Preventing Fraud—9.Compliance Programs: Building a Culture of Integrity and Accountability

9. Compliance Programs: Building a Culture of Integrity and Accountability

A compliance program is a formal system of policies, procedures, and processes designed to prevent, detect, and correct violations of law, regulations, and company policy. In the pharmaceutical industry, compliance programs are essential for managing the numerous legal and ethical risks associated with developing, manufacturing, marketing, and distributing drugs.

9.A. Elements of an Effective Compliance Program :

The U.S. Department of Justice (DOJ) and the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) have provided guidance on the elements of an effective compliance program. While these guidelines are not specific to the pharmaceutical industry, they are widely used as a benchmark. The core elements are often referred to as the “Seven Elements of an Effective Compliance Program”:

1.    Written Policies and Procedures:

2.    Compliance Leadership (Designated Compliance Officer and Committee):

3.    Training and Education:

4.    Communication (Effective Lines of Communication):

5.    Monitoring and Auditing:

6.    Enforcement and Discipline:

7.    Response and Prevention (Corrective Action Procedures):

However, a more nuanced and comprehensive view expands on these, incorporating a stronger emphasis on culture and continuous improvement. This expanded view is what we will explore:

9.B. Leadership Commitment and Tone at the Top :

·         Fundamental Importance: This is arguably the most critical element of an effective compliance program. Without genuine commitment from leadership, the program will likely fail, regardless of how well it is designed on paper. “Tone at the top” sets the ethical climate for the entire organization.

·         Key Aspects:

o    Visible and Active Support: Senior management (including the CEO, Board of Directors, and other executives) must visibly and actively support the compliance program. This includes:

§  Regularly communicating the importance of compliance.

§  Allocating sufficient resources to the compliance program.

§  Participating in compliance training.

§  Holding themselves and others accountable for compliance.

§  Making compliance a factor in performance evaluations and promotions.

o    Ethical Leadership: Leaders must model ethical behavior and demonstrate a commitment to integrity in all their actions.

o    Zero Tolerance for Non-Compliance: Leadership must make it clear that non-compliance will not be tolerated, regardless of the individual’s position or performance.

o    Open Communication: Creating a culture where employees feel comfortable raising concerns about potential compliance violations without fear of retaliation.

o    Compliance as a Business Priority: Integrating compliance into the company’s overall business strategy and decision-making processes. Compliance should not be seen as an obstacle to business, but as an essential part of doing business ethically and sustainably.

o    Board Oversight: The Board of Directors should have active oversight of the compliance program, including:

§  Regularly reviewing the program’s effectiveness.

§  Receiving reports from the Chief Compliance Officer.

§  Ensuring that the program has adequate resources and independence.

o    Incentivizing Compliance: Consider positive incentives for ethical behavior and compliance, not just penalties for non-compliance.

·         Examples of Positive Leadership Actions:

o    The CEO regularly discusses compliance in company-wide communications.

o    Senior executives participate in compliance training alongside other employees.

o    The company publicly recognizes and rewards employees who demonstrate ethical behavior.

o    The Board of Directors has a dedicated Compliance Committee.

o    Compliance metrics are included in executive performance reviews.

·         Examples of Negative Leadership Actions (to be Avoided):

o    Senior executives ignoring or downplaying compliance concerns.

o    Pressuring employees to meet unrealistic sales targets, potentially leading to unethical behavior.

o    Retaliating against employees who report compliance violations.

o    Failing to allocate sufficient resources to the compliance program.

o    Viewing compliance as a “check-the-box” exercise rather than a core value.

9.C. Risk Assessment and Management :

·         Foundation of the Program: A comprehensive risk assessment is the foundation of an effective compliance program. It helps the company identify and prioritize the areas where it is most vulnerable to compliance violations.

·         Key Steps:

o    Identify Risks: Identify all potential compliance risks facing the company. This should be a broad and comprehensive assessment, considering all aspects of the company’s operations.

§  Examples of Risks in the Pharmaceutical Industry:

§  Off-label promotion

§  Kickbacks and bribery

§  False claims

§  Data integrity violations

§  GMP violations

§  Clinical trial misconduct

§  Privacy violations

§  Conflicts of interest

§  Improper interactions with healthcare professionals

§  Misleading marketing

§  Anti-competitive practices

§  Environmental violations

§  Cybersecurity breaches

o    Assess Risks: Assess the likelihood and potential impact of each identified risk. This involves considering:

§  The probability of the risk occurring.

§  The potential consequences if the risk occurs (e.g., financial penalties, reputational damage, legal liability, patient harm).

§  The effectiveness of existing controls.

o    Prioritize Risks: Prioritize the risks based on their likelihood and potential impact. Focus resources on mitigating the highest-priority risks.

o    Develop Mitigation Strategies: Develop and implement strategies to mitigate the identified risks. This may involve:

§  Developing or revising policies and procedures.

§  Implementing new controls.

§  Providing training.

§  Increasing monitoring and auditing.

§  Changing business practices.

o    Regular Review and Updates: The risk assessment should be reviewed and updated regularly (at least annually), and more frequently if there are significant changes in the company’s business, the regulatory environment, or the industry.

·         Tools and Techniques:

o    Interviews: Interviewing employees at all levels of the organization to gather information about potential risks.

o    Surveys: Conducting surveys to assess employee awareness of compliance policies and procedures.

o    Document Review: Reviewing policies, procedures, contracts, and other documents to identify potential risks.

o    Data Analysis: Analyzing data (e.g., sales data, expense reports, audit findings) to identify potential patterns of non-compliance.

o    Benchmarking: Comparing the company’s compliance program to those of other companies in the industry.

o    External Resources: Consulting with external experts (e.g., lawyers, consultants) to identify and assess risks.

o    Failure Mode and Effects Analysis (FMEA): A structured approach to identifying potential failure modes and their effects.

o    Root Cause Analysis (RCA): Used to identify the underlying causes of identified risks.

·         Documentation: The entire risk assessment process should be thoroughly documented, including the methodology used, the risks identified, the assessment of those risks, and the mitigation strategies developed.

9.D. Policies and Procedures :

·         Foundation of Compliance: Clear, concise, and comprehensive policies and procedures are essential for guiding employee behavior and ensuring compliance.

·         Key Characteristics:

o    Written: Policies and procedures must be in writing.

o    Clear and Concise: Easy to understand and follow, avoiding legal jargon.

o    Comprehensive: Cover all relevant areas of compliance risk.

o    Specific: Provide specific guidance on how to comply with applicable laws, regulations, and company policies.

o    Accessible: Readily available to all employees.

o    Regularly Reviewed and Updated: Policies and procedures should be reviewed and updated regularly (at least annually), and more frequently if there are significant changes in the law, regulations, or the company’s business.

o    Version Control: Maintain clear version control to ensure that employees are using the most up-to-date versions.

o    Training: Employees must be trained on the policies and procedures that are relevant to their jobs.

·         Types of Policies and Procedures:

o    Code of Conduct (or Code of Ethics): A foundational document that sets forth the company’s ethical principles and expectations for employee behavior.

o    Compliance Policies: Specific policies addressing particular areas of compliance risk, such as:

§  Interactions with healthcare professionals

§  Marketing and promotion

§  Clinical trials

§  Data integrity

§  Conflicts of interest

§  Gifts and entertainment

§  Anti-bribery and anti-corruption

§  Privacy

§  Cybersecurity

o    Standard Operating Procedures (SOPs): Detailed, step-by-step instructions for performing specific tasks or processes.

o    Reporting Procedures: Procedures for reporting potential compliance violations.

o    Investigation Procedures: Procedures for investigating potential compliance violations.

o    Disciplinary Procedures: Procedures for disciplining employees who violate compliance policies.

9.E. Training and Education :

·         Critical Component: Training is a critical component of an effective compliance program. It’s not enough to simply have policies and procedures; employees must be trained on how to comply with them.

·         Key Principles:

o    Regular and Recurring: Training should be provided on a regular basis, not just once. Re-training should be conducted periodically, and more frequently if there are changes in regulations or company policies.

o    Job-Specific: Training should be tailored to the specific roles and responsibilities of each employee. Generic training is rarely sufficient.

o    Interactive: Training should be interactive and engaging, using a variety of methods (e.g., case studies, role-playing, quizzes).

o    Documented: All training must be thoroughly documented, including the date, trainer, topics covered, attendees, and assessment results.

o    Effectiveness Checks: The effectiveness of training should be regularly evaluated (e.g., through post-training assessments, on-the-job observations, performance monitoring).

o    Targeted: Training should be targeted to address specific compliance risks identified in the risk assessment.

o    Accessible: Training should be accessible to all employees, including those who work remotely or have disabilities.

o    Multilingual: Training materials should be available in the languages spoken by employees.

·         Types of Training:

o    General Compliance Training: Covers the company’s code of conduct, basic compliance principles, and key regulations.

o    Specific Compliance Training: Covers specific areas of compliance risk, such as:

§  Anti-bribery and anti-corruption

§  Interactions with healthcare professionals

§  Marketing and promotion

§  Data integrity

§  Clinical trial conduct

§  Privacy

o    Role-Based Training: Tailored to the specific roles and responsibilities of different groups of employees (e.g., sales representatives, medical affairs personnel, manufacturing personnel).

o    New Hire Training: Provided to all new employees as part of their onboarding process.

o    Refresher Training: Provided periodically to all employees to reinforce key compliance concepts and address any changes in regulations or company policies.

o    Remedial Training: Provided to employees who have been involved in compliance violations or who have demonstrated a lack of understanding of compliance requirements.

·         Training Methods:

o    Classroom Training: Traditional instructor-led training.

o    Online Training (E-Learning): Computer-based training modules.

o    On-the-Job Training (OJT): Supervised training in the actual work environment.

o    Workshops: Interactive training sessions that focus on specific skills or topics.

o    Case Studies: Using real-world examples to illustrate compliance issues.

o    Role-Playing: Having employees practice how to handle different compliance scenarios.

o    Gamification: Using game-based elements to make training more engaging.

9.F. Internal Reporting Mechanisms (Whistleblower Protection) :

·         Essential for Detection: An effective internal reporting system is essential for detecting potential compliance violations. Employees are often the first to know about misconduct.

·         Key Features:

o    Multiple Channels: Provide multiple channels for employees to report concerns, such as:

§  A confidential hotline (often operated by a third-party vendor).

§  An email address.

§  A web-based reporting portal.

§  Direct reporting to a supervisor, manager, or compliance officer.

§  Open-door policy.

o    Confidentiality: Allow employees to report concerns confidentially, to the extent permitted by law.

o    Anonymity: Allow employees to report concerns anonymously, if they choose.

o    Non-Retaliation: Prohibit retaliation against employees who report concerns in good faith. This is absolutely critical.

§  Strong Policy: Have a strong, written non-retaliation policy.

§  Training: Train all employees on the non-retaliation policy.

§  Enforcement: Enforce the non-retaliation policy strictly.

§  Monitoring: Monitor for any signs of retaliation.

o    Prompt Response: Respond to all reports promptly and thoroughly.

o    Investigation: Conduct a thorough investigation of all credible reports.

o    Feedback: Provide feedback to the reporter (if known and appropriate) on the outcome of the investigation.

o    Documentation: Document all reports, investigations, and outcomes.

·         Whistleblower Protection Laws:

o    Sarbanes-Oxley Act (SOX) (US): Protects whistleblowers who report financial fraud at publicly traded companies.

o    Dodd-Frank Act (US): Provides financial incentives for whistleblowers who report violations of securities laws to the Securities and Exchange Commission (SEC).

o    False Claims Act (US): Protects whistleblowers who report fraud against the government.

o    Other Laws: Many other federal and state laws provide whistleblower protection.

·         Promoting Reporting:

o    Regular Communication: Regularly remind employees about the reporting mechanisms and the non-retaliation policy.

o    Positive Reinforcement: Publicly recognize and reward employees who report concerns (where appropriate).

o    Leadership Example: Leaders should model the behavior of reporting concerns.

9.G. Monitoring and Auditing :

·         Proactive Detection: Monitoring and auditing are proactive methods for detecting potential compliance violations. They are essential for assessing the effectiveness of the compliance program and identifying areas for improvement.

·         Monitoring:

o    Definition: Ongoing, real-time review of activities and transactions to identify potential compliance issues.

o    Examples:

§  Reviewing expense reports for compliance with company policy.

§  Monitoring sales representative interactions with healthcare professionals.

§  Monitoring social media for off-label promotion or misinformation.

§  Reviewing call notes from sales representatives.

§  Monitoring data for unusual patterns or trends.

§  Using data analytics to identify potential compliance risks.

·         Auditing:

o    Definition: A systematic, independent, and documented examination of a company’s operations, processes, and systems to assess compliance with internal procedures, standards, and regulatory requirements.

o    Types of Audits:

§  Internal Audits: Conducted by the company’s own internal audit department.

§  External Audits: Conducted by an independent third-party organization.

§  Compliance Audits: Specifically focused on assessing compliance with laws, regulations, and company policies.

§  Financial Audits: Focus on the accuracy and reliability of financial statements.

§  Operational Audits: Focus on the efficiency and effectiveness of operations.

o    Audit Process:

§  Planning: Developing an audit plan, including the scope, objectives, schedule, and audit team.

§  Opening Meeting: Holding an opening meeting with the auditees to explain the purpose and scope of the audit.

§  Conducting the Audit: Gathering evidence through document review, observations, and interviews.

§  Closing Meeting: Holding a closing meeting with the auditees to discuss the audit findings.

§  Audit Report: Preparing a written report summarizing the audit findings, including any non-conformances (observations).

§  Corrective and Preventive Actions (CAPA): The auditees are responsible for developing and implementing CAPA to address any non-conformances.

§  Follow-Up: The auditors should follow up to verify that the CAPA have been implemented effectively.

·         Key Areas for Monitoring and Auditing in the Pharmaceutical Industry:

o    Interactions with healthcare professionals (payments, gifts, consulting arrangements).

o    Marketing and promotion (fair balance, off-label promotion).

o    Clinical trials (informed consent, protocol adherence, data integrity).

o    Manufacturing (GMP compliance).

o    Data integrity (ALCOA+ principles).

o    Privacy (HIPAA compliance).

o    Cybersecurity.

o    Anti-bribery and anti-corruption.

9.H. Corrective and Disciplinary Actions :

·         Essential for Accountability: A compliance program must include procedures for taking corrective and disciplinary actions in response to compliance violations. This is essential for demonstrating accountability and deterring future misconduct.

·         Corrective Actions:

o    Purpose: To correct the immediate problem and prevent it from recurring.

o    Examples:

§  Revising policies and procedures.

§  Providing additional training.

§  Implementing new controls.

§  Terminating contracts with third parties.

§  Recalling products.

§  Making restitution to affected parties.

§  Self-reporting violations to regulatory authorities.

·         Disciplinary Actions:

o    Purpose: To hold individuals accountable for their actions and to deter future misconduct.

o    Examples:

§  Verbal warnings.

§  Written warnings.

§  Suspension.

§  Demotion.

§  Termination of employment.

§  Referral to law enforcement (for criminal violations).

o    Principles:

§  Fairness: Disciplinary actions should be fair and consistent.

§  Due Process: Employees should be given an opportunity to be heard before disciplinary action is taken.

§  Proportionality: The disciplinary action should be proportionate to the severity of the violation.

§  Documentation: All disciplinary actions should be thoroughly documented.

§  Consistency: Similar violations should result in similar disciplinary actions, regardless of the individual’s position or status.

o    Progressive Discipline: A system where the severity of the disciplinary action increases with repeated or more serious violations.

9.I. Continuous Improvement and Adaptation :

·         Not Static: A compliance program is not a static document; it must be a “living” system that is continuously improved and adapted to changing circumstances.

·         Key Activities:

o    Regular Review: Regularly review and update the compliance program, including policies, procedures, training, and risk assessments.

o    Monitoring and Auditing: Use the results of monitoring and auditing to identify areas for improvement.

o    Lessons Learned: Incorporate lessons learned from compliance violations and near misses.

o    Benchmarking: Compare the company’s compliance program to those of other companies in the industry.

o    Industry Best Practices: Stay up-to-date on industry best practices and regulatory guidance.

o    Feedback: Solicit feedback from employees on the effectiveness of the compliance program.

o    Technology: Leverage technology to improve the efficiency and effectiveness of the compliance program (e.g., data analytics, automation).

o    Adaptation to Change: The program must be able to adapt to changes in:

§  The company’s business (e.g., new products, new markets, mergers and acquisitions).

§  The regulatory environment (e.g., new laws, new regulations, new guidance).

§  The industry (e.g., new technologies, new business models).

§  The external environment (e.g., economic conditions, geopolitical events).

·         Culture of Continuous Improvement: The most effective compliance programs foster a culture where continuous improvement is expected and encouraged. This involves:

o    Open communication about compliance issues.

o    A willingness to learn from mistakes.

o    A proactive approach to identifying and mitigating risks.

o    A commitment to ethical behavior at all levels of the organization.

An effective compliance program is a comprehensive and dynamic system that requires ongoing commitment, resources, and attention. It is not a “check-the-box” exercise, but rather a fundamental aspect of doing business ethically and responsibly in the highly regulated pharmaceutical industry. A strong compliance program not only helps to prevent legal and regulatory violations, but it also protects patients, enhances the company’s reputation, and fosters a culture of integrity and accountability.