Beyond the Basics - Building Business Value through an Effective Compliance Program

For Medical Device


Through the recent overhaul of the AdvaMed Code of Ethics, medical device companies gained the opportunity to use the renewed emphasis on ethics to revamp their approach to compliance. Most companies quickly integrated the updated Code provisions into their compliance policies and trained their employees to follow explicit guidelines about appropriate and inappropriate interactions and arrangements with healthcare professionals. Now they stand ready to take the next steps to build global compliance programs that create business advantage, foster innovation, and contribute to long-term viability.

In addition to assimilating the new AdvaMed guidelines, medical device companies are striving to get ahead of stepped-up enforcement actions from the Department of Justice (DOJ), Securities and Exchange Commission (SEC), Federal Trade Commission (FTC), Department of Health and Human Services Office of Inspector General (OIG), Centers for Medicare and Medicaid Services (CMS), and Food and Drug Administration (FDA). Investigations and prosecutions from this alphabet soup of regulators drain an enormous amount of financial and human capital from individual companies, but failing to devote adequate resources to compliance issues can cost even more. Financial penalties, imprisonment of company officers, and reputational damage can have a lasting negative impact on business value.

Medical device companies should understand the minimum requirements of a compliance program that builds business value:

  • Clearly established written policies
  • Executive oversight
  • Careful delegation of responsibility
  • Effective training and communication
  • Robust auditing and monitoring
  • Consistent enforcement
  • Prompt response to violations

Leading medical device companies move beyond these basics to weld compliance into the framework of their corporate culture. To achieve this integration, they assess risks, audit their compliance efforts, and reinforce compliance through ongoing monitoring of key performance indicators (KPIs).

Assess Risk

A recent PricewaterhouseCoopers survey revealed that almost 60 percent of medical device companies polled do not use risk assessments to determine whether their monitoring programs effectively match limited resources to the most relevant risks. Failing to set such priorities limits compliance effectiveness from the outset.

Leading companies manage — rather than eliminate — risk, knowing that they need to analyze and balance an array of sometimes competing elements before formulating an appropriate response. To effectively assess risk, companies must establish a compliance baseline and then identify the risks associated with that target. Before deciding on a tactic, prudent companies examine their risk tolerance, cost-benefit ratio, and the effects of various potential actions on business performance.

After identifying risk tolerance, companies should examine business processes to see where risk lies and determine how they want to manage it. Good candidates for assessment include marketing and promotional campaigns, charitable contributions, research grants, consulting arrangements with health professionals, and educational conference sponsorships.

Yet many processes go unchecked. For example, the PwC survey revealed that most of the participating medical device companies (90.6 percent) do not require their compliance departments to review sales compensation plans for incentives that could conflict with compliance laws and regulations. Compensation processes are often vulnerable to risk and lend themselves to enhanced controls, such as required completion of annual compliance training or tying bonuses to ethical behavior.

For each process, the compliance assessment should identify risks and ask if an infrastructure of people, process, and technology exists to manage them. Are controls in place? Is available data sufficient to monitor compliance?

Assessment tools might include personal interviews or written questionnaires for staff who carry out the process, flow charts showing the activities involved and who is responsible for them, benchmarking of practices against industry standards, and site visits to see how the process works in practice.

Once the assessment is complete, companies should empower process owners to take corrective action when they detect a change in the risk environment. Such empowerment enables companies to respond more effectively to their changing risk profile and move ahead of companies that are slower to react to new risk issues.

Audit Compliance Activities

Auditing goes hand in hand with assessment. Medical device companies take differing approaches to compliance auditing, with the responsibility most often placed with their compliance staff, designated compliance auditors, or external auditors.

At high-performing companies, the audit function offers independent, objective analysis to evaluate and improve the effectiveness of risk management. Auditors work with functional departments to consider how new company initiatives might affect risk management controls. Their audits also inform management and the board about how well key risks and compliance priorities are addressed.

Establish Governance

Although written disciplinary policies and procedures should govern the resolution of compliance policy infractions, more than one third of respondents to the PwC survey said their companies did not have them. Additionally, more than one third did not have formal procedures for notifying the board of pending investigations or compliance mishaps.

In every company, a governing board or committee should provide compliance oversight, following written policies and procedures. Ultimately the board should assume responsibility for risk management, investigations, and response.

Setting the proper tone at the top and following through to all levels of management will help establish a culture of compliance. Frequent and consistent communication by leaders to employees should emphasize the role each person plays in living the values of the organization.

Monitor Compliance Progress

Monitoring completes the cycle that assessment and auditing set in motion. To effectively monitor compliance, companies must designate KPIs to serve as formalized reporting mechanisms. KPIs can provide early warning of deviations from accepted practices. Common KPIs include:
  • Training metrics
  • Expense reporting violations and anomalies
  • Number and type of investigations and hotline calls
  • Metrics for committee activities
  • Measurement of development and completion of compliance plans
  • Metrics for due diligence on vendors
  • Tracking of patient complaints and their resolution
  • Use of a compliance incident reporting database
  • Tracking of number of contracts reviewed
  • Self-assessments by business units

Companies must clearly assign responsibility for monitoring KPIs. Although the compliance department is ultimately accountable, the business process owners should track KPIs and monitor the effectiveness of internal controls on a daily basis.

In the PwC survey, about 40 percent of respondents said they have not defined and measured KPIs to determine the effectiveness of their compliance programs, and another 40 percent are still developing KPIs. About 19 percent, however, have forged ahead in using KPIs and dashboard metrics to improve compliance reporting.

Use Technology to Aid Monitoring

Technology can streamline compliance monitoring. Automated software that monitors and reports on business processes can make monitoring more efficient and less labor-intensive. Real-time automation can enable timely compliance with regulatory demands, enhance control of internal operations, and lessen the risk of missing profit opportunities.

Implementing monitoring systems using business process management (BPM) technology allows companies to track transactions and apply controls in gaps between stand-alone IT systems. When rules within the BPM detect an abnormality in the KPIs that the system monitors, it can send color-coded alerts to reporting dashboards and generate e-mail notifications to predetermined recipients. With so many legacy systems already in place, companies that choose to pursue BPM concepts can profit best by integrating them with their existing systems. Conversely, small companies with simple IT infrastructures can benefit from the installation of pure BPM-enabled technologies designed to monitor their most important business processes.

Investigate, Report and Respond

How companies choose to use the information they gain from assessing, auditing, and monitoring can be critical to their survival. Highly ethical companies always document and act on compliance deficiencies, no matter how insignificant they seem.

Whether uncovered by internal monitoring, whistle-blowers, or external regulators, when misconduct or aberrations from accepted practices occur, companies must investigate and respond immediately. Proactive investigations help companies lessen the impact of noncompliance incidents. Moreover, they can use the information gained to improve controls and training so that the same type of incident will not recur.

In addition, management should encourage employees at all levels to report ethics violations and equip them with procedures and authority to handle ethical breaches. The identity of employees who report through hotlines or other channels should always be protected. Leaders should communicate to employees that they will not suffer repercussions for reporting violations.

Companies that take responsibility for wrongdoing or damage to customers and pursue corrective action quickly also decrease negative impact to their reputation and financial strength. Voluntary disclosure to authorities can reduce the likelihood of criminal prosecution and lessen monetary and other penalties. Accepting responsibility for correcting noncompliance — even when the company itself is a victim of fraud or abuse in violation of strict policies — sends the right message to investors and customers.

Boost Reputation Through Compliance

Moving forward, companies need to solidify their compliance by taking the next steps to fully assess, audit, and monitor their programs.

AdvaMed will publish a list of companies certifying that they have implemented the stricter Code of Ethics on its website beginning Jan. 1, 2010. In addition, these companies may apply for a license to use AdvaMed's "Code of Ethics Supporter" logo. The companies on this list should aspire to serve as role models; they have the ability to lift the ethical culture of the industry beyond what is required by law.

In the eyes of the OIG and of many prosecutors, compliance plans are effective only if the corporate culture clearly reflects adherence to the plan. Companies that live their code of ethics day to day benefit from stronger corporate reputation, better execution of their strategic goals, fewer ethics violations, greater trust in business relationships, higher employee satisfaction, and lower compliance costs.

Peter Claude is a partner in the San Francisco, CA office of PricewaterhouseCoopers, where he leads our practice serving West Coast life science advisory clients. Peter brings an in-depth knowledge of the life sciences industry to his extensive process and controls background as well as an international perspective from a four-year tour of duty in Switzerland.

Peter's clients have included a broad range of large and small domestic and multinational pharmaceutical, biotechnology and medical device manufacturers as well as pharmacy benefit managers. His engagements have covered corporate, commercial and R&D compliance issues, channel strategy and commercial contracting and performance improvement, pharmacy benefit manager and wholesaler relationships, government price reporting, and strategic alliances. He can be reached at (415) 606-2781 or

Jean Sands is a manager in the Chicago office of PricewaterhouseCoopers with the Pharmaceutical and Life Sciences Advisory Services practice. Her experience capitalizes on ten years of pharmaceutical and medical device industry experience coupled with an educational background in business and communications. Her healthcare background includes experience with corporate ethics and compliance, marketing (analytical and contracting) and sales. Prior to joining PricewaterhouseCoopers, she worked for Hospira and Abbott Laboratories' Hospital Products Division (HPD).

Jean Sands' compliance experience includes implementing global compliance programs with corporate policies, procedures and training programs for interactions with healthcare professionals, the Foreign Corrupt Practices Act (FCPA), anti-bribery / anti-corruption laws and anti-kickback laws. In addition, her experience includes streamlining complex compliance policies, developing innovative ethics and compliance training programs and working with federal and state marketing disclosure requirements. Because of her commercial experience, she has a particular compliance focus on the Commercial Organization and the Global Medical Affairs Organization, specializing in the key risk areas of Sales and Marketing, Medical Education and the Clinical Grant-in-Aid process. She may be reached at (312) 298-3026 or