Maintaining compliance beyond the pandemic

Oct. 21, 2021
Investing in employee readiness will be crucial to present and future success

The challenges the pharmaceutical industry faced in 2020 — from the COVID-19 pandemic to the chaotic economy to political pressures — look more and more like a new normal rather than a temporary crisis.

For example, the Biden administration invoked the Defense Production Act to speed up the production and distribution of COVID-19 vaccines, all but ensuring that pharma manufacturers will be busy for months, even years ahead. Industry business practices are transforming, with less travel and more remote work possibly remaining — even after the current crisis finally ends.

Subsequently, risk and exposure for the pharma industry are permanently changing, including in the areas of employee health and safety, data privacy and cybersecurity, and virtual interactions. A fundamental shift to other communication channels (e.g., email, video chat) opens up compliance concerns that pharma may not have previously flagged as a considerable risk.

Another potential risk that has emerged during the pandemic across a range of industries is the greater tendency for employees to not speak up when they see or learn of something that’s noncompliant. Amid the ongoing economic crisis, people don’t want to raise their hands out of fear of losing their jobs, and remote work has made it more difficult to immediately tell a manager about a problem. Without a strong “speak up” culture, both new and old risks become greater threats that could turn into something more catastrophic.

In this new normal, pharma manufacturers must address emerging risks, prioritizing prevention and mitigation strategies within organizational constraints. This includes training employees on appropriate behaviors now that they must conduct business differently.

Assessing, reassessing risk

Because so many stakeholders are suddenly facing new and updated exposure to risk amid the pandemic, an organizational approach to addressing risk must be a priority. Compliance teams should follow three steps in their strategies:

  1. Partner with risk area owners and business leaders to understand what’s changed since the pandemic began.
  2. Update each exposure in your organization’s risk registry and identify corresponding operational process changes to reflect the current reality.
  3. Share and confirm alignment on these changes with all risk stakeholders, and take care to ensure communication doesn’t get siloed — an ongoing process that can easily stall if you’re not proactive.

Tapping technology for training

More than ever, measuring the success and failure of compliance training — especially with high- er-risk topics and activities — is vital for pharma manufacturers.

Technology can help assess where employees have a solid understanding of appropriate behaviors as well as where clarity issues or behavioral gaps exist around important concepts. In the pharma industry, in particular, it is critical for employees deemed to be performing higher-risk activities (e.g., sales reps interacting with providers) to receive tailored training based on simulations about their day-to-day, and for compliance teams to ensure understanding by segmenting the resulting behavioral data based on role or function.

In addition to identifying microcultures, this data can be provided to managers and function leaders to drive targeted, focused conversations on the ground and reinforce critical concepts.

Deep behavioral insights — something more than counting how many employees merely completed a course — go a long way toward measuring efficacy. When compared side by side with operational and transactional data, including helpline cases, audit findings and expense tracking, behavioral data can provide a window into hidden risk that is percolating within the organization.

For example, if you see behavioral insights coming from training simulation indicating employees in a particular function don’t understand adverse event reporting, you check the corresponding helpline trends for the same risk. If you see zero reported incidents, underreporting is likely. Simply sending a targeted communication to this audience can surface self-reported issues that have previously gone unflagged.

The compliance program’s ability to detect wrongdoing in this manner is a perfect example of a program working in practice per the updated Department of Justice guidance.* The guidance, which is intended as a reference of information and questions for prosecutors to ask companies when evaluating their compliance programs amidst investigations and subsequent charging decisions, provides a lens into how we should be structuring our programs.

In recent years, artificial intelligence has also emerged as a valuable tool within compliance training technology. AI can leverage an employee’s prior interactions and behavioral insights from a course to tailor the current training experience — ensuring the time is spent on each person’s individual needs and building upon past knowledge.

Humanizing training strategy

Many companies view compliance training as teaching employees an amalgamation of laws and regulations. This approach ignores the most important factor in the training process: the person experiencing the learning. Compliance must be more than rules. It needs to focus on human behavior and emotions in the real-world situations that employees may encounter on the job.

Summarized updates from the 2020 DOJ Evaluation of Corporate Compliance Programs

Risk assessment

Endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how it has evolved over time.

  • Updates and revisions: Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions?
  • Lessons learned: Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographic region?

Policies and procedures

  • Addition to design: What’s the company’s process for designing and implementing new policies and procedures and updating existing ones? Has that process changed over time?
  • Accessibility: Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?

Training and communications

  • An acknowledgment that training programs may contain shorter, more targeted training sessions to first identify timely identification and reporting of issues
  • Form/content/effectiveness of training: Whether online or in-person, is there a process for employees to ask questions arising out of the trainings? Has the company evaluated the extent to which the training has an impact on employee behavior or operations?

Confidential reporting structure and investigational process

  • Effectiveness of the reporting mechanism: How is the reporting mechanism publicized to third parties? Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?
  • Resources and tracking of results: Does the company periodically test the effectiveness of the hotline?

Third party management

  • Assess whether the company knows the risks posed by third party partners
  • Management of relationships: Does the company engage in risk management of third parties throughout the lifespan of the relationships, or just during the onboarding process?


  • Ensure a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls
  • Due diligence process: Was the company able to complete pre-acquisition due diligence and if not, why not?
  • Connecting due diligence to implementation: What has been the company’s process for conducting post-acquisition audits at newly bought entities?

This fresh approach requires training that engages and empathizes with users, rather than trying to make them into junior lawyers. The right messaging can deliver important compliance knowledge and develop EQ as well as IQ and make the information stick long after a digital course ends. Even during a pandemic, people aren’t necessarily tuning out training; they simply require content that is relevant to and resonates with them. Treat them with humanity and they will absorb and take action on what’s being taught. Approaches such as spoken word, humor or sitcom-style microlearning reinforcement can be powerful here.

Senior leadership must take an active role in setting the tone for compliance and a culture of learning. During any crisis — and especially this one — employees take their cues from the executives making the big decisions. Leaders who continually promote value-based messages and connect with their employees inspire those employees to care about learning because, ultimately, compliance is good for the organization. This effort also promotes the “speak up” culture that is so essential in the permanently altered workplace. Managers may struggle to figure out how to do this on their own — this is why compliance teams must make it a simple lift by providing them with behavioral insights and a library of microlearning resources that can be utilized to drive conversation, conduct small team challenges, and deliver a consistent message across the organization.

Mid-level managers — the leaders who most often guide and interact with the employees expected to execute the principles learned in training — must also contribute to this humanized compliance. If teams and departments become too insular, microcultures can form, and the actions and ethics of employees may stop conforming to compliance best practices and the organization’s mission. (A “speak up” culture can also disappear in this scenario.) Managers can be instrumental in countering these microcultures with the examples they set as well as by encouraging two-way communication when compliance challenges arise with their reports.

Compliance for now, training for the future

All eyes have been on pharma manufacturers as the world looked to them to help end the pandemic. The industry has responded with unprecedented innovation and efficiency. This success inevitably means faster decisions, higher pressure to perform, more scrutiny and more room for error to go unnoticed, which means pharma manufacturers must update their risk strategies as well as rethink how they approach preparing their workforces through training and communications.

Over the years, compliance training tactics such as video and narrated PowerPoint that were once thought to be groundbreaking have stopped resonating with users. A new, humanized strategy in which employees are valued rather than lectured to, and learn by doing instead of watching or reading, offers the best path.

A new, unknown normal awaits on the other side of the pandemic. Investing in employee readiness will be crucial to invest in the present and the future. Is your compliance program and employee training up to the challenge?

About the Author

Harper Wells | Director of Compliance Insights and Strategy