Compliance: The Critical Cog in Pharma Machine

Getting ahead of legal and compliance issues requires more these days. At CBI’s Pharmaceutical Compliance Congress, experts gathered to discuss new ways to navigate the many currents in the industry when it comes to the crucial task of assessing business and risk

Like most instances in corporate compliance, hindsight is 20/20. Unfortunately, for the biopharma industry, any number of negative compliance issues can cause political, legal, public image, and reputation problems that potentially could take a number of years from which to recover.

However, pharmaceutical compliance covers such a broad spectrum of potential problems, from day-to-day HR compliance, to foreign corruption and bribery, patient assistance programs, drug pricing and transparency, off-label communication, manufacturing, opioid and Department of Justice

(Left-right) Seth Lundy, of King & Spalding; Michael Shaw, of GlaxoSmithKline; Tom Gregory, of Ernst & Young; and Evan Bartell, of KPMG, pose at CBI’s PCC 2018 in Washington. Not pictured, but incorporated into the roundtable discussion, were Patrik Florencio and Ellen Rosenberg of Amicus Therapeutics. Both were presenters at the event.

(DOJ) issues, and so much more. Changing regulations and laws, as well as potential business practices that aren’t yet deemed illegal, keep compliance executives and pharma counsel on their toes. 

Recently, the DOJ has placed attention on the practice of pharma companies donating money to charitable patient assistance programs, specifically those that help patients defray drug co-pays or total drug costs. Regulators have noted that when such donations aren’t managed in an appropriate way, they can raise concerns under the Anti-Kickback Statute. Recent settlements between pharma companies and the DOJ were discussed and analyzed in sessions at CBI’s Pharmaceutical Compliance Congress (PCC) to help others navigate these new waters.

At PCC 2018, held at the end of April in Washington, DC, Pharmaceutical Executive, with our meetings partner CBI, held a roundtable discussion to assess the state of the compliance role within the biopharma industry.

PE: In your experience, how does compliance get a seat at the table? Do they have a seat at the table? Or is it a mix?

MICHAEL SHAW, GlaxoSmithKline: You have to earn it by value. We know that our business leaders will resource what they value. We need to understand the environment, the associated risk, and, more importantly, apply it to the business practices in a relevant way so that we can enable the business to be competitive and compliant. When you do that, business will want compliance at the table.

TOM GREGORY, Ernst & Young: With the clients that I work with, it’s very varied. By and large, at multinational companies, compliance is very mature, sophisticated, and has access to executive management, which is clearly adding value. Where I see gaps is in the less-mature companies-the start-up space or certain non-US markets-where compliance hasn’t received the attention and the resources that it has in the United States.   

SETH H. LUNDY, King & Spalding: What we mean when we say access to a seat at big tables is access to the board and executive teams on major decision-making within the corporate realm. The challenge that compliance as a function continues to have is the staffing abilities of compliance or legal departments, which means they can’t have a seat at all of the tables that are ongoing simultaneously within a company. 

But having said that, sometimes you see start-up companies, when the compliance officer is the 15th employee at the company, and 15 people are always sitting around the table, you’re getting compliance input at every germinating thought and seed.

But what if you have a 5,000-person commercial force and 40 compliance personnel to oversee them? There are meetings and ideas that are coming up all the time where compliance isn’t a part or invited or being asked the questions. And compliance can only address questions that are effectively asked or that are within its visibility. So, oftentimes you only see that through later auditing and monitoring.

SHAW: Seth, I somewhat agree. But I think we’ve got to be careful because compliance should not need to have a seat at every table or at every discussion. If we want compliance to be sustainable in an organization or an industry sector, then ultimately the business has to own compliance. And, just like a CEO looks to their leadership team to deliver certain performance objectives during a year, they should hold their management team accountable to also know ahead of time what the big risks are and what they’re going to do to mitigate them.

LUNDY: The fact of the matter is this industry has become so incredibly complex, that even within your compliance departments you must have different experts to address different areas, because one person can’t possibly be able to retain all of the information. Therefore, in any given business meeting, expecting that the business is going to have information that even trained compliance personnel don’t have in every instance is a challenge unto itself. Some companies use liaisons who are not in the compliance department but are more specifically trained through compliance, and delegating them responsibility, is in and of itself a compliance function.

PE: We just touched on the resource issue for smaller companies as a benefit and a challenge. What is your experience in regard to the smaller biopharma?

EVAN BARTELL, KPMG: In large and small organizations, it’s really about the relationships. In a small company, with a single compliance officer or a compliance team of maybe two or three, they can enhance their effectiveness when the right relationships are created with the right people within the business. So, it’s not, “Hey, just tell me everything that’s happening”; but it’s, “Hey, you understand what my goals and objectives are, I understand what your goals and objectives are, let’s help each other.” 

ELLEN ROSENBERG, Amicus Therapeutics: You need collaborations with finance, legal, regulatory, HR, QA, and others that have compliance responsibilities in any company, but it is especially important if you are in a smaller company, with more limited resources; you can rely on strong collaborations to achieve compliance objectives. 

PATRIK FLORENCIO, Amicus: Well-trained business executives who are committed to compliance become an extension of compliance and legal and the values these functions represent. I’ve worked with many business partners over the years who have become extremely knowledgeable about compliance risk and who think about compliance when they are rolling out innovative new ideas. To some, it comes naturally. To others, less so. But the key is to spend a lot of time having conversations, explaining the “why,” so business partners can self-identify issues and bring them to us. That creates awareness within the business, the function that’s conducting the activities.

PE: Is an ethical and compliant company built up with good people that you hire? Is it an attitude? Or is it from the top down?

SHAW: Management needs to drive it. That’s the differentiator in so many decades hearing about tone at the top or tone at the middle. Management needs to drive, because most good leaders know “you get what you inspect.” If their message is all the time, “Perform, perform, perform and, oh, by the way, comply,” then you should not expect to get a culture like you would if the message was, “We’re going to do this the right way and make sure we effectively navigate the risks that will challenge business performance and our organization’s mission and values.”

LUNDY: The tone that we’re talking about is set in three different ways. When we talk about tone at the top, that means not just verbal messaging, but also action and budget. And you have to have all three of those things happening simultaneously for the tone to be most effective.

FLORENCIO: It is helpful when a company’s leadership believes in an overarching concept of performance with high integrity. Nobody wants to work at or for a company that doesn’t perform. Everybody wants to be with a successful company. But to do it with high integrity can sometimes be challenging because everyone comes at it from different perspectives or different levels of risk tolerance. 

On an individual level, risk tolerance is greatly impacted by the past personal experiences of the people you are dealing with. The people who have been deposed or have gone through a formal investigation see compliance in a very different light. They are much more open to hearing the advice of the compliance officer and legal because they don’t want to go through it again. And they are much more willing to work with you to achieve the objectives they want to achieve. The goal is never to just say no, but to take a different route or take the same route with different controls to make it safe.

ROSENBERG: There is an element of who you hire in the key roles in your company. Compliance and legal should be involved in the interview process for those who are going to be in potential key stakeholder positions so that people who are like-minded are hired. People who are committed to business ethics. If you don’t want a mixed bag and are looking to build a culture of integrity, then you have to have that in who you hire, and you have to have that in who you involve in the hiring process. I think that’s an important element in building a compliance-minded culture.  

PE: How do you stay on top of, or ahead of potential problems? For example, the issues coming up with patient assistance programs. How could compliance mitigate that before it becomes a problem?

GREGORY: It’s a question of not fighting yesterday’s battles. If you’re just doing what a CIA* requires, you’re maybe only chasing the bad conduct of a decade or two decades ago. How do you spot things that are going to be the subject of enforcement actions in the future but maybe have not been in the past? 

With patient assistance, did anybody see that coming? I think that’s debatable. But there are probably five to 10 other similar practices where there’s not historically been enforcement action, but the government will at some point turn to that and start suggesting that the practice is violative of some law or regulation.

LUNDY: When we talk about things like patient assistance as a growing area of risk, it is easy to have some level of compliance ignorance. As a defense attorney, every case that I handle is involving conduct that happened a minimum of three years ago and oftentimes eight to 10 years ago. If you’re looking for only-as Tom was indicating-those things that someone has already demonstrated that this was the wrong path, you’re looking back at things that people did five to seven to 10 years ago. And that’s not novel or instructive of where the risk is today and what someone’s going to be looking at five years from now.

FLORENCIO: Looking to the future, I think businesses should partner closely with compliance and legal in building out their patient engagement programs. This is such an important area and one that is poised to deliver increasing value back to patients and communities as time goes on. That said, because patient advocacy departments are growing and engaging in new and innovative activities at every phase of a medicine’s lifecycle, these activities must be thoughtfully structured so as to deliver value to patients without sacrificing compliance.

We already know that patient-related activities are a focus of DOJ enforcement, albeit on the hub side for now. But enforcement could expand to other areas like patient field interactions in the future. We know, for example, that HCP (healthcare professional) field interactions has been a huge area of enforcement for years. So, when you put it all together-increased patient interactions, including in the field, at a time when DOJ is already focused on patient-related activities-we know this is an area where we should be careful. The compliance function should be thinking about patient field activities and helping the business to appropriately structure those interactions while still serving the overarching goal of patient centricity. 

ROSENBERG: You also have to have some common sense about this. If you understand that the government in the past has been focused on following the money, for example, the focus on HCPs, and if you follow the money and you are putting a lot of money into patient-related activities, whether it’s foundations, hubs, patient support services, or other interactions, then you need to look at those things to predict where the enforcement has been in the past. I just think you need to be practical and smart to get the right kinds of controls in place and the right visibility in place for these activities.

BARTELL: It’s also being plugged into the business and knowing what their challenges are, particularly within patient access. There’s a lot going on now in the industry in terms of how patient access works, how co-pay programs are going to work or look in the future. The more that compliance professionals understand the challenges that the commercial and business folks are facing coming up with solutions to potential barriers and problems that their brands are going to be facing, the more successful compliance will be. Because if you understand that fundamental challenge that your business is facing, then you can help them navigate from a risk management standpoint.

LUNDY: You also need to be plugged in with the various communities, by coming to congresses like PCC, to be able to identify what’s going on with peers, what other professionals are seeing in the marketplace, or interacting with panels like we had with prosecutors to hear what’s on their mind. You need to have an outside resource that you can check in with. The value of consultants, attorneys, and peers are to see what else is going on in the industry that you wouldn’t know about just by being back at home.

* The Corporate Integrity Agreement, or CIA, is an enforcement tool of the US Department of Health and Human Services’ (HHS) Office of the Inspector General (OIG) and is part of a settlement agreement arising from allegations of healthcare fraud.

PE: What about the nuances of third-party involvement? Some programs evolve very quickly, and how does that get managed?

GREGORY: The framework is basically four pillars: 1) conducting due diligence on your third parties; 2) contractual protections making clear what their obligations and responsibilities are; 3) audit rights that you exercise to monitor what they’re doing; and 4) back-end monitoring or analysis of data and such to oversee what they’re doing. 

LUNDY: I would use the fourth as a way to help to ensure that there is an ability to cut bait or terminate-walk away, when necessary. And that goes back to setting the tone of compliance. If you don’t come back and audit, if you’re never willing to terminate an independent contractor arrangement, then it sends a message or tone throughout the company, and other suppliers as well.

BARTELL: I do think in terms of the patient-support programs-your hubs, reimbursement services, co-pay vendors-that a trend is historically these programs were built out in silos, within certain therapeutic areas and franchises. These teams would go to their preferred vendors and manage the programs their way. I think the industry has taken a step back and looked at that to say that system needs to be more efficient and consistent. We need to consolidate. There’s a movement to bring things together and consolidate across departments and functions, especially in large organizations. 

FLORENCIO: Two keys are visibility and partnership. Visibility comes when business functions develop strategic plans and share those plans with compliance and legal. Just like marketing develops marketing plans, advocacy can develop a yearly patient engagement plan and share it with compliance and legal. The same is true for medical. This allows innovative ideas to be discussed at the conceptual stage, and any compliance considerations to be woven in, before they are implemented in the real world. The yearly strategic plan is only the first step to visibility and partnership. As strategies evolve throughout the year and as new ideas arise, these should be shared with compliance and legal through a process of ongoing concept reviews. That’s good partnering. 

PE: How do you review or reinforce compliance throughout the company?

SHAW:Compliance should be more than just straight compliance with the law. Each organization should have a meaningful risk management approach. And that means taking a moment out of time and thinking about what those risks are based on the environment, based on the practices of any one company, and then asking, “How well are we doing here?”

Part of that answer comes with checking out what the most recent guidance has been, what the most recent investigations have been, and what the most recent practices have been.

LUNDY: It’s the continuous part of the process that has to happen. If you do something once, that’s great; but if you haven’t done it in some regular period of time thereafter, the world continues to change and it can pass the corporation by. There isn’t a prescribed period, but there ought to be some regular process that occurs so that you’re constantly doing a checkup. 

SHAW: And the continuous process is not only just adding on or being more conservative. It’s revisiting processes and finding undue complexity, where we thought the way to manage a few years ago on a particular topic was one way and we realize it’s totally hampering the business and may not even be mitigating the risk we thought it was in the first place.   

I have a fond memory working with you, Tom, at one point, when EY was our independent review organization. Even we had very positive results; at times when you would share with me minor deviations of a process, you looked at us and said, “Listen, your process has 10 steps to it. The process only needs two or three steps to address the risk. But if you have the 10 steps and you miss one of them, we’re going to cite you for a deviation.”

LUNDY: I think companies get inappropriately faulted, though, too, because awareness doesn’t necessarily mean that the issue has been fixed or addressed. When you become aware of a risk, there’s an entire process that necessarily needs to take place to be able to understand, address, and mitigate that risk. And that process takes time, particularly when the risks are new. Even when compliance is working 100 percent as it should, you can’t necessarily snap your fingers and immediately mitigate risks as soon as they’re identified. That’s an unfair expectation to put on corporations and certainly compliance departments.

FLORENCIO: As chief compliance officers grow to view themselves more as chief risk officers who look past the current enforcement landscape toward what is likely to be enforced next, we may become a more proactive profession. But even so, it’s hard for compliance officers to convince their business not to do something or even to do it in a different way when three factors are present. Competitors are doing it. There is no existing enforcement to point to. And the only argument to adopt a different practice is the compliance officer’s prediction of future enforcement. If those three things are present, even today, it’s difficult to win the day unless you have a very strong culture of compliance. 

Lisa Henderson is Pharm Exec’s Editor-in-Chief. She can be reached at lisa.henderson@ubm.com