How To Build A Compliance Program That's Rightsized For Your Organization

By J. Mark Farrar, MSJ, CPA, CFE, CFF and Kelsey Mullady, CFE

Unfortunately, too often organizations treat the compliance department as an afterthought and scramble to get practices into place just in time. Worse yet, many organizations silo the function, with sales and marketing teams seeing compliance members largely as too quick to say “No!” or as the “office of sales force prevention.” Ironically, however, rather than focusing on running a successful business, companies without a culture of compliance often deal with more enforcement actions and investigations than their compliance-rich peers. In other words, an effective compliance program saves critical resources, spanning people, time, and money.

Realistically, establishing a foundation of compliance is a company’s best protection to minimize risk, while increasing business efficiencies and creating evidence of conformity to governing rules and regulations. As such, compliance should be revered as the internal insurance policy that it is — and life sciences companies should work to create an effective program.

ESTABLISHING A FOUNDATION OF COMPLIANCE

Many companies start with the adoption of “The Seven Elements of an Effective Compliance Program” under the framework established by the Office of Inspector General (OIG) released in 2003. These principles have become generally accepted and adopted globally to help guide companies in day-to-day operations, while aligning with global laws, regional codes, and industry best practices.

The seven elements comprise:

1. Implementing written policies and procedures that apply to and are shared with all employees and any representative of the company (i.e., agents, distributors, contractors, etc.) with regard to the compliance program, code of conduct/ethics, corrective action plans, etc. These should address significant areas of concern for a company, including compliance with laws, integrity of data used by state and federal governments to establish payment amounts, as well as kickbacks and other illegal remuneration.

Keep in mind, all policies and procedures should be written in a common language, not legalese, to make them easy to understand and follow. They also should be written in a digestible, easy-to-reference format to encourage people to read them.

2. Designating a compliance officer and committee.The officer should be someone dedicated to and well-versed in compliance and positioned as a partner, not an arbitrator. Oftentimes, companies will appoint their general counsel to the compliance function early in the company life cycle. While some general counsels have strong backgrounds in compliance, it’s not a given or a guarantee. It’s also not a given who the chief compliance officer should report to. They often report up to the general counselor under the legal department or the chief executive officer or president. That said, corporate integrity agreements usually require the chief compliance officer to report to the CEO and routinely present to the board of directors.

Meanwhile, ideally, a committee is selected composed of cross-functional roles to promote buy-in and organizational alignment. The idea is that these department leaders will set a positive compliance tone at the top and cascade the importance of it through to their direct and dotted-line reports.

As part of the oversight rigor, a company’s board should regularly ask questions regarding three critical compliance areas: adequacy and effectiveness of the program, performance of the function, and ownership for compliance at all levels of management.

3. Conducting effective training and education. This means institutionalizing a training program for new employees, as well as creating a system for providing updates and refreshers to ongoing employees. It’s important that content is relevant and on point for users, with specific types of training for each role and department in the organization. In addition, be sure to track the training programs as completed in a referenceable system to create an appropriate audit trail for evidence.
4. Developing effective lines of communication, so staff and other stakeholders know how to get information and clarification regarding compliance measures, as well as where and how to report violations without fear of retaliation.
5. Conducting internal monitoring and auditing to ensure compliance policies and guidelines are being followed appropriately, as well as to gauge your compliance program’s performance in practice. For example, you can leverage aggregated monitoring results to identify, assess, and rectify potential weaknesses in your program for continuous improvement.
6. Enforcing standards through well-publicized disciplinary guidelines by outlining a distribution plan for sharing policies and procedures, including new ones, as well as for establishing the actions to be taken for noncompliance. Keep in mind, companies with the most effective compliance programs hold upper management accountable — through tone and action — for modeling and promoting compliance enforcement standards, as well as clearly communicating the consequences of noncompliance.
7. Responding promptly to detected problems and undertaking corrective action. This includes creating a plan for addressing any issues that arise, as well as adjusting current policies to prevent issues from reoccurring. In addition, it is critical that compliance issues be investigated and mitigated as quickly as possible, especially those involving adverse event reporting or inappropriate sales activity. A detailed triaging process for event types should be predetermined and shared to help ensure appropriate actions of investigation and remediation are taken and documented as addressed.

The starting point for a strong compliance program is the adoption of “The Seven Elements of an Effective Compliance Program” under the framework established by the Office of Inspector General (OIG) at Health and Human Services.

Building on these seven elements, the U.S. Department of Justice, Criminal Division, Fraud Section (herein “DOJ”) issued an industry-agnostic “Evaluation of Corporate Compliance Programs” guidelines in 2017 and updated that guidance in April 2019. The DOJ guidance describes specific factors that prosecutors should consider in conducting an investigation of a corporate entity, determining whether to bring charges and negotiating plea agreements or other enforcement actions (e.g., an appointed monitor). These factors include whether an organization had an effective compliance program in place and whether the organization took remedial actions to implement an effective compliance program or to improve an existing one. These provide an expanded perspective for companies trying to determine areas of risk assessment to emphasize.

The updated DOJ guidance organizes its 12 elements around what prosecutors assess to determine the effectiveness of a compliance program and how that translates into penalties and fines. While DOJ’s guidance does not specify any industry, it has been widely accepted in the life sciences. The DOJ guidance and its 12 elements can be easily mapped to the OIG’s seven elements, with some overlap.

As a best practice, compliance officers who historically have been following the OIG’s guidance should review the DOJ’s and determine additional elements to incorporate to further minimize key risks. The DOJ provided many caveats when it released its guidance, but the framework makes sense and builds upon the OIG guidance to be more specific and targeted. Several of the noteworthy DOJ elements are defined expansions of the OIG’s elements. These include:

• Autonomy and Resources — This element speaks to the “tone at the top,” meaning ensuring a culture of compliance is institutionalized and followed from leadership throughout the organization. This also outlines that adequate resources, including budget and personnel, be allocated to fully develop and sustain an effective, proactive compliance program.
• Risk Assessment — In practice, risk assessments are the diagnostic tool for compliance programs. Conducting a risk assessment creates a proactive, rather than a reactive, compliance culture. Risk assessments inform how a compliance program will ultimately be structured or how it should be altered and personalized based on the organization.

Because even the most effective compliance program cannot protect a company from all risks, it’s a best practice to conduct a risk assessment at least every other year to identify potential risks and determine the severity and possibility of occurrence for each. A thorough risk assessment process also evaluates both the level of control in existence related to business processes within an organization, as well as the magnitude of impact the organization would face in the event of a compliance violation.

Organizations should gather information from all departments, not solely compliance. The more diverse the sources of information, the more accurate the view will be of the risk potential. Once potential risks are assessed and rated, then appropriate prioritization of remediation activities can take place. Risk assessments also drive the creation of the annual compliance auditing and monitoring plan.

Timeline for Effective Compliance

• Third-Party Management— Organizations are responsible for the compliance of third-party vendors, as these vendors represent the company and therefore must perform appropriate compliance due diligence and monitoring during contracting. That means companies must decide which policies and procedures these vendors will follow, train them through main policy procedures, and ensure that risk is minimized as much as possible.

DOJ Guidance for Effective Compliance

CONSIDERING LEGAL MATTERS

Life sciences companies operating in the United States must comply with several federal and state laws, all of which aim to protect the safety of product and integrity of business being conducted with federal programs. Several of these federal laws include:

• The Food, Drug, and Cosmetic Act, which gives the U.S. Food and Drug Administration the authority to oversee the safety of drugs and medical devices.
• The False Claims Act, which is a federal law that makes it a crime for any person or organization to knowingly make a false record or file a false claim regarding any federal healthcare program. Note: Enforcement of this law has manifested in a number of billion-dollar settlements.
• The Anti-Kickback Statute, a healthcare fraud and abuse statute that makes it illegal for providers to knowingly or willfully accept renumeration, e.g., offering or giving anything of value, for referrals for services that are payable by a federal healthcare program, such as Medicare or Medicaid. A violation of this law automatically triggers a false claim.

Beyond specific statutes, it’s helpful to evaluate enforcement trends, such as deferred prosecution agreements and corporate integrity agreements, for additional insights and considerations being assessed as part of current enforcement actions. For example, the OIG increasingly leverages corporate integrity agreements (CIA) as a mechanism to mandate the creation of effective compliance programs, which has amassed billions of dollars in fines from offending life sciences companies. The first CIA wave focused heavily on government pricing infractions, while the next emphasized off-label sales and marketing. In progress, the third wave spotlights patient support programs and third-party charity organizations in violation of the Anti-Kickback Statute.

Evolving Enforcement: The OIG leverages corporate integrity agreements as a mechanism to mandate the creation of effective compliance programs. The following are the three waves of this enforcement tactic.

In the near future, privacy issues will likely come to the forefront as the global landscape of technology continues to change what privacy is and should be to an individual. Last year, the European Union drew global attention when it adopted GDPR. With the EU now setting the global tone for privacy, many countries are looking to adopt their own version of privacy laws.

Meanwhile, in the U.S., the Constitution does not grant any inherent right to privacy, but precedent exists for it in case law, as well as industry-specific statutes, such as healthcare’s HIPAA.

MOVING COMPLIANCE FORWARD

The most effective compliance programs create a culture and understanding that compliance is everybody’s responsibilities. While a company’s maturity will in part dictate its compliance needs, a rigorous compliance program should be built into a company’s framework early on and be amenable to shifting with business milestones and legislative requirements. No matter the size or stage of a company, the compliance officer and extended team should be well regarded as a trusted business partner.

Keep in mind, building an effective compliance program takes time and should be built within an appropriate and relevant time frame. Compliance departments need to be “rightsized” for the organization, and determining that size depends on the organization’s risk profile and tolerance. No company can completely eliminate compliance violations, no matter how much they invest. The key is to be smarter with your investment dollars to target risk, utilize data analytics and automation to streamline and optimize the program, and create a culture of compliance.

Different rules and regulations apply at different business stages for the organization. For instance, major milestones, such as NDA submission and FDA approval, trigger new compliance needs. Consider and discuss at the highest levels of the organization how to balance “having everything at once” vs. steadily building an appropriate and effective compliance program over time.

J. MARK FARRAR, MSJ, CPA, CFE, CFF, is a managing director and the global practice leader of the Life Sciences Governance, Risk Management and Compliance practice for Navigant.

KELSEY MULLADY, CFE, is a senior consultant within the Life Sciences Governance, Risk Management and Compliance practice for Navigant.