![Page 1: Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D Third Annual Medical Research Summit – Session 2.01 Michael Swiatocha](https://reader030.vdocuments.us/reader030/viewer/2022032607/56649ec95503460f94bd6a86/html5/thumbnails/1.jpg)
Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D
Third Annual Medical Research Summit – Session 2.01Michael Swiatocha
March 6, 2003
![Page 2: Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D Third Annual Medical Research Summit – Session 2.01 Michael Swiatocha](https://reader030.vdocuments.us/reader030/viewer/2022032607/56649ec95503460f94bd6a86/html5/thumbnails/2.jpg)
2
Agenda
• Introduction to Compliance
• Traditional Compliance Assessments
• Enterprise Wide Risk Management (EWRM) in R&D
• Risk Assessment Approach
• Pharmaceutical Case Study
• Questions & Answers
![Page 3: Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D Third Annual Medical Research Summit – Session 2.01 Michael Swiatocha](https://reader030.vdocuments.us/reader030/viewer/2022032607/56649ec95503460f94bd6a86/html5/thumbnails/3.jpg)
3
Compliance Program
A compliance program is a management process comprised of formal reporting structures and risk mitigation systems designed to motivate, measure, and monitor an organization’s legal and ethical performance around complex business practices.
![Page 4: Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D Third Annual Medical Research Summit – Session 2.01 Michael Swiatocha](https://reader030.vdocuments.us/reader030/viewer/2022032607/56649ec95503460f94bd6a86/html5/thumbnails/4.jpg)
4
Seven Elements of a Compliance Program
• Standards & Procedures
• Oversight Responsibility
• Education & Training
• Lines of Communication
• Monitoring & Auditing
• Enforcement & Discipline
• Response & Prevention
![Page 5: Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D Third Annual Medical Research Summit – Session 2.01 Michael Swiatocha](https://reader030.vdocuments.us/reader030/viewer/2022032607/56649ec95503460f94bd6a86/html5/thumbnails/5.jpg)
5
Information Technology
Pharmaceutical & Medical Products Value Chain
Infrastructure Support
Sales &
Marketing
Research &
DevelopmentOperations
Human Resources, Finance, Legal
Compliance Programs Address All Components of the Value Chain
![Page 6: Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D Third Annual Medical Research Summit – Session 2.01 Michael Swiatocha](https://reader030.vdocuments.us/reader030/viewer/2022032607/56649ec95503460f94bd6a86/html5/thumbnails/6.jpg)
6
Transitioning from Traditional Compliance Programs
• Standards & Procedures
• Oversight Responsibility
• Education & Training
• Lines of Communication
• Monitoring & Auditing
• Enforcement & Discipline
• Response & Prevention
QAU
Internal Audit
EWRM
![Page 7: Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D Third Annual Medical Research Summit – Session 2.01 Michael Swiatocha](https://reader030.vdocuments.us/reader030/viewer/2022032607/56649ec95503460f94bd6a86/html5/thumbnails/7.jpg)
7
Enterprise Wide Risk Management
• Best in class organizations are embedding their compliance programs into an expanded view of enterprise wide risk management (EWRM)
• Compliance transitions from a reactive, process intensive activity to a dynamic program enabling the organization to manage a broad range of changes that can impact its performance
• EWRM defines risks as events or activities that can affect the achievement of an organization’s goals
• EWRM addresses all organizational goals, objectives and relationships with key stakeholders including R&D
• EWRM is an anticipatory, proactive process that becomes a key part of strategy and planning. EWRM helps mitigate surprises and ensures all organizations are aligned with key objectives
![Page 8: Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D Third Annual Medical Research Summit – Session 2.01 Michael Swiatocha](https://reader030.vdocuments.us/reader030/viewer/2022032607/56649ec95503460f94bd6a86/html5/thumbnails/8.jpg)
8
Enterprise Wide Risk Management
Reactive
Proactive
Strategic
Building in an Enterprise Wide Risk
Management program: Current best practice
Pulling together the disciplines that address both sides of risk – minimizing uncertainty and maximizing
opportunities – the concept pushes an organization to address risks and their management explicitly – as
part of everyday businessMost
Organization’s Today?
• Risk & Compliance External Reporting
• Strategy Building
• Enterprise Risk Assessment
• Control Self Assessment
• Enterprise Wide Risk Management Program
• Complying with known laws and regulations
• Seeking to meet industry compliance requirements
• Managing crisis
![Page 9: Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D Third Annual Medical Research Summit – Session 2.01 Michael Swiatocha](https://reader030.vdocuments.us/reader030/viewer/2022032607/56649ec95503460f94bd6a86/html5/thumbnails/9.jpg)
9
An Approach to EWRM
Risk Assessments
• Potential Impact of Risk
• Probability
• Primary Exposure
• Control Mechanisms
• Accountability
![Page 10: Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D Third Annual Medical Research Summit – Session 2.01 Michael Swiatocha](https://reader030.vdocuments.us/reader030/viewer/2022032607/56649ec95503460f94bd6a86/html5/thumbnails/10.jpg)
10
An Approach to EWRM
Rating the Potential Impact of Risk
• The Impact on financial, operational and/or legal implications can be considered as well as the ability to achieve the stated objective in the face of that risk.
Low - if the impact of the risk would have some financial, operational and/or legal implications and require attention, but is no greater than an irritant to the organization
Medium - if the impact of the risk would have significant financial, operational and/or legal implications, and/or would significantly delay the ability to achieve the objectives or otherwise affect it
High - if the impact of the risk would have major financial, operational and/or legal implications and/or it is so significant one would need to abandon the objectives
![Page 11: Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D Third Annual Medical Research Summit – Session 2.01 Michael Swiatocha](https://reader030.vdocuments.us/reader030/viewer/2022032607/56649ec95503460f94bd6a86/html5/thumbnails/11.jpg)
11
An Approach to EWRM
Rating the Probability of Occurrence
• For rating the Probability of risks, the frequency of historical events can be considered as well as current outlook.
Low - occurrence is unlikely
Medium – occurrence is somewhat likely
High - occurrence is very likely
![Page 12: Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D Third Annual Medical Research Summit – Session 2.01 Michael Swiatocha](https://reader030.vdocuments.us/reader030/viewer/2022032607/56649ec95503460f94bd6a86/html5/thumbnails/12.jpg)
12
An Approach to EWRM
Identifying the Primary Exposures
• Identify the Primary Exposure to indicate the direct exposure facing an organization using categories such as:
Government Enforcement
Regulatory Violation
Financial Loss
Reputational Damage
Failure to comply with internal policy
Inefficiencies and/or excessive costs
Inappropriate financial reporting or disclosure
Legal Risk
![Page 13: Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D Third Annual Medical Research Summit – Session 2.01 Michael Swiatocha](https://reader030.vdocuments.us/reader030/viewer/2022032607/56649ec95503460f94bd6a86/html5/thumbnails/13.jpg)
13
An Approach to EWRM
Control Mechanisms
• For all risks with a high composite rating for impact and probability, existing Control Mechanisms should be considered. An organization’s management should apply a rating corresponding to the level of control, such as the following:
Policies and procedures exist and are tested as part of external or internal audits, and/or monitoring controls are in place
Policies and procedures exist
Policies and procedures are in the early stages of development
Policies and procedures do not exist
Accountability
![Page 14: Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D Third Annual Medical Research Summit – Session 2.01 Michael Swiatocha](https://reader030.vdocuments.us/reader030/viewer/2022032607/56649ec95503460f94bd6a86/html5/thumbnails/14.jpg)
14
Pharmaceutical Case Study
Functional Areas # of Risks Identified # of “High” Risks Identified
# of “High” Risks Identified w/Limited Controls in Place
Sales & Marketing 22 14 8
R&D 44 12 3
Manufacturing 45 5 1
Regulatory Affairs 26 6 1
Financial Reporting 15 8 0
HR 42 12 2
IT 8 6 2
International 16 8 2
![Page 15: Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D Third Annual Medical Research Summit – Session 2.01 Michael Swiatocha](https://reader030.vdocuments.us/reader030/viewer/2022032607/56649ec95503460f94bd6a86/html5/thumbnails/15.jpg)
15
For more information, contact
Michael P. Swiatocha
Director, Client Services
PricewaterhouseCoopers, LLP
400 Campus Drive
Florham Park, NJ 07932
973-236-4541
![Page 16: Conducting Compliance Assessments and Building Internal Controls In Pharmaceutical R&D Third Annual Medical Research Summit – Session 2.01 Michael Swiatocha](https://reader030.vdocuments.us/reader030/viewer/2022032607/56649ec95503460f94bd6a86/html5/thumbnails/16.jpg)
R E S H A P I N G T H E W O R L D O F e P R O C U R M E N T
Questions &
Answers