Follow-up, Enforcement Critical to Compliance Program Success

May 23, 2006

Too many FDA-regulated life science companies mistakenly believe that writing and posting a good erecord compliance program is enough, experts stressed at recent events.

"A policy is a process, not a destination," said Barry Johnson, IGX global director of risk mitigation, at a May 10 webinar sponsored by Proofpoint. Firms that believe publishing a policy, even a stringent one, is enough fail to understand that training and repetition are required to "drive the policy home," Johnson said.

"Don't just throw money at [compliance efforts] with technology," Johnson advised. Instead, make certain that you have in place adequate training and enforcement policies that you can also show to FDA inspectors and others as needed. He noted that in court discovery it is common for prosecutors and others to look for hard proof that a company not only published but enforced a compliance program. That tracks with the FDA inspector mantra of "if it isn't documented, it didn't happen," former inspectors have repeatedly told PIR.

Commit to Training

Johnson advised full training annually, with weekly or monthly spot updates as technologies or policies change.

Companies need to test their plans in a mock crisis scenario, he suggested. Once a plan with a formal set of procedures has been produced, it should be put through its paces by testing how well it handles a data corruption issue.

A company's risk mitigation team should also have a fair amount of proactive decisionmaking authority, Johnson said. He has seen companies where, following a major edata hack, it became clear that the lower-level tech team had been aware for months that someone was trying to illegally access the edata. But the team had no authority to fix the problem at the root.

In addition to having proactive decisionmaking authority, the IT team must work closely with others in the firm, said Erica Driver, principal analyst with Forrester Research. Speaking at a May 18 webinar sponsored by Computer Associates, she advised close and regular contact among IT architecture personnel, erecords management, email administrators and legal personnel. "You must have a cross-functional team," she said.

Teams Must Talk

It is critically important to communicate, and not easy to do, she admitted. However, it is necessary because different groups have different priorities when it comes to erecords. For example, erecord professionals tend to take a cautious approach and like to hold onto everything, while legal decisions tend to be driven by a desire to hang on to as little as possible. "You must make the effort to meet all those needs," Driver said.

A single message archiving solution should solve multiple business problems, she said. Those include:

Compliance: Can the system provide adequate search and audit trail capabilities?

Legal discovery: In addition to search needs, can it handle case management, marking and numbering and integration with ediscovery software?

IT cost savings: Can it remove mail from the server, compress files and conduct efficient retention management?

The IT team should also think about the future even as it works on present-day demands, she said. For example, more and more companies are approaching message archiving in the full context of enterprise content management (ECM), she noted. "Your vision should be moving" in that direction, too, Driver said. "Treat information management as an infrastructure issue and email as part of information management." -- Michael Causey