Earlier this year, the Office of Inspector General (OIG) put smaller life sciences companies on notice that they should put in place a risk assessment process as part of their corporate compliance program. In its Corporate Integrity Agreement (CIA) with EndoGastric Solutions, Inc. (EGS), the OIG required EGS to establish a risk assessment process to allow the company to:
The risk assessment requirement in the EGS CIA is one more example of the OIG clearly signaling that its expectations with respect to smaller company corporate compliance programs are not significantly different from its expectations of Big Pharma compliance programs.
Unlike many other CIAs, the EGS CIA did not provide any definition around what the company’s risk assessment process should look like. On one hand, this gives EGS flexibility in defining its process. On the other hand, this lack of definition leaves other smaller companies that are contemplating putting in place a risk assessment process wondering what such a process should entail.
Companies contemplating putting in place a risk assessment process need look no further than the more detailed Risk Assessment and Mitigation Process (RAMP) requirements in other CIAs for guidance, including the CIAs entered into in 2013 by Johnson & Johnson (J&J) and Par Pharmaceutical Companies.
The J&J CIA requires the company to annually undertake its risk assessment process. As part of that process, J&J must identify risk areas by soliciting information from “all relevant business units and functions” which includes the following:
J&J must use the information collected from these business units to develop annual Risk Mitigation Plans that identify risk mitigation activities that J&J must conduct in the following year, including monitoring activities. Activities to monitor include speaker programs, speaker training, advisory boards, sampling, verbatim reviews, medical information requests, and ride-alongs with sales representatives.
The Risk Mitigation Plan must detail:
The company’s various leadership teams must review and approve these plans.
The J&J CIA requires that the company track all risk monitoring and risk mitigation activities and make quarterly reports on such activities to the North American Compliance Officer, who must evaluate the activities to ensure that they appropriately mitigate the identified risks. The Compliance Officer, in turn, must report quarterly on the status of these activities to the North American Compliance Committee, business unit leadership, and compliance personnel at J&J affiliates and annually to the overall J&J Chief Compliance Officer.
The Par CIA requires a risk assessment process similar to that set out in the J&J CIA. Like J&J, Par had already implemented a risk assessment process prior to the effective date of its CIA. As part of that process, Par also must solicit risk information from “key operating areas” that include most of the business units mentioned above.
Unlike the J&J process, however, Par’s Enterprise Risk Management Committee must produce a “relative risk ranking report” or Risk Evaluation Report that makes recommendations to the company’s Compliance Committee regarding which products may require increased attention in the form of “enhanced risk mitigation plans” (Enhanced RMPs). The Committee must also provide the Risk Evaluation Report to Par’s Board of Directors.
Par products identified as requiring Enhanced RMPs are subject to risk mitigation activities beyond those activities contemplated by the J&J CIA. The Par CIA states that Enhanced RMPs “will consist of activities tailored to the risks identified during the risk ranking process” and provides the following examples:
As with the J&J CIA, standard risk mitigation activities are performed regardless of a product’s relative risk ranking and include the monitoring activities described above.
In addition to drawing a distinction between standard and enhanced RMPs, the Par CIA requires that Risk Mitigation Plans specify metrics by which both risk monitoring results and risk mitigation activities will be evaluated and/or measured.
The three key elements of the risk assessment processes set out in the J&J and Par CIAs – identify, plan, and track – should guide smaller companies looking to implement such a process. In the current enforcement environment, mitigating risk is essential. Heeding the OIG’s guidance can go a long way toward protecting a company from the ramifications of an enforcement action.