Now that we are two months into the new year, this is a good time to reflect and examine the effectiveness of healthcare compliance programs. The measure of what “effective” means has changed dramatically in recent years.
When the PhRMA Code on Interactions With Health Care Professionals was published in 2002, and for many years after, effectiveness was essentially defined by a company’s compliance department as adhering to the OIG’s 7 Elements of an Effective Compliance Program, as well as providing review and approval of individual activities or transactions. It was essentially the compliance department’s responsibility to “police” the organization and prevent them from making poor decisions. Today’s measure of effectiveness still hinges on decision-making, but the accountability is more squarely placed on the shoulders of the decision makers.
In large part, industry made this shift on its own as the compliance office matured. However, enforcement and regulatory authorities such as the DOJ, SEC and HHS have also fostered this transformation through their emphasis on individual accountability and liability for inappropriate company actions. If it is to be agreed that accountability has shifted to decision-makers, then what does this imply about the transformation of compliance programs? In short, it is not enough to say “job well done” when a company adheres to the Code and the 7 Elements. That is the bare minimum. It is like asking a car salesman for a car with seatbelts when seatbelts are now a matter of course and required by law, not a luxury or an option.
Given these changes in the role of compliance, the focus of the modern compliance department must be on risk management. Risk management is not a program or project, but rather it is a management discipline that we must embed in our culture. It is a governance framework that can support the communication of a true principles-based compliance program, and enable the principles to cascade to all decision-makers. It also allows for an effective delegation of authority that is not based on financial approval limits, but rather on corporate actions that expose or bind us to varying degrees of risk.
The accountability for ensuring that risk exposure remains within the organization’s tolerable boundaries lies with the business managers making those decisions. Compliance professionals who now play the role of risk manager, should also be accountable in this governance structure. They are accountable for ensuring several aspects of this framework, which represents the new focus of the compliance departments. These elements can serve as a benchmark for assessing compliance program effectiveness in 2017:
- Ensuring the risk management framework is embedded in company culture and governance documents such as the Code of Conduct
- Ensuring that management decision-makers are provided with tools and training to effectively apply the framework
- Ensuring that risk-based decision-making informs compliance monitoring programs
- Auditing programs to ensure that risk-binding decisions are being made at appropriate levels of management with sufficient expertise
- Communicating the compliance risk exposure to the executive-level compliance committee
- Providing transparency on compliance risk exposure to the audit committee of the board of directors
In principle, the compliance department’s most important responsibility is to ensure that an ethical code of conduct is effectively established to govern business activities. From the code of conduct, principles-based compliance expectations can be established within a network of policies that are owned by functional business leaders. Compliance leadership must be diligent in ensuring that the policies are tailored to the specific needs and realities of the business, and that they establish the specific guidelines for ethical conduct within their respective discipline. When executed in this manner, the responsibility for “translating” the code of conduct to the business is placed on business leaders.
As business leaders operationalize their compliance with the code of conduct, the accountability shifts to become a shared obligation of compliance and the functional decision-makers (e.g. commercial, medical affairs, R&D, etc.). The shared obligation is to the executive compliance committee, while compliance maintains the obligation to the board. The enforcement authorities as well as corporate boards have been clear on this point – individuals will be held accountable for their own actions, as is stipulated in the Yates Memo from the Department of Justice. Business leaders are expected to understand and apply the principles that embody adherence to the code; as such, they must be held accountable for their decisions. It is the role of compliance professionals to examine business activities and ascertain the risk-binding inflection points, which will help compliance professionals to educate business leaders and empower them to make effective and calculated risk-balanced decisions.
KOL tiering, for example, is managed in different ways, but generally under the auspices of Medical Affairs. This methodology must be adhered to consistently by all departments that engage with HCPs to ensure they are not overcompensated. Similarly, industry sponsorships and contributions to patient advocacy or support organizations must be assessed against a risk-based set of internal guidelines. The thresholds and limits on risk-taking must be negotiated, where necessary, with the compliance department, the risk experts. It is then the role of compliance to play a risk oversight role through monitoring and communication to management and the board.
Business leaders’ increased engagement in day-to-day compliance begs the question: how has the role of compliance changed? The transactional level and preventative internal controls are not the responsibility of compliance; rather, as risk managers, they must ensure that they do not become the control. This requires compliance to remove themselves from day-to-day routine transactions, as their responsibility is that of risk oversight. Compliance should consult the business on process design and incorporate key risk indicators (KRIs), which can identify those higher risk transactions that warrant compliance review. For example, every business needs assessment for an HCP engagement may not need compliance review. However, a variety of indicators can be used to flag higher risk transactions, such as highly-compensated KOLs, repeat advisory topic categories, and events with a higher than average number of participants. KRIs can also be used to flag transactions for preemptive compliance review, as well as to support risk-based sampling for monitoring programs. Moreover, with regard to sampling, monitoring programs that utilize a random sampling methodology are no longer justifiable given the accessibility of rich commercial data. If management has established their threshold for tolerable risk, then the monitoring program needs to assess the adherence to that limit, as well as identify factors that may allow it to clandestinely scale beyond the tolerance.
As we consider the risk-based compliance oversight framework, it is important to incorporate both monitoring of transactions and auditing of the system. Monitoring programs should be risk-based and informed by KRIs for preemptive and/or retrospective review.On the other hand, auditing should focus on the system of internal controls established by management. Specific attention must be paid to third party vendors managing higher risk activities, such as HUBs and any vendor in the reimbursement cycle. Business leaders are accountable for the five risk governance competencies below and compliance is responsible for auditing their efficacy:
- Policies – Have policies been established to enforce the code of conduct by establishing program-specific guidelines?
- Processes – Have routine and repeatable processes been established to ensure consistent execution of responsibilities?
- People & Organization – Are the individuals making risk-binding decisions at the appropriate level of management? Are they appropriately trained? Are they effectively supported by upper management?
- Systems & Data – Are auditable records being maintained for decisions? Is relevant information being effectively captured and recorded, including data necessary for transparency reporting?
- Reporting – Is there effective reporting of decisions and ongoing business operations to the responsible decision-makers and other relevant stakeholders, potentially including compliance, regulatory or medical affairs? Are stakeholders receiving reports on KPIs or KRIs?
From the corporate governance perspective, if compliance is serving as the risk manager, then they must provide meaningful updates to the compliance committee. Furthermore, they must ensure that the assessment of risk-bearing activities are reported to the committee. The role here is not to disagree with or challenge the business decision, but rather to ensure that executive management is informed and aligned.
Recognizing that the Life Sciences industry is fraught with risk, there must be disciplined risk management which necessitates open discussion about risks. Compliance professionals need to monitor the external environment, including new decrees or enforcement actions that may alter the risk calculus in key decisions. Having open and transparent accounting of risks will allow compliance to effectively identify those decisions that must be reconsidered as the environment changes. It is also important to note that the reporting responsibility does not stop with management. The board of directors, and specifically the audit committee, also have a risk oversight duty to shareholders. It is key to facilitate dialogue and risk updates to enable them to fulfill this obligation.
The evolution of the role of compliance and associated accountability has resulted in dramatic organizational changes not only to compliance but also to the enterprise. For example, historically the business would ask compliance to create FMV guidelines, whereas external advisors are now more commonly engaged for these matters. The skillset of the compliance professional has shifted to be more of a risk steward and advisor who can consult with the business on establishing disciplined business practices. For many organizations, this has also resulted in reduced budgets and headcount for compliance. The compliance officer today needs to evaluate the portfolio of risks and strategically determine when and where to insert themselves in a transactional discussion, while simultaneously overseeing a monitoring and auditing program that tracks and follows at-risk activities.