Compliance Disruptors

July 15, 2019

Pharmaceutical Executive

Volume 39, Issue 7

Big pharma compliance leaders discuss the strategic move to principles-based policies at their companies and the impact of other emerging forces influencing industry compliance practice, including data analytics and security and training approaches adaptable to new workplace dynamics.

Pharm Exec sits down with a pair of big pharma compliance leaders to discuss the strategic move to principles-based policies at their companies and the impact of other emerging forces influencing industry compliance practice, including data analytics and security and training approaches adaptable to a changing workplace dynamic.

 

 

At CBI’s recent 16th Annual Pharmaceutical Compliance Congress (PCC), over 300 compliance professionals from all sizes of pharmaceutical companies came to Washington, DC to discuss the latest developments in their function. Conference Chairperson Bryant Aaron, vice president, chief compliance officer, US country head, ethics and compliance for Novartis, noted that more than half the companies represented at the meeting were smaller pharma organizations. He also noted that the docket of topics at PCC was diverse. 

Aaron joined colleague Jennifer McGee, vice president, chief compliance officer for Otsuka America Pharmaceutical, Inc., in a sit-down with Pharm Exec during PCC to discuss the current disruptors in compliance, including the transition to principles-based policies, training and data, and analytics usage as a risk predictor for compliance professionals. 

 

PE: Many functional departments in pharma are seeing disruptors or innovations that are coming, or are here, for the compliance function. What are you currently facing?

BRYANT AARON: We moved to principle-based policies and, though we were not the first, we have found it to be very beneficial for our company. It takes some training for people to get used to it, because it’s a move from rules-based policies, where all the rules are spelled out. So they aren’t looking for rule 12 anymore. You can’t have a rule for every potential eventuality; instead you have principles that are built into the policy.

We still need rules, but the principles really help guide people when there isn’t a rule. It gets them thinking in the right way. I tell them that you’ll always have the compliance team to help you - we aren’t going away - but the principles help to guide your decision-making. We are all leaning toward the same goal, which is to have the business involved in compliance.

JENNIFER McGEE: We also are moving to principles-based policies. I liken it to teaching people how to fish, rather than giving them the fish. Rather than having a 30-page policy, with paragraph 1.2.3.5, with a million different rules, we’re actually distilling all of our policies down to a very short length to provide examples on how to apply the principles. 

What I’m very excited about is that we just moved all of our policies and procedures to an app, so everyone in our company can access the web-based and searchable information. So even if they are out in the field, they can search in the app, for example, what is the meal limit, how to report a potential conflict of interest, etc. 

AARON: We approached ours very similarly. We provide the principles upfront, so that we could start a discussion about it, and as we developed the principles-based policy, it was co-developed with folks across the business and from every level, from sales to marketing to quality, and everyone was involved in it. We had many collective discussions and created a policy that was easy for our colleagues to understand and apply in the real world.

The discussions became great engagement sessions...people really began to think about the policy, and “why” we do certain things. The policy became much more than a rule that is dictated from legal or compliance. During the meetings, we discussed why we have certain rules, and the basis for the principles. Then associates get it - they understand it and internalize it and they become ambassadors back to others in their organization.

McGEE: It becomes a culture of integrity. 

AARON: You are absolutely correct. The seven principles of compliance have been around for a long time, but how do you make a compliance program sustainable? How do you drive toward development of a compliance culture? You can’t have a compliance person every place. You can’t audit and monitor every potential activity you engage in. But a principles-based policy, where everyone in the organization has complete buy-in, helps to drive a culture of compliance and develops compliance champions throughout the organization.

PE: Where are you in moving the organization to the principles-based policies?

AARON: We’ve had it in place for a little over a year now. And it’s a lot of work - it requires change management to help people think past just the rule, and to consider the purpose and intent of an activity. Also, it’s not a one and done. As with any policy, you need to constantly revisit it and revise it as necessary.

McGEE: It is a lot of work. We are still in the process of changing ours, and we started at the beginning of last year. We hope to be done by the end of this year. But we tried to do it on a change management schedule that was sustainable. Just for one example, we took our Conflicts of Interest policy from 11 pages to two. It was challenging to do that, but that reduction alone has gotten us huge buy-in.

AARON: We cut our policy page count in half. Associates were very engaged in the process of the co-creation and development of the policy. If you think back only a few years ago, when associates were hired and on-boarded and given a large compliance book, with rule after rule (and many subparts), it was daunting. But when an associate is on-boarded and is trained on our five basic principles, which are supported by guidelines and rules, it’s much more palatable and easier to understand.

The change management piece cannot be underestimated. In our industry, we have primarily operated with a strictly rules-based approach for a long time. But once associates understand how a principle-based policy enables better decision-making, more often than not, there is huge buy-in. And there is certainly huge buy-in from the senior executives in the company because they recognize the value of associates, in the absence of a clear rule, using professional judgement and thoughtfully considering the purpose and intent of an activity.

McGEE: The most difficult part of change management in changing to principles-based policies is in investigations and disciplinary actions. You invariably will have someone that will say “well, where does it say that’s a rule?” and you have to be willing to stand behind that you trained them on the principles, that you trained them on how to apply the principles and they didn’t act in accordance with the principles, even if there wasn’t a specific rule. 

For us, that was a big barrier because there were a lot of people who had angst around that aspect of the change.

 

 

PE: How do you manage that change? How do you train your employees on principles-based policies?

McGEE: The training is so very different from what we did in the past. When we were under a CIA (corporate integrity agreement), we had a very prescriptive two-hour training, so much so that people told us how dreadful and boring it was. 

 

Now, every month, we do a three-to-five-minute micro-learning course that talks about a couple of our principles. We keep them fresh throughout the year, and every month they get an animation or video with links to the policy with a couple of questions. These teach them how to apply the principle, provide commonly-asked questions about the principle, and that has received huge response from our stakeholders.

AARON: We do something similar. We’ve gotten away from simply having the talking head on a training video. In our online training, we allow associates to select upfront their level of confidence about the topic being presented, so the information that follows is geared toward that selection. For example, if the associate feels confident about a topic, there is a very challenging mini-quiz upfront, and if the associate gets those all correct, the balance of the course goes a lot faster. People love that. 

We still have some training videos as part of our online training, but they are much more interactive and include elements of gamification and cartoons as well. Speaking of training, 50% of our workforce are millennials. Their expectations around training are YouTube-esque. We found it effective and impactful when we talked to them to find out their views of training. Of course, like everyone, we have vendors that pitch us on new ideas about how to develop more impactful training, but when you engage with your own people in the organization and ask them how they would do training, they are very helpful in how they think training could work better. We’ve incorporated some of those ideas. It’s been very beneficial and it’s the first time we’ve gone deeper into the organization for those viewpoints. It’s been very educational for the team, a really good process.

McGEE: We’ve found that different parts of the organization have very different learning styles and requests. We did a video mini-series that was created with Second City (comedy production), and our sales and marketing teams loved them. But other teams in the organization did not find them as engaging. It is very interesting to see how others perceive them; so, not only generationally, but functionally. 

PE: What other disruptors do you face?

AARON: Another potential disruptor, in a good way, is data analytics. One day we will have the ability to perform predictive analytics. In the future, we will have mined enough information and artificial intelligence will have developed to the point that machines will predict that, for example, based on the upcoming launch of product X, in geographic area A, and factoring in the training that was provided, and other results from prior monitoring/analytics, you may experience certain types of issues and you may want to consider additional training on a particular topic or increased auditing and monitoring. We are making very good progress along the analytics journey. We have developed a pretty robust data analytics program that is also tied into our risk management process, and looks at not only what has happened, but helps to inform what we should do next. A very basic example is from the training arena. When there is a sales meeting, we are able to tailor our training based on what we are seeing in our online training statistics.

To me, data analytics is one of the most exciting things that will transform the compliance function, because we will really be able to focus our efforts and resources in the right places. Going forward, I believe having a data analytics program, combined with a robust risk assessment and mitigation program, will be an absolute requirement of an effective compliance program. 

McGEE: I agree completely. I think we have three disruptors…one is moving to the principles-based policy, and two is clearly data analytics. The government is already expecting us to be doing those data analytics, so if you as a company are not doing data analytics, your program needs to consider strongly whether you are appropriately resourced and need to do them because, to me, exactly as Bryant said, it allows us to better use our resources to monitor and audit where our real risk areas are. Because pulling a random sample is just not enough anymore. And it’s not a good use of our resources.

The third disruptor that has changed the field of compliance and will continue to be a big disruptor is - it goes along with the data - privacy and information security. Any company that says its top risk is not information security, is not being very insightful. At this point, we are collecting so much more data than we ever have and collecting a lot more personal data than we ever have - and even from an IP perspective, information security is going to become more and more critical.

AARON: All of this data also brings huge responsibility. Now that we have more of an idea of the amount and types of data we have, even when it is stored in disparate systems, we have to make sure we protect that data and use it appropriately.  

McGEE: Here’s a good example. We collect a lot of clinical trial patient data. And we have consents on how that data can be used for certain specified purposes. And you as a company may have that data stored all in one place, but each data set has a different consent for a different purpose. 

So how do you ensure that when all that data is put together, you are only using it in accordance with the specific consent? And even now, we are expected, at least in Europe, to provide clinical trial results and patient lay summaries, and data sets for research purposes. We have to check each data set to see if we are allowed to provide all of that data in that set or not. There are a lot of moving pieces. 

In addition to clinical trial data, we have employee data, we have former employee data, we have customer data, patients that sign onto patient assistance programs data - we have a lot of data coming from disparate sources.

For the smaller companies, they have the opportunity to put controls in place from the outset. We are at a disadvantage because we are trying to cobble something together after the fact because we’ve been collecting data for so long. But a smaller company is in a great place to do privacy-by-design and information security-by-design, and that’s the ideal way to do it. You have all those controls upfront.

AARON: Agree. Sometimes in larger companies, you may have legacy systems that are not fully integrated. That can be a challenge. And that’s why I think it’s great that there are a lot of smaller and larger companies here at the conference sharing best practices. 

McGEE: Many of the small companies are pioneering in the rare disease space and they don’t have the developed compliance programs that some of the larger companies do, so I think we can all learn from each other as this space moves forward. 

 

Lisa Henderson is Pharm Exec’s Editor-in-Chief. She can be reached at lhenderson@mmhgroup.com
