Two sides of the coin: Proactive versus reactive compliance management

Calvin London

Calvin London

Calvin London (calvin@thecomplianceconcierge.com, linkedin.com/in/calvin-london-36a57311/) is Founder and Principal Consultant of The Compliance Concierge in Perth, Western Australia.

By Calvin London, PhD

There is virtually no activity conducted by pharmaceutical and biotechnology companies that is not monitored for compliance. Requirements such as good laboratory practices, good clinical practices, and good manufacturing practices affect nearly every aspect of the discovery, development, clinical testing, manufacturing, labeling, marketing, and distribution of products. On top of this, there are also requirements to meet the Foreign Corrupt Practices Act (FCPA) and the United States Department of Justice (DOJ) guidelines and requirements.

If you were ever in the Boy Scouts, you would know all too well the motto, “Be prepared.” When it comes to compliance programs and their management, history has shown it is much better to be prepared and proactive with these programs than to be reactive and under pressure to meet some objective.

If you have ever been under pressure to respond to audit observations and remediate these to a timeline, then you will understand the benefits of proactive compliance management. This discussion explores the benefits of proactive compared to reactive compliance management. These represent two sides of the same coin. The target is to establish and maintain compliance to a particular standard to avoid costly regulatory action, but how companies get there can profoundly affect the result and the company’s culture.

Proactive versus reactive management

Before getting into compliance management, it is opportune to consider proactive and reactive management as a process. Proactive managers control their destinies by thinking ahead and controlling both risks and results. Reactive managers only act when something happens, waiting until an event has occurred before making any changes. They consider that by waiting to perform, they are not making changes unless something is wrong.

Analyzing the pros and cons of proactive management compared to reactive management (see Table 1) demonstrates some important concepts as they apply to managing compliance programs or systems. Don’t companies want compliance managers in control, planning to mitigate disasters, minimize risks, and have a good understanding of the business?

Table 1: Pros and cons of proactive and reactive management

Proactive management

Reactive management

Pros

Cons

Pros

Cons

  • You are in control

  • Allows planning

  • More productive

  • Problems are minimized

  • Teams are motivated

  • Permits a greater understanding of the business

  • Time-consuming

  • Forces continual change

  • Can derail day-to-day activities

  • Can be overwhelming for teams

  • Analysis paralysis

  • Work well under pressure

  • Good problem-solving skills

  • Spontaneous decision-making devoid of management by census

  • Often expensive

  • Always under pressure

  • Causes uncertainty

  • Can damage reputation

  • Damages morale

  • Results in a lower quality of work

  • Teams need to change tasks regularly

Companies also want compliance managers that work well under pressure because there will always be demands associated with compliance and compliance programs. Thoughtful, planned decision-making must be better than spontaneous decisions regarding compliance.

Proactive compliance management

A proactive compliance manager will be fundamentally different in their approach. Recognizing that changes in regulations and standards will drive continuous improvement in compliance throughout an organization is a valuable attribute. Proactive compliance managers will review their compliance systems continually to ensure they reflect current requirements. They will conduct audits and risk assessments to find where improvement is required or where it could enhance the systems and map these back to the regulation or standard. This approach is all part of building improvement into a compliance program, which I have written about previously.[1]

This, in turn, will mean the company has a much better chance of always being compliant, and the employees will always know the latest requirements because policies and procedures are up to date. Furthermore, you will have a trail that demonstrates you have always attempted to be compliant, even if not always successful—an important consideration in DOJ’s decisions on penalties for noncompliance.

One of the key benefits of being proactive is that senior management can be informed of their compliance status. This can work in two ways. First, conscientious and concerned executives will want to know this so that they can make educated decisions about resources and costs that might be needed to drive enhancements. Those executives who think compliance is a waste of time (and are more likely to support a reactive than a proactive approach to compliance) will not be able to hide in ignorance.

This is also an essential advancement in compliance management, especially considering the DOJ’s latest direction to hold white-collar workers more accountable.[2]

Proactive compliance management, in essence, is about planning, prevention, and minimizing risks. By taking a forward-looking approach, teams are prepared and trust in a leader with confidence and the ability to plan around issues.

Reactive compliance management

It would be wrong to assume that there is no place for reactive management in compliance; in fact, much of compliance management is reactive. In an ideal world, reactive managers also have some beneficial attributes. If COVID-19 taught us one thing, it is that we need to be reactive sometimes because things don’t always go as planned. Compliance requires a certain degree of reaction to something: a standard, a regulation, or an audit response, for example. Focusing on whatever issues arise as soon as they emerge is also important from a compliance management perspective, as companies often face the same issues year after year.

However, there is a balance between reactive and proactive compliance management that is underpinned by learning from regulatory experiences and transitioning compliance efforts to prevent problems. This not only makes good business sense, but it can also reduce costs involved in regulatory actions or remediations to serious regulatory compliance breaches. Top-performing companies that take a more strategic and proactive approach, instead of treating compliance as a cost of doing business, extract the business value from regulatory and quality imperatives to assist in transforming to a culture of compliance.

On the one hand, companies must deal with the direct costs of compliance, developing and maintaining compliance programs and rectifying cited failures. On the other hand, in the event of citations or compliance breaches, companies must also endure the business costs that accrue from not achieving compliance—delayed approvals, potential loss of product, market share, or credibility, missed market opportunities, and reputational damage; not to mention the actual costs of expensive remediation. A conservative estimate from several years ago states that the cost of noncompliance is 2.71 times the cost of maintaining or meeting compliance requirements. The noncompliance costs come from the expenses associated with business disruption, productivity losses, fines, penalties, and settlement costs, among others.[3]

According to a recent article in The FCPA Blog, there have been four FCPA enforcement actions totaling $865 million as of June 2022. The article goes on to say, “Since the FCPA was enacted in 1977, there have been 259 FCPA corporate enforcement actions with an average value of $95.4 million. From 1977 to 2010, total FCPA settlements amounted to $3.6 billion. From 2011 to 2022 (June), total FCPA settlements climbed to $21.2 billion.”[4]

Often companies that have not had a structured compliance program, or have management with a disdain for compliance, run into regulatory issues. The initial response is reactive. This transpires in those companies that learn their lesson into proactive remediation under forced rebuilding, such as a deferred prosecution agreement, consent decree, or similar. For some, however, the improvement or transition takes time. Stryker, Orthofix, and Novartis are notable examples, having had at least two enforcement actions each.[5]

A case in point is the pharmaceutical company Novartis. Novartis was prosecuted across multiple countries (China, Greece, Vietnam, and South Korea) between 2016 and 2020, with $360 million in enforcement actions.[6]

Compliance issues have plagued Novartis: payments to lawyers of government officials, data manipulation, bribery of physicians, price-fixing, and kickbacks to healthcare professionals. When the problems are endemic from the sales force to the top executives, it is a systematic problem and takes considerable time and effort to fix.

One could easily believe that Novartis has been so heavily engaged in reactive compliance that it has not had any time for proactive compliance. Time will tell. It does raise an interesting point: How do you change from a reactive to a proactive compliance mindset?

This document is only available to members. Please log in or become a member.
Become a Member Login
 

What to read next...

An audience-driven view on compliance


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings