Alcon Laboratories is the global leader in eye care, with a history spanning more than seven decades. The company offers a broad portfolio of products to enhance sight and improve people’s lives. Each year, more than 260 million people in 140+ countries rely on its surgical and vision care products to address conditions such as cataracts, glaucoma, retinal diseases, and refractive errors.
Accurate and timely data classification is a major challenge for most companies in the medical device industry. Regulatory requirements such as GDPR. HIPAA, and GxP can impose significant fines for companies that can’t adequately track and protect data.
Assess once, satisfy many
Alcon’s objective was to reduce operational risk, and harmonize seven siloed business functions and related processes using integrated data classification via an engine powered by ServiceNow. The goal: assess once and satisfy many. Specifically, Alcon needed to assess confidentiality, integrity, availability, and regulatory compliance requirements as the organization migrated applications into the cloud and onboarded new applications using a single engine. The project had diverse stakeholders, including:
Ethics and Compliance
Collaboration game plan
Alcon enlisted the team at Edgile to help them transform their approach to data classification with ServiceNow at the center.
To achieve the quick wins that help build momentum and lay the groundwork for future success, the two companies collaborated on a process built on Edgile’s “5-Pass Model” that included the following elements:
Pass 1: Risk Register - Define risk and compliance requirements
Pass 2: Applicability Matrix - Apply requirements to the operating environment
Pass 3: Diagnostics - Rapidly identify capabilities and potential gaps and document findings
Pass 4: Deep Dive Assessment - Document actual controls to rate risks and identify policy exceptions
Pass 5: Control and Testing - Perform testing with evidence and sampling and document remediation plans
A specific “build philosophy” also guided the project and helped optimize the use of resources and effort.
Reporting first - Confirm the solution addresses management’s objectives and answers hard questions quickly
Rapid build with multiple walkthroughs- Reduce surprises and confirm that the solution is ready for user acceptance testing
Training and communication - Confirm that the needed organization change management occurs and that users will have the skills they need to ensure adoption
Workflow last - Automate through workflows, notifications, and other alerts to confirm the smoothest possible processes
Other best practices that contributed to the success of the project included a commitment to configuration versus customization, early previews of builds, and a solid plan for User Acceptance Testing (UAT).
Lessons learned, results achieved
The Alcon and Edgile teams found that strong communication and awareness early in the project was vital to its ultimate success and keeping multiple stakeholders and agendas aligned. Having a team member with deep familiarity in GxP validation process, forms, and protocols also proved extremely valuable. Finally, the emphasis on rapid build and review cycles helped identify needed changes early and prevented delays.
Most importantly, a single engine now satisfies privacy, GxP, ethics and compliance, procurement, and IT and information security—ultimately resulting in a 70% reduction in reporting and analytics time. Automated ratings, consistent reporting, and clear actions and accountability through workflow tickets for follow-on activities are all now consistently tracked and managed via the Now Platform.
Tami Gieder, IT compliance service delivery manager at Alcon, has also seen the project pay off in other ways: “The most surprising benefit has been the culture shift,” she says. “We have a much more collaborative relationship with the other teams involved in projects.”
Watch the ServiceNow Knowledge 2020 session “Learn how a Global Life Sciences Company leverages Now for Data Classification” to find out the details.
Learn more about ServiceNow Governance, Risk and Compliance.
© 2020 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated.