4 signs your compliance program is out of date
Life sciences companies tend to consider themselves leaders when it comes to compliance policies.
In one sense they’re right. The close sales relations between their distribution agents and state-linked doctors and hospitals have long made them vulnerable to corrupt practices and put a target on their back for enforcement under the Foreign Corrupt Practices Act or other legislation. As such, life sciences companies — especially those with markets abroad — were among the first to really get organized around third-party compliance, setting up systems to research and monitor compliance practices among their partners.
But that first-mover advantage is inexorably fading as they persist with third-party compliance systems that are between five and 15 years old and are no longer best in class. Other sectors, such as software providers, have leapt ahead by taking advantage of technology advances.
Even as their compliance systems age, pharmaceutical and medical device companies are facing an ever more complex and dynamic business environment and growing risks from enforcement agencies globally. The GlaxoSmithKline bribery scandal in China is the most recent high-profile example of the risks of lax compliance, resulting in a heavy fine and a jail sentence for the company’s China head. The sector now also has to contend with rapidly growing regulatory attention from Europe, particularly under the UK Bribery Act and the French SAPIN 2 legislation.
There are four broad areas where a company’s compliance system could be showing its age and creating unnecessary risks. Asking yourself some tough questions and addressing possible lapses now can save your company millions of dollars in fines and reputational damage.
It’s crucial to have a recertification methodology that keeps pace with the rapidly evolving world of third parties. Life sciences firms operate in a very dynamic market where their third parties often undergo changes that affect their compliance practices, such as coming under new ownership or taking on major new clients. A distributor that may have been compliant when the partnership began 10 years ago may have significantly higher compliance risk due to intervening switches in its business relationships, operations or new regulations. At the same time, recertification practices that were adequate a decade ago may not be up to the task now. Companies need a system that keeps pace with the rapid changes in the sector and which fully leverages internal knowledge about third parties, particularly in the sales team.
Outdated research methodology
Many companies are persisting with outdated methods of researching their third parties that rely heavily on source inquiries.
Using human intelligence has its place in investigations and evaluating extremely high-risk relationships. But now, most information needed to properly assess third-party risk can be gathered more efficiently and less expensively. Technology, which is improving every year, provides new risk-based assessment models that can keep pace with regulatory changes and monitor the changing risk profiles of third parties. This gives firms access to higher-quality research to home in on riskier relationships and avoid “boiling the ocean” by wasting time and resources on every partner.
Limited due diligence
Some older compliance programs focus only on their high-risk third parties, leaving themselves vulnerable to dangerous breaches among the bigger field of partners considered low or medium risk. While the principle of not boiling the ocean should still apply, it’s important your system ensures certain criteria are met across the whole universe of third parties. An up-to-date system, combined with technology, allows companies to consistently monitor all of their third parties while still devoting the lion’s share of attention and resources to the riskiest ones. Another common limitation of old compliance systems is that they focus on one type of partner, such as sales agents. A modern system should cover the whole gamut of partners, including suppliers and contractors.
Having five-to-10-year-old technology — as many firms do — doesn’t mean you have a bad compliance program. But if those platforms haven’t been significantly upgraded in recent years, it means you’ll be missing out on running a compliance program with much more nuance, speed and sophistication. Advances in artificial intelligence, automation, and integration have created a leap forward in the coverage and efficiency of compliance. AI has helped programs monitor more third parties and reduce the incidence of false positives. Better integration has helped enormously in getting a whole organization on the same page on compliance, linking the sales CRM with finance and compliance in real time. As soon as a third party hits a certain deal level in the CRM, the compliance team can be alerted immediately and run database checks on the company to ensure it meets standards and doesn’t raise red flags.
Many players in life sciences and other sectors balk at updating their compliance systems because of the cost and resources involved. However, long-term efficiencies and technological advancements in the ease of integration and automation more than offset these efforts. A state-of-the-art program should reduce expenses over time by sharpening the focus of compliance efforts and reducing wasted time and resources.