Compliance Programs FAQ
The complex regulatory landscape in which life science companies operate provides many opportunities for missteps, which can be critical to a company’s long-term success. Implementing and enforcing a formal compliance program is vital; however, the process for doing so poses challenges for organizations of all types and sizes. Below are some frequently asked questions and answers that may act as a guide for your company as you undertake this process.
Who is responsible for implementing and overseeing a company’s corporate compliance program?
A company’s Board of Directors is responsible for implementing and overseeing a company’s corporate compliance program. The Board should adopt a formal resolution to signify their commitment to a corporate compliance program, as well as allocate the necessary resources and support to ensure the program remains viable. The Board also should provide ongoing oversight and any necessary changes to the program as regulations and laws continue to evolve.
It’s also important for the Board and other company leaders to set the proper tone with regard to enforcing and maintaining the program. This includes operating in a transparent and ethical manner, modeling the proper behavior, reinforcing the importance of the compliance program, and making proper decisions in the face of adversity or difficult circumstances.
What resources are needed for building a corporate compliance program?
It is essential that a company be willing and able to devote the proper resources, including personnel and funding, in order to build an effective corporate compliance program. While the depth of the program will be influenced by a number of factors – including the company’s size, operations, and product portfolio – the company must ensure it provides the proper support if the program is to remain effective.
The Compliance Officer also must maintain access and working relationships with the Board of Directors and other company leaders. The Compliance Officer should have a designated Compliance Committee that can assist in the daily operations of the compliance program. Finally, the most effective companies operate within an integrated compliance structure, with compliance resources operating throughout each level of the organization. This structure enables a steady and centralized approach to general compliance strategies while also allowing for modifications and tailoring based on local rules, guidelines and procedures.
What is the appropriate scope of a corporate compliance program?
While circumstances vary, companies may be liable for misconduct by business partners, vendors, agents, and/or other third parties. Compliance programs should provide procedures for comprehensive due diligence before engaging business partners, vendors, agents, and/or other third parties, and effective internal controls and audit rights must be established.
Background checks, both for employees and business partners, must be conducted prior to a new relationship, as well as at regular intervals moving forward. Employees and business partners should fully disclose to the company any information of misconduct or criminal activity, including debarment, exclusion, and/or suspension.
What is the role of the compliance officer?
The compliance officer is responsible for the day-to-day interaction of the compliance program. This includes regular interactions with all departments and company employees to build rapport, establish best practices, and construct a culture throughout the organization. The compliance officer should establish branding for the compliance program so that it is easily recognized as a critical element of the company’s operations. The compliance officer also should work to integrate the compliance program into all business operations to ensure all employees understand its importance and incorporate compliance measures into their daily responsibilities.
The compliance officer also may have certification responsibilities that should be understood, such as providing external certifications relating to the compliance program. This will require a variety of processes, disclosures and audits to ensure the information is up-to-date and reliable.
What are some best practices for operating a corporate compliance program?
An effective program is built on a foundation of communication and transparency. It should be possible to communicate compliance concerns and questions clearly, without fear of inaction, retribution or retaliation.
Programs should also be efficient and user-friendly, including all reporting procedures and documentation encompassed within them. Policies and processes should be clearly explained and communicated to all employees, and a variety of training and education should be provided on a regular basis to reinforce the critical importance of compliance.
Another vital component is effective auditing and monitoring protocols to identify potential concerns and weaknesses. These audits can be used to minimize risk to the organization and continually strengthen the compliance program.
Additionally, companies must be willing to conduct swift and detailed internal investigations whenever a concern is identified. The investigation must determine whether a violation occurred and the cause of the violation, and provide guidance on corrective actions to ensure similar concerns do not arise in the future.
Why is it important to continue improving a company’s compliance program?
Companies need to understand that a compliance program is not something that is put together and declared “done.” In order to be effective, it must continue to evolve to address emerging risk areas and changes in the company’s risk profile, such as new business activities, new products/services, and new business arrangements. Building a strong culture of compliance and continuing to utilize best practices will enable your organization to adapt to changing times and maintain a robust compliance program.
How do you evolve a corporate compliance program?
One critical step is undertaking a comprehensive risk assessment each year to identify potential risk areas in the company’s operations, products and services. A risk assessment should identify potentially problematic areas and prioritize compliance efforts and resources.
Organizations should have their corporate compliance program regularly reviewed and assessed by third parties to align the program with recent regulatory developments, enforcement trends, and industry best practices. The third party can identify weaknesses, provide suggestions for improvements, and ensure the program is adapting to changing industry practices and trends.
Similarly, all documentation related to the program should be maintained and organized in an accessible manner. It is important to take into consideration factors such as version control and privilege, as well as abiding by applicable privacy and data protection laws, when maintaining and storing documents.
Where can I find additional resources regarding implementing and maintaining compliance programs?
The United States Department of Health and Human Services Office of Inspector General (OIG) has published a significant number of compliance sources, including:
Organizations also should stay current on industry developments, including: