OR WAIT null SECS
Compliance officers have risen into management's highest ranks, by choice in some organizations, and by government decree in others. Either way, their importance as a strategic partner can hardly be understated.
These days, headline-grabbing, reputation-damaging investigations by government into pharma business practices, at home and abroad, seem almost as frequent as new drug approvals. Just before this article went to press, Lilly announced a $29 million settlement with the Securities and Exchange Commission (SEC) for alleged violations of the Foreign Corrupt Practices Act (FCPA); this in addition to having signed a Corporate Integrity Agreement (CIA) in 2009, which included a payment of $1.4 billion to settle criminal and civil charges related to off-label promotion under the Food, Drug, and Cosmetic Act (FDCA), and the whistle-blower provisions of the False Claims Act.
Lilly's 2009 settlement and CIA also codified the company's pre-established compliance program, which includes "a chief compliance officer who reports directly to the board of directors and the CEO, and a compliance committee," according to the CIA. "The compliance program also includes a code of conduct (known as 'The Red Book') applicable to all employees that is regularly reviewed and disseminated, written policies and procedures, educational and training initiatives, a disclosure program that allows for the confidential disclosure and investigation of potential compliance violations and appropriate disciplinary procedures, and regular monitoring and internal auditing procedures." All this from the CIA's preamble, page one of 67.
At the time, Lilly's 2009 settlement represented the largest corporate criminal fine in history, according to the Department of Justice (DOJ). By the end of 2012, that record had been broken several times. When DOJ announced the "largest healthcare fraud settlement in US history" last summer, GlaxoSmithKline became the new record-holder, on the hook for a cool $3 billion, and a CIA that runs to 122 pages.
In addition to worrisome compliance areas like off-label promotion in the US and bribery in global markets, the Physician Payment Sunshine Act is expected to come online next year, which could put executives in the time-consuming position of having to defend legitimate business interactions with healthcare providers. Government has also signaled a growing interest in R&D and medical affairs, particularly in relation to clinical investigator controls, reporting from clinical programs, and how contract research organizations are and should be monitored.
All of this is to say that compliance issues, and by extension chief compliance officers, are gaining momentum and have moved from the background of business operations to the foreground, and for good reason. Government is taking an active interest in not only whether or not rules are being broken, but also whether companies have duly empowered compliance teams by creating programs, policies, and management structures designed to prevent compliance issues from arising in the first place. Organizations putting the correct structures and processes in place, before federal investigators come knocking, can save a lot of money and time by avoiding costly settlements and CIA negotiations, in addition to placing themselves in the exclusive company of other organizations unbound by looming litigation and the kinds of red tape that kills deals and collaborations.
Too often, "religion does not enter the fray until the administrative subpoena enters the building," says Tim Ayers, VP, chief compliance officer at Dendreon, a biotech focused on oncology drugs. News of a federal investigation tends to make the church bells audible, and if the proper compliance programs, processes and reporting structures are not in place when a federal investigation is launched, executives could end up like Tolstoy's Ivan Ilyich, regretting nothing up until they regret everything.
But there are ways to get right with government before it comes around to scythe company profits, or individual careers. In 2003, the Department of Health and Human Services (HHS) Office of Inspector General (OIG)—which is the office responsible for negotiating and administering pharma CIAs—released guidance on compliance programs, including seven core elements for program effectiveness (small sidebar). Every chief compliance officer ought to be able to name these off without hesitation, and some compliance officers, like Erik Eglite, VP, chief compliance officer and corporate counsel at Lundbeck, kick off quarterly meetings with senior management in the United States by "reporting on all seven elements of the OIG guidelines, what we're doing, where we are with that…to always cover [OIG's seven core elements] is a systematic approach and is also just good talking points," says Eglite.
Number two on the list of OIG guidelines states that a compliance officer should be given the "authority to report directly to the board of directors and/or the president or CEO" of the company. A report on compliance best practices for the pharma industry released by Cutting Edge Information last summer states that in the area of compliance, "appearances matter a great deal, and regulatory agencies want to see that companies are doing everything they can to ensure adherence to the rulebook." Chief compliance officers who report to "someone other than the CEO and the board of directors," like the general counsel or legal department, for example, are not doing "what the OIG and DOJ wants, although they never made it a mandate," says Ayers. "Anybody who gets a CIA, the first change is to put the compliance officer at a C-suite level, reporting directly to the CEO and board of directors."
Since a company's culture will always "trump any external rules," to get at the root causes of—and the root solutions to—compliance issues, "you have to go up to the top of the food chain," says Mary Bennett, VP, ethical leadership group, at Navex Global, a corporate ethics and compliance services firm.
Regardless of whether compliance structures are centralized through a global hub that dictates strategy to local units across the business, or separated into functional compliance divisions built around specific risk areas, it's important for the chief compliance officer to meet with the board of directors more than once a year, says Bennett.
And the responsibility of the board, when it comes to compliance issues, extends beyond staying awake during a program briefing. At the OIG-hosted Pharmaceutical Roundtable on Compliance last February, which convened 42 compliance officers representing 23 pharma companies currently working under CIAs, participants said that in addition to being trained and educated on compliance issues, board members should consult with third-party, independent compliance experts; provide review and oversight of audits and identified risk areas; interact routinely with internal compliance officers; and "convey messages about the value and importance of compliance (including as a competitive business advantage)," according to a report on the roundtable's findings.
On the subject of a third-party compliance consultant to the board of directors, Cynthia Cetani, VP, ethics and compliance, chief compliance officer at Novartis Pharmaceuticals Corporation, singled out the board expert provision in Novartis's CIA as a helpful one. "A board compliance expert is an interesting concept from the government (OIG) and it can be helpful to have an independent view that can aid the board," says Cetani. "It's another source of information and perspective, and I think the board should have various sources of information from which to assess the company's compliance program." As CIAs have expanded to include board responsibilities, compliance officers now are "very much involved in the education of their board of directors," says Eve Costopoulos, VP, chief ethics and compliance officer at Eisai. Formerly VP, global compliance and business practices at Schering-Plough, Costopoulos says she reports directly to the CEO, and meets with Eisai's board of directors on a quarterly basis. Eisai doesn't have a CIA, but company leaders decided to separate compliance from the legal department, and to have Costopoulos report to the CEO, at the beginning on 2011. Before that, "we were reporting on trends in the industry, and I think the CEO saw [restructuring] as one way to further elevate the compliance function" at Eisai, says Costopoulos.
While the board of directors shouldn't muscle its way into developing specific processes and solutions for mitigating risk—the remit of the compliance team—they should be getting regular progress reports from their compliance officers, says Bennett. "One of the biggest questions that a board member can ask the compliance officer when they meet is: 'what are you doing to mitigate our risks? What do you have in place, and how do you know it's working?'"
In addition to setting the tone on transparency and the importance of compliant business practices, top leadership also needs to be kept abreast of ever-emerging risk areas the company faces. This requires well-established lines of communication between the executive committee and the chief compliance officer. As the point person between business units and management, compliance officers must cast a wide net to capture information.
Companies must prioritize compliance functions based on budget and risk. Source: Cutting Edge Information
To properly assess and prioritize risk, compliance officers and their teams need lots of friends across the company. "The compliance officer has to be in lockstep with medical affairs, to know what's coming out in the literature," says Bennett. "The minute there's a new paper that comes out—you can use this adult drug on a baby, for example—everybody is going to want to talk about it." Knowing about the shifting areas of risk, and adjusting the compliance program to account for them is crucial to preventing non-compliant activity. If a product-related issue is surfacing repeatedly through helpline calls, for example, compliance should know about it.
The OIG is clear about wanting top compliance officials in the C-suite. Source: Cutting Edge Information
Human resources is another important trove of information, and a necessary strategic partner for compliance personnel. "Sometimes a flurry of HR activity will happen in a facility or a work group where there is a compliance problem simmering at the bottom of it all," says Bennett. "I know one compliance officer that has a monthly coffee date with the head of HR, the head of audit, and the head of legal, and she sits down and they have coffee talk for 30 minutes. And you wouldn't believe the amount of good information she gets from that, and it helps with trend analysis."
Creating processes to address and prioritize internal challenges is an important prophylactic for non-compliance. Source: Cutting Edge Information
Costopoulos says the head of HR at Eisai, who also sits on the executive committee, is a "very important relationship," in terms of promoting policy, and helping out on internal investigations and appropriate disciplinary measures. "All this boils down to holding employees accountable," says Costopoulos. "HR is interested in that, we're interested in fostering that, so I do tend to work very closely with our entire HR organization on a number of different projects."
Finding the right training and educational best practices for employees is important, and so is the establishment of a robust documentation process, which can be used to show regulators that a company has acted in good faith, and has promoted the right kinds of policies and practices, even when a single employee makes a mistake, or goes rogue. Following OIG guidance, in addition to PhRMA's code on interaction with healthcare professionals, and building a solid internal documentation process can also help protect executives from the Responsible Corporate Officer Doctrine, or Park Doctrine, which has recently come back into vogue with some regulators (including FDA and DOJ); Lundbeck's Eglite says the doctrine keeps him up at night, because as chief compliance officer, he's "on the hook for that."
Percentage of Companies
In compliance, defensive measures are part and parcel of a strong offense, inverting the old adage: the best offense can in fact be a strong defense against non-compliance. Employees must be certain that their superiors won't protect unlawful business practices, internally or externally. But compliance also needs to be able to defend company practices, if there is ever a question from regulators.
The compliance officer, still a relatively new position, continues to evolve, but already "we are viewed as strategic partners" at most pharma companies, says Costopoulos. "We're an important part of the process that champions ethics and compliance and accountability and responsibility and integrity." Reputational issues are important to pharma, and "there's very little that we don't know about in an organization, and I think we provide great value to the organization" as a result, says Costopoulos.
A good compliance function and a company with a good record is good for business, a point that's often underemphasized, says Eglite. "It helps in partnering with other companies. Companies with high compliance standards don't want to do business with a partner that has problems all the time, and is going to be paying fines," he says. "So it's worth the money to have a good compliance function that's reasonable and yet completely within the rules of law."
Compliance is no longer just a box to check. Its strategic function within the organization is more important than ever, which means that the compliance officer has a responsibility to "get all levels of management engaged," says Novartis's Cetani. "Have them involved in helping to shape [the compliance program], and build it into what they need it to be to meet any of the many standards that apply in a highly regulated business." Compliance is successful when it's "built for the needs of the business, which is really what these programs should be about."
Ben Comer is Pharm Exec's Senior Editor. He can be reached at firstname.lastname@example.org.