Budgeting and measuring the success of compliance initiatives is a credibility issue for CIOs.
Feb. 11, 2005 | CIOs maintaining and documenting regulatory compliance in the life sciences have always had a complex and challenging job, but in the past couple of years the problem has reached new proportions. Expanding regulations mandate good clinical, laboratory, and manufacturing practices (GxP) as well as privacy and fiscal rules. They have implications for all IT systems, both transactional and informational, as well as for the IT work practices of system life-cycle management. Corporate governance issues can compound compliance issues.
To better understand the plethora of compliance demands, CIOs should first avoid focusing narrowly on single initiatives when there may be broader issues that are addressed more efficiently at the global enterprise level. This will allow them to address overlapping compliance regulations that govern a process in conjunction with each other when necessary, and to eliminate confusion when not.
In this regard, Life Science Insights' recent publication "Worldwide Regulatory Compliance Issues in Life Science"* creates a working taxonomy of regulations that affect life science organizations. Armed with this information, CIOs can, with regulatory experts, evaluate current compliance projects and create an informed strategy to meet organizational goals.
The next step for CIOs is to create a strategic plan for addressing organizational compliance initiatives, including prioritization based on the status quo and the highest-risk areas. When creating a compliance strategy, they need to consider the cost of different options while weighing factors such as outsourcing, resource availability, and risk management. Cost information is difficult to obtain, and benchmarking data are slim, which makes budgeting and measuring the success of compliance initiatives a credibility issue for CIOs. They must also take into account fiscal, product, and privacy concerns. Outsourcing has inherent risks, but outsourcing the right projects to capable contractors may enable life science organizations to improve their compliance risk profile.
CIOs should keep in mind that overlap in regulations may be functional or geographical. For example, regulatory compliance for data collection in clinical trials in the United States is governed functionally by GCP, 21 CFR Part 11, and HIPAA. But trials are increasingly conducted on a global scale, so CIOs should also consider compliance with the EU Clinical Trials Directive.
Power of Ownership
Appropriate corporate governance can facilitate compliance. To maximize the efficiency of compliance efforts, organizations should consider approaches such as centralizing the ownership of compliance policy and compliance technology standards, and coordinating monitoring and auditing.
With a strategy in place, CIOs can move on to upgrading, selecting, and implementing the appropriate technology. Technology is essential in meeting compliance requirements and ensuring ongoing monitoring. IT vendors have recognized the opportunities in this niche market, and are beginning to develop architectures and frameworks that minimize compliance efforts.
However, the available regulatory compliance toolsets still vary widely. Enterprise technology includes emerging compliance-friendly components and architectures such as IBM's Risk and Compliance Framework, HP's Reference Information Storage System (RISS) for e-mail archiving, HP's picture archival communication system (PACS) for medical image management, and EMC's Centera storage systems. All of these frameworks and components have been developed specifically with compliance in mind, and, as such, their developers say that they require less time to validate, and provide improved security and higher confidence of data integrity and transaction auditing. CIOs should consider introducing automated testing tools to help validate applications that are likely to require regular upgrades.
Achieving compliance shouldn't be a significant drain on resources. By taking a best-practice approach to compliance, regardless of the source of the regulation, CIOs can meet objectives while maintaining the ability to respond flexibly to changing compliance requirements.
Judy Hanover is a research analyst with Life Science Insights. E-mail: firstname.lastname@example.org.
*Hanover, J.; Carri, D.; Golden, J. "Worldwide Regulatory Compliance Issues in Life Science," Life Science Insights; December 2004.