This post is Part I of a three part series on building a compliance program by Chris Cobourn and Clarissa Crain of Compliance Implementation Services (CIS). For your convenience, the entire whitepaper is available for download at the bottom of the page.
“Drug companies that do not have a compliance strategy in place may soon pay a very high price.” Deborah Autor, Director of Compliance at FDA’s Center for Drug Evaluation and Research (CDER)
The concept of Commercial Compliance in U.S. manufacturing has evolved very quickly over the past five or six years, resulting in increased regulatory requirements and investigation activity. While the security of the supply chain and the ethical promotion of drugs has been a significant focus, recent investigative trends show a shift in the Government’s focus. The U.S. Federal Government and various State Governments are becoming increasingly interested in sales, marketing and distribution activities that ultimately affect the sales or prices witnessed by the Government.
The need for a manufacturer to understand and mitigate the risk of doing business with U.S. Federal Government is real. Various enforcement agencies exist across State and Federal Government. The Office of the Inspector General (OIG) which supports the Health and Human Services (HHS) is one of the most common enforcement agencies representing the Federal Government in the Commercial Compliance space. Responsible for the prevention and detection of fraud, waste, abuse and mismanagement in programs legislated by the Social Securities Act, the OIG conducts and supervises audits, evaluations and investigations within Commercial Compliance.i
The best, most appropriate measure of the effectiveness of a manufacturer’s risk management program is to evaluate it against a standard of enforcement agency audit. Utilizing OIG Audit Readiness as a standard of measure helps develop the highest level of compliance.
With senior management aligned on risk, and by establishing your audit and monitoring programs to manage risk, you can develop transparency and a roadmap that will demonstrate that you take compliance seriously and have developed an effective Compliance Program. So don’t make monitoring and audit the “tail of the dog” that you apply at the end; use it up front to define your strategy and develop better compliance.
I. Developing a Risk Profile and Risk Management Program
Through a series of steps, you can develop a Risk Profile and a Risk Management Program, with monitoring and audit as key components.
Step one is to understand the Government’s view of risk. A manufacturer can get a clear understanding of the OIGs view of risk by reviewing the following:
- The OIG Recommendations to Pharmaceutical Manufacturers, April 2003.ii This document creates an outline of “Commercial Compliance,” by defining the Government’s view of the three key risk areas, and provides an outline for a Corporate Compliance Program.
- The OIG Work Plan. The annual Work Plan outlines areas where the OIG intends to put its audit focus, and includes sections specifically for manufacturers. (Remember, the OIG is now budgeted for proactive audits!)
- Recent Investigations and CIA’s. These show the trends in investigative activity, how
- the Government interprets statutes, such as the False Claims Act and FDA guidelines on Off Label promotion, as well as the evolving and complex nature of CIA’s (including audit and monitoring provisions).
- The new PhRMA code. Although this is not an OIG or Government document, it does show the industry’s focus on developing guidelines to manage key risk areas, such as interactions with healthcare professionals.
- Applicable Regulations and Guidance – it is also important, to follow the actual guidance in the Commercial areas.
Step two is to conduct an initial assessment. The initial assessment activity must be deep enough and broad enough to look at all of the potential risk areas. The initial assessment can be used as the basis for developing your Risk Profile and your Risk Management Plan, and will identify compliance gaps so that you can develop a management action plan.
Step three, develop the plan and roadmap. As a result of the assessment activity, you will be able to identify compliance risks which may require immediate attention, develop a Risk Profile based upon the findings (matching the defined Government risk areas to your company), and develop a Risk Management Plan and a roadmap.
Step four is alignment. This is often the hardest step, as it can involve a change in the corporate culture. This involves bringing the results of the assessment to senior management and the Compliance Committee. This can be done in a coordinated effort between Internal Audit, the Compliance Officer, and Internal Counsel. Alignment on the Risk Profile and Risk Management Plan is necessary for the Compliance Officer and Internal Audit to develop a plan that is achievable, and has management agreement.
With an evaluation of risk complete and prioritized, a company must now develop a Risk Management Strategy. Commercial Risk Management is a strategic program designed to decrease compliance risks by using one or more evaluation techniques to identify potential risk. Evaluation techniques may vary, however the most effective Risk Management programs use two or more techniques/tools to proactively identify and mitigate potential risk.
The OIG defines Risk Management as seven elements of compliance, with core elements defined as: Auditing and Monitoring, Enforcing Standards through Well-Publicized Disciplinary Guidelines and Responding to Detected Offenses and Developing Corrective Action Initiatives.
OIG’s Seven Elements of a Successful Compliance Programii
- Implementing Written Policies and Procedures
- Designating a Compliance Office and Compliance Committee
- Conducting Effective Training and Education
- Developing Effective Lines of Communication
- Conducting Internal Auditing and Monitoring
- Enforcing Standards through Well-Publicized Disciplinary Guidelines
- Responding to Detected Offenses and Undertaking Corrective Action
i – Mission. http://www.oig.hhs.gov/. Accessed February 15, 2009.
ii – iiOIG Compliance Program Guidance for Pharmaceutical Manufacturers. Federal Register. Volume 68. Number 86. April 23, 2003.
Editor’s note: Over the next few weeks, we will be posting Part II and Part II of this whitepaper. If you would rather not wait, follow the link to download the entire CIS whitepaper, Building a Compliance Program.
About Compliance Implementation Services (CIS)
Compliance Implementation Services (CIS) is a consulting firm specializing in compliance strategies for pharmaceutical companies, from Global Clinical Research & Development through U.S. Commercial Compliance and Government Programs. Founded in 2004, our deep understanding of industry laws and regulations, innovative and practical applications and custom solutions help our clients establish a “Culture of Compliance” that is both meaningful and practical.
For more information, please see our website: http://www.cis-partners.com
About the Authors
Chris Cobourn is the VP of Regulatory Compliance. He has worked with the industry in Commercial and Government Contracting for over a decade, from the policy and procedure development perspective, as well as systems and audit.
Chris works closely with pharmaceutical manufacturers in areas related to management of Government Programs, including policy review, methodology development, policy and procedure documentation, systems implementation, as well as Class of Trade and related commercial systems.
Clarissa Crain is a consultant specializing in Commercial Compliance at Compliance Implementation Services (CIS), a consulting firm specializing in compliance strategies for pharmaceutical companies.
Clarissa’s background includes Corporate Compliance, Distribution Compliance and Government Programs Compliance.