Five questions on current trends in compliance risk management
When it comes to managing compliance risks, some companies take a decentralized, non-integrated approach. Because while nobody wants to run afoul of regulations, at the same time it can be difficult to understand the importance of enterprise-level consistency, much less centralized oversight, coordination and control.
But that may be changing. Following a particularly robust decade of regulatory rulemaking and enforcement, many organizations are exposed to compliance risks in ways that are unfamiliar – and anxiety-inducing. Noncompliance can be costly, can expose the organization to reputational risks, or, worse, can jeopardize the future of an entire business unit or organization. An aligned, integrated approach to compliance can protect against these outcomes and can even contribute directly to shareholder value.
That’s why many companies are reevaluating their entire approach to managing compliance risks, applying many of the same methodologies used for financial reporting to compliance issues. They’re putting formal governance and organizational structures in place, setting up freestanding compliance and risk committees at the board level, and more.
In this issue of Risk Angles, Robert Biskup, takes stock of some of the latest leading practices in compliance risk management. Then, David Hodgson, partner, Deloitte & Touche LLP, Global Leader of Enterprise Risk Services for Life Sciences, lends his perspective on compliance in the Life Sciences sector.
A closer look: Life science sector
|For companies that haven’t had any major compliance problems in the past, why change?||Regulatory mandates aren’t the only reason to change course. Advances in technology in areas such as social media have increased the spread and speed of bad news, putting many companies in reactive mode at a moment’s notice. Compliance problems can have a serious impact on reputation – within days or even hours. That’s a domino effect that was rarely seen years ago.|
|Are board-level compliance or risk committees inevitable?||They’re definitely a growing trend, and companies should carefully weigh the benefits of having a standalone committee even if they’re not mandated. Audit committees may already be overloaded, and regulatory expectations continue to increase. In this environment, some industries will be required to have standalone committees – and others may adopt them simply because they make sense from a risk management perspective.|
|What leading practices for governance are emerging today?||We’re seeing compliance officers steadily moving up the corporate ladder, with many reporting directly to the CEO, and a dotted line to a board committee chair (usually the audit committee). They may have more functional independence – both in appearance and fact. And with increased visibility, there’s a natural expectation that chief compliance officers deliver strategic value to the organization by deploying compliance controls and processes. This is a positive trend, reflecting a significant shift in the perceived importance of managing compliance risks more efficiently and effectively.|
|What are some of the more innovative approaches to compliance risk management you’ve seen?||Companies are definitely becoming more aware of the importance of getting compliance right, drawing from cross-industry leading practices whenever possible. They understand better how to use the right mix of internal and external resources to get the job done right. The days of a do-it-yourself, homegrown compliance program may be numbered, because the stakes are simply too high and the playing field is subject to dynamic change.|
|Where is technology playing a bigger role in compliance risk management these days?||In the pharmaceutical and medical device industries, advanced technology is playing an instrumental role in risk monitoring. These companies have monitoring tools that give them a real-time look at their compliance efforts in areas such as tracking spending and transactions with health care providers. Better information drives better compliance – and technology will increasingly be the key enabler that makes it happen. It’s an accelerating trend that companies in any industry would be wise to take note of.|
A Closer Look: Compliance in the life sciences sector
David Hodgson, partner, Deloitte & Touche LLP, Global Leader of Enterprise Risk Services for Life Sciences
For my clients in the pharmaceutical industry, the effectiveness of their compliance management capabilities can have a big impact on their bottom line. Imagine being on the receiving end of a multi-billion dollar fine for noncompliance, and you can see why it’s so critical to get compliance right. That’s one reason why some industries look to pharma for clues on what the future may hold for their own compliance management efforts.
So what are pharma firms doing in the area of compliance these days? One of the biggest trends that other industries may want to note is the move to clearly defined, enterprise-wide monitoring groups. These groups are charged with continually assessing compliance risks and related mitigation activities. This gives management the insight needed to understand and modify their approach while they can still affect the outcome, rather than reacting after the fact. This approach adds a layer of discipline to compliance risk management that simply didn’t exist before, when monitoring of control effectiveness typically was performed by internal audit, if at all.
Pharmaceutical firms are also turning to advanced analytics to keep tabs on what’s really going on in the far reaches of their business. For example, the issue of off-label marketing (when a drug is marketed for reasons other than its officially approved use) is a perpetual compliance risk. With analytics, drug makers can compare prescriber information with sales call strategies to identify red flags. For non-pharma companies, analytics can be a powerful tool for zeroing in on key compliance risks.
Perhaps the biggest takeaway is that in pharma, many have decided it’s worth pursuing stronger compliance risk management capabilities for their own sake, rather than to satisfy emerging legal requirements. Because stronger compliance makes for a stronger business. Leading companies in the industry should also lead by example in compliance. That requires a fundamental change of mindset, which can be harder to put in place than any individual risk management tool – but far more powerful in the long run.
Download the Risk Angle above.