Risk Assessments Mitigate Risk for Bigger and Smaller Companies Alike

May 21, 2014

Earlier this year, the Office of Inspector General (OIG) put smaller life sciences companies on notice that they should put in place a risk assessment process as part of their corporate compliance program. In its Corporate Integrity Agreement (CIA) with EndoGastric Solutions, Inc. (EGS), the OIG required EGS to establish a risk assessment process to allow the company to:

  • Identify and assess risks associated with the sale, marketing, detailing, advertising, and promotion of products reimbursed by government healthcare programs; and
  • Devise and implement specific measures to mitigate identified risks.

The risk assessment requirement in the EGS CIA is one more example of the OIG clearly signaling that its expectations with respect to smaller company corporate compliance programs are not significantly different than its expectations of Big Pharma compliance programs.

Unlike many other CIAs, the EGS CIA did not provide any definition around what the company’s risk assessment process should look like. On one hand, this gives EGS flexibility in defining its process. On the other hand, this lack of definition leaves other smaller companies that are contemplating putting in place a risk assessment process wondering what such a process should entail.

Companies contemplating putting in place a risk assessment process need look no further than the more detailed Risk Assessment and Mitigation Process (RAMP) requirements in other CIAs for guidance, including the CIAs entered into in 2013 by Johnson & Johnson (J&J) and Par Pharmaceutical Companies.

The J&J CIA requires the company to annually undertake its risk assessment process. As part of that process, J&J must identify risk areas by soliciting information from “all relevant business units and functions” which includes the following:

  • Sales
  • Marketing
  • Regulatory Affairs
  • Medical/Scientific Affairs
  • Legal
  • Audit
  • Compliance

J&J must use the information collected from these business units to develop annual Risk Mitigation Plans that identify risk mitigation activities that J&J must conduct in the following year, including monitoring activities. Activities to monitor include speaker programs, speaker training, advisory boards, sampling, verbatim reviews, medical information requests, and ride-alongs with sales representatives.

The Risk Mitigation Plan must detail:

  • The risk areas identified for mitigation;
  • The activities to be conducted to mitigate the identified risks; and
  • The individual responsible for conducting each activity.

The company’s various leadership teams must review and approve these plans.

The J&J CIA requires that the company track all risk monitoring and risk mitigation activities and make quarterly reports on such activities to the North American Compliance Officer, who must evaluate the activities to ensure that they appropriately mitigate the identified risks. The Compliance Officer, in turn, must report quarterly on the status of these activities to the North American Compliance Committee, business unit leadership, and compliance personnel at J&J affiliates and annually to the overall J&J Chief Compliance Officer.

The Par CIA requires a risk assessment process similar to that set out in the J&J CIA. Like J&J, Par had already implemented a risk assessment process prior to the effective date of its CIA. As part of that process, Par also must solicit risk information from “key operating areas” that include most of the business units mentioned above.

Unlike the J&J process, however, Par’s Enterprise Risk Management Committee must produce a “relative risk ranking report” or Risk Evaluation Report that makes recommendations to the company’s Compliance Committee regarding which products may require increased attention in the form of “enhanced risk mitigation plans” (Enhanced RMPs). The Committee must also provide the Risk Evaluation Report to Par’s Board of Directors.

Par products identified as requiring Enhanced RMPs are subject to risk mitigation activities beyond those activities contemplated by the J&J CIA. The Par CIA states that Enhanced RMPs “will consist of activities tailored to the risks identified during the risk ranking process” and provides the following examples:

  • Increased compliance messaging;
  • Modifications to or limitations of promotional programs; and
  • Enhanced training requirements.

As with the J&J CIA, standard risk mitigation activities are performed regardless of a product’s relative risk ranking and include the monitoring activities described above.

In addition to drawing a distinction between standard and enhanced RMPs, the Par CIA requires that Risk Mitigation Plans specify metrics by which both risk monitoring results and risk mitigation activities will be evaluated and/or measured.

The three key elements of the risk assessment processes set out in the J&J and Par CIAs – identify, plan, and track – should guide smaller companies looking to implement such a process. In the current enforcement environment, mitigating risk is essential. Heeding the OIG’s guidance can go a long way toward protecting a company from the ramifications of an enforcement action.
