Life after a corporate integrity agreement

How to position compliance in a life sciences organization at the conclusion of a CIA and the ramp-down that follows.

Medical device and life sciences companies operating under corporate integrity agreements (CIAs) spend years responding to regulatory obligations. During this period, companies of all sizes face the monumental task of incorporating CIA requirements into their daily operations. While plenty of guidance exists around meeting CIA obligations and rapidly ramping up the size of the compliance department to meet them, less attention is given to the equally difficult task of managing through the conclusion of a CIA and the ramp-down that follows.

Chief compliance officers (CCOs) face significant pressure to maintain a compliant culture while still reducing costs following the end of their CIAs.

“One key challenge for every CCO is to maintain the culture of compliance without the proverbial CIA hammer,” says Sarah DiFrancesca, an associate in Cooley LLP’s Health Care and Life Sciences Regulatory Group.

“In addition, there is often pressure to scale back some processes and procedures that were put in place under the CIA so they can operate more efficiently,” states Stefanie Doebler, special counsel in Covington & Burling LLP’s Health Care and Food and Drug Practice Groups.

With focus shifting away from CIA-related compliance requirements, it can be difficult for management to balance the risk and value in a post-CIA organization.

Leaders must ensure that risks are still appropriately addressed in the face of changing requirements. For companies that have not fully considered the transition, it may mean losing infrastructure or processes, which can lead to significant compliance issues and financial impact.

When considering a reduction in compliance infrastructure, companies should keep in mind that if they are required to enter into a subsequent CIA, they will likely pay a price. Approximately two-thirds of the time, a second or third CIA was accompanied by a larger settlement – and more onerous terms and conditions – than the CIA settlement preceding it.

“If a company faces another government investigation, prosecutors will question why controls put in place by a previous CIA did not uncover or address problematic activity. Companies need to demonstrate a good faith effort to maintain an effective corporate compliance program post-CIA,” DiFrancesca says.

By strategically planning and transitioning out of a CIA, companies can mitigate the risks and costs of reverting to inefficient or insufficient operations. Consider two scenarios:

  • A company decides not to make any changes because the CIA already built compliant operations. By choosing not to make changes, the company may be at risk of compromising value and efficiency by continuing compliance requirements that may be superfluous or outdated. A transition plan allows for strategically streamlining policies and procedures that are compliant and adequately address current business needs.
  • Conversely, a company decides to change or remove most, if not all, compliance operations created to meet CIA requirements with little to no review or overall evaluation of ramifications. This option may leave the company open to the same risks that led to a CIA in the first place. Lessons learned and effective operations should be identified and maintained as a positive outcome of the CIA.
     

Functional integration of compliance obligations into operations demonstrates that effective compliance is seen as more than just risk avoidance by senior leadership. Risk management must become an integral component of company growth criteria so that commercial operations such as sales, manufacturing, business development, and product development are not overly constrained, but are executing growth strategies within compliant boundaries.

In a progressive post-CIA organization, proactive leaders evaluate the upcoming landscape and ask: What should be retained, what should be changed, and what should or can be removed? What is the best way to support these decisions and gain support from other senior management and key stakeholders in the process?

In order to address these questions, companies should approach the completion of a CIA as an evolutionary process that is part of the life cycle of a mature compliant organization. The following questions should be considered:

  • What lessons has the company learned from the CIA that should be remembered in the future?
  • Which policies, procedures, and operations are working well?
  • What should/can be streamlined or eliminated?
  • How will monitoring and auditing change?
  • How will committee structures and responsibilities change?
  • What compliance resources will be needed?
  • How will the company use periodic, independent, third-party reviews?
  • How can current data sources be leveraged to manage broader compliance requirements?
  • Without a CIA in place, how does the organization continue to maintain a compliance-driven culture?

     

Lessons learned

Consider establishing a strategic framework for compliance operations including:

  1. CIA transition leader
  2. Cross-functional leadership team to:
    • Evaluate the current compliance landscape
    • Evaluate ongoing compliance operations affected by the current CIA
    • Consider future business objectives and evaluate against compliance requirements
    • Create a transition plan
  3. Support from senior management
  4. Communications plan to inform the organization of new and continuing processes
  5. Plan to embed compliance integration within functional business areas

     

Conclusion

Companies emerging from a CIA face many challenging issues. Within the dynamic regulatory and business landscape, CCOs must take a leadership role in defining the resources and infrastructure required after the CIA ends.

Without a proactive stance, organizations may increase their compliance risk by not integrating lessons learned from the CIA, or impede business activity by continuing processes that are no longer needed. Either path is a lost opportunity to drive value.

A well-thought-out transition plan that incorporates senior management buy-in and support, clear priorities and their rationale, and solid execution will ensure that companies that have been under a CIA shift smoothly to a risk-mitigation model driven by company needs, current industry practices, and enforcement trends.


Incorporating lessons learned

To ensure a positive future following a CIA, consider the following steps.


1. Assign a CIA transition leader
Often companies operating under CIAs assign an individual to oversee the CIA implementation process. Similarly, companies should dedicate an individual to manage the transition as the organization ends its CIA. Preferably, this should be a senior, well-respected individual who understands the CIA and its organizational impact, and has the respect and resources to drive change.

2. Create a cross-functional leadership team
Evaluate the current compliance landscape – Strategically transitioning a company after a CIA involves balancing value and risk. The compliance-related operational changes a company implemented during the CIA were mandated by the Office of the Inspector General (OIG) as relevant at the time the CIA was executed. Years later, the industry's and the OIG's focus may have changed. Therefore, it is recommended that companies develop a risk mitigation strategy that incorporates both lessons learned and current industry guidance and enforcement focus. Recently negotiated CIAs provide insight into governmental compliance expectations.

“When the CIA is lifted, companies think they can return to the old best practices, when they really should be looking closely into the current best practices,” Doebler says.

Evaluate ongoing compliance operations affected by the CIA – Requirements set forth by CIAs often result in changes that affect daily operations. It is important to evaluate changes triggered by the CIA to determine if they are still valuable. Companies can capture lessons learned and identify best practices through discussions with stakeholders impacted by the CIA. Therefore, instead of simply removing or keeping all changes implemented under the CIA, companies can re-evaluate roles and responsibilities and update policies and procedures incorporating lessons learned.

Evaluate the functional objectives against compliance requirements – As a part of the streamlining of compliance processes, the next step is to enforce ownership within operating functions such as sales, manufacturing, business development, and product development. The compliance team should work with the operating functions, and evaluate each area’s key objectives, strategies, and tactics against the new compliance processes. The benefit will be operating function strategies optimized for compliance and business objectives.

Create a transition plan with contingency arrangements – A transition plan should contain clear, measurable objectives, a timeline with milestones, identified work streams, key stakeholders and process owners, and potential contingency arrangements. Additionally, the transition plan should:

  • Identify best practices and positive outcomes achieved from CIA requirements
  • Identify ineffective or inefficient CIA-mandated processes
  • Re-evaluate policies, procedures, roles, and responsibilities affected by CIA obligations
  • Determine how to utilize ongoing data collection and analytics to prioritize and analyze ongoing compliance risk
  • Reprioritize monitoring and auditing needs
  • Determine communication methods to keep the compliance message positive and proactive
  • Provide findings and recommendations on operational changes to be made to senior management
     

3. Gain support from senior management
As noted above, CCOs often feel pressure to reduce costs in the compliance department once the CIA ends. Certain costs, such as independent review organization (IRO) fees, will end, but what about non-IRO costs? Non-IRO costs incurred under the CIA requirements have the potential to be reduced, stay the same, or even increase due to changing enforcement priorities or external factors such as entering a high-risk market.

CCOs need contingency plans that demonstrate a balance of risk and value. They will need to use strong data to demonstrate potential compliance and financial risks of not implementing a compliance transition plan, and how a plan will drive operating function improvement.

4. Create a communications plan to inform the organization of new processes
A communications plan should be developed prior to implementing any changes within the compliance department or business. The communications plan will assist with implementation and buy-in for affected groups.

5. Implement a framework to drive change
After agreement by key stakeholders on findings and recommendations, functional area leaders should execute on work streams as outlined in the agreed-upon plan.

 

Huron Life Sciences
www.huronconsultinggroup.com

 

About the authors:

Gary Keilty, a managing director with Huron Life Sciences, specializes in providing forensic investigation, dispute resolution, regulatory compliance, and acquisition due diligence services to health care and life sciences organizations and their legal counsel. He can be reached at gkeilty@huronconsultinggroup.com or 813.309.1139.

Mark DeWyngaert, a managing director with Huron Life Sciences, specializes in assisting medical device, pharmaceutical, and biotechnology manufacturers with identifying and mitigating regulatory risks, and with valuation of services and intellectual property. He can be reached at mdewyngaert@huronconsultinggroup.com or 646.277.8817.

November December 2014