Want better protection against regulation breaches? Build a system that engenders 'grassroots' compliance
By Steve Lefar
January 12, 2004 | Compliance is no longer about simply responding to the person who pesters you about regulations. The government has made "accountability" a verb. Failure to comply with regulations has resulted in corporate fines that rival the cost of new drug development, and penalties involving time behind bars.
Under federal sentencing guidelines announced in October 2003, for example, even life sentences without parole are now possible for white-collar crimes related to corporate malfeasance. A company's compliance program must not only involve everyone who may have an impact on the system; the company must also create a "culture of compliance."
Achieving such a culture requires a systematic approach to providing all responsible parties with the appropriate information and resources for their specific job functions.
Ad hoc approaches to managing and distributing compliance information — surfing public Web sites and managing large collections of bookmarks, monitoring listservs, cutting and pasting information into e-mails, and maintaining intranet policy and procedure collections — have their place, but they're risky. They certainly are no substitute for a systematic approach. A model for regulatory compliance is needed that leverages the intersection of organizational structure and technology.
Start here: Most organizations can begin to map the best architecture for their regulatory system by assessing users' compliance needs. Once those requirements are defined, the system can be deployed using commercial or in-house technology.
Successful models have a common set of infrastructure components and features that enable "grassroots" compliance information management. Foremost is access to the right information through a single and flexible interface. The "right information" means that it's multidisciplinary, covering all the following areas: discovery and development; production and manufacturing; enforcement, inspection, and monitoring; transportation, safety, environmental, and business practices; sales, marketing, and reimbursement practices; and international, federal, and state jurisdictions.
The system architecture must also be able to support multiple types of information, including documents, databases, and a range of media, including training videos. Likewise, the system interface should be accessible through a single Web address or internal database, properly secured, and provide tailored profiles for individuals based on company roles and needs.
The ability of the system to disseminate information automatically and reliably to the right people in the right way is key. For grassroots compliance to work, the system needs alert mechanisms that automatically select and link relevant source documentation directly into a company's standard operating procedures and corporate policies.
Who Needs Regulatory Info
Whether a company uses a commercial product or builds its own, it is best to begin by mapping the required architecture via a simple assessment of users' compliance needs. Here are three key user categories to consider, but many more departments will likely need access:
COMPLIANCE TEAM — These people need information covering federal and state anti-kickback laws; reimbursement procedures; sales, marketing, and advertising practices; employment issues related to Medicare sanctions; compliance guidance; and more to piece together appropriate policies, procedures, and enforcement. The team must also be able to simply forward — and then verify the reading of — key advisories from the Office of the Inspector General (OIG), Centers for Medicare & Medicaid Services (CMS), the FDA, and states.
R&D TEAM — These people need full-text searching of regulations such as 21 CFR Part 11, new drug applications, abbreviated new drug applications, 510(k)s, pre-market approvals, and other information on approved products, along with FDA developments affecting areas from clinical trial privacy to marketing practices.
BUSINESS STRATEGY TEAM — These people apply regulatory and compliance information to improve due diligence and strategic planning as well as develop sales strategies based on competitor activities.
Once user information needs have been defined, off-the-shelf technology may be deployed to implement a grassroots compliance system. In any case, the time for aggressive management of this information has arrived. Intent matters!
Steve Lefar is president of MediRegs, based in Wellesley, Mass. He may be reached at firstname.lastname@example.org.