The New World
In 2002, responding to public outrage over a series of corporate accounting scandals, the US Congress enacted a law now generally referred to as “Sarbanes–Oxley” or SOX (2). Under this law, the US Securities and Exchange Commission (SEC) issued regulations defining new requirements. Promulgated for misdeeds arising in the financial sector and driven by the SEC, most analysts now view this legislation as financially unifunctional. The growing complexity of business organizations, however, and the interdependency of their operating systems warrant a more expansive view than SOX offers. The integrity of financial statements — or more appropriately, the “quality” systems supporting financials — may be the real issue at hand.
Simply stated, SOX requires the chief executive (CEO) and chief financial (CFO) officers of a company to sign off on its quarterly financial statements. Executives who knowingly sign off on financials that contain any false statement(s) are subject to fines or imprisonment. This suggests that companies need accurate and precise paper/electronic trails of their procedures for compiling financial information to give those officers the confidence that they can rely on the data set before them. Senior management will certainly demand that effective processes have been used and that all calculations can be documented. SOX also requires that CEOs and CFOs sign off on their companies’ internal controls once a year, and the SEC has further stipulated that they do so every quarter. Based on the financial impact of quality noncompliance, a simple interpretation of all this could be that each company’s financial health depends on the health of its related quality systems and supporting documentation.
Within the pharmaceutical industry, the requirement to conduct internal quality assurance audits is well established and recognized under US regulations. Beyond the requirement to establish procedures for and to conduct such audits, drug company management has the responsibility to review the results of such audits. When audit findings reveal a state of noncompliance with quality system requirements, corrective action must be taken. Under the quality system regulation (QSR), which is presently relevant only to medical devices, managers with executive responsibility are required to establish a commitment to quality (3). Manufacturers must provide adequate resources, including internal quality audits, to meet the expectations of this regulation. The QSR also requires verification or validation that corrective and preventive actions are effective. FDA inspectors are trained to solicit information regarding senior management’s involvement as a routine part of their investigations.
Most pharmaceutical companies perform quality assurance audits of their internal operations, contractors, and suppliers. Additionally, numerous business organizations and consultants provide professional, independent, third-party audits. Practices are well recognized within the industry and inspections follow a systematic approach. Such audits, however, are focused in both their performance and application. Consequently, the information they produce never leaves the protection of an “operations” group and rarely is reviewed at the executive level — thus it is missed by the very individuals who are on the Sarbanes–Oxley liability firing line.
Future regulatory compliance specialists must be capable of performing independent risk assessments — taking elementary GxPs to the next level — and incorporating business process risks. These specialists would identify gaps that, when corrected, significantly reduce risk exposure. Unfortunately, large pharmaceutical organizations often feel that they have more than adequate resources to manage their operations. Consequently, corporate culture drives the process while an organization slips into a risk-exposure mode without even realizing it. When that happens, the outcome is usually a consent decree.
An example comes to mind of why it is so important to interface the regulatory compliance and financial operations of an organization. In a consulting capacity for a financial services firm, one of us performed a regulatory assessment of a large pharmaceutical manufacturer as part of a loan-guarantee review. After assessing the regulatory actions that had been taken against that company by the FDA, the consultant made recommendations to the parties of the loan guarantee. Standard inspectional observation forms (FDA 483s) were cited and explained because, as it turned out, there was no awareness within the financial arena of what such a form was and what operational risk it represented. That regulatory information allowed the participants to complete their financial assessments and change the company’s internal processes to capture 483 information for all future transactions.
Managing Risk
Sarbanes–Oxley establishes a critical legal linkage between the regulatory sanctions arising from operational risk and financial reporting. The message is that compliance with regulatory requirements and ethical conduct standards must be visible (and transparent) to boards of directors and senior executives because they could be held accountable and could be held personally liable for violations. The challenge will be to focus compliance on covering the real danger points without expensive blanket coverage of every possible risk. So regulatory risk assessment needs to be established in the context of broader business risks such as product recalls, failure of key development projects, and process quality or marketing practices that fall below industry standards. It must measure an organization’s ability to bridge high-level objectives with low-level execution. The skills necessary to accomplish this have not been (nor can they be) taught in business schools. They are the product of experience.
A poignant example of other legislative risk goes back to the early 1990s, when the FDA was at odds with a certain large pharmaceutical company. Discussions were going nowhere when the agency raised the specter of the Racketeer Influenced and Corrupt Organizations Act (RICO) (4). The company ceased argument, closed down several facilities, and undertook voluntary efforts to resolve the problems. RICO is a 1970 law originally aimed at busting “criminal enterprises.” It allows plaintiffs (the US Government) to receive triple damages and extends the statute of limitations to 10 years after a crime is committed. The law was designed by the US Congress to crack down on organized crime, drug dealers, and smugglers. But it has been used against street gangs, health-maintenance organizations (HMOs), tobacco companies, law firms, and medical practices. It is conceivable that actions or inactions of some directors or officers could be so egregious as to achieve conspiratorial intent.
Concern is rising within the insurance sector as state courts expand interpretations of the Fortuity Doctrine, an insurance clause that denies coverage when a policyholder should have been aware of likely exposure to losses (the insurance industry’s “would’ve, should’ve, could’ve” defense against coverage). Under the doctrine, insurance coverage is barred for losses that a court feels should have been foreseen by policyholders. This troubling trend raises such questions as whether or not purchasing loss-prevention services from insurance companies is ever a means of protection against the fortuity defense.
Some early indicators suggest that a company is potentially getting into trouble with the FDA. Publicly available early warning signs include 483s, drug recalls, seizures, and warning letters, but the ability to assess and interpret such documents (their severity, underlying issues, and potential risks) is reserved for experienced professionals. For example, repeated offenses at the same facility are particularly troubling to the agency. In a warning letter to Pharmacia dated April 2002, the agency stated, “similar deficiencies were reported to your firm in a warning letter… dated January 31, 1997…. We consider the recurrence of the deficiencies found during our most recent inspection to be recidivist.” The characterization of Pharmacia’s noncompliance as recidivist may be an indicator of future intent. Even more to the point, independent assessments of all facilities and operations can provide information before regulatory authorities detect it. The insurance model could be likened to safety inspections and the Occupational Safety and Health Administration (OSHA).
Another Financially Significant Regulation
On 2 February 1999, the US FDA’s Financial Disclosure Rule for Clinical Investigators (www.fda.gov/oc/guidance/financialdis.html) became law. This rule broadly expands the agency’s regulatory reach (and sanction) into the financial sector. There is a specific requirement for a product sponsor’s CFO or other appropriate senior official/delegate to certify the absence of certain financial interests of clinical investigators and/or disclose certain financial interests of clinical investigators at the time of application for product approval. The FDA intends to extend these requirements to human foods, animal foods, and animal drugs in the future.
These requirements have substantially complicated the drug approval process. The rules apply not only to the investigators and all listed subinvestigators, but also to their spouses and dependent children. Sponsors must now solicit personal information from a large population of individuals who may or may not feel compelled to disclose their private holdings (note also that personal portfolios are dynamic and often under independent management). Furthermore, the FDA has retained the discretionary right to publicly disclose such information under the Freedom of Information Act (www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htm).
Our Proposal
The insurance industry should expand its core processes to include regulatory risk as an element of coverage. When properly constructed, administered, and delivered, regulatory risk assessments and reports would provide downside protection to liability carriers and tangible assurance to the insured companies that their internal processes are working and reliable. Such an undertaking on behalf of an insurer cannot be accomplished without subject-matter expertise. The regulations provide a framework, but many areas still require expert judgment. No quantifiable models are available, and more often than not, interpretation is an amalgamation of knowledge, experience, and (often) serendipitous timing. An appropriate analogy might be the driver’s license. There are many licensed drivers, but as the insurance industry knows all too well, having a license does not correlate with expert driving skills.
We envision the path forward as a two-step process. The objective at the first step is to preclude unexpected loss. A corollary could be drawn to the regulation of medical practitioners. State medical boards and professional associations are less effective in eliminating “bad” doctors than the insurers that revoke their coverage. In very real terms, insurance companies regulate the medical profession. Denial of coverage is the equivalent of censure. The long-term objective of our proposal would be to ultimately present resulting reports as evidence of compliance to regulatory authorities having jurisdiction. Each of these pathways is predicated upon the leadership of seasoned industry professionals, individuals who have earned their stripes on the “front lines” of the pharmaceutical industry. As in the military equivalent, staff officers may rise to high rank, but the top job always goes to a combat veteran who has been tested under fire.
The system we propose could work as follows: An FDA-regulated customer would apply for coverage from an insurance carrier. A professional team would visit that customer’s site(s), assess the company’s regulatory status against established standards, and issue a report to the insurer’s underwriter. If the report and other insurance-related issues are acceptable, a policy would be issued and the report sent to the customer. If remediation were warranted, the customer would work with the assessors on a program to reduce its potential for losses through improved compliance with government regulations. Issues would be prioritized using the same approach, correcting the worst problems first before tackling lesser ones. Finally, the team would certify completion.
Over the long term, if such practices were to achieve credibility with regulators, the insurance industry could approach government with a new proposal of its own. The FDA’s primary directive is to ensure consumer safety so that the health and the well-being of the citizens of the United States are protected and preserved. That is an extraordinary mandate. The agency also has a continuing interest in implementing regulations at minimum cost to society. That’s where the insurance industry has a major self-regulating interest as well: Every time a covered loss occurs, the insurance industry writes the claim check to pay for resulting damages. So that industry has a significant financial interest in preventing liability losses. Its vested self-interest also works to the benefit of society by encouraging and often mandating the conditions of retaining insurance coverage. Insurance companies exercise their financial power through credits/debits to premiums — or in extreme cases the threat of policy cancellation. Such financial incentives can be extraordinarily powerful motivation.
The insured client could send the report it receives to a regulatory authority, which could accept that as prima facie evidence of a facility’s compliance with the current regulations. Regulators could obtain credible reports of a customer’s compliance without a government inspector ever having to visit the facility. The authority would then hold in abeyance further inspections of such customers. Thus these customers receive advice from well-trained professionals, and the insurance industry acquires a new service it can offer in partnership with the government. Compliant customers could be rewarded with a premium credit on their insurance policies.
A key point here is that until a company passes the risk-assessment process and submits a report to the appropriate regulatory authority, it remains on the same level of regulatory inspection scrutiny as any other company deciding not to get inspected at all. This process has significant benefits for the regulatory agencies: It creates a broader base of survey data and helps regulatory agencies focus their limited employee resources on companies that do not demonstrate regulatory compliance. An alliance for cross training — with the FDA teaching drugs and insurance companies teaching business — would seem eminently appropriate, and a certification program could be developed jointly with the agency that would terminate with industry employment.
It is important to understand that separation of industry and government remains sacrosanct under the proposed system. Customers would send their reports to the authorities. Insurance companies would conduct their studies and risk-improvement visits for their own underwriting purposes. They would be under no duty or obligation to share their reports with anyone. In fact, it is the confidentiality of their visits and reports that makes the system at all feasible. In many circumstances, customers would not want insurers to reveal negative findings to any government policing agency.
So the insurance industry would focus its resources on high-quality and cooperative companies. The FDA would redeploy its resources focusing on those companies without acceptable reports. As more and more companies choose to be inspected through their insurance companies, those not participating would increase their likelihood of being audited by the agency. Rather than facing such potential government scrutiny, they too would lean toward the insurance company option, thus creating a virtuous cycle. The more customers are inspected by insurance companies instead of the FDA, the more others would choose this path.
The key here would be to ensure independence of the insurance inspectorate. Clearly, individuals would need to learn their skills in industry. But as we have sadly learned from the “big five” consultancies, conflicts of interest or their potential must be avoided. Existing focused regulatory consultancies would be inappropriate because they derive financial benefit from their services to industry. The final rules (SOX) explicitly identify several categories of nonaudit services that cannot be provided to an audit client. And the same restrictions promulgated for financial auditors would be extended to “compliance” inspectors.
A Partnership for Protection
Although the government may have the public interest in mind, the insurance industry has its own financial interests at stake. Both interests complement each other and beg synergy for the benefit of all concerned. Indeed, the insurance industry is already underwriting health care, anyway. Industry, for its part, finds it easier and would prefer to respond to market forces than regulatory forces — particularly, responding to understood financial considerations rather than to a command-and-control regulatory process. Thus, the insurance industry provides an alternative method to improve and verify regulatory compliance.
A major benefit of this approach would be that it is generally self-funded. No funding would be needed from any governmental agency to pay for the process. All that would be needed is recognition and acceptance by the appropriate authorities that the reports already being generated are credible and valuable. From an insurance industry point of view, the costs are not significantly higher than they are already today: Risk assessments are already being paid for through the underwriting process.
This concept opens the door to a unique kind of government–public–industry partnership. Traditionally, there has always been a healthy distrust between government and industry with regard to this kind of cooperation. Insertion of a third party with a vested self-interest, such as the liability carrier, would break new ground in getting the various groups to work together for the common goal. Under this paradigm, the insurance industry would identify acceptable insurance candidates and by doing so help the FDA focus its energies on noncompliant businesses nationwide.
There is a compelling financial driver for the insurance industry to immerse itself in the regulatory compliance status of its customers. Our proposal would create an environment wherein the authorities could accept qualified loss-prevention reports from certified insurance industry representatives as “proof” of compliance. Such reports are a normal part of the underwriting process and could be undertaken at no additional cost to the regulatory community. This coverage would not rob other types of coverage and would preclude or mitigate an unintended cascade of consequential liabilities. Our proposal both addresses the immediate needs of the insurance industry (vis-à-vis Sarbanes–Oxley) and opens the door for a new regulatory paradigm.