What is a Well-Designed Compliance Program in the Eyes of the DOJ
When the DOJ evaluates a corporate compliance agenda within pharma and healthcare businesses, it applies a set of criteria to determine the program’s adequacy and the company’s investment in establishing internal controls. While recognizing that each company’s risk profile is unique, the DOJ always asks several fundamental questions before concluding whether the company’s internal mechanisms can effectively prevent or detect violations.
During its audit, the DOJ assesses compliance programs against pre-defined criteria to determine if such programs are adequately designed and resourced and how they work in practice. This report focuses on the first question of what is a well-designed compliance program in the eyes of the DOJ, according to its latest internal manual.
Framework for Risk Assessment
According to its internal guidelines, the DOJ always starts an evaluation of any compliance agenda by checking how the company addresses its risk profile. The prosecutors seek to evaluate how effectively the company identifies and assesses its risks and whether the compliance program is appropriately tailored to mitigate them.
In particular, the DOJ seeks to determine:
- the methodology and metrics the company uses to identify and evaluate the risks,
- whether the company allocates adequate resources to monitor high-risk areas and transactions compared to lower-risk operations,
- if the compliance program is regularly or continuously updated, reflecting the external changes in its internal procedures and policies,
- if the compliance agenda is continuously modified according to lessons learned from the company’s own experience or from the experience of other businesses in the industry.
For example, the DOJ may seek to evaluate how the company addresses the risks presented by the regulatory landscape, its business partners, the location of its operation or manufacturing base, cross-border transactions, and third parties.
Existing Policies and Procedures
A well-designed compliance program should include effective policies and procedures tailored to address the company’s risks. Such policies need to reflect the whole risk profile of the company and be immediately accessible to all employees and other actors, including external teams and third parties.
The DOJ criteria for a well-designed compliance program presume the involvement of all relevant business units in developing internal policies and defining responsibilities for implementation. In particular, this should include an appointment and training of gatekeepers responsible for detecting and preventing violations and taking remedial actions.
Training and Communication
The company should take necessary steps to ensure full understanding of its policies by all employees, units and entities. The DOJ guidance on compliance program evaluation highlights the importance of training on corporate policies and ensuring communication throughout the organization at all levels, including agents and partners.
In assessing the compliance program, the DOJ will seek to determine if the training provided was tailored to the level of risk handled by each team or employee. The evaluation also includes checking the availability of additional guidance and the presence of communication channels for reporting violations.
Whistleblowing Mechanisms Within the Organization
The availability of effective and confidential mechanisms to report alleged breaches is critical for any compliance program. The DOJ stresses the importance of having such mechanisms and considers them one of the key indicators of the efficiency of the company’s compliance efforts.
In particular, the DOJ internal manual suggests checking:
- if the company publicized the reporting procedures to employees and third parties,
- if the whistleblowing mechanisms were actually used to report violations,
- how the company reacted to such reports,
- whether the company has a process for overseeing the investigation and ensuring accountability,
- if the company runs periodic checks of its hotline and other reporting channels to test their efficiency.
Managing third-party relationships is critical for any company, especially pharma and healthcare businesses, in light of regulatory, reputational, ethical and quality concerns. An effective compliance program should detect and prevent violations by providers, agents, consultants, and distributors, ensuring their regular due diligence and training in company policies.
Specifically, the company should have an established third-party management process integrated into its procurement and vendor management. The company must establish efficient controls to ensure contract fulfillment by providers, possess audit rights to analyze transactions with third parties and implement mechanisms to report and address any identified red flags.
Effective Due Diligence for Mergers and Acquisitions
Since many pharma and healthcare companies actively engage in acquisitions to explore synergies, expand their portfolios and introduce innovations, a well-designed compliance program should have a process for comprehensive due diligence for M&A deals. If due diligence is ineffective, addressing non-compliance after acquisition may prove less effective and potentially result in reputational and financial losses.
In evaluating whether the company has adequate mechanisms to scrutinize its acquisition targets, the DOJ seeks to analyze the due diligence process as a whole and the way the risk review was conducted and integrated into the M&A deal. The DOJ stresses the importance of tracking and remediating violations identified during due diligence as well as implementing procedures to conduct post-acquisition audits.
Designing a Comprehensive Compliance Agenda with MedCompli
Compliance in highly regulated industries such as pharma and healthcare has many moving parts which need to be properly identified, addressed and integrated. The regulators expect healthcare and pharmaceutical businesses to maintain robust compliance programs and take into account the effectiveness of such programs when investigating potential violations and imposing penalties.
Today, businesses need technology and tailored solutions, such as legal compliance software, to effectively address regulatory challenges while running and expanding their operations. For more information on designing a comprehensive compliance program, please don’t hesitate to contact the MedCompli team for a free consultation and demo.