV Working Party meeting, various companies provided information and/or presented on their vendor assessment processes.

  • Common vendor assessment categories:

    • Security/Access Controls

    • Compliance

    • Infrastructure

    • Data Integrity

    • Privacy/Confidentiality

    • Availability of information/procedures/policies/training

  • Vendor assessment questions seem to be very similar between various companies.

  • The questionnaires can be potentially harmonized.

Common Vendor Assessment Framework

  • Problem:

    • Extensive questionnaires/assessments place a burden on both the vendor and the auditing groups.

    • Expectations for completing a vendor assessment are not defined.

  • *Proposed Solution(s):

    • Establish vendor assessment harmonization and defined expectations/criteria.

    • Establish vendor risk management / vendor profiling.

Vendor Assessment Sent to Vendor

  • Problem:

    • Culture-based rather than risk-based approach to conducting vendor audits.

    • Onsite audits are frequently conducted and carry high associated costs and effort.

  • *Proposed Solution(s):

    • Establish robust vendor data collection and vendor risk profiling, leveraging vendor desktop/remote reviews rather than onsite audits.

(Figure: assessment flow. Vendor assessment sent to vendor → evaluation of results from vendor assessment → High/Medium risk: audit required → audit approved, or audit not approved → follow-up action/re-audit; Low/No risk: audit not required/optional.)

* The PRISME CSV Working Party discovered that the Pfizer/PwC VCAS tool (or similar) could be utilized to implement the solutions detailed above. The VCAS tool and potential ROI are discussed in the following slides.






  • Introduction

  • Vendor Audit Methods

  • Process Overview

  • Benefits

Problem Statement – Vendor Environment at Pfizer

Problem: Pfizer operates a complex business which requires the use of vendor services. Outsourcing and information security have been identified as the top concerns within the industry.

  • Increasing sensitivity of the information or data processed/held by business partners

  • Vendor population: BT 500+; Pan Pfizer 50,000+

    • Diverse range of services provided

  • ‘In house’ tasks now being performed by outside companies

  • Timescales for project/service implementation reduced

  • Global interdependence

Solution: Conduct vendor audits & assessments to understand, mitigate or accept risks from vendors


Prior Vendor Audit Methods

  • Old method: Onsite vendor audits were conducted to mitigate the risks of utilizing vendor services or business partners.

  • Traditional onsite audits required 2 - 3 days onsite & 5 - 6 days of offsite activity, therefore:

    • 500 vendors = 1,000 man days of audit = 3+ years of a full-time team

    • 5,000 vendors = 10,000 man days of effort = 30+ years of effort (a team of 20+ for 3 to 5 years!)

  • Old vendor audit method = $20K - $25K/audit plus travel costs*

    • Approximately 50 audits/year = >$1M annual spend

    • 500 audits/year = >$10M annual spend

  • Due to the volume and diversity of Pfizer’s vendors, this traditional method is no longer sustainable from a workload and cost perspective.

* (Illustrative example, not meant to represent actual Pfizer cost)

New Vendor Audit/Assessment Methods

  • New method: Risk assessments or evaluations of vendors are conducted using a spectrum of review based on the entity’s estimated risk. This method is a more efficient use of resources and will provide an appropriate risk assessment.

(Figure: Spectrum of Review; review method quantities plotted against amount of effort & cost, starting from No Action.)


VCAS Scope

  • Who We Look At:

    • Suppliers hosting Pfizer data

    • Suppliers accessing Pfizer data

    • Outsourced services, e.g. helpdesks (usually processing or holding Pfizer data, including non-BT activity)

    • Mixed scenarios, e.g. where a supplier uses Pfizer processes and their own processes outside the Pfizer environment

  • Types of Audits:

    • Software

    • Data Centres

    • IT hardware

  • What We Look For – Risk or Regulatory Areas Covered:

    • ERES (Part 11)

    • Sarbanes-Oxley

    • Privacy – general, not country specific

    • IT security (logical)

    • Physical security

    • PDMA

    • HIPAA

    • PCI

    • Others (by request)

  • VCAS Does Not:

    • Test functionality of software

    • Perform intrusive technical testing, e.g. penetration testing

    • Install any software into supplier environments

    • Review vendor financials

VCAS Phases

  • The VCAS process consists of 3 phases:

    • Profile: Information is collected from the requestor to develop a vendor profile

    • Assess: Information provided by the vendor (questionnaires or documents) is analyzed against expectations and the level of compliance is reported back to the requestor

    • Review & Decide: The business group leverages the VCAS assessment to determine next steps

  • Next we will look at each phase in detail.

(Figure: VCAS process flow, shown here as a list)

  1. Profile

    • Vendor Data Collection: Business Sponsor, Previous Assessments, Vendor contacts, Contracts

    • Preliminary Entity Profiling and Preliminary Service Profiling

    • Preliminary Vendor Risk Profile and Rating: Inherent Risk Rating and Score

    • Output: Assessment Type, Assessment Scope

  2. Assess

    • VCAS Processes: VOA, VCA, VDR

    • Technical Security Assessment

    • VCAS Report / Assessment Report: Residual Risk Rating and Score

  3. Review and Decide

    • Business Action: Accept, Share / Transfer, Reduce

    • Remediation and Re-assessment

    • Periodic Review

Profile Phase: Categories

(Figure: Components of the Vendor Risk Profile, depicting the approximate share of each category.)


Profile Phase: Output (example 1)

(Figure: Entity Profile score plotted against Service Profile score on a 20 - 100 scale. Assessment type from lowest to highest risk: No Assessment, Self Assessment, Vendor Desktop Review (remote assessment via telephone/WebEx), Onsite Audit. Two example points are plotted: Vendor A & Service Y and Vendor A & Service Z.)
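The three VCAS phases and the spectrum of review in the chart above can be expressed as a small risk-tiering model. The block below is an added illustration, not Pfizer/PwC VCAS code: the category weights, the Low/Medium/High band edges, the rule that the riskier of the entity and service profiles sets the review depth, the residual-risk formula, the risk appetite and the sample vendor are all assumptions.

```python
# Common assessment categories listed on the harmonization slide (weights assumed).
CATEGORY_WEIGHTS = {
    "security_access_controls": 0.30,
    "data_integrity": 0.20,
    "privacy_confidentiality": 0.20,
    "compliance": 0.15,
    "infrastructure": 0.15,
}

def inherent_risk_score(entity_profile: dict) -> int:
    """Profile phase: weighted 0-100 inherent risk from per-category exposure answers (each 0-100)."""
    missing = set(CATEGORY_WEIGHTS) - set(entity_profile)
    if missing:
        raise ValueError(f"profile incomplete, missing categories: {sorted(missing)}")
    return round(sum(w * entity_profile[c] for c, w in CATEGORY_WEIGHTS.items()))

def risk_rating(score: int) -> str:
    """Low / Medium / High bands as on the assessment-flow slide (band edges assumed)."""
    return "Low" if score < 40 else "Medium" if score < 70 else "High"

def assessment_type(entity_score: int, service_score: int) -> str:
    """Spectrum of review: the riskier of the entity and service profiles sets the review depth
    (rule and thresholds assumed; the ordering follows the profile-phase output chart)."""
    worst = max(entity_score, service_score)
    if worst < 20:
        return "No Assessment"
    if worst < 50:
        return "Self Assessment"
    if worst < 80:
        return "Vendor Desktop Review"
    return "Onsite Audit"

def residual_risk_score(inherent: int, compliance_pct: int) -> int:
    """Assess phase: residual risk = inherent risk scaled by the share of expectations not met (assumed model)."""
    if not 0 <= compliance_pct <= 100:
        raise ValueError("compliance_pct must be between 0 and 100")
    return round(inherent * (100 - compliance_pct) / 100)

def business_action(residual: int, risk_appetite: int = 30) -> str:
    """Review & Decide phase: Accept within appetite, otherwise Reduce (remediate and re-assess)."""
    return "Accept" if residual <= risk_appetite else "Reduce"

# Constructed sample vendor: hosts regulated data, so high security and data-integrity exposure.
VENDOR_A_ENTITY = {"security_access_controls": 90, "data_integrity": 80,
                   "privacy_confidentiality": 60, "compliance": 60, "infrastructure": 40}
```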

Benefits of VCAS

Cost Benefits of VCAS

*Excludes PwC investment to build VCAS framework

General Benefits of VCAS Program

  • Enhanced selection and management of BT suppliers – provides awareness of the compliance status of vendors

  • BT visibility into the state of compliance of vendors – allows BT to see reports & responses with quantitative analysis within an automated risk tool

  • Periodic vendor monitoring – initiated throughout the engagement of BT suppliers based on vendor service or risk

  • A variety of methods for vendor evaluation – via vendor self-assessment or remote assessment (audit), as appropriate to the services and risks presented by engagement of those vendors

  • Establishment of a preferred list of vendors – aligned to Pfizer IT control domains, thus further reducing the administrative costs associated with numerous vendor engagements

Proposal & Next Steps

  1. CSV Working Party will meet after the PRISME Members meeting (23rd May) to review minutes/feedback received (~June 2012)

  2. CSV Working Party recommends that PRISME Members/Delegates attend a presentation on the VCAS model provided by PwC and Pfizer (~June 2012)

  3. PRISME Members to decide whether to pursue local adoption of the VCAS model or similar. If favorable, the CSV Working Party (or delegates) will work independently to obtain local stakeholder approval and support (~June – July)

  4. CSV Working Party will meet to discuss progress on potential local adoption of the VCAS model (~Jul - Aug)

  5. Review progress on the adoption of the VCAS model or similar at the PRISME Members’ Meeting (~Oct 2012, US)

  6. Post Oct 2012 – leverage potentially shared vendor profiles/assessments across the industry (dependent on steps 3 - 5)