Maintaining value in pharmaceutical compliance

How can companies modernise programmes through digital to deliver strategic value?

Rapid changes in the pharmaceutical industry call for a compliance upgrade. Adoption of digital technologies such as automation and machine learning can help compliance maintain its position as a strategic partner to the business.

Executive summary

Without modernising compliance operations at pharma companies, it will likely become increasingly difficult, if not impossible, for compliance to remain a strategic partner to the business—a position that took years to achieve. Regulatory requirements are increasing, regulators’ capabilities to identify risks and bad behaviours are growing in speed and sophistication, internal pressure to cut costs and do more with less is intensifying and digital technologies themselves can be a source of risk as the business adopts new tools and ways to engage with customers.

Deloitte Center for Health Solutions’ interviews with industry executives at 10 pharma companies found that:

  • Many compliance activities require significant manual effort; adoption of digital technologies is nascent; and with few exceptions, implemented use cases support reactive activities, such as identifying and reporting past events.
  • Technology deployment is variable: For instance, one organisation has implemented a sophisticated digital tool for policy inquiries while still struggling with real-time monitoring and continuous control of financial transactions.
  • Though compliance executives have digital technologies on their radars, traditional approaches to compliance operating models and existing workflow systems impose constraints on what interviewed executives think is possible.
  • Finally, compliance departments can get overlooked as other functions are targeted for digital investments.

In this article, we propose a view of digital maturity to help organisations assess their current state and ambition and recommend action steps to consider in modernising their compliance operations.


As an enabling function, compliance at pharma companies covers multiple areas, including human resources, foreign corruption and bribery, patient assistance programmes, communications with patients and health care professionals (HCPs) and reporting to regulatory bodies.1 Given the need for specialised expertise in each of these areas and a dependence on other parts of the organisation for data, compliance operations have traditionally relied on manual processes. And this means that a compliance programme can only be as powerful as the number of people assigned to it.

Digital technologies can make it possible to move away from rote tasks, keep up with the growing amounts of data and transform compliance into a value-creating organisation that anticipates what can go wrong and prevents it from happening.2

“Our minds are faster than our work allows us to be. We couldn’t do certain things because the capability wasn’t there. Now we can.”

—Sales force planning executive, large pharma company

But are pharma companies taking advantage of the opportunities afforded by digital technologies to modernise their compliance operations?

We set out to answer this question by understanding current levels of technology adoption and future opportunities for compliance modernisation. We interviewed 16 executives from compliance, commercial and medical affairs functions at 10 pharma companies (see Appendix 1). We found that the use of digital technologies is still in the nascent stage, but interest and opportunities are growing.


Resource-intensity of basic compliance operations limits focus on strategic issues

Our findings suggest that the resource-intensive nature of many of the operational activities limits the time compliance executives can dedicate to strategic tasks. While this is not unique to the pharma industry,3 it does suggest that companies may not be getting the value they expect out of their compliance operations.

Respondents said that identifying and customising training needs, generating reports, and developing and managing compliance policies require considerable resources. Monitoring and auditing involve manual data extraction from multiple documents and data systems and dealing with inefficient processes for document management. And ad hoc activities such as attending meetings, reviewing promotional materials and answering queries from business colleagues can be time-consuming.

When executives from the business side (commercial and medical affairs) engage in compliance-related activities, they too find many of them resource-intensive. Examples include reviewing promotional materials, customer relationship management (CRM) tool management, managing product samples and performing administrative tasks required by policy.

Use of digital technologies in compliance is an exception rather than the rule

Our research has found that though digital technologies promise to improve efficiency and quality, their adoption in compliance by pharma companies is nascent. And even when they are used, the levels of adoption and types of technologies vary. For example:

  • Some companies use complex algorithms such as natural language processing (NLP) to create policy apps and mine text in emails for potential red flags.
  • Most companies have built reports and dashboards, but these tools do not comprehensively address all analytic needs in routine compliance operations.
  • For many other tasks, compliance professionals rely on generic software such as the Microsoft suite (Word, PowerPoint, SharePoint, Excel).

Most of the implemented use cases we heard about in this research support reactive activities, such as identifying and reporting past events. Below we provide a few examples of implemented solutions categorised according to what they are used for.

  • Monitoring. Compliance functions spend considerable time on the retrospective review of emails as part of risk monitoring. A large pharma company deployed an NLP tool for initial email screening to identify potential risks. This approach reduced the number of emails that compliance officers needed to review from 2,500 to 20. Now, the officers can spend time investigating those 20 emails and narrowing them down further to find true risk to the business and perform employee retraining to improve their understanding of what constitutes risks and how to avoid or minimise them in the future.

  • Reporting. Another company identified the need for a mileage-calculation solution in its expense reporting, as employees subject to this requirement had to exit the company’s application to calculate mileage. The compliance analytics team automated this process through an algorithm that captures employees’ inputs (for example, home address and customer address) and calculates the distance between the two locations, using external data that the algorithm pulls from Google Maps. The respondent described this as a parsimonious solution that requires a minimal amount of code and yet has saved employees a lot of time.

    One of the responsibilities of the compliance function is to monitor marketing spend. During an internal audit, a pharma company found that employees inaccurately reported the expenses incurred during HCP interactions. These errors typically occurred when attendance was lower than planned, resulting in overstating of costs per HCP and exceeding allowable limits. The company built real-time prompts that come up when the cost per person exceeds the limit. This encourages the employee to seek advice from compliance during expense report completion. Thus, reporting errors are prevented as opposed to being found months later and corrected retroactively.

  • Policy. Two companies we spoke with use chatbot-based policy apps to help field-based professionals find answers to policy-related questions. With this app on their smartphones, professionals can get answers to their queries in real time. The app also provides a reference to the specific language in policy documents. Told of this during our interviews, several other companies expressed interest in implementing a similar solution.

Despite these examples, our conclusion is that there is much more opportunity to implement digital technologies. For many reasons, compliance organisations at pharma companies do not have a well-developed strategy around taking advantage of opportunities.4 One way to get started is to consider a digital maturity model that can be useful in designing that strategy.

Digital maturity model for pharma manufacturers to leverage digital capabilities in compliance

The model we describe in figure 1 can help organisations assess their current position and ambition for the future.5 It also serves as a reminder that strategy, not technology, drives digital transformation.

The fundamental stage involves preparatory work: to make systems and processes analytics-ready and put in place and/or streamline basic analytic capabilities. At the next stage of insight generation, compliance professionals spend more time on analytics than on data management: automating routine processes, implementing continuous controls and performing root-cause analyses. As more compliance and analytic work is automated, the compliance function can move beyond backward-looking analysis and reporting towards generating foresights—anticipating and preventing future risks.

Opportunities abound to digitise compliance operations

Respondents offered many ideas for using digital technologies to improve compliance and business processes. We have categorised use cases along the digital maturity continuum (see figures 2, 3 and 4) and for each level of digital maturity, we offer a detailed description of a use case applicable to most pharma companies’ compliance operations.


Fundamental: Use cases from interviews

Detailed use case: Automated risk assessment across a product portfolio. Interviewing business owners is one way in which compliance officers assess risks for products or portfolios. But this in-person approach means that risk assessments do not happen as regularly or as often as they should.

An automated risk assessment process for a product portfolio, built on an existing risk management platform, can capture data from stakeholders (product owner, brand team) through a standardised survey. Survey questions could cover risk domains based on the company’s requirements and an automated schedule could ensure the desired frequency of data collection. And more stakeholders can contribute survey data than through the traditional approach. Additionally, risk weighting and scoring algorithms can be added to automatically score survey results and provide an objective view of compliance risk that drives ongoing monitoring plans and activities.

With data collection automated, compliance activities can shift from gathering to analysing data and providing meaningful insights. Furthermore, the solution can help compliance teams become more targeted, paying greater attention to higher risk areas with in-person visits.

Insight generation: Use cases from interviews

Detailed use case: Automating compliance reviews of HCP engagement requests. Pharma companies process numerous HCP engagement requests (for speaker or education programmes, for instance), a process that can be labour-intensive. Algorithms that combine ML with NLP and NLG can help improve the efficiency of this process.

When the business submits a request through a CRM portal or similar system, an algorithm performs the first level of review and the results are routed to compliance. A dashboard showing all HCP requests in the queue includes a confidence score and reason for rejecting or approving each request. Exceeding budgets, inconsistencies in the request, or failure to substantiate the business need could be reasons for rejection.

The compliance professional can either accept the algorithm-proposed dispositions for the requests or perform a secondary review. Certain parts of the text in the request are colour-coded to facilitate secondary review: for example, green identifies key terms and phrases that justify approving the request, red signifies risks associated with the request or potential reasons to disqualify the HCP in question from participating and yellow points to areas that are unclear or warrant further review.

The results from the secondary level of review feed back into ML algorithms that continue to learn as the system is used. Over time, the accuracy of the first level of review increases. Potential labour savings in the first year can be up to 50 per cent and increase to 70 per cent over time.

Using outputs of one process as inputs for another

Efficiency is about more than just saving time and labour: When generation of analytical outputs is accelerated, they can be used as inputs in other analyses.

Our respondents described possible scenarios. Imagine using the following monitoring findings to predict risky behaviours by reps:

  • Data from CRM to understand the degree to which reps’ activities are concentrated in one or two accounts versus distributed
  • Data from accountancy systems to cross-check client interactions captured in CRM and track the flow of money (meals, speaker fees, research grants) to specific HCPs
  • Email communications to flag potential issues
  • Reps’ compliance with training requirements
  • HCP history (eligibility for engagements, amount of product samples received, fair market value rates and exceptions)

Using such monitoring findings for risk assessments is an unlikely option in traditional compliance operations due to lag times of six to 12 months. Digital technologies are accelerating data generation close to real time and making new approaches to risk assessment a reality.

Power of foresight: Use cases from interviews

Detailed use case: Continuous monitoring of third parties. A risk-sensing solution uses NLP to mine unstructured text from hundreds of thousands of external data sources in multiple countries and languages, to provide early warnings of potential third-party risks. The examples of risk domains the solution can track for a specific third party include:

  • Compliance: Legal citations, class action lawsuits, policy violations, fines, regulatory actions and environmental violations
  • Financial and reputational risk: Financial crimes, tax evasion, fraud, general company information and reputational issues
  • Operational risk: Service payments to vendors and employees, due diligence, supply chain issues, commodity pricing, labour disputes
  • Strategic risk: Future of the industry, macro trends affecting the third party, political landscape, localised perspective

The solution generates a risk profile, a summary of the signals to support the risk profile, a risk score based on the number and strength of the warnings, and potential implications. The information is organised into a dashboard for compliance professionals to periodically review third-party risks. The solution helps the compliance function to anticipate and prepare for these risks weeks or even months in advance.


How should compliance executives think about activities that merit technological solutions, especially given their budget constraints? We recommend that companies approach them thoughtfully and evaluate the following within the context of their organisational structures and business needs:

  • Value: The value to the organisation can often be expressed in terms of risk impacts. Digitising processes associated with the highest risks, where improved speed and accuracy can help prevent, detect, or respond to those risks could deliver the greatest value.
  • Impact on internal compliance operations vs. business line processes: Because many first-line-of-defence activities occur at the business level, changing existing processes or implementing new ones can require co-ordination and buy-in from business.
    • When a business line process is affected, the proposed changes should create benefits not only to compliance but also to the business. In an ideal scenario, a new solution would solve an existing business need. An example from our research involves medical information request forms (MIRFs). All medical affairs executives we spoke with identified this as a lost business opportunity: By the time they answer a customer’s question that triggered the MIRF in the first place, the customer has moved on. Ideally, they would like to reduce turnaround time on MIRFs to under 24 hours. Using a chatbot to help field representatives answer customer questions that would normally generate a MIRF is one of the ideas they offered.
    • On the other hand, changes to business line processes can create opportunities for compliance. For instance, when the business is implementing a new technology or system (such as a new CRM system), it creates an opening to implement new business rules, controls, or reports to support compliance activities.
  • Feasibility: Assessing the feasibility of a technological solution in a specific scenario can yield a go/no-go decision; for instance, when the technology is not ready, or the data and systems environment cannot support it.
    • Speed and ease of implementing: Attacking an easy problem first can be a low-risk approach that helps build confidence in the technology and deliver an early win.
  • Resource use: Evaluating activities for resource-intensity could be a useful prioritisation exercise when multiple use cases are considered.

In Appendix 2, we provide an example of a prioritisation matrix to illustrate how companies may inventory and evaluate their compliance processes against multiple criteria.


In all the 10 companies we interviewed, compliance departments play a strategic role, and most respondents admit it took a great deal of work and relationship-building to get there.

Demands on compliance departments will likely continue to grow: Regulators’ capabilities to identify risks and possible bad behaviours are evolving, internal pressure to cut costs and do more with less is intensifying and digital technologies themselves can be a source of risk.

Compliance functions should continue to modernise their processes, or they may find it difficult to retain their hard-earned positions as strategic partners to the business. As their work gets harder, they may find it challenging to be effective with blocking and tackling alone. The time to invest in digital transformation is now; every company can take steps today to modernise its compliance operations regardless of where it is on the digital maturity continuum. These steps include (figure 5):

  • Understanding and aligning with existing digital transformation initiatives at the corporate level
  • Defining success
  • Going fast by prioritising compliance processes for which digital solutions make sense
  • Scaling up once the results are proven

Appendix 1: Study objectives and methodology

In spring 2019, the Deloitte Center for Health Solutions conducted interviews with 16 executives from compliance, commercial and medical affairs functions at 10 pharma companies (see figure 6). Nine were large-cap companies, with revenues greater than US$10 billion; one was a start-up. During the interviews, we focussed on compliance-related activities. The objectives were to:

  • Understand current use of technologies
  • Identify new opportunities digital technologies might present
  • Understand leading practices for collaboration between compliance and business functions, particularly within the context of digital transformation and future role of compliance

Appendix 2: Illustrative prioritisation matrix for evaluating technology opportunities

In this illustrative example, we chose to focus on automation technologies because they are applicable to most companies at the fundamental and insight generation stages of digital maturity.

After inventorying all compliance processes, stakeholders identify those processes for which automation approaches are feasible and plot them on the matrix along the dimensions of automation potential, ease of implementation and value to the organisation.

Appendix 3: Glossary of technology terms

Debanshu Mukherjee assisted with secondary research, project management, and writing of the report.

The authors would like to extend special thanks to Amry Junaideen, Dan Ressler, and Jack Tanselle for their expertise, support, and guidance.

The authors would also like to thank Sarah Thomas, Surya Valisetty, Adam Wisnieski, Michael Crowthers, Neal Gregory, Kirk Petrie, Dilip Krishna, Timothy Cercelle, Marcy Imada, Michele Fleming, Nikhil Gokhale, Lauren Wallace, Mark Linver, and the many others who provided ideas and insights to this project.

Cover image by: Kevin Weier
