The 2017 Compliance Monitoring Conference that took place recently in Philadelphia defined a path for Life Sciences companies seeking to use internal and publicly available data to proactively monitor risk.
The conference emphasized the significance of developing risk-based monitoring programs supported by retrospective and real-time data analytics.
Strong governance structures require compliance departments to undertake an oversight role and drive accountability for compliance from business managers across the organization. Speakers shared key insights about developing risk-based monitoring plans as valuable tools that address these challenges. The insights included the role of risk assessments and assurance groups, such as internal audit or quality assurance, in developing risk-based monitoring plans; structuring data analytics to drive monitoring efforts; and using data gathered both internally and externally (open payments) during monitoring to inform retrospective reviews like risk assessments.
The conference began with a workshop on best practices for compliance monitoring programs. Panelists discussed the monitoring life cycle and illustrated how risk assessments and monitoring plans are complementary, showing how they inform each other to make the compliance program more effective. The workshop examined how incorporating risk-based data into monitoring planning fosters a more tailored and risk-based approach that accounts for the realities of the business, such as launching a new product or an acquisition. It also examined how transactional and activity-based monitoring occur continuously and, as such, should be informed by findings from an annual risk assessment. Moreover, results from a monitoring program can, in turn, expose new risks that influence the next risk assessment. This cycle continuously improves the efficiency of monitoring programs, allowing them to be proactive and based on current risks, rather than randomized and reactive.
The group agreed that compliance departments should look to other assurance groups to coordinate long-term plans and strategies, and that compliance could highlight ineffective processes identified by the internal audit function as a guide to enhance their monitoring efforts. For example, Internal Audit may identify weak grants reconciliation process controls, triggering an emphasis on monitoring grants post-funding. Additionally, involving multiple related departments leads to better coverage and decreases duplicative work. For an organization, this may mean creating a common risk scoring system among assurance groups, placing information on shared risk registers, or even holding regular meetings to share information and adjust monitoring plans accordingly.
Other workshops emphasized that adopting a risk-based approach involves finding the right data, integrating the data into risk assessments, and defining outliers, commonalities, and trends. This data should be used to design and incorporate a data analytics structure that creates triggers to identify high-risk activities that warrant further investigation. The workshops also examined how compliance departments should leverage existing systems (T&E, sales, CRM, etc.) to create dashboards for monitoring. For example, a dashboard to monitor speaker programs could be used to measure adherence to policies involving minimum attendance at speaker programs, and to find gaps in on-site monitoring programs, such as neglecting to monitor a speaker with high activity but a limited geographical scope. For non-HCP engagements, it was recommended that organizations start their monitoring plans by considering risk factors to structure key compliance data points. Examples of key compliance data points are:
- How many grants or third party engagements exist?
- What value-added activities are reimbursement programs tied to?
- At what level are engagements vetted and approved?
- What guidelines are in place for business and approval rationale?
These data points should then be grouped by areas of highest exposure and be prioritized accordingly in the monitoring program. In short, companies should conduct risk-based, data-driven due diligence for their HCP and non-HCP engagements to inform and drive their compliance monitoring programs.
Similarly, identifying risk factors is a key component of monitoring third-party vendor engagements. The volume and diversity of these engagements create a challenging environment for compliance monitoring. Polaris Senior Consultant, Amy Greenstein, and Director, Gil Rodriguera, led a session entitled “Vendor Monitoring and Management for Anti-Bribery and Anti-Corruption Risk”, in which they explored how compliance officers can utilize data collection efforts to reveal their riskiest vendors and conduct risk-based monitoring accordingly. Other insights included how companies can leverage existing business practices to support their data collection efforts by:
- Developing an initial questionnaire to screen vendors within vendor applications
- Establishing risk-based business rules that trigger review/renewal of initial screening
- Using business data to track outliers in KPIs, expenses, and payment requests
- Implementing post-assurance activities into training programs and risk-based audits
- Adding specific clauses regarding monitoring, auditing, and investigations in contracts and ensuring vendors are aware of these clauses
By embedding data collection within existing business practices, compliance can minimize business disruption and create a team approach to vendor monitoring. Furthermore, effective data collection identifies risk factors that set criteria to decide which vendors require monitoring. These criteria can include geographic locations with a high corruption index, value of the contract, operations with no contact/unusual payment practices, and a poor compliance program. Efficient and scalable risk-based vendor monitoring programs create key compliance data points to identify risks despite the volume and diversity of vendor engagements.
Companies can use CMS open payments data to identify risk “hot spots” and tailor their data to specific risk management needs, like benchmarking to other companies in their space to identify data points outside of the industry norm. This was a focal point during the enforcement panel, where panelists discussed the use of data to track manufacturer funding of prescriber activity. For example, agencies are utilizing open payments data, such as outlier prescriber activity in Medicare Part D data, to support conclusions of inappropriate influence. With increasing coordination between agencies, such as the DOJ and the HHS, and more publicly reported data available, Polaris expects this trend to grow. It is increasingly important for companies to identify outliers in data that could raise a flag for authorities, as well as to consider this data when conducting risk assessments.
As the healthcare compliance landscape continues to evolve, companies can no longer rely on randomized sample-based compliance monitoring approaches. With reduced resources across compliance departments, companies are increasingly looking to external advisors with expertise in data analytics to drive their risk-based monitoring efforts. Proactively addressing risks will require a framework that leverages data analytics to inform monitoring programs retrospectively and adjusts monitoring programs in real time. Thus, developing risk-based monitoring plans that leverage data analytics will help compliance professionals better understand their data and stay ahead of the curve.