IT Governance – A Quality Boost with ISO 9001, ISO 27001 & ISO 20000

Author: Allan Charles

With the ISO triple certification, deploy the same Merck IT processes, with the same quality. Author: Philippe Leroy, IT Governance, Merck KGaA

Merck at a glance

• Merck conducts its operations in four divisions:
  – Merck Serono: Prescription drugs
  – Consumer Health: Over-the-counter products for preventive health care and self-treatment of minor ailments
  – Merck Millipore: Products for protein research and cell biology; laboratory chemicals, consumables, services; products used in the production of chemical and biopharmaceutical drugs
  – Performance Materials: Materials for displays and lighting; pigments for the plastics, printing, coatings and cosmetics industries
• More than 40,000 employees in 67 countries
• Merck manages its operating activities under the umbrella of Merck KGaA, which was listed on the Frankfurt Stock Exchange in 1995 and admitted to the DAX® in June 2007
• Around 30% of the total capital is publicly traded, while the Merck family, as general partner, indirectly holds around 70%

[Image: Pützer Tower and Pyramid at Darmstadt headquarters]

www.merckgroup.com

Merck KGaA - CIO Office - ISO 56K Certification

Facts and figures on IT @ Merck

IS is organized as a global Group function.

• ~ 1100 employees worldwide
• ~ 120 local IT units in ~60 countries
• 3 Corporate Service Centers
• 8 units reporting to CIO:
  - Business Processes, Data & Systems Harmonization
  - IS Pharmaceuticals
  - IS Chemicals
  - IS Group Functions
  - IS Global Shared Services, Technology & IS International
  - IS Strategy, Performance & Governance
  - IS Change & Value Management
  - Global IT Enterprise Architecture
• 30 core IT processes certified according to ISO 9.001, 27.001 and 20.000

Why best practices? Why compliance?

Merck IT has 2 good reasons to deploy best practices and to ensure compliance:

• Merck IT Vision: to become the best IT for Merck
  – Best practices make sense
• Compliance is part of Merck’s business mission
  – Compliance is part of the IT mission

With best practices, let’s industrialize IT processes and compliance

Agenda

1. An innovative way for ISO certification 2007-08: … and why did Merck start this initiative? … and how has Merck realized it?
2. Keep, optimize and gain from the ISO certification 2009-11: The value and competitive advantage over the years. The continual improvements
3. The long and winding road: Success stories and challenges during the certification process
4. Tools: IT Governance, Project and Service Management tools

ISO Triple Certification for IT Services – Charter

Merck Corporate Information Services (CIS) wants to become the best IT Organization of the Pharma and Chemical Industries. The ISO Certifications contribute through worldwide recognized norms.

Program Setup:
• Half a year for planning and communication in 2007
• 2008: a year for implementation
• Final Certification Audit on December 3rd, 2008
• Certification cycle:
  - Surveillance for 2009 & 2010
  - Certification of Millipore and recertification for 2011, and so on…

Program Scope:
• ISO 9’001 Quality Management System
• ISO 27’001 Information Security Management System
• ISO 20’000 IT Service Management (~ITIL)
9+27+20=56 → ISO 56K
Covering 1’100 IT staff in 90 sites / locations

Program Team:
• A Program Leader and 3 Norm Owners
• 22 Process Owners for 25 core processes
• 17 Internal Auditors
• Colleagues from the HQ and the sites

Project Team: ~ 200 people worldwide
• With strong involvement of:
  - CIO and IT Senior Management
  - IT Regional Managers & Business

ISO 56K – Set the ISO Strategy

• Short deadline and focus on the result
  – Strong support from the CIO
• Make it global and sustainable
• Do a global certification (all Merck IT or no one)
• Empower people and give them responsibilities
• Reveal departmental and local talents, and they are many
• Do a pilot to fine-tune the training and the internal audits
• Be pragmatic and provide the right support
• Start with the 80/20 rule
• Have a central repository - Do once, use many times
• Keep it simple and respect the existing good practices

2007 Huge IT Transformation during M&A (Serono)

ISO 56K – Set the ISO Processes

• Central Quality Management System
  – Map the ISO requirements with 29 integrated processes
• Teach and deploy processes beyond the 3 norms
• Examples:
  - Incident Management is common to the 3 norms
  - Availability Management is common to ISO 27’001 and 20’000
• 2/3 of our processes are common to the 3 norms
• The SM processes are based on ITIL

ISO 56K – Set the ISO Target Level

The same 29 processes but an adapted way of deployment

What is new for 2009

[Figure: spreadsheet screenshot. Section titles: Process Improvement (Maturity and Risk Assessment); Improvement Plan (Tasks, Activities, Business Value, Impact and Risks). Column labels: Processes; Sub process; Process Description; Implemented Controls; Maturity (0 1 2 3 4 5 na): Rules, P&P; People; Tools; Measurement; Deployment; Likelihood; Impact; Planned Maturity and Risk; Planned improvements; Input from audits / CAPAs / To Dos / Specific attention.]

Legible row text from the screenshot:

• Process: A. Quality Management System (ITQMS). The CI Managers cascade and ensure the effectiveness of the Quality Management System to all CI Staff. Effective date: 01-Apr-2007 MerckDocs.
• FYI, in 2008, we had 5 NCs and 21 Findings on this process from the SGS.
• Get Management support. Read the Quality Manual. Get all staff read the policies. Read the Continual Improvement Policy. Ensure alignment of local Quality documents to the ITQMS.
• Organization chart of the Business and the IT shall be available. Management Review is performed using ITQMS_5TPL_015 Local Management Review. It should be the conclusion of at least one meeting with the management.
• e-Learning post T3: Re-read all column Q "Planned Improvements".
• ITQMS B.10 / ITQMS B.11: Quality Manual is read and understood.
• Management supports the ISO 56K. GMC's Management (at least the Line Manager of the IT Manager) is ready to welcome the auditor, do an introduction about the CMG at the beginning of the audit and participate to the closing meeting of the audit.
• Why not taking the opportunity of the certificates to raise the management support.
• ITQMS_1PCY_001 is read, understood, communicated and applied accordingly and understood by CI Staff and CMG's Line Manager(s).

Quality is hard to define, impossible to measure, easy to recognize. Quality means the customer comes back, not the product.

ISO 56K - Planning 2008-11

• 16 training sessions for 150 people
• 75 internal audits and 25 internal reviews
4’000 actions closed

2009, 2010, 2011, etc… and beyond

2010-11 another IT Transformation during M&A (Millipore)

[Figure: planning calendar by week, January to November, with rows for P Owners, HQ, North America, Europe & ROW, Latin America, Asia Pacific and the pilot in Lyon; legend labels: Training, External Audits; entries labelled Wksp, T1, T2, T3, I1, I2, Ip, S1, S2.]

ISO 56K – Certification Audit

The ISO Auditors
• 2 senior auditors from the SGS
• Expertise on the 3 norms
• Huge experience on IT Business and Operations

The ISO Audits
• 25 External Audits – Stage 1 for Assessment
• 25 External Audits – Stage 2 for Certification
• The same team for all the audits

ISO 56K – Results

Beyond the Certification, we have improved our:

• Skills, Knowledge / Know-how
  – The human factor was, is and will be the best result
• Way to work together: One global team
  – Consistent & integrated processes, common language
  – Sharing of the good practices, improve quality
  – Improving the team work and intercultural relationships, including making the HQ closer to the sites
• IT speed in Service Delivery
  – Strong support for the other IT programs and agility in changes

ISO 56K → A key structure for IT Agility


ISO 56K – Optimization – Keep the pace

• Optimize the benefits of ISO for IT & Business and reduce re-certification costs
• Shift from “on top of our job” (or “additional workload”) to become “part of our job” (or possibly “instead of” some former tasks)
• From process maturity to organization maturity
• ISO Rightscoping & Rightsizing
  – with more maturity, we can better optimize processes and their documentation
• IT Governance for Business Growth
  – 2007: Harmonize IT processes
  – 2008: Obtain IT industry certifications
  – 2009-10: Develop a Service Oriented Organization
  – 2011-12: Realize the CIS vision

[Figure: service organization diagram. Labels: Business Unit / Customer; End User; Demand; Supply; SLA; OLA …; Relationship Mgr.; Service Owner; IM / IT Manager; Group of Specialists; Business IT Service; Service Category (eWorkplace, eConnectivity, ERP Services, Corporate Services, Pharma Services, Chemical Services); IT Projects; 1st Support; Service Desk; File & Print; E-Mail; Database; Operation; Maintenance; Storage; Hosting; SAP Basis; BSD; Internet; WAN/LAN; Best for Merck.]

ISO 56K – CEO’s feedback

This video was recorded in March 2009 after the ISO Certification

Dear Colleagues,

Back in 2007, the GL has commissioned Merck’s IT to turn into a strong, corporate function, and to optimize the quality and costs of our global IT services. For me, IT is like the heart of the company and the basis for structures and business processes. Your work is therefore essential for the company’s growth and success!

In this context, the ISO56K program has been a key contributor, and I would like to congratulate you and thank you very much for this outstanding achievement. You can be truly proud of having achieved these ISO certifications together as one global team – I consider this not just as a success for Corporate Information Services but for Merck as a whole.

Quality is not a destination, it is a journey. I’m convinced that we will keep capitalizing on the benefits of the ISO56K program and improve even more through continual recertification. Please keep with the pace of the program.

I regret not being with you today but I personally wish you all the best for the future and for the audits to come.

Dr Karl-Ludwig Kley, Chairman of the Merck Executive Board

ISO 56K - Sustainable Results

Benchmark: Handelsblatt „IT Strategy Award 2010“
IT Strategy Award criteria:
• Process of strategy development
• Implementation status
• Interplay between corporate & IT strategy
• Involvement of departments and users
• Adjustments of IT strategy
• Consideration of today’s technology standards
• Strategy accelerators & barriers
• Lessons learned

Audit Results: CA IT Auditing: Half Year Report 2010

User Satisfaction: Overall Satisfaction in 2008 and Overall Satisfaction in 2011 (Interview SA Survey Report, 2008/2011)


ISO 56K – A few challenges

‘World of Individuals’

Creativity?

‘World of Compliance’

ISO 56K – A few objections

• No, I have worked for 20 years without this ISO framework and I never felt the need
• Yes, but we are different from the other companies. This framework does not fit to us
• Yes, but later, we currently have too much to do
• Yes, but we are already good enough and we do not need ISO to do well our work

ISO 56K – Do

What worked well at Merck: Management & Team

• Get CEO / CIO / Senior Management support
• Have a strong core team: Leadership, Expertise, Seniority, Motivation, Passion
• Act as a global team, involve everybody, go to see people
• Empower people and give them responsibilities
• Reveal departmental and local talents and there are many
• Be true, trust people and do what you say
• Have a team ready to jump to support who needs it (help / task force on request)

Recognize the achievements:
• Training certificates with a letter signed by the CIO
• ISO certificates for all with a message from the CIO
• Video from the CEO

ISO 56K – Do (continued)

What worked well at Merck: Training & Communication

• Do a pilot for training and do Regional Training (Respect, Team, Efficiency)
• Deploy processes instead of norms
• Teach to get results instead
  – It is good to explain “Why” a process is important and “What” needs to be delivered
  – But to get effective results, teach “How” to achieve
• Do videos and get “funny” videos
• Involve Facility Management, HR, Procurement, etc… and the Managing Director / General Manager, CFO, etc.
• Communicate with the Business and keep a Business oriented mind set

ISO 56K – Do (continued)

What worked well at Merck: Scope and Strategy

• Do a global certification (all or no one) and don’t change the (short) target date
• Stay firm on the goals but allow flexibility & innovation for the execution
• Build as much as possible on existing good practices and put them in a central repository
• Keep it simple, apply the 80/20 rule (but do not stop there), focus on the delivery
• Have Process Owners and a Team ready to support processes and people
• Have a continual improvement process and prioritize the implementation steps
• Use the audits as recognition and motivational means
• IT Governance to accompany the external auditors in each site

ISO 56K – Don’t do…

How to prevent failing?

Don’t do:
• No fundamentalism
• Don’t wait for any tool. Start as soon as possible. Excel/Word templates are fine. It is better to do an RFC on paper now than to wait for several months.
• Don’t reinvent the wheel.
• Don’t let two Quality Management Systems exist together:
  - One to please the auditors
  - One to do the real work
• Don’t plan too much but go! Empower people, delegate and be ready to react fast.

Don’t fail the Audit:
• Let IT Governance accompany the external auditors in each site to ensure consistency.
• Perform training on audit behavior and communicate “areas of interest” of the auditors.
• Don’t try to pretend being perfect – the auditors know you are not (especially at the beginning)
• Cover each area with a reasonable set of controls and understand which gaps are the “no excuse”.


Tools to support the processes

HP Service Manager
– Incident Management
– Problem Management
– Change Management
– Configuration Management
– Service Level Management

• Incidents and Problems are recorded in HP Service Manager
• Change and Configuration Management are being deployed, as per the entities’ needs

HP-PPMC – Project & Portfolio Management Center

• Projects are managed with HP-PPMC
• Starting in 2010, HP-PPMC is used to manage the IT Project Portfolio

Tools to support the Program

• MerckDocs: Web repository of Merck CIS Documentation:
  – Policies
  – Procedures
  – Templates
  – Annexes
  – Training Material
  – Records
• ITGSS: Web repository and tracking tool of the Risks and CAPAs (Corrective and Preventive Actions), with e-mail notifications & workflow

Detail MerckDocs


Tools: the Statement of Maturity - SOM

Maturity:
– Effectiveness
– Performance
– Part / Top of the job

Risks:
– Likelihood
– Impact

Improvement Plan

Questions ?

Philippe Leroy
Program / Project Leader of ISO 56K
IT Strategy, Performance and Governance
Corporate Information Services
Merck KGaA
Email: [email protected]