Who should pay attention to the Big Pharma compliance settlements like Johnson & Johnson’s eye-popping $2.2 billion penalty for off-label marketing? Everyone.

Last month Securities and Exchange Commission enforcement official Stephen Cohen posed a simple question to a room of 1,200 cross-industry compliance professionals in Washington, D.C.: Why do companies wait until trouble is at their door to “elevate” their compliance programs?

Conveniently, though not altogether voluntarily, Big Pharma has developed a roadmap for how it’s done. The announcement last week of J&J’s big payout highlights one of the largest health care fraud settlements in U.S. history. But it’s the 101-page corporate integrity agreement (CIA) that should command the attention of boards and C-suites across all industries. That’s because it is the latest set of important messages from enforcers and regulators: Reform your compliance structures and programs. Do this. Not that. Start now. These messages have begun to reverberate across industries outside the health care field as well.

As with other recent health industry CIAs, some of the J&J undertakings are nothing more than a government imposition of generally accepted compliance best practices already in place in other companies. The difference for J&J is that these are now being imposed by a five-year CIA with additional costly (and sometimes vaguely worded) kickers, rather than voluntarily as a proactive, fit-for-purpose approach to compliance. No doubt J&J wishes it had taken the latter route.

Since the 1990s, whether by government mandate or voluntary invention, the health care industry has led the way in compliance innovation. But these innovations have impact and import well beyond Big Pharma. Compliance-savvy boards and CEOs in all sectors ought to start measuring their own programs against the roadmap being provided by Big Pharma. They might be in for a shock.

A good conversation in the boardroom (during the executive session with the chief compliance officer) should go something like this: How does our compliance structure measure up against those required by these settlement agreements? Do we have the right governance structures for compliance? Do you have the requisite independence, empowerment, line of sight, seat at the table and resources to do the job? How do we monitor and enforce management accountability? What is our compliance risk assessment program? The answers might be worrisome.

Perhaps the board has already received advice that these Big Pharma settlements have nothing to do with their industry and therefore are irrelevant to their oversight duties. That would be horrible advice. In fact, we’ve already seen at least one very commonsense feature of these CIAs—the separation of the compliance and legal functions—being incorporated into serious compliance programs in industries far beyond health care.

Let’s review. In 2006, the Tenet Healthcare CIA first set the standard that the chief compliance officer “shall not be or be subordinate to the General Counsel or the Chief Financial Officer.” Who can forget Senator Chuck Grassley’s (R-Iowa) colorful observation in that case: “It doesn’t take a pig farmer from Iowa to smell the stench of conflict in that arrangement” (of the GC also acting as CCO)? This language has now become a pillar of virtually every health care settlement since Tenet.

But notably many companies (both within and outside health care) are moving to separate their compliance and legal functions before the government arrives to do it for them. This is supported by a number of recent surveys in the field that indicate a strong momentum for more CCOs to report to the CEO and fewer to the GC.

For example, behold the compliance restructuring taking place at the big banking institutions such as JPMorgan Chase & Co., Barclays PLC, Goldman Sachs Group Inc. and HSBC Holdings plc. In the case of HSBC, the CCO position was not only made independent from legal, but it was also elevated to the ranks of the firm’s top 50 execs and given a clear line of sight to all the key compliance risks of the organization. Not too long ago one well-respected commentator dismissed the CCO role as a mere “process integrator” not even worthy of a seat at the CEO’s table. Even pig farmers in Iowa know that’s so 10 years ago.

Instead of waiting to be shocked (shocked!) that bad things have happened in their establishments, companies that are serious about compliance are reforming their compliance programs now rather than later. Here are some additional compliance program features from recent Big Pharma settlement agreements that responsible boards and C-suites in all industries should be carefully noting:

Board Oversight and Training

Regulators are scrutinizing not only how boards exercise their compliance oversight role (i.e., at least quarterly, via independent committees) but also how they are being trained to exercise that role. Boards are tasked to be “knowledgeable” about their firm’s compliance program, including organizational culture, and exercise “reasonable oversight” of its implementation and effectiveness.

And here’s the kicker: compliance-savvy board members are developed, not born. That’s why recent CIAs, including J&J’s, require a minimum of two hours of targeted board training by a qualified expert. Although that seems like a bare minimum, many boards today wouldn’t meet this standard.

Hint #1: governance training is not compliance training (OIG, please take note). Hint #2: a 10,000-foot helicopter lecture from a law firm partner is not good enough. Instead, boards should schedule sessions with experienced compliance professionals who understand compliance from the trenches. Bonus points for interactive scenario training.

Management Accountability and Certification