By J. Mark Farrar, MSJ, CPA, CFE, CFF and Kelsey Mullady, CFE, Life Science Leader
Unfortunately, too often organizations treat the compliance department as an afterthought and scramble to get practices into place just in time. Worse yet, many organizations silo the function, with sales and marketing teams seeing compliance members largely as too quick to say “No!” or as the “office of sales force prevention.” Ironically, however, rather than focusing on running a successful business, companies without a culture of compliance often deal with more enforcement actions and investigations than their compliance-rich peers. In other words, an effective compliance program saves critical resources, spanning people, time, and money.
Realistically, establishing a foundation of compliance is a company’s best protection to minimize risk, while increasing business efficiencies and creating evidence of conformity to governing rules and regulations. As such, compliance should be revered as the internal insurance policy that it is — and life sciences companies should work to create an effective program.
Establishing a Foundation of Compliance
Many companies start by adopting “The Seven Elements of an Effective Compliance Program” under the framework that the Office of Inspector General (OIG) released in 2003. These principles have become generally accepted and adopted globally to help guide companies in day-to-day operations, while aligning with global laws, regional codes, and industry best practices.
The seven elements comprise:
1. Implementing written policies and procedures that apply to and are shared with all employees and any representative of the company (i.e., agents, distributors, contractors, etc.) with regard to the compliance program, code of conduct/ethics, corrective action plans, etc. These should address significant areas of concern for a company, including compliance with laws, integrity of data used by state and federal governments to establish payment amounts, as well as kickbacks and other illegal remuneration.
Keep in mind, all policies and procedures should be written in a common language, not legalese, to make them easy to understand and follow. They also should be written in a digestible, easy-to-reference format to encourage people to read them.
2. Designating a compliance officer and committee. The officer should be someone dedicated to and well versed in compliance and positioned as a partner, not an arbitrator. Oftentimes, companies will appoint their general counsel to the compliance function early in the company life cycle. While some general counsels have strong backgrounds in compliance, it’s not a given or a guarantee. It’s also not a given who the chief compliance officer should report to. They often report up to the general counsel under the legal department or the chief executive officer or president. That said, corporate integrity agreements usually require the chief compliance officer to report to the CEO and routinely present to the board of directors.
Meanwhile, ideally, a committee composed of cross-functional roles is selected to promote buy-in and organizational alignment. The idea is that these department leaders will set a positive compliance tone at the top and cascade the importance of it through to their direct and dotted-line reports.
As part of the oversight rigor, a company’s board should regularly ask questions regarding three critical compliance areas: adequacy and effectiveness of the program, performance of the function, and ownership for compliance at all levels of management.
3. Conducting effective training and education. This means institutionalizing a training program for new employees, as well as creating a system for providing updates and refreshers to ongoing employees. It’s important that content is relevant and on point for users, with specific types of training for each role and department in the organization. In addition, be sure to track the training programs as completed in a referenceable system to create an appropriate audit trail for evidence.
4. Developing effective lines of communication, so staff and other stakeholders know how to get information and clarification regarding compliance measures, as well as where and how to report violations without fear of retaliation.
5. Conducting internal monitoring and auditing to ensure compliance policies and guidelines are being followed appropriately, as well as to gauge your compliance program’s performance in practice. For example, you can leverage aggregated monitoring results to identify, assess, and rectify potential weaknesses in your program for continuous improvement.
6. Enforcing standards through well-publicized disciplinary guidelines by outlining a distribution plan for sharing policies and procedures, including new ones, as well as for establishing the actions to be taken for noncompliance. Keep in mind, companies with the most effective compliance programs hold upper management accountable — through tone and action — for modeling and promoting compliance enforcement standards, as well as clearly communicating the consequences of noncompliance.
7. Responding promptly to detected problems and undertaking corrective action. This includes creating a plan for addressing any issues that arise, as well as adjusting current policies to prevent issues from reoccurring. In addition, it is critical that compliance issues be investigated and mitigated as quickly as possible, especially those involving adverse event reporting or inappropriate sales activity. A detailed triaging process for event types should be predetermined and shared to help ensure appropriate actions of investigation and remediation are taken and documented as addressed.