Regardless of the compliance area (Quality Systems, Health Care Compliance, Government Contracting or SOx….I have worked in all areas), you will need to obtain and integrate three key inputs.
|
An understanding of the business needs |
|
An understanding of the people needs |
|
An understanding of the external requirements |
Armed with these three key inputs, you can leap into your Plan-Do-Act-Check approach with enthusiasm. Without these three tools, you will most likely find yourself in a constant state of churn.
Understanding the External Requirements
Start with, and hold tight to, the intent of the requirements that are driving your efforts. Naysayers often argue that compliance shackles a business…that the regulations inhibit the ability to nimbly meet the changing commercial landscape. Those of us who have experienced a good compliance program know that this is false. A solid compliance program that integrates the needs of the business while embracing the intent of the requirements is a business asset. A well-considered, well-designed compliance program is also much easier to sustain over time.
External requirements are generally designed to protect the masses and, by and large, they are based upon the concept of control. As they must be applied to differing businesses and products, they tend to be broadly written and subject to interpretation. There is no way around this core of ambiguity. You must first identify the relationship between the intent of the regulation and your specific business model. If, for example, you make a medical device that requires terminal sterilization, you know that the packaging and sterilization mechanisms you deploy must be adequately validated. “Adequately validated” becomes the process endpoint but the road to that endpoint is yours to engineer. Certain aspects of the path you design will reflect established best practices, such as those communicated by the FDA via thousands of issued Form 483 reports. A multitude of industry standards provide a solid definition of success but the path is still yours to define. It is a solid understanding of the intent of the requirement that maximizes your freedom to design the optimal solution.
Compliance professionals in other areas of focus, such as Health Care Compliance (HCC), don’t benefit from years of activity and a library of standards. The interpretation applied by enforcement agencies shifts over time as settlements, Deferred Prosecution and Corporate Integrity Agreements sculpt the environment. Areas such as Sales and Marketing, historically exempt from compliance controls, are suddenly required to navigate within defined “safe harbors”. Requirements within the commercial compliance arena are even more challenging to embrace as the criteria for success is rarely data driven. For example, sales interactions with health car providers must not “induce” the purchase of product. Such a requirement forces a business to define internal limits and to draw a line in the sand. When does a meal cross the line from allowable Sales activity to inducement? What limits should be established on consulting arrangements with customers?
- Getting your hands on the intent can be a bit like trying to pinch a watermelon seed but there is no point in trying to design a compliance program until the intent is well understood. In my daily challenges, I seek intent keeping the end in mind. When I get stuck, I often ask, “What’s the worst case outcome if we/I…..?”
Lastly, a clear understanding of the intent will add long term value to your training program. Compliance training is largely a selling activity and intent will be a powerful tool in your bag.
The Art of Compliance 