Compliance is the art of ensuring obligations are met according to the risks they pose. Businesses in the pharmaceutical industry have a myriad of obligations placed on them by governments, regulators, customers and many other sources. These obligations range from industry specific topics such as manufacturing practices and licensing restrictions to general topics like data privacy and accounting controls. Due to a number of recent scandals in China and elsewhere, the current hot topic for many compliance professionals in the pharmaceutical industry is corruption.
Corruption is generally defined as offering, giving, requesting or accepting bribes or kickbacks, as well as any abuse of power for private gain. The bribes might take the form of an expensive gift or lavish travel and entertainment, and it doesn’t matter what form the bribe takes, as long as it was intended to induce a certain behavior. The function of compliance is then to put policies, processes and controls in place to ensure that any gifts or entertainment that employees do give are not intended to influence the recipient. In any large company, the implementation of these policies, processes and controls needs to be supported by some form of technology to be successful.
Compliance software can be a great solution to some of the problems encountered by compliance officers; however, in order for the software to have a positive impact, a number of common, though significant, issues must first be overcome.
Compliance software can include any technology which is used to aid a compliance officer in the daily running of their compliance programs. The technology itself can range from simple emails and spreadsheets through to an enterprise-wide governance risk and compliance solutions, and anything in between.
Why would a company need compliance software at all? The answer to this depends on a number of factors, including the size of the company and its culture. Take, for example, a program to manage the registration of gifts and entertainment within a company. Implementation of such a program can happen in a number of ways. Assuming that there is buy-in from the board and management and those resources are available, at the cheapest and simplest end, there could be a policy stating that all gifts must be reported to line managers. The policy can be posted on a notice board and training can be provided in a classroom environment so that no further technology is required. The scalability of this simple program could be supported by the use of generic technology, such as emails to announce the policy or a spreadsheet to track training. However, it can be seen that beyond the smallest company with the simplest programs, more technology will be required, and the use of systems specifically designed for compliance will be of greater use than those designed for general office purposes.
While this low-technology-based implementation has a number of advantages (not least of which are low cost and speedy deployment), it also has a number of drawbacks. These drawbacks include difficulty to scale the technology to large numbers of employees in several locations, and a lack of documentation (which is necessary to confirm that employees have read the policy, that they have been trained on its contents and that they are actually following it).
The benefits of using software that has been specifically designed for compliance issues go beyond just scale. The software can also provide advantages in areas such as:
• Speed – the rollout of communications, training, policies and processes can be managed far more quickly via tools that know the user population (via a connection to a human resources system or email address book), which will allow for the easy segmentation of target audiences (so specific instructions can be given to individual groups) and the management of those who don’t respond.
• Cost reduction – using an electronic platform means that more people can be informed of new policies and trained for less cost than in classrooms (although the quality of the training may not be the same).
• Certainty of process – the processes defined in the compliance program can be built into the system, forcing the users to follow a fixed path. This may include keeping messages within the system (rather than email) or building a workflow to ensure that decision-making is always done at the right level and with the right information.
• Monitoring and measuring – the effectiveness of the program can be tracked more easily when metrics can be taken directly from the systems running the program (e.g. determining the number of people who have completed a training program or the number of people who have registered a conflict).
• Documentation and audit trails – the biggest advantage of software solutions is the document trail, which not only confirms that the program is being adhered to, but also means that a compliance officer can easily find previous versions of policies, records of training and information about any registered conflicts and decisions made pursuant to conflicts (which is of great assistance in the event of an audit or an incident).
Once you have established your reasons for the technology, the next step is to determine which functions will allow you to achieve those aims. This analysis needs to go beyond the obvious, “I need a system to manage my gifts and entertainment policy.” You will need to consider the complexity of your overall processes and determine where the technology-based compliance system will start and stop.
The types of solutions needed to manage corruption may include:
• A policy management system to ensure that everyone knows the rules they need to abide by;
• A location for disseminating training and communications about the policy;
• A system to require managers to certify that they have trained their teams and will comply with the policies;
• A register for gifts and entertainment, which will allow approvals to be given and reporting to show where issues may lie;
• A system to manage the screening and monitoring of third parties, which are often the conduit of indirect bribes.
It is often the case that you will be looking for a solution to whatever issue is currently most pressing. When selecting a technology solution, however, it is wise to consider the functions you may need in the future as well as those you need today, either in terms of new compliance programs or building out the current program. The worst solution is to have a number of independent systems managing different aspects of what should be a single compliance program.
It is rare that a full suite of compliance tools will run without any interaction with your existing systems. Regardless of where the system is hosted, you should consider whether you could benefit from integration with:
• Human resources systems to ensure new users are added and old ones removed;
• Authentication systems which allows for a single sign-on to simplify the log-on process for users;
• Enterprise resource planning (ERP) systems to ensure new partners are effectively screened;
• Travel and expense systems to support gifts and entertainment tools;
• Learning management systems (LMS) to support central recording of training.
Once you have determined the type of data to integrate, you should then consider the level of integration which can often have a significant cost implication. Types of integration include:
• Manual uploads using a defined template;
• Manual or automated file transfers using a secure protocol over the Internet;
• Fully automated transfers on demand via an application programming interface (API).
Decisions on the automation and level of integration require a cost-benefit type review to weigh the time and resources of a manual process versus the cost of building and maintaining an automated process. Vendors should be reviewed not only on the integration options they provide, but also on their flexibility in allowing integration to grow as you better understand your processes.
So how do you actually go about implementing software to support your compliance program? The first step is to gain commitment. This includes commitment from executive management as well as those who will be involved in the process. To achieve this, you must be clear about the risks and obligations that the system is being designed to manage and focus on how the system will support the strategic goals of the organization. Having issues such as those surrounding GSK and Sinopharm fresh in the minds of your senior managers can help.
Additionally, there also needs to be a consideration of the question of whether to build or buy. You will need to think about your company culture, budget, size and geographic locations, and whether you have the necessary resources to complete an internal build project. If you are able to build internally, you will need to ensure that there is a plan to meet the challenges of supporting and maintaining software once the initial budget has been exhausted. Should you decide to purchase a system, test the market and select a vendor who understands the goals of compliance and has built a flexible system that allows you to fit their software around your processes.
The next stage is to implement your system. This entails more than the basic parts of designing the processes, purchasing or building the system, then implementing and testing the processes. The key element, which is often overlooked, is communication, since a major risk for any system is that people won’t use it. A clear strategy for communications is required, and it must include a detailed training program (either in the classroom or online) that covers the reasons for the system (e.g., corruption or health and safety) and when the system will be available as well as how to use it.
The final stage of the system implementation is to ensure that the technology is actually being used. This can be achieved in a number of ways, such as monitoring access to the system after the rollout, reviewing the information entered into the system and asking users for their feedback. Where issues are found, a review will need to be conducted to understand the root cause — whether the processes were not well designed, the communications were ineffective or the technology was not suited to the needs. In each case, remedial action should be taken on each of the causes so that the system and programs do not fail or be seen as failing.
The last review that needs to be carried out is to establish whether the overall system meets the goals set out in the planning phase. This might consider things such as whether the budget was sufficient, whether the technology choice was appropriate, and whether the risks and obligations have been managed.
It is clear then that software systems can, and should, be an integral part of solving compliance challenges. The key to making them work, however, is ensuring that the software is selected and configured to fit the program rather than the other way around, and not ignoring the soft skills of management buy-in, communications and training.