Compliance at the Cross-Border Crossroads

Compliance, across all industries, thankfully no longer occupies its 1980s position as a "corporate backwater." Back then, a senior banker recalled for the Financial Times (FT, April 24, 2014), the compliance specialist at one London firm "was also charged with looking after the boss's wine cellar," such was the general vagueness and perceived irrelevance of his nominal role. In pharma around the same time, a chief compliance officer (CCO) was a rare commodity indeed. As Ilyssa Levins and Eve Costopoulos write on the Pharmaceutical Compliance Monitor website, before the late 1990s, US companies, for example, simply formulated their business practices on their understanding and interpretation of an anti-kickback statute that was exceptionally broad.

In banking, what the FT calls "the tsunami of regulatory initiatives" that followed the 2007–2009 global financial crisis saw compliance move out of the shadows and toward center stage. Transported through time to 2013, that 1980s banker would no doubt have been astounded to hear a major UK bank (HBSC) announce its plan to hire more than 3,000 compliance officers.

Pharma, of course, has also intensified its compliance activities in the last few years, even if this has been, as with banking, as much a reaction to external regulatory and legislative pressures as a desire to get its house in order.

Photo: Thinkstock

Recently, we have seen the rollout of the Sunshine Act's Open Payments database and the European Federation of Pharmaceutical Industries and Associations' (EFPIA) call for its 33 national member organizations to disclose details of payments made to named individuals and publish them in open registries by 2016. Add to these initiatives a growing emerging market crackdown on bribery and corruption, and it's fair to say that compliance is an industry hot topic. The Economist Intelligence Unit has predicted that more than 70% of pharmaceutical sales this year will be made in countries with transparency regulations. And aside from GlaxoSmithKline's widely reported woes in China, pharma companies are currently under investigation for corruption in countries as unlikely as Syria, Iraq, and Lebanon.

In January 2013, Pharm Exec wrote that compliance "is no longer just a box to check-its strategic function within the organization is more important than ever." By extension, we added, "chief compliance officers are gaining momentum and have moved from the background of business operations to the foreground."

So, two years on, can we confidently say things have moved on for the CCO?

Compliant with compliance?

For David Eves, director of medical affairs and compliance at Chugai Pharma UK, there is a much greater understanding across companies of the centrality of compliance to everyday business activities such as the separation between promotional and non-promotional activities. "Everyone knows the importance of the Code," he says. "No one has come to me recently and said 'Can I do this? I'm not sure if this is within the scope of the Code.' Everyone knows what they can't do. But there's a general view now that compliance should not be a business disabler-it should be about finding solutions. There's an increasing awareness that it's vital to be an ethical business that is top-down, bottom-up and about perception."

However, Garineh Dovletian, chief risk officer at The Medicines Company (Parsippany, NJ), a mid-size pharma focused on the acute/intensive care hospital market, believes the boundaries of what fall within compliance are less clearly delineated than they were 10 years ago. "I find it harder to define where compliance begins and ends," she says. "I can recount what the Office of Inspector General (OIG) guidance says, or what the US Sentencing Guidelines say, or what the Organization for Economic Cooperation and Development (OECD) says about what the role should be, but that's just the starting point." Whether it's working with finance and procurement team in terms of Foreign Corrupt Practices Act (FCPA) compliance and proper controls, or with clinical team and activities surrounding research and post-approval, Dovletian believes the role of the compliance officer is getting broader.

But is it taken more seriously? On this point, Siemens' CCO Dr. Klaus Moosmayer told C5's online blog (September 2014): "I am optimistic, but I'm not naïve ... we are certainly not at the end of the way to achieving this." He said that the question of whether compliance is seen as bringing business value is still a developing topic. Even now, the major day-to-day challenge of a compliance officer is getting support from middle management. Dovletian agrees: "If you don't have buy-in from the organization's mid-level leaders, you're dead in the water from a compliance perspective," she says. Mid-level managers are close enough to their employees to set the tone of the day-to-day operations; getting their backing is an issue that, for some companies, still needs more attention.

These struggles are endemic, however, and, perhaps, to be expected; after all, most heads of department have to be inventive in getting their organization on message. For Polaris Management's Marc Eigner, a vendor who has long worked with pharma compliance departments, CCOs are now more ensconced in the c-suite than they were a few years ago. He points to the rise of Actavis head Brent Saunders, who began his career in pharma compliance. "To see someone with a compliance background become CEO sends a clear message," he says. Much of the CCO's increasing recognition has been down to importance of commercial compliance. "In the past, the commercial aspect of compliance was not as big a deal to the CCO as, say, manufacturing compliance or government pricing," says Eigner. "But now we're finding that it has become the most significant part of the CCO role."

Data from the PwC report Compliance in 2025 reveals that 84% of pharma companies now have a CCO, reporting directly to the CEO. PwC's Sally Bernstein and Andrea Falcone picture the CCO as "the c-suite star of 2025;" by that time, they write, "the chief compliance officer will sit right at the very center of the seismic shifts reshaping business [and] will be a much closer confidant to the CEO, a permanent member of the leadership team, and a sought-out risk advisor when strategies are being set. Their voice will hold sway, and their wisdom will contribute to the resilience of the organization."

That all sounds promising, but 2025 is still 10 years away; in the meantime, many compliance departments do still have mountains to climb-even the biggest of big Pharma is a long way from matching HSBC's pledge for 3,000 compliance officers. Mid-sized Mundipharma, for example, has one full-time compliance officer and 11 part-time. But The Medicine Company's Dovletian resists the urge to differentiate the compliance officer role based on the size of the organization. "We're a company of approximately 700 people and we have the same kind of transactional complexity as you would in a large company," she says.

From a compliance-solution vendor perspective, Eigner agrees: "You might think it is harder for a small company with a smaller budget to get a compliance system in place, but the reality is they have far fewer roadblocks." Big companies may have larger budgets, but they also have "many more systems and many more people who have been used to doing things the same way for 30 years." Consequently, explains Eigner, getting things done in a big company can involve a lot of politics.

Eigner notes how, in smaller companies, customer master systems and finance systems are often "in their infancy," so getting the requirements embedded into these systems upfront can be easier. He points to venture capital-backed pre-approval companies "that are automating the entire end-to-end engagement process even before they have a product." If you're a specialty pharma company that wants to eventually be purchased, "the one thing that can thwart your chances is the threat of a $2 billion CIA or FCPA violation."

For Dovletian, it is "a bit naïve to define the CCO job based on the size of the organization. Whether you have one transaction or 100, you still require competency to do it right." Indeed, a big company could still be confined to one therapeutic area in one market and have a simple structure. But a smaller firm like The Medicines Company, Dovletian explains, is active in many different countries, many different therapeutics areas, and in different phases of development. Consequently, like the biggest pharma companies, it needs a compliance strategy that can be effectively rolled out globally.

Is a global compliance strategy possible?

With regulation of the disclosure of healthcare professional (HCP) spend an increasingly cross-border activity, the question remains of whether a global compliance strategy is really achievable, particularly in high-risk markets such as Syria, Yemen, or Russia, for example.

"It's very hard to manage a customized approach to each country," says Dovletian. "So templates should be standardized, and a code of conduct should apply consistently. You need to give people some predictability; if you want adherence to process it can't be too disjointed." Dovletian advocates the "grandmother test" as a "go-to test that can be applied consistently" across borders. Basically, you ask yourself the question: "How would I feel about a certain activity if it was affecting my grandmother?" This "helps you think a little more carefully about the long-term impact of your activities," she says. But, she adds, if there's a will to circumvent, it will happen no matter how strict the rules are. "If your incentive structures reward behavior that encourages short cuts or is aggressive, you're putting people in a day-to-day dilemma."

The global-standard theory sounds sensible enough, but in practice there remain significant obstacles to streamlining compliance across borders. Europe alone presents enough challenges to keep compliance officers awake at night. Inconsistencies across the region in terms of definitions, templates, and, not least, languages and cultures, will make the integration of the new EFPIA code something of an ambitious task to say the least.

Central to how a European country responds to new disclosure requirements depends on its "historical baggage," says David Eves. "If you look to Scandinavia and the Netherlands, those countries appear to be more OK with transparency, but elsewhere this can create a major concern at a personal level." (The Netherlands' national body, Nefarma, had set up its central database and published its first register by April 2013, more than three years ahead of the required EFPIA deadline). One senior UK compliance officer commented recently that Central and Eastern Europe (CEE) is the region that "makes me most nervous." She added: "Everyone has a moral compass, but trying to get a message across to staff in CEE that something is wrong when they in fact believe it is OK would take a very long time. You have a brick wall to break through if they think it doesn't affect them."

The biggest challenge in Europe is having databases of physicians that are reliable and regularly updated. Where, in the US, "you did not tend to see redundant multiple systems within one company," says Eigner, "in Europe it's the norm for a company in one country to have, say, three to five financial systems." He goes on: "I don't think I've seen a single large company yet that has less than four or five customer masters within Europe."

Even Western Europe's heterogeneity and multilingualism can work against it. "Someone from Switzerland could be engaging with a French HCP and not realize it," says Eigner. "The HCP might have a residence in Switzerland, and everyone is speaking French there, but he or she is a licensed French physician and subject to the demands of the Loi Bertrand (France's "Sunshine" Act). This is something we're going to start seeing in the next couple of years."

All this, adds Eigner, is new territory, even for major pharma companies. "This is the first time you're really seeing major companies moving to put a global transparency and global HCP engagement strategy in place," he says. "Even though there might be a global policy in place, the specifics have not been standardized." CCOs, then, have to ask themselves some questions: Are they solving a specific issue within compliance such as transparency? Or, for example, are they trying get HCO/HCP engagement standardized across the globe? The biggest challenge before formulating a global strategy, says Eigner, is addressing fundamental questions like these.

IT solutions

There is an increasing amount of software available to help companies streamline their payment-tracking processes, manage their sales forces, resolve their legal disputes, and adapt to new code provisions and updates across borders, but Dovletian says the question of what IT tools are available is just one aspect of the process. "There is a lot of software out there, but that's not really the issue. The issue is: have you stepped back and looked at all the silos and at what your infrastructure looks like generally?" she says. "Do you have a common language for information to flow into your system? Have you identified and connected with all the areas that should be feeding into your systems?"

Certainly, good technology is welcome; the better the systems, the better they can be audited readily and easily. Again, though, smaller companies can face challenges when it comes to equipping staff with the latest IT solutions. Eves says it would be "nice if staff had the means to access guidance in a way that would support decision-making in real time (e.g., via a tablet app for staff in the field). Having access to all the necessary information means that we would be supporting staff at the time since training will not necessarily cover every situation. Compliance often exists within a grey zone where there is not a simple black and white that can be covered in training."

At a technology-focused compliance event in 2014, one speaker-a vendor of IT solutions-pertinently reminded his audience that "IT solutions don't solve cultural problems." In Eigner's experience, however, a way to make these solutions work across cultures is "to present them as tools to make the business process more efficient rather than specifically a 'compliance tool.'" Then, he says, the level of acceptance is much higher, especially in countries that do not have direct transparency requirements.

Technology is all well and good, but it seems that time is a commodity that compliance officers need more of. Eves has faith in a patient, organic approach. He is confident that the EFPIA guidance on transparency and member state code changes are right and that, eventually, full disclosure will become the norm. "As an industry we need to work together to be sure there is consistency. The pick-up may be slow, but in time it will be accepted."

The same can be said about the CCO in pharma. PwC's State of Compliance Survey 2014 reminds us that the CCO role is only "roughly a decade old and has evolved rapidly." If it takes another 10 years for the CCO to become, as PwC predicts, "the c-suite star of 2025," it will still have been a fairly momentous rise to prominence, especially given the plodding pace at which pharma likes to advance. But, increasingly, as US healthcare lawyer Christopher Parrella wrote recently, "The chief compliance officer is viewed as the gatekeeper of a company's reputation." In this observation alone we can see the enormity-and importance-of the task ahead.

Julian Upton is Pharm Exec's European and Online Editor. He can be reached at jupton@advanstar.com.