Risk assessments need data. An assessment’s quality has a lot to do with the data that it uses, how it analyzes the data, what output the analysis generates and the utility of that analysis in identifying compliance issues.
The pressure has intensified
While scrutiny of the industry has increased, regulators have become more sophisticated at detecting fraud and abuse. Regulators have also raised their expectations of what companies should do to promote compliance and integrity within their own organizations.
In April 2019, the Criminal Division of the DOJ (pdf) updated its guidance for prosecutors on assessing an organization’s compliance program. The guidance sets out three fundamental questions:
- Is the program well-designed?
- Is it being implemented effectively?
- Does it work?
At the center of DOJ guidance (pdf) are three key elements: data, policies and procedures, and culture.
Data is at the heart of today’s compliance programs
Quantifying risk is a vital part of risk assessment, a key topic in the DOJ guidance. Risk assessments need data. An assessment’s quality has a lot to do with the data that it uses, how it analyzes the data, what output the analysis generates and the utility of that analysis in identifying compliance issues.
Pharmaceutical companies now have access to unprecedented amounts of data. Advancements in AI, data analytics and automation, aided by the gigantic leap in computing power, have made it possible to amass large amounts of data and to quickly identify hidden relationships and risk patterns.
AI and data analytics technologies can not only help detect existing risks, but also help predict and prevent future risks — thus enabling the compliance function to take a more proactive approach. Data is also crucial to address many other compliance issues, such as reporting, measuring training programs and vendor due diligence.
What compliance executives need to ask themselves next is: do we have a strategy
Policies and procedures need modernization
A good portion of the guidance touches upon policies and procedures — written statements of corporate intent. The DOJ emphasizes the need to “give both content and effect to ethical norms.”
“One hallmark of an effective compliance program is its capacity to improve and evolve.” What this means is that compliance officers need to keep abreast of evolving business models, organizational culture and market demands. Both external and internal factors can alter the organization’s risk profile, and those factors need to be continually assessed against existing compliance policies and procedures.
Policy guidance provided to employees needs to be more personalized and should happen in real time. In the digital age, employees are inundated with enormous amounts of information. Targeted and “just-in-time” compliance policy communication is critical so that the guidelines resonate with the employees and they stick with them. For example, leading companies are already using AI and automation technologies to deliver information about relevant compliance policies to employees ahead of a potential risk event.
Culture is the glue that holds the organization together
The DOJ guidance states that the company’s policies and procedures need to “incorporate the culture of compliance into its day-to-day operations. It is important for a company to create and foster a culture of ethics and compliance with the law.”
Leadership commitment, training and communication have long been acknowledged as indispensable to promote a culture of integrity. More and more companies are taking it further by using data and technology to help them gain insights into their organizations’ cultures. “Is culture quantifiable?” is a question that has been asked, tested and slowly put into practice by some of the leading global companies.
Implementing the Integrity Agenda
The message is clear: to improve their image among patients, providers and politicians, pharmaceutical companies must continue to enhance their compliance efforts. This includes modernization, continuous risk assessments and monitoring, and the use of sophisticated data analytics.
Companies must monitor the gap between corporate intention and actual employee behavior. Effective compliance programs can reduce that gap — this is the essence of the Integrity Agenda. An effective Integrity Agenda includes governance, culture, controls and data-based insights that align actions with the company’s goals.
Good governance means leaders setting the right example and tone from the top-down and everyone knowing who is accountable for what and why. Corporate culture should be focused on integrity with appropriate guidance and training. Effective controls for managing legal and regulatory risk should be embedded into daily operations, enabled by data and technology.
Finally, data is crucial to provide insights into potential misconduct and compliance risks, and how well behavior matches intent.
By promoting the Integrity Agenda, companies can bridge the gap between corporate intentions and actual behavior.
Leadership commitment, training, and communication have long been acknowledged as indispensable to promote a culture of integrity. More and more companies are taking it further by using data and technology to help them gain insights into their organizations cultures.