FDAnews
www.fdanews.com/articles/77918-leverage-compliance-challenges-to-improve-business-operations

Leverage Compliance Challenges To Improve Business Operations

June 20, 2006

Regulatory compliance is a reality, and smart FDA-regulated life science companies will leverage those requirements to improve their overall operational efficiency, approaching compliance as an opportunity to improve best practices, suggests a white paper from Computer Associates (CA).

"Compliance is not a hurdle to overcome," said Sumner Blount of eTrust Regulatory Solutions at CA. "Rather, it presents the opportunity to understand a business more fully, institute effective controls within it, and use these controls and the technology that supports them as a way to expand and improve operations."

Blount's view tracks with what many consultants, including former FDA inspectors, have told PIR in recent months. While the agency is likely to issue updated Part 11 requirements in August or September that will possibly clarify some issues such as risk management, most experts stress that regulated companies should be approaching compliance as a business need rather than a purely regulatory demand.

"It is important that compliance be seen in a broader context," Blount said. While compliance is simply meeting the letter of the law such as Part 11, business performance, in the context of compliance, involves "using the process and technology changes brought on by compliance for the increased efficiency of the business itself."

To fully leverage compliance efforts, he recommended a program where compliance is:

Automated: Manual compliance is costly and "simply not a viable long-term option because there will always be new regulations coming and existing ones are unlikely to be weakened";

Continuous: It is never a one-time effort and must be ingrained into the "DNA of the enterprise." Controls once owned by a central group must become decentralized, automated, and under the purview of local units; and

Sustainable: "Compliance is a broad topic, and the regulations can vary greatly, but in almost all cases the key element of sustainable compliance is a centralized way of managing all users and their access to protected resources."

Because FDA-regulated firms must contend with Part 11, the Health Insurance Portability and Accountability Act (HIPAA) and the reporting requirements of Sarbanes-Oxley, identity-based compliance is the most effective way to ensure that fragmented, manual processes give way to a centralized, automated and optimized process for managing all users and their access. Strong audit trails are a crucial component of any Part 11 compliance effort, experts have repeatedly stressed to PIR.

An effective compliance program can provide a number of direct benefits, including:

Risk reduction: Identifying and minimizing risk helps the operation run more smoothly for longer periods of time, and also reduces personal liability risk for key executives;

Increased efficiency: Moving to a centralized identity management platform can deliver major efficiencies, including greater productivity for new employees, a reduction in required help desk resources and a decreased burden on security administration and development staff;

Improved business effectiveness: Decisionmaking can be improved because essential information is available and accurate; and

Increased business agility: A centralized way of managing all esecurity and user access makes it easier to incorporate new businesses into the corporate infrastructure.

But it is important to remember that security management is at the heart of almost all regulations, Blount noted. Without a strong esecurity infrastructure that protects systems, applications and edata from unauthorized use or access, compliance with any regulation such as Part 11 is essentially impossible. An effective program will provide identity management, provisioning of new users, access management to specific systems and auditing that spots seemingly minor variations that can lead to serious problems if unchecked.

-- Michael Causey