Calculating Risk

Over the last decade, pharmaceutical companies have increasingly employed technology in every aspect of their businesses, generating huge volumes of electronic information necessary-and unnecessary -to managing their business. That information is increasingly being sought in lawsuits and investigations, and a company that is unable to respond quickly and effectively to such a request exposes itself to significant risk. As a result of its failure to search and produce email in a civil lawsuit, one pharmaceutical company paid $6.72 million in attorney fees and plaintiff's costs, and was subjected to a range of other sanctions,.

The heart of the problem is that many records and information management programs have not kept pace with the transition from paper to electronically stored information. Programs that worked well managing paper can be inadequate to the task of managing electronically stored information. As a result, the costs associated with the process of identifying, collecting, reviewing and exchanging electronic information during a litigation or investigation -a process generally known as “discovery” -have increased at an alarming rate. A risk-based approach to records and information management can be an integral part of the effort to reduce these costs.

Courts Turning Up the Heat
Reducing electronic discovery costs is an important goal for any company, but companies should also be concerned with reducing risks related to the storage-or inadequate storage-of electronic information. Courts and regulators are turning up the heat on companies that are unable to respond effectively to a discovery request by imposing costly sanctions and penalties. In one case involving a major pharmaceutical company, the court found that failure to produce databases and electronic documents for 80 personnel was sanctionable conduct, exposing the company to a range of fines and other penalties.

Yet the consequences of a failure to respond effectively to discovery requests are not limited to legal sanctions; they may also include investigations or inquiries, public relations difficulties, and a loss of shareholder value. A company’s failure to manage its records properly can be newsworthy. Companies can experience legal, regulatory and operational risks resulting from an inadequate information management strategy. Moreover, those risks are increasingly global in nature.

Legal risk. Companies involved in civil litigation must comply with the Federal Rules of Civil Procedure (FRCP), which were amended in December 2006. The amended rules clarify that electronically stored information is discoverable, and also establish requirements intended to ease the burden of electronic discovery. Whether the FRCP succeeded in that regard is still a matter of debate, but companies should consider their potential obligations under the FRCP as they mature or enhance their information management strategy.

Pharmaceutical companies are frequently subjected to investigations and litigation stemming from alleged conduct involving patient and product safety, “off-label” promotion, data privacy infringement, and improper conduct and reporting of clinical trials, among other activities. In today’s global business environment, companies may be subject to lawsuits and investigations brought outside the United States. A global company’s information management practices must pay particular attention to the risks involved in collecting information in countries with strict data privacy laws or blocking statutes.

Regulatory risk. Pharmaceutical companies, of course, operate in a highly regulated environment, and must retain a large amount of information to demonstrate compliance. Food & Drug Administration, Health and Human Services, and state regulations related to sales and marketing activities-direct-to-consumer advertising, marketing to physicians and health care providers and pricing practices for federally funded and private insurance programs -may have documentation requirements that support the demonstration of compliance with those regulations.

If information supporting regulatory compliance is not effectively managed and controlled, it may be retained well past its useful life, in multiple versions or copies. This can create unnecessary risks and costs in the event that it is the subject of a discovery request or government subpoena.

Operational risk. Inadequate or faulty information management practices can lead to failed internal processes, potentially resulting in adverse internal and external events (such as investigations and litigation) and other operational incidents triggered by the original failure. For instance, if product information such as serial numbers, lot numbers, expiration date, dosage strength, and other information is not properly tracked through the manufacturing and distribution system, it may be more difficult to implement a recall or to identify a fraudulently manufactured drug.

Developing a Program to Address Risk
Records and information management programs are an important aspect of a sound information management strategy. Effective processes for the creation, use, protection, retention and disposition of business information and records are critical to mitigating legal, regulatory, financial, reputational and operational risks, and eliminating unnecessary costs.

Reducing electronic discovery costs demands a strategic, risk-based approach that reduces the volume of information potentially subject to discovery while retaining valuable business assets and complying with laws and regulations. A few steps should be considered when developing a program that will manage risk and ultimately reduce costs.

Step 1: management, retention and disposition of information
An effective information management strategy retains electronically stored information only as long as it is useful to the business or as required for legal and regulatory purposes. Once information has reached the end of its required retention period, it should be destroyed in accordance with applicable requirements to avoid creating unnecessary risks for the company.

For example, one pharmaceutical company was recently exposed to allegations that it had “cherry-picked” the results of favorable clinical trials, ignoring unfavorable data after the emergence of company emails that were years old. These days, electronically stored information management is an important part of any overall information management strategy that is meant to reduce risks and costs, while still supporting compliance with laws and regulations.

A phased approach works well for many companies. In the first phase, the company identifies information management risks, and defines a vision for the company’s future information management posture. The second phase may include the development of policies, processes, procedures, instruments (such as retention schedules) and controls (such as records management assessments) consistent with that vision. The third phase usually involves implementation of records and information management policies, processes, and controls. The fourth phase may focus on instituting a sustainable program that monitors compliance and implements continuous improvements.

Companies should give special attention to business units and processes that are highly regulated and in which inadequate information management could have, a major impact on company resources or performance, or that have a historically high volume of litigation. The implementation of enhanced information management practices in those business units and processes can balance the time, staff, and resources required against potential risks they must manage.

Step 2: development of a discovery response plan
An essential component of any information management strategy is a plan for responding to discovery requests, including input from the company’s records management group, legal department and IT organization. These discovery response plans should support the identification of potentially relevant electronically stored information in the custody or control of individuals (custodians) or the IT organization. The plan also should incorporate processes and procedures to implement a “legal hold”. A legal hold is a communication instructing information custodians to preserve potentially relevant information related to actual or anticipated litigation.

When electronically stored information is subject to a legal hold, it is identified, collected, processed, reviewed, and produced as evidence to the government or an opposing party in litigation. Each of these steps creates additional risk, which is why the discovery response plan should include procedures to manage and mitigate those risks, and establish the defensibility of the overall electronic discovery process. For example, the company may want to establish a process to trace information from collection through production, so that it can demonstrate to a regulator that it can account for all the information.

Step 3: establish controls to monitor compliance
A company typically will establish controls to validate compliance with its information management program and discovery response plan. These controls may include an evaluation of sample documents against business unit retention schedules to determine whether documents are managed according to the schedule. A review of the preservation activities of recipients of a legal hold notice may also be included to determine if custodians are preserving information as required.

Once controls are established and implemented, ongoing monitoring of the effectiveness of the information management program and discovery response plan is critical. Monitoring can ensure that the right controls have been put in place and that company managers have an appropriate understanding of each particular control.

By balancing business risks against the time, staff, and budget required for effective information management, a pharmaceutical company can create a robust, risk-based information management program. Over time, this program will prove to be far more effective than a “boil the ocean” approach that frequently is unrealistic and unattainable. As information management risks in the pharmaceutical sector continue to mount, a risk-based approach to managing a company’s information assets should be an important component of an overall strategy to reduce business risks and costs.

The views expressed herein are those of the authors and do not necessarily reflect the views of Ernst & Young LLP.