Feature

Mix of Frameworks and GRC Satisfy Compliance Overlaps

This article can also be found in the Premium Editorial Download "Information Security magazine: Lessons learned from good and bad NAC implementations."

MENDED SOX LEADS WAY
"It's definitely our approach to create a strategy that will be all-encompassing," says John Sapp, senior manager, IT governance, risk and compliance at McKesson Corp., the country's largest pharmaceutical distributor. "Whether it's regulatory compliance or compliance with our own internal policies, it's basically building that big picture first, and then deciding how we're going to approach it and ensure that we're doing it in a way that allows us to be really integrated across-enterprise and move away from the siloed approach that we so often see."

McKesson, with $101.7 billion in revenue in FY2008, has a mature Sarbanes-Oxley compliance program, and this is the model Sapp and his team are following to build a one-stop enterprise-wide compliance program.

Sapp, who has a development and project management background, says his organization isn't unlike much of the Fortune 500 in wanting to develop a set of repeatable processes to address compliance. He has taken steps to identify and understand McKesson's IT environment, map out and automate the testing of controls, assess and report on risk and increase the overall maturity of the organization's risk and compliance program. Right now, he says, McKesson is in an ad-hoc state, moving toward repeatable, and eventually standardized and optimized, processes.

"In three years, I would expect that we are at a standardized state," Sapp says. "That, for me, has us where we have a set of standards, processes and controls that are applied across the enterprise universally and consistently, moving toward optimized where we really almost get to a plug-and-play environment where regardless of who we acquire, we can plug them in, or if we choose to sell off an entity, it makes it an easy process for us."

Formerly, as McKesson's senior consultant for risk services (see "What's in a Title?," below), Sapp was business unit SOX coordinator in charge of the IT controls for the SOX program. Upon moving to his broader role, he quickly discovered how McKesson's numerous acquisitions had created a situation where the company operated in silos, with precious little in the way of standardized processes or a lifecycle approach for addressing regulatory mandates. His goals quickly became clear: overcome the siloed approach and build a program that will allow him to drive corporate performance through these activities.

WHAT'S IN A TITLE?

IT GRC may be suffering from some hype overload, but McKesson's John Sapp doesn't see it that way. In fact, he buys into the concept so much, he baked it into his title: senior manager, IT governance, risk and compliance.

Sapp is one of the first to hold a senior GRC title, though Colgate-Palmolive has a manager in a similar position, and Apple Computer is advertising to fill a similar role.

Sapp formerly was senior consultant for risk services at McKesson, but as the company dedicated more resources to GRC and its overall compliance initiatives, it needed a senior manager in the role.

"Working with our VP of IT risk management, I wrote the job description and title two months ago in response to the GRC movement," Sapp says. "We found we wanted to create a single point of contact for all compliance and risk management activities, and be able to deliver some level of reporting--the governance piece--to be able to monitor the entire program across the enterprise."

--MICHAEL S. MIMOSO

This was first published in September 2008