The Seven Highly Effective Habits of Closed-Loop Compliance

Today’s life sciences companies face a spiraling quagmire of compliance challenges as regulations continue to multiply. And there has never been a more litigious age in history. Unchecked and undetected, risk can tarnish a reputation for honesty, competence and integrity that took years to build.

Staying on top of new legislation, reinterpretations of existing regulations and a maddening rise in lawsuits requires the constant attention of firms. An emerging trend in Life Sciences companies is to consolidate the management of compliance under a single person called a Chief Compliance Officer (CCO). Life sciences companies must consistently and scrupulously maintain, update and revisit their compliance processes and procedures.

But simply revisiting and revising old policies isn’t enough. Increasingly, companies are looking for an ongoing means to document that any potential compliance issue is an isolated, one-off incident attributable to one individual or one incident rather than a systemic problem indicative of a lax corporate culture.

While the compliance needs of life sciences companies vary by niche, maturity and market position, they all share a universal need to prove to regulatory bodies and the public at large that they have done everything possible not only to comply with the letter of the law, but also with its spirit. Compliance is not rocket science, but it is mission critical. For high-performing companies, failure is not an option.

As anyone who has been the target of a regulatory probe knows, telling investigating officials that you have policies and procedures in place does not suffice. Regulators will want to see that these policies have been communicated to the affected employees and that these employees have seen, understood and promised to follow the latest policies and procedures. This process must be repeated as often as necessary, documented every step of the way.

This forms the foundation for the closed-loop model of compliance. Applying a closed-loop compliance model minimizes the risk of disruptive investigations, reduces reputation risk and increases the probability of negotiated exemptions. The closed-loop compliance model highlights interdependencies across the enterprise and provides a proactive way to capture, identify and remediate regulatory violations and compliance risk.

Recognizing that compliance and governance require constant vigilance and maintenance, standard-bearing compliance and risk officers employ seven habits that form the closed-loop model of compliance. These habits provide a strategic way of looking at compliance that ensures a closed-loop model.

The seven habits of closed-loop compliance help companies (1) track and interpret regulations and (2) document policies and procedures. After embedding the first two habits in the corporate culture, Chief Compliance Officers must ensure that information reaches the affected parties through (3) effective training programs. Once you have communicated your policies, what follows is (4) monitoring for deviations, (5) aggressively auditing and investigating red flags and, where necessary, (6) managing exceptions and deviations. This piece in the puzzle requires (7) implementing and measuring change.

These are links or habits in a closed-looped chain that ensure companies can make risk-based decisions. Let’s look closely at each of these habits individually.

1. Track and Interpret Regulations

Has your company developed a clear ownership policy for tracking and identifying the regulations that affect your firm? After determining the regulations your company must follow, it is critical to have a list detailing who is responsible for interpreting the obligations. With clear guidelines about who needs to review and interpret new legislation, you will need to set up processes whereby business and process owners agree on interpretations. Completing the loop, your interpretation committee needs to provide feedback to regulators on proposed or draft rules and on their final interpretations. At this stage, you must also evaluate the impact these interpretations will have on risks and training across the organization. With constant vigilance in mind, the committee must periodically review interpretations for each regulation.

2. Document, Policies, Procedures.

All decisions must be documented and traceable. Of course, all documentation needs to be supported electronically and maintained in a central repository dedicated to policy and procedure documentation. By setting up a central repository for all policies, procedures, controls and systems, Policies & Procedures can be automatically issued across the organization in a consistent and cohesive manner. After identifying owners for the business procedures and using approved templates for capturing processes, the organization must follow a defined workflow – create, review, approve, distribute, consume and retire/supersede – to manage the new content and any subsequent regulatory changes. Part of the documentation process requires procedures that ensure the integrity of the material in question, including version control, security, acceptance and audit trails.

3. Training

Companies that take compliance seriously have formal and documented training programs. They have training materials that are recorded and mapped against the company’s core values. They have programs for introducing new employees to the company and for disseminating information to employees who have been promoted. They have a standardised, clear and recorded feedback loop that provides assurance that the responsible employees are aware of updates to policies and procedures. In marking these documents as read and understood, employees attest to their commitment to following the Policies & Procedures as laid out by the organisation. Many high-performing companies also link their external training records to internal procedures.

4. Capture Exceptions and Deviations

In practice, the best plans, policies and procedures are toothless without monitoring, follow up and continued oversight. Testing needs to be proactive and automated whenever possible to ensure that it takes place as required. At the very least, the scheduling and assignment of tasks must be automated to reduce the possibility of human error or fraud. In the end, effective compliance means being able to identify and view the results of the testing program as applied to any business unit, jurisdiction, topic and/or regulation.

5. Audit and Investigate

Proper management of compliance activities requires a clear process for logging exceptions and issues that occur, followed by investigating and categorizing issues according to their severity and potential impact. Reducing human error, a well-designed automated system alerts the relevant people to incidents, exceptions and material weakness. Anomalies are flagged, documented and pursued.

6. Manage Exceptions and Deviations

Successful investigations take advantage of the electronic data and audit trails maintained on the company’s system. Proactively following a remediation or corrective action plan guarantees that issues will not fall through the cracks, providing you with the ability to communicate with regulators about what you’re doing to satisfy compliance directives with regards to addressing issues. It assures regulators that noted issues were competently resolved. Effective governance means proactively resolving all anomalies and documenting the action taken. By addressing issues and resolving them, you are continually minimizing risk and improving your organization’s business practices.

7. Measure, Assess, Implement, Change

A closed-loop compliance process ensures that all identified issues are resolved. All issues or weaknesses that may have a material effect are escalated to proper levels and are resolved by the person charged with that oversight. For effective risk management, you must be able to implement and manage change simultaneously across all of the sites in your organization. Change Management Plans should be created for every alteration and an automated system must be in place to route changes to the necessary parties.

Closing the Loop on Risk

The key to the seven habits of effective compliance is that you recognize that issues will occur (regardless of how well you build Policies & Procedures). When they do happen, your goal must be to remediate these issues and use them to further improve your business processes.

Following these seven habits enable you to:

• conduct risk assessment;
• make risk-based decisions; and
• use the information and data from each of the habitual steps to operate in compliance with your regulatory landscape.

In highly regulated industries like life sciences, compliance is an ongoing concern and is too important to monitor and administer in an ad hoc, one-off basis. Companies merge, laws are written, agencies reinterpret and so compliance officers must be proactive in managing risk. Regulations need to be identified, interpretation agreed upon, information dispensed and procedures monitored. Issues need to be addressed as they arise and they need to be fed into the processes improvement element of regulatory interpretations.

The loop needs to be closed and the process repeated on an ongoing basis. A closed-loop risk model promotes a sustainable and cost-effective risk program, which is the only way to accurately capture and manage compliance risk, as well as remediate regulatory violations across the enterprise.

Compliance officers who ignore the seven habits of closed-loop compliance may as well walk a tightrope blindfolded over a lion pit. It can be done, but not without incredible risk and only the foolhardy need apply.

About the Author

Patrícia Santos-Serrão is a Regulatory Advisor in the Life Sciences practice at QUMAS with focus on Clinical and Regulatory Affairs processes. She has been in the Life Sciences industry since 1994 starting her career at Schering-Plough in Kenilworth, NJ, and later joining Boehringer Ingelheim Pharmaceutical in Ridgefield, CT, both in RA. Having had experience with global submissions both paper and electronic over eight years, Santos-Serrão moved into the solutions provider sector joining CDC Solutions, which was later acquired by Liquent, and CSC as a Business Process Specialist and Regulatory Specialist. She has assisted various customers during her time at CDC Solutions, Liquent and CSC in compiling eCTDs, and other submission format filings worldwide.