Evaluating the Effectiveness of a Corporate Compliance Program: A Holistic Approach
21 October, 2014 Brian A. Dahl Dahl, Compliance Consulting
Now more than ever, pharmaceutical companies must not only have an effective corporate compliance program in place, but senior management and boards of directors at these companies must ensure that they evaluate the effectiveness of those programs. The best reason to evaluate the effectiveness of your compliance program is so that you know whether or not the program is managing the particular risks facing your company. If you are responsible for protecting your company from risk, shouldn’t you want to know that your compliance program is working?
Apart from giving you assurances that your compliance program is working, government enforcement and regulatory officials expect that a company will evaluate the effectiveness of its compliance program. The United States Federal Sentencing Guidelines require that a company periodically evaluate the effectiveness of its compliance program. Furthermore, the Office of Inspector General (OIG) – through both its compliance program guidance documents and its corporate integrity agreements (CIAs) – has repeatedly stated over the past several years its expectation that a company evaluate the effectiveness of its compliance program and that the highest levels of a company’s leadership must participate in this process.
|Evaluating the effectiveness of your compliance
program validates whether the program is managing
the risks your company is facing.
Corporate Integrity Agreement Requirements
In its pharmaceutical company CIAs, the requirement to evaluate the effectiveness of a corporate compliance program can be traced back to the OIG’s CIA with Bayer in 2008. The Bayer CIA requires the company’s board of directors to retain three independent experts, referred to in the CIA as the Compliance Expert Panel, to perform a Compliance Program Review to evaluate the effectiveness of the company’s compliance program. Based upon the panel’s evaluation, the CIA further requires that the board pass a resolution concluding that the company has implemented an effective program.
The Bayer CIA is so far the only CIA to require that a company’s board of directors engage multiple independent compliance experts to evaluate the effectiveness of a company’s compliance program. It is not, however, the only CIA to require that a company engage an independent expert for such an evaluation. Prior to 2013, at least four other CIAs required companies to do so.
In its 2013 CIA, the OIG also required Johnson & Johnson (J&J) to engage a single “Compliance Expert” to evaluate the effectiveness of the J&J compliance program. In a bit of a twist, however, the J&J leadership team, rather than the company’s board, must arrange for the evaluation of the effectiveness of the J&J compliance program by engaging the compliance expert. By also requiring the company leadership to review the “Compliance Program Review Report” as part of its obligation to assess the company’s compliance program, the J&J CIA creates a joint responsibility between the board and senior leadership to evaluate the effectiveness of the program.
A Holistic Strategy for Evaluating Effectiveness
When evaluating the effectiveness of a corporate compliance program, a company should take a holistic approach. Rather than focusing on any individual metric or set of metrics, a company should evaluate the design of each element of the program (Element Evaluation) , which should include an evaluation of any risk assessment conducted by the company.
A company also should evaluate the program’s overall success in shaping compliant behavior and attitudes within the company (Success Evaluation).
This approach requires both (1) asking a number of probing questions about each element of a company’s compliance program and (2) examining the effect that a compliance program has on the company as a whole as well as the individuals within the company. It also involves assessing the program on both a quantitative and qualitative basis. Examples of quantitative measures include analyzing statistics on such things as training completions, hotline calls, and disciplinary actions. Examples of qualitative measures include examining whether the compliance officer has the necessary authority and autonomy to effectuate change within the company and evaluating whether a company’s policies and procedures adequately address the specific risk areas faced by the company.
The PhRMA Code provides insight on how a company should go about evaluating its policies and procedures. The Code encourages a company to periodically seek “external verification” to ensure that it has policies and procedures in place to foster compliance with the Code. Guidance on PhRMA’s website enumerates how the organization believes a company should go about such verification. PhRMA Code external verification is but a starting point in the evaluation of the effectiveness of a compliance program. A company must extend this sort of in-depth examination to each of the other elements of its program to get a more complete picture.
Moreover, a holistic approach to evaluating the effectiveness of a compliance program also requires examining how well the program as a whole is working create a culture where compliance is an integral part of the business, rather than a function bolted onto the company. A senior management team that expresses its commitment to the compliance program and employees who understand and buy into the program are indicative of success. A successful compliance program should change behaviors. To do this, senior management must set the tone and an evaluation must be able to discern unambiguous statements about the importance of compliance made to an employee population that is both receptive to and understanding of the compliance message.
Are you wondering how to improve your compliance program? "MasterControl Quality and Compliance Consulting Overview" is a free download that may provide you with new inspiration.
Brian Dahl is an independent compliance consultant whose practice focuses on assisting pharmaceutical, biotech, and medical device companies with their Corporate Compliance needs. He is the architect of the Corporate Compliance Programs at two top tier pharmaceutical companies – Teva Pharmaceuticals and Takeda Pharmaceuticals – and brings that experience to the service of clients who are developing, implementing, or evaluating the effectiveness of their Corporate Compliance Programs. Prior to becoming a pharmaceutical compliance professional, Brian practiced health law at the law firm of Baker & Daniels. He began his legal career practicing advertising law in Washington, D.C., first at the Federal Trade Commission and later at the law firm of Collier, Shannon, Rill & Scott.
You can reach Brian at 847-800-1753 or at DahlComplianceConsulting@gmail.com