In a recent article, Risk Management and Disaster Recovery in the Age of COVID-19, we discussed how we can gain valuable risk management insights by first looking at the likelihood and impact of a given risk and then drilling down another level and assessing the likelihood and impact of each risk’s specific consequences. In this article, we’re going to explore that concept further by putting these ideas into practice. Using a simple Risk and Consequences Excel spreadsheet (available for download at the end of this article), you will be able to identify and mitigate the hidden consequences that can severely and negatively impact your project.
For this example, let us imagine that we are planning out a product release and we are assessing what risks could impact our delivery date. We identify three high-level risks that could have an adverse impact on our release: pandemic, flood and fire. The table below shows our assessment of the likelihood of each risk, and it also lists out the possible consequences for each risk if they were to eventuate. Each of those consequences assumes its own unique row, which means the Pandemic risk has four associated rows – one for each consequence identified. Next, we look at the likelihood of each consequence occurring and the relative impact of that consequence, all assuming that the associated parent risk occurred. Finally, we calculate the relative severity of the consequence using the following formula:
Relative severity of a risk consequence = (likelihood of the associated risk) * (likelihood of this consequence) * (impact of this consequence)
The higher the severity level of a consequence, the more important it will be to identify mitigating activities to address it.
As the example above shows, water damage to the building has the highest severity because the risk of a flood is high, the likelihood of water damage to the building is high if the flood occurs, and the consequences of water damage to the building are also high. We can conclude that developing a mitigation plan for water damage to the building would be prudent. This is a good start – but there is yet another layer of risk hidden in this data that merits our attention.
Consequence Analysis: Targeting the data across risk categories
Note that in this example all three of our risks include the consequence, “Staff must work from home.” The second tab of the risk mitigation log, Consequence Analysis, is a pivot table that sums up and charts the Severity of Consequence column from the first tab for each of the likely consequences.
Why is this interesting, and why is it important?
On the prior tab, “water damage to building” had the highest severity of consequence score for a specific, individual risk.
However, this tab scores the severity for consequences across all three risk categories. Imagine the aggregate score this way: If a pandemic occurs OR a flood hits OR a fire damages the building, which of my consequences is most likely to occur, and with what severity?
When adding those scores across all risk categories in the other tab, “staff must work from home” (pandemic 28.0 + flood 48.0 + fire 48.0 = 116) is designated the most likely and has the most severe impacts. As such, this is a high priority consequence that merits mitigation. By identifying consequences that are shared across multiple risks, companies can take steps to mitigate those consequences so that when ANY of the associated risks become a reality, they know what steps to take for that consequence. Think about companies that had proactively established mitigation plans in the event their staff needed to work from home due to a flood or a fire (much more likely risks); they looked pretty smart when a once-in-a-century pandemic hit.
This risk mitigation log is offered as a high-level stepping stone to begin the discussions for developing a risk management strategy with your key stakeholders and the executive teams. More sophisticated tools can expand on this data and show the interrelationships between certain risks, consequences and their impact and help you develop appropriate mitigation strategies.
We invite you to download this spreadsheet and start identifying and prioritizing the “big hitter” consequences of specific risks that can have serious, detrimental effects on your organization should you wake up tomorrow face-to-face with another disaster.
While we self-quarantine, practice social distancing and adjust to the new world order wrought by the COVID-19 virus, we can take away multiple business lessons from this pandemic. Today, the topic is risk management.
The practice of risk management has been a cornerstone of project management for decades. It involves the identification, assessment, mitigation strategy and tracking of risks that can have an adverse impact on an organization.
It is important to note that “organization” in this context can refer to a project team, a company or even an entire country. For the purposes of this article, we’ll discuss the first two, as the COVID-19 pandemic has provided a fascinating (albeit grim) platform for illustrating the strengths—and limitations—of key risk-management strategies related to project teams and a company at large.
The answer is out there… in the matrix
The risks of any given event are commonly quantified by assessing two key characteristics:
- The likelihood of an event actually occurring
- The severity of the consequences of an event if it does occur
Looking at the risk-assessment matrix, we see that risks that are deemed both likely to occur and have severe consequences would justifiably garner the most attention.
Before the current COVID-19 virus hit, many firms—and even industries—would have classified the risk of a pandemic as severe in consequences, but very unlikely. As we’re learning amid our economic shutdown, most enterprises put very few risk-management efforts in place to deal with such a pandemic.
Those that did have risk-management plans in place related to the broader consequences of a disaster like a pandemic were far better prepared to react to and survive our current reality than companies that had no disaster recovery plans in place at all.
Understanding how probability can lead to greater risk management
To illustrate how this subtle but important shift in risk definition can (and should!) influence how you develop your risk-mitigation plans, I’ll start with a quick review of the theory of probability.
Let’s say you are flipping two coins and recording the outcomes of each. (For the more persnickety reader, assume that the coins are evenly weighted, cannot land on their edge, etc.) You have four potential outcomes (A, B, C or D):
Now, to make it a little more interesting, let’s say that I offered to buy you dinner if Coin 1 AND Coin 2 come up heads, but you had to buy me dinner if they didn’t. That would be a bad bet for you to take, as the probability of both coins coming up heads is only 25%:
But if I said, “OK, I’ll buy you dinner if Coin 1 OR Coin 2 comes up heads. Otherwise, you buy.” How would this influence your decision on taking that bet? Your chances of winning jump from 25% to 75%, just by changing that “AND” to an “OR.”
With this example in mind, let’s circle back to risk management and how the probabilistic theory could apply. Instead of coins, let’s look at three potential risks that could impact an office building:
While the probability of any one of these three risks actually occurring may be moderately low, the probability that the staff may need to work from home for one of these three reasons is significantly higher because it is a consequence that is shared by the three risks—and any one of these risks eventuating would trigger this consequence.
Specifically, a pandemic OR a flood OR a fire would force the staff to work from home, making this particular consequence more likely to occur than any of the other consequences identified in the example. To that end, it would be reasonable for the risk-mitigation plan to identify and address any mitigating activities in the event that the staff would be required to work from home.
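The severity formula and the cross-risk pivot from the spreadsheet article, together with the AND/OR reasoning above, worked through as an added example that is not part of the original articles or the downloadable spreadsheet. The register values are constructed, likelihoods are expressed as probabilities between 0 and 1, impact uses an assumed 1-5 scale, and the three risks are assumed to be independent of each other.

```python
from collections import defaultdict
from math import prod

# Constructed sample register (NOT the spreadsheet's data). Columns:
# risk, P(risk), consequence, P(consequence | risk), impact (assumed 1-5 scale)
REGISTER = [
    ("pandemic", 0.05, "staff must work from home", 0.9, 3),
    ("pandemic", 0.05, "supplier delays",           0.6, 4),
    ("flood",    0.20, "water damage to building",  0.8, 5),
    ("flood",    0.20, "staff must work from home", 0.8, 3),
    ("fire",     0.10, "staff must work from home", 0.8, 3),
    ("fire",     0.10, "equipment destroyed",       0.5, 5),
]


def validate(register):
    """Reject rows whose likelihoods are not probabilities."""
    for risk, p_risk, consequence, p_cons, impact in register:
        if not (0.0 <= p_risk <= 1.0 and 0.0 <= p_cons <= 1.0):
            raise ValueError(f"likelihood out of range: {risk} / {consequence}")
        if impact < 0:
            raise ValueError(f"negative impact: {risk} / {consequence}")


def row_severity(p_risk, p_consequence, impact):
    """Relative severity = likelihood of risk * likelihood of consequence * impact."""
    return p_risk * p_consequence * impact


def top_row(register):
    """The single (risk, consequence) row with the highest severity (first tab)."""
    return max(register, key=lambda r: row_severity(r[1], r[3], r[4]))


def severity_by_consequence(register):
    """Pivot: sum row severities per consequence across all risks (second tab)."""
    totals = defaultdict(float)
    for _risk, p_risk, consequence, p_cons, impact in register:
        totals[consequence] += row_severity(p_risk, p_cons, impact)
    return dict(totals)


def any_of(probabilities):
    """P(at least one of several independent events) = 1 - P(none of them)."""
    return 1.0 - prod(1.0 - p for p in probabilities)


def probability_by_consequence(register):
    """P(consequence occurs via ANY risk), assuming the risks are independent."""
    paths = defaultdict(list)
    for _risk, p_risk, consequence, p_cons, _impact in register:
        paths[consequence].append(p_risk * p_cons)  # P(risk AND consequence)
    return {c: any_of(ps) for c, ps in paths.items()}


def ranked(scores):
    """Sort a {consequence: score} mapping from highest to lowest score."""
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    validate(REGISTER)
    risk, _, consequence, _, _ = top_row(REGISTER)
    print(f"Highest single row: {consequence} ({risk})")
    print("Aggregated severity per consequence:")
    for name, score in ranked(severity_by_consequence(REGISTER)):
        print(f"  {score:6.3f}  {name}")
    print("Probability of each consequence via any risk:")
    for name, p in ranked(probability_by_consequence(REGISTER)):
        print(f"  {p:6.3f}  {name}")
```

With these constructed numbers, the highest single row is water damage from a flood, yet the shared consequence "staff must work from home" ranks first both by summed severity and by probability of occurring at all.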
The lesson? By focusing on the likely consequences of high-level risks, project managers can identify common patterns in these consequences and develop mitigation plans to address them. These plans can then be repurposed when extremely unlikely, but extremely consequential risks to your project suddenly become your reality.
Adapting risk mitigation to disaster preparedness
While it’s a bit late to start planning for the COVID-19 pandemic, it’s always the right time to start identifying the likelihood of other severe risks and start strategizing how to mitigate their effect on your organization.
Starting with what you’ve learned from this current crisis, I suggest you create and maintain a risk log of those factors (should they occur) that could negatively impact your business, your customers and your employees. Then answer the following two questions for each risk identified:
- What is the probability of this happening?
- What is the impact it will have in the worst-case scenario?
Next, chart the consequences (as in the grid above or in a Venn diagram) to identify those consequences that overlap. The most severe overlapping consequences should be at the top of your risk mitigation planning list. Over time, you can work your way down to the less severe, but still mission-critical consequences so that you are well prepared for a host of calamitous events that may occur.
In my next article, I will show you how to develop a simple spreadsheet that takes consequences into account. As this pandemic has made abundantly clear, risk mitigation is not optional. You can’t stop the next catastrophe, but if you have a comprehensive mitigation plan in place, you can most assuredly blunt its impacts. Stay well, everybody!
In a perfect world…
- Every company would have unlimited budgets to fund every project that its managers envision as strategic relative to the company’s success.
- Every project funded would see all of its intended outcomes achieved and promised benefits realized.
In the real world, however, unlimited budgets are not realistic. That is why astute companies use benefits realization to select which projects to undertake and to identify which completed projects were actually successful.
It’s hardly a new concept. Benefits realization refers to the planning, structuring, assessing and tracking of the benefits that a project generates during and after its completion. These benefits can be tangible (e.g., measurable cost savings, increased productivity or software that prevents phishing from penetrating an organization) or intangible (e.g., customer satisfaction, alignment to the corporate mission or risk mitigation).
An old concept, applied only sparingly
Many organizations, even those that consider themselves “mature” project management shops, overlook this critical component in their planning and execution. They spend tremendous sums of money funding scores of projects every year and declare a project successful because it was completed on time and on budget. Yet they fail to track whether the project met its measurable goals at six months, a year or more down the road.
Did Project A save the company $1.5 million by eliminating IT redundancies? Did Project B achieve the 6% reduction in expenses in year two as projected? Did Project C result in fewer product returns and increased repeat purchases?
If you cannot answer questions like these, how can you accurately determine whether your projects achieved their maximum return on investment (ROI)? You cannot—and if you cannot, there is a strong likelihood you have squandered at least some of your limited resources on projects that have not delivered measurable value to your organization.
Now think about the potential missed opportunities for funding projects that could have maximized their ROI.
What process does your organization use to decide which projects get the green light? How much of it is personality-driven? Did last year’s golden child’s or the perpetual squeaky wheel’s project get the rubber stamp over other solid ideas? Did the business case they presented have clearly defined and measurable benefits? Your organization needs a formal process of accountability in place to track and optimize the benefits they can achieve from a project and calculate the value delivered to the business.
“OK, Houston, we’ve had a problem here.”
Launching a benefits realization program in an established organization can be difficult, at best. It requires a conscious decision to create a structure that tracks project outcomes over months and/or years.
It requires a shift in culture. Benefits realization means holding your executive sponsors accountable for the value their projects are supposed to generate. Shocking as this may sound, not every executive is enthusiastic about having their projects interrogated in this manner. You will most certainly meet with some initial resistance by adding a layer of discipline to the creation of project plans. But this is a crystal-clear case of the ends justifying the means.
There are logistical/staffing considerations. Project teams are typically comprised of individual employees or consultants across functional groups, from multiple geographies, who come together for only a defined period of time. Each member has a specific job to do, and unless you specify which team member is responsible for post-project tracking and analysis, that role—and the process—goes unfilled.
Realistically, many companies are not willing to make the necessary investments.
But if you want it, there is a path to implementation
If you’re unsure whether your company has the bandwidth to implement a benefits realization program, consider the following three-phased approach:
1. Obtain leadership commitment/backing. The decision to integrate a benefits realization program in your organization MUST come from the top. If your leadership team is not entirely on board, consider your program dead in the water.
Be prepared to sell the benefits (no pun intended) and the critical importance of a benefits realization program to your CEO and/or other senior executives. Emphasize how tracking project ROI can reduce the funding of bad projects and increase the value recognition of good ones.
2. Select uniform benefits realization metrics. Your company should agree on a list of both tangible and intangible measurements that will be applied to all projects, so an apples-to-apples analysis of candidate projects can be conducted at specific time points, not just at project completion.
With defined metrics, you can begin vetting and ranking the projects that offer the highest potential value and should be considered first during the next planning cycle. When that sexy $10 million project brought in from the squeaky wheel shows only a promise of $1 million in return, it’s easy to deem it low-value and not worth pursuing.
Metric measurements may be translatable (dollars versus percentage points), and they may change or be adapted over time. But they should continue to be uniformly applied to all projects up for funding consideration.
3. Establish a benefits realization team. The final step is typically more complex in nature and more long-term to formalize. Your organization will identify a specific group with the responsibility for tracking and reporting on the ongoing benefits realization for every project funded.
Once the team begins building a dossier of project benefits realization reports, it establishes its own value to the organization by creating a dashboard that lets senior executives easily identify which projects yielded the greatest ROI. The results can help companies avoid funding the types of projects that show low or limited value.
In a perfect world, every company would follow all three steps in creating a comprehensive benefits realization program. However, if you can implement even just steps one and two, you will have a strong foundation to begin identifying and tracking high-value projects in your organization.
The first step is getting started
No, that’s not a Yogi Berra bon mot. It’s a recognition that nothing is going to change in your organization without agreeing that change is needed. Once you take that first step, there are defined processes you can follow and outside consultants who can help you establish a benefits realization program so your organization can begin achieving greater value on the projects it funds.
If your company is like the many that run an annual project cycle, you’ll begin your project planning for 2021 in late summer/early fall. That makes now the perfect time to take that first step.
The Value of an Open-Door Policy, a Phone Call and a Handshake
Put down the smartphone. Step away from the email. Take a break from the emojis. Give your indoor voice some exercise and say something…out loud.
When it comes to communicating in 2020, it’s so easy to send a text, an email or an instant message (IM). Really, why would anyone pick up the phone or knock on a door to start a conversation when they can tap away on their smart device or laptop? I know I’m guilty of this, as I’m sure most of us are.
While I understand there is a time and a place for digital communications, they also offer a much too easy way out of engaging in live conversations and interactions. We are missing opportunities to learn and bond as a result. As business leaders, we have a responsibility to role model what effective communication looks like with our teams—which, in my mind, includes more live interactions.
I want to share five reasons why I encourage live interactions.
- They build trusting relationships.
I have an open-door policy in my office, which has helped foster an environment where my employees know they can come to me in person to discuss things that may be sensitive in nature, inquire about new opportunities or share concerns about a project, client or coworker.
Some things are just better said in person; doing so helps to build connections that just cannot be formed through the filter of digital technology.
- Engaging with coworkers creates deeper bonds.
Workplace communication doesn’t always have to be about work. It’s nice to learn about someone’s weekend, see pictures of the kids or gripe about the morning commute. But those asides don’t occur much over text, email or IM. With digital communications, our brains are wired to get our messages across in as few words as possible and move on to the next task. We’re missing the opportunities to relax, engage and connect with others in deeper, more significant ways.
Let’s not forget the power and team-building benefits of brainstorming, where everyone sits around a table and no idea is a bad idea. One person feeds off another’s suggestion until we have more opportunities on the board, in less time than it takes the same team to respond to an email chain. Employees leave these meetings empowered by their collaboration, having built stronger working relationships with their colleagues in the process.
- Your voice conveys inflection and emotion.
Have you ever read a text or an email from someone and taken offense when none was intended? Or not realized how serious an issue was because the Arial 11-point font didn’t leap off the page? We’ve all been there. That’s the nature of the digital beast: too much gets lost in translation.
In my experience, it’s hard to form genuine connections and meaningful bonds without voice intonations, facial expressions and even gestures that emphasize our ideas beyond words.
- Talking helps foster more effective conflict resolution.
While it’s much easier to send a stern email in response to a challenging situation rather than do it in person, when was the last time you actually looked someone in the eye and shared what’s on your mind? It’s the real-time exchange of dialogue with body language and voice inflection that paves the way to healthy conflict resolution. This is a mandatory practice in my book.
I truly believe that hiding behind a computer screen is one of the most ineffective ways of getting to the heart of the matter. Next time a situation arises, bring those well-thought-out, typed-up notes you were planning to send with you as you meet your colleague(s) or manager face to face. Keep them on hand for reference, for clarification or even to steel your nerves and give you the confidence to state your case.
And be sure to give the other person or persons the same attention and heed they give you. Understanding both sides of a situation and holding constructive conversations in real-time leave little room for ambiguity, which ultimately leads to a more productive resolution.
- Face-to-face conversations save time.
Raise your hand if you’ve ever been stuck in a lengthy back-and-forth email dialogue only to pick up the phone to finish the discussion. While I generally try to avoid this scenario, it does happen—and it always serves as a reminder that email is not the most prolific way to communicate. The truth is, when you talk it out, you can accomplish the same objective (or better) in a fraction of the time.
Text, email and IMs are great, and I will always depend on those forms of communication in some aspects of my life. But the more I grow as a leader, the more I value authentic and meaningful connections. A smiley face emoji will never replace the real thing. Exclamation points after a “congratulations” do not feel nearly as good as hearing it said out loud—with feeling.
What are your thoughts on effective communications? Stop by or give me a call and let’s talk about it.
The success of a business depends in large part on the quality of its leaders. A strong leader has the power to motivate, energize and drive results. They know how to get the best out of their team and build trust while making a marked impact on the business. The question is, how do you define a “strong” leader? And what is it that employees look for in a leader?
While there may be no right answer to that question, per se, I’d like to explore one leadership trait in particular that holds great transformative power but is all too often overlooked: transparency.
Why does transparency matter?
Gone are the antiquated leadership styles of the past where leaders ruled with an iron fist, expected employees to do as they were told with no questions asked and communicated with their teams only on a need-to-know basis. (Sound familiar?) The workplace has evolved; employees want more. They want authentic interactions and two-way communication up and down the hierarchy. They want to understand how they fit into the bigger picture of the business. They want a satisfying work experience built on a foundation of trust with their leader. Without transparency, none of that can exist.
The question is, if transparency is such an effective leadership strategy, why isn’t it more widely used? In my experience, it really comes down to perception (and maybe a bit of ego). Many leaders believe that being transparent with employees will strip them of their authority status, and thus, their power. Not so. Transparency, as a matter of fact, offers the potential to make you a more powerful leader, not less.
Does transparency make you slightly more vulnerable? Yes—a bit, but that’s a good thing. It makes you more of a human being in the eyes of your employees—not just “the boss.” While most of us are naturally geared towards self-preservation and an appearance of strength, it’s important to note that transparency is not a sign of weakness. Just the opposite, in fact. It’s about bringing others in the loop on what’s real, authentic and true to create an environment that’s conducive to collaboration, productivity and success.
Here are six ways transparency can benefit your organization:
- Stronger team relationships: In a transparent environment, each member of the team can learn more not just about you, but about each other as well. When you all get to know one another’s strengths and weaknesses, likes and dislikes, and successes and challenges, you form chemistry and create synergies.
- Better problem solving: When you’re open with your team about the happenings in the company, they can help you overcome business barriers. Don’t problem-solve in a vacuum; more minds are better than one.
- Positive, open environment: The honest interaction between you and your team sets the tone for authentic relationships. When employees are in the know, they feel more empowered to share their own insights, ideas, concerns and more. An environment where creative suggestions are valued is one that fosters openness, acceptance and trust.
- A more engaged team: According to a Harvard Business Review survey [1], 70% of respondents said they are most engaged when senior leadership continually communicates on company strategy, while another 70% cited a clear understanding of how their job contributes to the company’s strategy as a key driver. Need I say more?
- Employees who want to excel: When you openly communicate employees’ accomplishments to the team, you naturally infuse them with an energy and excitement that compels them to continue to do better. When they know what they’re doing well, where they need to improve and how they’re contributing to the bigger picture, they not only have a clearer path forward, but also gain the respect of their fellow team members in the process.
- Improved productivity: The culmination of each of the above elements will naturally give way to higher productivity with improved outputs. When you work together with your team in an open and honest way, together you will inevitably drive positive results that impact the business.
Lessons learned: It’s not cut and dry
Adopting any new leadership behavior is rarely a linear process. It takes some trial and error, honest self-reflection and a touch of humility. Throughout my own leadership journey, I’ve learned what works and what doesn’t, and I’ve had to course correct along the way.
Yes, you want to communicate openly and forge genuine relationships. You want to give employees information they need to do their job well (and feel good about it in the process), but there is a shutdown point. Don’t allow your team to confuse transparency with friendship. You are still in a position of authority and you are the leader. Work towards authentic relationship-building—but do so in a way that allows you to maintain that level of respect.
In the end, it comes down to what works for each of us individually as leaders. I do believe that transparency is one of the most effective ways to build a culture of trust—and I will continue to employ this leadership tool on a regular basis. But as I do so, I will continue to assess what I’m doing, how I’m doing it and the impact I’m having on employees, myself and the business—and make changes as needed. Along with everything else in life, it’s a work in progress!
Effective performance metrics depend on a healthy culture and communication
“No one will ever use red” is always the first comment at the start of every product launch kickoff when discussing how the team will report performance status. Followed immediately by laughter, the second response. And both will probably be the most honest and genuine communications in the launch process from then on out until approval.
Whether it is the launch of a pharmaceutical product, an implementation of a new technology platform, or the integration of two companies, organizations have been utilizing the traffic light approach for decades when reporting project status. Color-coded readiness deliverables at pre-identified points in time organize, prioritize, and reduce the risk of not achieving key strategic objectives. Whether utilizing traffic light signal colors or the words that define them, signals are required and need to be defined, socialized, and actually used.
What are traffic-light metrics and why do they matter?
Traffic light colors are simple and universally understood. Drivers know the three standard colors on traffic lights allow vehicles to proceed safely through intersections and cross streets. Green means ‘go’, yellow means ‘slow down’ (unless you are in the state of NJ), and red means ‘stop’.
This color-coding approach is used in many fields, from road intersections, to airport departure boards, terrorist threat levels, factory production lines, hospital occupancy, and even the healthiness of prepackaged food. When launching pharmaceutical products, traffic lights provide a simple and clear way to quickly convey the launch status to stakeholders. Green means ‘on track’, yellow means ‘at risk of going off track’ and red means ‘off track’ and needs attention quickly.
Why is red the loneliest color?
Patients quickly answer physicians’ questions about pain using the intuitive 1-10 pain scale. And everyone understands the purpose of the ‘check engine’ light in their car’s dashboard or the red ‘low gas’ message. Yet using traffic light colors, particularly the color red, to measure launch readiness evokes a different reaction. And, it prompts a counterintuitive behavior, which is rarely using ‘red’ or not using it at all.
One reason for this is ambiguous definitions, leaving their interpretations up to the users with the assumption they know what the colors mean. For example, many teams note milestones or deliverables as green since they are confident they can complete them by the agreed-upon deadline. However, when it is 30 days to launch, and a deliverable generally takes more than that timeframe to complete, coupled with multiple go-to-market priorities, designating a deliverable as ‘green’ is inaccurate. Though this may seem like an obvious example of something that should be considered ‘red’, human nature guides us to apply our own perspectives including how confident we are in our ability to get something back on track within prescribed time frames.
Another reason is that team members may be reluctant to use the color red since they perceive ‘red’ may reflect poorly on their job performance. If their project is off track, does that mean that their launch team members will think they are not doing a good job? And/or that their manager will perceive their performance as off track as well when professional performance review time comes?
So how do we remove these barriers?
It is not difficult. It requires a disciplined but not complicated approach including the creation of team norms and definition of colors before kicking off the launch. The result is worth it – key stakeholders trust the readiness colors and are confident that there are “no surprises” since they are provided genuine status at specific scheduled time points. The approach I take includes:
- Aligning with stakeholders regarding the definition of each traffic light color prior to kicking off the launch. This includes defining the colors with specific examples and reinforcement so that use of the red color metric is not construed as being punitive. The converse — not raising concerns — is much more concerning.
- Communicating traffic light definitions at the launch kick-off meeting and training new launch team members upon point of entry.
- Establishing and fostering healthy team norms during the kick-off meeting. Team norms, including trust and accountability, are created and agreed upon, and may include mantras such as “we win together as a team” and “communicate early so there are no surprises and we can pivot and course correct effectively.”
Defining traffic light colors and establishing a culture that supports accurate metrics will help ensure your team is set up for success. Let me know what your best practices are!
A pharmaceutical technology company originally created a tool to validate the safety of medications, and while the tool effectively met the initial goal, after two years of use, many end-users wanted more automation, less paperwork and greater efficiencies. The process was intended to help manufacturers determine whether their business processes met the standards defined by the FDA’s Risk Evaluation and Mitigation Strategies (REMS), a drug safety program that helps ensure that the benefits of certain medications outweigh their risks.
The pharma tech company approached CMK Select to help streamline the REMS process for their drug manufacturing customer base. CMK worked with the client’s internal teams to implement an automated REMS tool that could be customized to each end-user while offering a standardized, paperless process across the entire user-base. The tool was also integrated into a common software program used by the drug manufacturers to significantly cut down on the steps required to complete the process.
Additionally, CMK worked with the client’s technology and business teams to help familiarize them with the in-house resources available to them and clarify each department’s role in implementing the new tool so that they could effectively maintain the new validation process and onboard new clients.
Not only did CMK Select create a more efficient process for the end-user, but the team also created a better internal process for the client to onboard those users. What’s more, following the launch of the new tool, the client onboarded three new major clients—with three more expected by 2020. By delivering greater efficiencies, the new process has resulted in an increase in order volume to approximately 1,200 per day.
A biotechnology company was preparing for a merger and had no formal M&A processes in place for IT specifically. Most of its existing company-wide standard operating procedures and templates were hard to locate, many out of date, and couldn’t be leveraged for this effort. The company was faced with the need to rationalize its commercial IT applications – including onboarding, retiring and/or enhancing existing applications – as part of the merger process. In order to meet the needs of regulators and shareholders, a proper management plan for the full IT portfolio integration needed to be created over a short period of time.
CMK Select coordinated a number of different groups and departments to give everyone who had a stake in the acquisition an opportunity to voice their opinion on determining the application rationalization requirements. CMK recognized an opportunity to bring together a team of industry experts alongside key stakeholders in each of the affected departments within the organization – legal, compliance, security, digital marketing, patient services, etc. – to incorporate the assessments of all parties.
Drawing upon the consensus of each group, CMK then constructed a set of requirements for the various applications and brought forward a concrete plan detailing how to rationalize each one, whether retiring or decommissioning, onboarding or enhancing. The plan also required the team to assess data and outlined how to ensure it adhered to data retention requirements.
Over a period of six months, CMK rationalized approximately 50 applications; and with each rationalization, we provided the pharma corporation with an additional means of cost savings by reducing the number of month-to-month contracts they had to maintain.
A Top 10 global pharmaceutical company had been hacked as the unintended target of a malware attack that left their global network of business and lab devices unconfigured and inaccessible. Every department was affected, and all commercial, financial and laboratory operations were brought to a standstill. The outage also meant that the client would be unable to continue with ongoing drug submissions and clinical activities that relied on the complete availability of data in its native environment.
The first priority was to restore service to all employees, a task made more difficult by poor network and device inventory processes. CMK Select utilized an industry-standard inventory tool to complete and improve the data quality, which ultimately provided a foundation for more complex solutions that could be added later. This included an automated system restore and restart tool.
CMK Select also managed several proof of concept projects that would demonstrate which of the many network security tools on the market was best suited and easiest to implement with the client’s existing infrastructure. These prototyping projects allowed the trial of features in the client’s own environment including quarantining and traffic redirects, to see if and how they worked. The entire process entailed the initiation of contractual relationships with new partners, significant vendor management and the establishment of benchmarks, plans and metrics by which to gauge results.
CMK Select introduced a cost-effective customized network security solution. Because of the carefully targeted reporting developed to gauge the new security solutions, the client was able to gain senior management acceptance of the goals set and the results obtained. The client also realized that resiliency did not just mean having a disaster recovery environment to fall back on; it also meant having a sustainability strategy enabling Operations to identify and repel intrusions in real time, and to recover from any future attacks more seamlessly.
Over the first year, the solution CMK Select provided comprehensively updated the client’s inventory system and reduced the error rating from as high as 78% down to 15% or less.