Friday, March 5, 2021
Corporate Compliance Insights

Risk Assessments Mitigate Risk for Bigger and Smaller Companies Alike

by Brian A. Dahl
June 4, 2014
in Risk

Earlier this year, the Office of Inspector General (OIG) put smaller life sciences companies on notice that they should put in place a risk assessment process as part of their corporate compliance program.  In its corporate integrity agreement (CIA) with EndoGastric Solutions, Inc. (EGS), the OIG required EGS to establish a risk assessment process to allow the company to:

  • Identify and assess risks associated with the sale, marketing, detailing, advertising and promotion of products reimbursed by government health care programs
  • Devise and implement specific measures to mitigate identified risks

The risk assessment requirement in the EGS CIA is one more example of the OIG clearly signaling that its expectations with respect to smaller company corporate compliance programs are not significantly different from its expectations of Big Pharma compliance programs.

Unlike many other CIAs, the EGS CIA did not provide any definition around what the company’s risk assessment process should look like.  On one hand, this gives EGS flexibility in defining its process.  On the other hand, this lack of definition leaves other smaller companies that are contemplating putting in place a risk assessment process wondering what such a process should entail.

Companies contemplating putting in place a risk assessment process need look no further than the more detailed risk assessment and mitigation process (RAMP) requirements in other CIAs for guidance, including the CIAs entered into in 2013 by Johnson & Johnson (J&J) and Par Pharmaceutical Companies.

The J&J CIA requires the company to annually undertake its risk assessment process.  As part of that process, J&J must identify risk areas by soliciting information from “all relevant business units and functions,” which includes the following:

  • Sales
  • Marketing
  • Regulatory Affairs
  • Medical/Scientific Affairs
  • Legal
  • Audit
  • Compliance

J&J must use the information collected from these business units to develop annual risk mitigation plans that identify risk mitigation activities that J&J must conduct in the following year, including monitoring activities.  Activities to monitor include speaker programs, speaker training, advisory boards, sampling, verbatim reviews, medical information requests and ride-alongs with sales representatives.

The risk mitigation plan must detail:

  • The risk areas identified for mitigation
  • The activities to be conducted to mitigate the identified risks
  • The individual responsible for conducting each activity

The company’s various leadership teams must review and approve these plans.

The J&J CIA requires that the company track all risk monitoring and risk mitigation activities and make quarterly reports on such activities to the North American Compliance Officer, who must evaluate the activities to ensure that they appropriately mitigate the identified risks.  The Compliance Officer, in turn, must report quarterly on the status of these activities to the North American Compliance Committee, business unit leadership and compliance personnel at J&J affiliates and annually to the overall J&J Chief Compliance Officer.

The Par CIA requires a risk assessment process similar to that set out in the J&J CIA.  Like J&J, Par had already implemented a risk assessment process prior to the effective date of its CIA.  As part of that process, Par also must solicit risk information from “key operating areas” that include most of the business units mentioned above.

Unlike the J&J process, however, Par’s Enterprise Risk Management Committee must produce a “relative risk ranking report” or Risk Evaluation Report that makes recommendations to the company’s compliance committee regarding which products may require increased attention in the form of “enhanced risk mitigation plans” (enhanced RMPs).  The committee must also provide the Risk Evaluation Report to Par’s Board of Directors.

Par products identified as requiring enhanced RMPs are subject to risk mitigation activities beyond those activities contemplated by the J&J CIA.  The Par CIA states that enhanced RMPs “will consist of activities tailored to the risks identified during the risk ranking process” and provides the following examples:

  • Increased compliance messaging
  • Modifications to or limitations of promotional programs and
  • Enhanced training requirements

As with the J&J CIA, standard risk mitigation activities are performed regardless of a product’s relative risk ranking and include the monitoring activities described above.

In addition to drawing a distinction between standard and enhanced RMPs, the Par CIA requires that risk mitigation plans specify metrics by which both risk monitoring results and risk mitigation activities will be evaluated and/or measured.

The three key elements of the risk assessment processes set out in the J&J and Par CIAs – identify, plan and track – should guide smaller companies looking to implement such a process.  In the current enforcement environment, mitigating risk is essential.  Heeding the OIG’s guidance can go a long way toward protecting a company from the ramifications of an enforcement action.

This piece was originally run on the ProPharma Group blog and is republished here with permission from the site.


Brian A. Dahl

Brian Dahl is the Principal at Dahl Compliance Consulting LLC. His consulting practice focuses on assisting life sciences companies with their corporate compliance needs. He is the architect of the corporate compliance programs at two top-tier pharmaceutical companies – Teva Pharmaceuticals and Takeda Pharmaceuticals.  As a consultant, he has built the compliance programs at two startup companies that recently launched their first products. Brian brings that real-world experience to the service of clients who are developing, implementing, or evaluating the effectiveness of their corporate compliance programs. Brian spent six years as the Compliance Director at Teva, where he built the company’s compliance program from the ground up while leading all aspects of the company’s compliance efforts across multiple branded divisions. Brian’s career in pharmaceutical corporate compliance began at Takeda in 2001, six months before the government’s seminal settlement with TAP Pharmaceuticals. Prior to becoming a pharmaceutical compliance professional, Brian practiced health law at the law firm of Baker & Daniels. He began his legal career practicing advertising law in Washington, D.C., first at the Federal Trade Commission and later at the law firm of Collier, Shannon, Rill & Scott. Brian received his J.D. from the University of Iowa College of Law and his Master of Health Administration degree from the College of Public Health at the University of Iowa. You can reach Brian at 847-800-1753 or at DahlComplianceConsulting@gmail.com.

© 2019 Corporate Compliance Insights
