By Michael O’Connor and Isha Arora
November 17, 2020
Whether your company already has a data-driven compliance program in place or is contemplating building one, Michael O'Connor and Isha Arora outline four things the DOJ is now focused on that your compliance team needs to know.
This past June, the U.S. Department of Justice revised its guidance¹ outlining how it evaluates corporate compliance programs. The guidance instructs prosecutors to question companies they are investigating on whether those companies’ compliance teams have at their disposal “relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.” It also instructs prosecutors to determine whether compliance programs are “adequately resourced and empowered to function effectively.”
While pharmaceutical companies have long known the business case for building a data-driven compliance program, the DOJ’s revised guidance makes it clear that those in the industry who have yet to commit to such a program could face legal consequences for dragging their feet. Whether your company already has a data-driven compliance program in place or is contemplating building one, here are four things the DOJ is now focused on that your compliance team needs to know.
Effective data-driven compliance programs are led by compliance professionals employing a data-scientist mindset
Historically, compliance programs fundamentally have been legal functions, staffed with lawyers and other legal professionals. But this classic model overlooks the operational elements that compliance programs must incorporate now that the DOJ is prioritizing data-driven compliance programs.
The DOJ’s revised guidance signals the arrival of a paradigm shift away from lawyers as compliance professionals who exclusively employ a legal approach to their companies’ compliance programs. Now, lawyers must adapt and expand their roles so that they understand both the data they need from across their company’s operations in order to run an effective compliance program and the processes and procedures they must build in order to ensure that their company’s data flows freely to a centralized compliance data repository.
For that reason, even though effective data-driven compliance programs depend on their lawyers’ legal guidance, they should be led by compliance professionals who can approach the compliance function with a data-scientist mindset, from the law up. Working collaboratively with their legal colleagues and operating a program where legal requirements are built in, this new generation of compliance professionals will know how to find and analyze the compliance data that provides their legal colleagues with accurate information on which to base their counsel.
The data your compliance program needs is likely already inside your company
In our experience, the majority of pharmaceutical companies already have the data that should be flowing into a centralized compliance data repository for monitoring and analysis. They just don’t know it.
For example, your company’s customer relationship management (CRM) and enterprise resource planning (ERP) systems are brimming with information relevant to the company’s compliance with applicable law. Data from these and other sources within your organization should be flowing into your compliance data repository so that it can be monitored and analyzed. When it does, something magical happens. Suddenly, your compliance program transforms from a reactive operation, blindly picking events to monitor, into a proactive one that flags potential problems before they arise.
For example, consider a pharmaceutical company’s use of a speakers’ program to boost sales. Without a data-driven compliance program, it’s difficult for the company to pick up on warning signs, such as the same doctor being treated to multiple meals over multiple months by attending the same presentation. But through a model that analyzes streams of information contained in expense reports, electronic sign-in sheets, and CRM data, that company could know as soon as a doctor registers for an event whether their attendance would pose a compliance problem. A similar model could be employed to eliminate marketing efforts directed at doctors who cannot prescribe medicine or do not prescribe the kind of medicine being marketed. The model would save money and prevent a practice that, while unintentional, could arouse the suspicions of regulators.
Data-driven compliance programs help you take stock of your data before the government does
Government-mandated reporting of data means that some of your company’s data will be publicly disclosed—and scrutinized. If that data suggests your company is engaging in illegal or unsavory conduct, your company might face negative publicity in addition to any legal exposure. An effective data-driven compliance program will spot such notable trends in the data before it is published so that your company can correct any problems the data is suggesting and prepare itself for any questions the data might raise.
For instance, with COVID-19 disrupting the pharmaceutical industry in 2020, large payments to certain third parties will stick out like a sore thumb as a result of a likely lower volume of those payments being made across the industry. Similarly, most events since March 2020 have been virtual (if they have occurred at all), which has changed the costs associated with them. Thus, disproportionately large marketing expenditures are likely to raise eyebrows. A data-driven compliance program will catch these problems before the data is made public.
Data-driven compliance programs can mitigate third-party engagement risk
Compliance departments at pharmaceutical companies are well aware that engagements with third parties carry risk. From the U.S. Anti-Kickback Statute and Foreign Corrupt Practices Act to the U.K. Bribery Act to France’s Sapin II law, a number of laws subject companies to harsh penalties when regulators determine that their transactions with third parties were not legitimate or conducted at arm’s length. Data-driven compliance programs can verify the legitimacy of third-party relationships and transactions, thus mitigating the risk associated with them, by helping companies understand who they do business with, ensuring those third parties did the work they were contracted to do and verifying they were paid fair market value for it.
For example, automated background checks can be prerequisites before payments to third parties are made. Processes can verify contracts are signed, work product is captured, and payments match the agreed-upon fee. Fair market value can be automatically determined and compared to the prices a company will pay for particular products or services to ensure those payments are above board. And centralized databases of global compliance laws can keep salespeople abreast of their compliance responsibilities based on the countries in which clients and prospects are based.
Where you should go from here
Through its revised guidance, the DOJ has given pharmaceutical companies a blueprint for how to build an effective compliance program, which, among other benefits, will serve as a mitigating factor should the DOJ ever investigate them for wrongdoing. The DOJ now expects compliance departments to have resources that give them direct or indirect access to data so that they can timely monitor, test, and analyze policies, controls, and transactions.
Pharmaceutical executives must understand that the DOJ’s guidance codifies an evolution in corporate compliance. Government regulators want companies to create compliance programs that provide a 360-degree view, through data, of those companies’ compliance efforts. The good news is that such programs reduce the risk that a company employing them will run afoul of the law—and suffer the loss of profits, revenues, and reputation that comes with accusations of wrongdoing.
As data-driven compliance programs become the baseline in the pharmaceutical industry, pharmaceutical companies must be sure they are collecting the right data from the right places and housing that data in the right kind of depository to allow for real-time risk management, review and analysis. For those pharmaceutical companies that have not already embraced a data-driven approach to compliance, the DOJ’s recent guidance just transformed that approach from “nice to have” to “need to have.”
Michael O’Connor and Isha Arora are the Vice President of Compliance Technology and Director of Compliance Technology, respectively, for Porzio Life Sciences.