Compliance Effectiveness Review: What's a Board to Do


This article, co-authored by Navigant’s Saul Helman and Richard Eschle, Senior Director of Compliance at Eisai Inc., explores guidelines and responsibilities, the Board's role and the structural and operational concerns to consider in the context of creating a stable internal compliance environment.

HEALTHCARE AND LIFE SCIENCES DISPUTES, REGULATORY, COMPLIANCE AND INVESTIGATIONS

SAUL B. HELMAN
Managing Director
317.228.8726

About Navigant

Navigant Consulting, Inc. (NYSE: NCI) is a specialized, global professional services firm that helps clients take control of their future. Navigant’s professionals apply deep industry knowledge, substantive technical expertise, and an enterprising approach to help clients build, manage and/or protect their business interests. With a focus on markets and clients facing transformational change and significant regulatory or legal pressures, the Firm primarily serves clients in the healthcare, energy and financial services industries. Across a range of advisory, consulting, outsourcing, and technology/analytics services, Navigant’s practitioners bring sharp insight that pinpoints opportunities and delivers powerful results. More information about Navigant can be found at

COMPLIANCE EFFECTIVENESS REVIEW: WHAT’S A BOARD TO DO?

Since 2003, guidance on corporate compliance has stressed that boards must be fully engaged in the oversight process. Most recently, the Federal Sentencing Guidelines were updated (2010) to reflect PPACA expectations. In 2015, the Health and Human Services OIG collaborated with the Association of Healthcare Internal Auditors, the American Health Lawyers Association and the Health Care Compliance Association to publish Practical Guidance for Health Care Governing Boards on Compliance Oversight.

In short, the board of directors of healthcare and life sciences companies must ensure there is an effective compliance program in place, established through appropriate due diligence and reinforced through their governance and oversight. While all employees are required to uphold compliance policies, the board sets the direction for the entire company.
The board must actively demonstrate its commitment to reducing risk, particularly with prosecuting authorities around the globe eager to hold individuals criminally responsible for noncompliance.

DUTY OF CARE

The basic fiduciary duty of care principle, which requires a director to act in good faith with the care an ordinarily prudent person would exercise under similar circumstances, is being tested in the current climate of heightened corporate responsibility and government enforcement action. Personal liability for directors includes removal and civil and reputational damages. Directors must have a basic understanding of their fiduciary obligations and how the duty of care can be exercised in overseeing the company’s compliance systems.

Embedded within the duty of care is the concept of reasonable inquiry. Directors must obtain information from organization leadership that is necessary to ensure the compliance program is indeed effective. Board oversight should include (but is not limited to) securing an understanding of the:

• roles of, and relationships between, the organization’s audit, compliance, and legal departments;
• mechanism and process for issue-reporting within an organization;
• approach to identifying regulatory risk; and
• methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives.
STRUCTURAL AND OPERATIONAL CONCERNS

Despite all the compliance guidance and requirements, there is no explicit description of how an effectiveness review should be structured. Experience suggests that a basic approach, one that meets the individual board member’s fiduciary responsibility and government requirements, reflects the seven core elements of a compliance program.

A well-designed compliance and ethics program is only half the picture. Critical to the program’s success is its ability to meet the challenges of constant change, increasing complexity, rapidly evolving threats and the need for continuous improvement.

Programs are consistently challenged as organizations expand their reach around the globe. Risk expands exponentially as the distance between the chief compliance officer and emerging markets grows, particularly if the business requires working through intermediaries. Insufficient training and cultural differences make program enforcement difficult. Boards need a clear strategy for implementing policies and procedures throughout the organization—from executive leadership to country managers, sales leads, production lines and back office functions—globally.

FINANCIAL PRESSURES AND DEMANDS

Management at all levels is expected to deliver sales and increase profit margins to meet annual corporate goals for growth and return on investment. Hence, compliance programs are frequently considered a hindrance to achieving firm-wide objectives. The board and senior management must effect a visible, structured compliance program that provides direction for and resonates throughout the organization. The program must address the balance between corporate responsibility and complying with global regulatory standards versus the achievement of financial and economic goals.
INDEPENDENT REVIEW—BEYOND THE BOARD

Corporate Integrity Agreements (CIAs) are the number one mechanism for government enforcement of compliance requirements for companies, their boards and individual board members. In addition to remedial steps to address conduct that led to the settlement, CIAs usually require a targeted compliance review performed by an independent review organization and, on occasion, the appointment of a board-level compliance expert to conduct an independent compliance effectiveness review on behalf of the board and the government.

7 Core Elements of a Compliance Program

• Oversight & Governance: Hiring a compliance officer to work with a compliance committee
• Written Standards: Developing a Code of Conduct and compliance policies, procedures and working practices
• Training and Education: Implementing and tracking a comprehensive employee compliance training program
• Communication: Establishing a confidential “whistleblower” disclosure program and reinforcing it through Tone at/from the Top
• Risk-based Auditing & Monitoring: Maintaining regular risk-based compliance reviews
• Investigating and Corrective Action: Implementing an investigations process and related corrective and preventative action plans
• Disciplinary Guidelines: Enabling a structured disciplinary process and guidelines

Sample Operational Inquiry

• How is the board apprised of significant regulatory and industry developments affecting the organization’s risk?
• How is the compliance program structured to address such risks?
• How are “at-risk” operations assessed from a compliance perspective?
• Is conformance with the organization’s compliance program periodically evaluated?
• Is the effectiveness of the program systematically assessed?
• Baseline Activity Risk: Represents the overall industry-wide compliance risk associated with conducting various research & development, marketing, sales and promotional activities, as well as other relevant interaction with Healthcare Professionals.
• Audit History Risk: Represents the risk to an organization regarding each activity as documented in previous internal auditing and monitoring reviews.
• Spend Risk: Represents the risk associated with the relative proportion of promotional spend associated with each particular activity identified.
• Product Risk: Represents the risk associated with various factors that might be relevant throughout the life cycle for each product.
The initial review is a sort of “meta-analysis” that provides a review of the program design/mission, identifies areas of reinforcement/improvement and serves as a baseline for future reviews. Subsequent reviews confirm program implementation and the effectiveness of the program’s controls. The value of effectiveness reviews also includes qualitative enhancements and consistency/continuity throughout the organization. Consistency and continuity ensure a rational program designed to meet regulatory/ethical considerations and foster ownership of compliance and confident, informed decision-making.

A critical foundation to an effective compliance program is establishing a process to understand the company’s fundamental compliance risk environment, and determining where risk mitigation activities (across the seven elements of compliance) need to be focused. Navigant’s Compliance Assessment & Risk Evaluation (C.A.R.E.) process takes a risk-based approach to evaluating an organization’s compliance controls—quantifying what has historically been a qualitative assessment. The process evaluates compliance risk across the matrix of risk-based activities and risk by product. Submitting to the C.A.R.E. process helps socialize the concept of compliance risk and empowers the business to evaluate this risk against current and planned activities.

©2016 Navigant Consulting, Inc. All rights reserved. 00005708 Navigant Consulting is not a certified public accounting firm and does not provide audit, attest, or public accounting services. See for a complete listing of private investigator licenses.