Life after a CIA: How to Position Compliance in a Life
Sciences Organization
Companies operating under Corporate Integrity Agreements (CIAs)
spend five to six years preparing for and responding to their CIA
obligations. During this time period life sciences companies of all sizes
face the monumental task of incorporating CIA requirements into a
company’s daily operations.
While plenty of attention and guidance exists around meeting CIA
obligations and rapidly ramping up the size of the compliance
department to meet these obligations, less attention or focus is given
to the equally difficult task of managing through the conclusion of
a CIA.
Transitioning out of a CIA affects the entire company, but it may have
the most impact on the compliance department. Many Chief Compliance
Officers (CCO) face pressure, whether directly or indirectly, to reduce
costs following the last reporting period under their CIA. They are often
asked to justify “why” all those FTEs are still needed. “One key challenge
for every compliance executive is to maintain the culture of compliance
without the proverbial CIA ‘hammer,’” says Sarah diFrancesca, an
associate in Cooley LLP’s Health Care and Life Sciences Regulatory
group. “In addition, there is often pressure from business units to scale
back some of the processes and procedures that were put in place
under the CIA so they can operate more efficiently,” says Stefanie
Doebler, special counsel in Covington & Burling LLP’s healthcare and
food and drug practice groups. With the focus shifting away from CIArelated compliance requirements, it can be difficult to ensure a strategic
balance of risk and value in a post-CIA organization.
First and foremost, leaders must ensure that risk issues are still
adequately addressed in the face of changing requirements. For
companies that are not ready for such a transition, it may mean a loss
of infrastructure or processes that can lead to future significant
compliance issues and financial impact. For instance, companies
required to enter into a subsequent CIA have paid a price. Approximately
two-thirds of the time, a second or third CIA was accompanied by a
larger settlement than the CIA settlement preceding it, and more
onerous terms and conditions. “If a company faces another government
investigation, prosecutors will question why controls put in place by a
previous CIA did not uncover or address problematic activity. Companies
need to demonstrate a good faith effort to maintain an effective
corporate compliance program post-CIA,” says Ms. diFrancesca.
By strategically planning and transitioning out of a CIA, companies can
mitigate the risks and costs of inefficient or insufficient operations.
Consider these two scenarios:
––A company decides not to make any changes because the CIA already
built compliant operations. By choosing not to make changes the
company may be at risk of compromising future value and efficiency
by continuing compliance requirements that may be superfluous or
outdated. A transition plan allows for strategically streamlining
compliance policies and procedures that are not only compliant, but
adequately address the business needs of the company. In fact, our
experience is that CIA processes can often be more complex than
necessary once they are institutionalized, but often can be streamlined
without raising the risk profile of the company.
In order to effectively address these questions, companies should
approach the completion of a CIA as part of an evolutionary process
that is the life cycle of a mature compliant organization. The following
questions should be strongly considered:
––What lessons has the company learned from the CIA that should be
carried over into the future?
––Which policies, procedures and operations are currently working well?
Are there additional policies not part of the original CIA that also need
to be streamlined or eliminated?
––Conversely, a company decides to change or remove most if not all
compliance operations created to meet CIA requirements with little
to no review or overall evaluation of the ramifications. This option may
leave the company open to the same risks that led to a CIA in the
first place. Lessons learned and effective operations should be
identified and maintained as a positive outcome of the CIA. A CIA is
a long process from which a company can learn many lessons and
develop valuable controls and processes that reduce development,
commercial, manufacturing and regulatory risk for the company. By
reviewing CIA-related processes and gathering feedback from key
stakeholders companies can adequately assess what works for the
company and what does not while still reducing risk going forward.
––How will your monitoring and auditing plan change, if at all, post CIA
requirements?
––Are there currently committees in place that were created based on
CIA requirements? Do those committees’ responsibilities or members
need to change?
––What existing resources within the compliance department will still
be needed going forward? Should certain positions be reassigned to
other areas of the organization (e.g., business, quality assurance,
internal audit)?
This brings up another point: it is important to “functionally integrate”
ongoing compliance obligations into key operating group growth plans
so effective compliance is seen as more than just risk avoidance. Risk
Management must become an integral component of company growth
criteria so that operations like Development, Regulatory, Manufacturing,
Business Development and Commercialization are not unduly
constrained by compliance, but are executing growth strategies within
compliant boundaries.
––Will the company still want periodic independent, third-party reviews
in certain compliance areas now that Independent Review Organization
(IRO) services are no longer provided?
––How can current data be leveraged to proactively manage compliance
requirements going forward? How can the compliance department
partner with commercial operations to provide the best value to the
organization?
By making the compliance effort a “functions up” process – starting
with operating function initiatives and then overlaying compliance – the
potential to retain key growth programs is higher. Commercial operations
can no longer afford to retreat to a binary “yes let’s not do this program
due to compliance risk.” Instead, safe harbor-like corridors of compliant
activities can provide the operating functions with maneuvering room
without raising corporate risk.
––How can the operating function objectives and strategies be codified
so that they can be evaluated against compliance requirements and,
in so doing, allow a “functions-up” driven compliance process?
––Without a CIA in place, how does the organization continue to drive
a compliance-driven culture?
Lessons Learned:
Consider establishing a strategic framework for compliance operations
that includes “life after a CIA:”
In a progressive post-CIA organization, proactive leaders evaluate the
new upcoming landscape and ask:
––Assign a CIA transition leader
––What should be retained, what should be changed and what should
be removed?
––Create a cross-functional leadership team (or leverage an existing
cross-functional compliance committee) to evaluate and develop key
aspects of a plan; staff this team with both compliance and operating
function management
––What is the best way to support these decisions and gain support
from other senior management and key stakeholders in the process?
2
huronconsultinggroup.com/lifesciences
How to Position Compliance in a Life Sciences Organization
––Evaluate the current compliance landscape
the CIA is lifted, they think they can return to the old best practices,
when they really should be looking closely into the current best
practices.”
––Evaluate on-going compliance operations affected by the
current CIA
Recently negotiated CIAs provide valuable insight into the government’s
expectations regarding companies’ compliance obligations and
monitoring. As the industry becomes more sophisticated through
implementation of comprehensive data systems and robust compliance
infrastructures, the government is increasingly focused on requiring
compliance auditing activities to help identify and mitigate compliance
risks. For example, CIAs executed prior to 2010 required very little
monitoring outside of sales representative ride-alongs when compared
to CIAs executed from 2010 to present, which often include broad
monitoring provisions of both promotional activities and non-promotional
activities such as medical affairs, healthcare-professional consultant
arrangements, advisory boards, publication activities and grants.
Companies nearing the end of their CIAs should consider looking closely
at current CIAs and monitoring requirements to determine how they
plan to address promotional and non-promotional monitoring activities
not previously required.
––Consider the functional objectives and strategies and evaluate
against compliance requirements
––Create a transition plan with contingent arrangements
––Gain support from senior management and the appropriate board
committee
––Create a communications plan to inform organization of new rules
and process
––Help drive implementation of changes
––Each of these steps is spelled out in further detail below:
Assign a CIA Transition Leader
Often companies operating under CIAs assign an individual to oversee
the CIA implementation process and coordinate with the IRO. Similarly,
companies should dedicate an individual to manage the transition as
the organization moves past the term of its CIA (life cycle management
is well understood at companies). Preferably this should be a senior,
well-respected individual who understands the scope of the CIA and
the impact it has had on different functional areas of the organization.
This individual should also have enough leadership support and respect
within the organization to sponsor major policy and procedural changes
and have the resources to coordinate the overall transition effort.
Pharmaceutical companies transitioning off of a CIA should also
consider re-familiarizing themselves with the OIG’s Compliance Program
Guidance for Pharmaceutical Manufacturers, which provides a set of
guidelines that pharmaceutical manufacturers should consider when
developing and implementing a compliance program or evaluating an
existing one. This guidance is illustrative of the OIG’s expectations of
a robust compliance program even in the absence of a CIA.
Create a Cross-Functional Leadership Team to Evaluate
and Develop Key Aspects of a Plan
Evaluate Ongoing Compliance Operations Affected by the CIA
Requirements set forth by CIAs often result in company-wide changes
that affect daily operations. It is important to evaluate the changes
triggered by the CIA in order to determine if they are of value in a
post-CIA organization. It is recommended that companies capture
lessons learned and identify best practices through discussions with
key stakeholders impacted by the current CIA. Therefore, instead of
removing all the changes put in place under the CIA or keeping
everything in place, companies will be able to strategically re-evaluate
roles and responsibilities and update policies and procedures
incorporating lessons learned and best practices. “For example, CIAs
typically require management personnel to certify to OIG that the
company is in compliance with all applicable laws,” says Ms. Doebler.
“After a CIA, those same employees obviously do not need to continue
Evaluate the Current Compliance Landscape
Strategically transitioning a company after a CIA involves balancing
value and risk. Company compliance-related operational changes
implemented during the span of a CIA were mandated by the Office of
the Inspector General (OIG) in light of the compliance landscape at the
time the CIA was executed. Years later, that compliance landscape and
the OIG’s enforcement focus often have changed. Therefore, it is
recommended that companies develop a risk mitigation strategy that
incorporates both lessons learned as well as the current industry
guidance and enforcement focus. “Sometimes companies forget that
the enforcement climate, and expectations of industry have continued
to evolve while they were under their CIA,” says Ms. Doebler. “So when
3
huronconsultinggroup.com/lifesciences
to submit certifications to OIG. But establishing an internal certification
process can help the company ensure personal accountability and
maintain an overall culture of compliance.”
––Determining communication vehicles and methods to keep the
compliance “message” positive, proactive and relevant
––Providing findings and recommendations on operational changes, if
any, to be made to senior management
Evaluate the functional objectives and strategies and juxtapose against
compliance requirements
––Determining potential contingent arrangements should transition
whether plan timing should be delayed or accelerated due to
unforeseen enforcement activities
With a template of key, streamlined or even enhanced compliance
practices, the next step is to pivot the team to key operating functions:
Development, Regulatory, Business Development, Manufacturing, and
Commercialization. The compliance team should work closely with the
operating functions, initially one on one, and then evaluate each
function’s key objectives, strategies and tactics against the new
compliance processes. Give-and-take is required, iterating both the
compliance processes (without raising risk) as well as approaches the
function is taking to achieve the objectives. Then, armed with individual
function plans somewhat optimized within compliance, a cross functional
work session is required to look for potential inefficiencies where
compliance risk points and functions interact. The benefit will not only
be operating function strategies optimized for compliance – this often
results in improvements in operating strategies.
An effective transition plan will ensure a timely, effective and managed
evolution of the commercial and compliance operations beyond the
expired CIA requirements.
Gain Support from Senior Management and the
Appropriate Board Committee
As noted above, CCOs operating under a CIA may feel pressure to
reduce costs in the compliance department once the CIA ends. Certain
costs such as professional fees incurred annually by the IRO will end
but what about non-IRO costs incurred by the compliance department?
Non-IRO costs historically incurred under the CIA requirements may
often have the potential to be reduced or in some cases, stay the same
or even increase due to new or changing enforcement priorities or
other external factors such as entering a high-risk market.
Create a Transition Plan with Contingent Arrangements
A transition plan should contain clear measureable objectives, a timeline
with milestones, identified work streams, key stakeholders and process
owners, and potential contingent arrangements. Additionally, the
transition plan should touch on other key activities such as:
CCOs need contingency plans that demonstrate a balance of risk with
value. They will need to use strong data to demonstrate the potential
compliance and financial risks of not ensuring a strategically
implemented compliance transition plan. To be successful, the revised
compliance plan needs to drive operating function improvement. This
will enable management to provide a fact-based analysis of areas
described above, along with a thoughtful transition plan. Taken together,
those will go a long way toward helping educate and gaining support
from senior management in a post-CIA world.
––Gathering feedback from key stakeholders to identify best practices
and an understanding of the positive outcomes achieved from
responses to CIA requirements as well as the challenges or ineffective
results of CIA-mandated operational changes
––Re-evaluating policies and procedures affected by CIA obligations to
determine their relevance and necessity
Create a Communications Plan to Inform Organization
of New Rules and Process
––Re-evaluating roles and responsibilities of compliance department
staff and other personnel affected by CIA obligations to determine
their future need and optimization
A communications plan for relevant departments should be developed
prior to implementing any changes within the compliance department
or business. This plan should outline the analysis, its results and
approval process. The communications plan will assist with the
implementation of the transition plan and also assist with potential
buy-in for those groups potentially affected.
––Determining how the company can utilize ongoing data collection and
analytics to help prioritize future compliance risk
––Reprioritizing monitoring and auditing needs based on the overall
company compliance risk map
4
huronconsultinggroup.com/lifesciences
How to Position Compliance in a Life Sciences Organization
Implement Changes
After the company’s CIA transition leader and CCO sign off on findings
and recommendations, and gain support from senior management,
the company should plan and execute work streams led by functional
area members to reorganize roles and responsibilities, update policies
and procedures, develop corporate communications around the issue
of CIA transitions, and continue to update the corporate compliance
strategic plan.
Conclusion
Companies emerging from a CIA face a myriad of challenging issues.
With the dynamic industry compliance landscape, companies will feel
the need to create more cost-effective and streamlined reviews, even
as they use this as an opportunity to enhance functional area
processes. CCOs must take a leadership role in defining the resources
and infrastructure required after the CIA ends.
Failure to take a proactive stance may allow the organization to either
increase its compliance risk by not integrating lessons learned from
the CIA, or slow down business activity by continuing processes that
are no longer effective or useful. Either way, an opportunity to drive
value across the organization and within operating functions will
be lost.
A well thought-out proactive transition plan that incorporates buy-in
of senior management, clear priorities and rationale, as well as solid
execution will help ensure that companies which have been under a
CIA can shift smoothly to a risk-mitigation model driven by company
needs, current industry practices, and enforcement trends.
About the authors
Mark DeWyngaert, a Managing Director with Huron Life Sciences,
specializes in assisting medical device, pharmaceutical and biotechnology
manufacturers with identifying and mitigating regulatory risks, and with
valuation of services and intellectual property.
646-277-8817 [email protected]
Barry Frankel, a Huron Life Sciences Managing Director, has more than
35 years of experience in the life science industry, including investment
research, strategic planning, merger & acquisition, marketing, and
strategy consulting.
212-896-1602 [email protected]
Paul Silver, a Managing Director, leads the Huron Life Sciences practice.
He has 26 years of experience in the pharmaceutical, medical device, and
consumer products industry, specializing in compliance and regulatory
matters. Paul leads many different CIA projects including helping companies
prepare for their CIA obligations and serving as a company’s IRO.
678-672-6160 [email protected]
*Significant research contributions provided by Peter Lux and Elie Elian
of Huron Life Sciences.
1-866-229-8700 | huronconsultinggroup.com/lifesciences
Huron Life Sciences partners with pharmaceutical and medical device companies to improve regulatory compliance, increase efficiencies in clinical research
enterprises, and achieve financial and operational objectives. We have a balanced perspective and unparalleled experience with identifying issues and
developing solutions in a manner that serves the best interests of the entire enterprise.
The data presented in this summary should only be used for directional purposes and should not be relied upon for advisory or legal guidance.
© 2015 Huron Consulting Group Inc. All RIghts Reserved. Huron in a management consulting firm and not a CPA firm, and does not provide attest services,
audits, or other engagements in accordance with standards established by the AICPA or auditing standards promulgated by the Public Company Accounting
Oversight Board (“PCAOB”). Huron is not a law firm; it does not offer, and is not authorized to provide, legal advice or counseling in any jurisdiction.
Innovative Life Sciences Strategies and Risk Mitigation.
It’s in our DNA.