At the recent Pharmaceutical Compliance Congress (PCC), Zane Memeger, U.S. Attorney for the Eastern District of Pennsylvania stated that one of the key questions that a company should ask about its compliance program is whether the company is taking steps to evaluate the program’s effectiveness. The Office of Inspector General (OIG), through recent Corporate Integrity Agreements (CIAs), also has stated its expectation that companies evaluate the effectiveness of their programs. But neither Mr. Memeger, in his comments at the PCC, nor the OIG, in its CIAs, has provided guidance on how one goes about measuring the effectiveness of a compliance program.
A 2013 survey that asked leaders in the pharmaceutical and life sciences industry to rank the most important metrics in evaluating the effectiveness of a compliance program found that 32 percent ranked audit results as number one. Hotline metrics, at 16 percent, were a distant second. Training data (11 percent) and employee questionnaires (3 percent) were further down the list.
Interestingly, a qualitative assessment of a company’s policies and procedures – encompassing both a gap analysis to ensure that a company’s policies and procedures address the specific risk areas faced by the company and a substantive evaluation of the actual controls put in place by the policies and procedures – did not even register in the survey. This, despite the fact that the PhRMA Code encourages a company to periodically verify that it has policies and procedures in place to foster compliance with the Code.
Two recent CIAs involving Endogastric Solutions, Inc. and Endo Pharmaceuticals Inc., both require that the boards of directors of those companies adopt resolutions concluding that the companies have implemented an effective compliance program. Such a requirement is typical of CIAs over the past couple of years. The Endo Pharmaceuticals CIA further states that the company may rely upon “independent outside experts engaged to assist the Board” in evaluating its compliance program. While not requiring Endo to use independent outside experts as do other CIAs, the language of this and other CIAs suggests that engaging independent experts to evaluate the effectiveness of a compliance program is a best practice.
When evaluating the effectiveness of a corporate compliance program, a company should take a holistic approach. Rather than focusing on any individual metric – such as audit results, hotline calls, or training data – a company should evaluate the design of the entire program and test its success in shaping behavior within the company.
This approach demands asking a number of probing questions and testing the controls put in place by a company to manage risk and prevent wrongdoing. It also requires examining the commitment of senior management to the compliance program and gauging whether company employees are aware of, understand, and buy into the program.
Such an evaluation is essential to ensure that a corporate compliance program actually has the intended effect and is a prerequisite to getting credit in an enforcement action, should something go wrong despite a company’s compliance efforts.