Law360 (April 23, 2020, 3:43 PM EDT) --
Life sciences and health care companies are on the front lines in the fight against COVID-19 and so critical to the response that they often find their own actions under the microscope. To successfully navigate the complex and unique nature of this rapidly evolving situation, these companies will need to rethink and refocus their approach to risk and compliance.
As might be expected due to their special position in the context of a global pandemic, life sciences and health care companies are experiencing a spectrum of issues. Some of those issues are no different than the business challenges across all sectors (e.g., navigating the stay-at-home workplace; following shelter-in-place orders).
Other issues are unique to operations in the life sciences and health care sectors (e.g., ensuring patients continue to have access to their medicines), and some are borne of the direct involvement by companies trying to bring interim and longer-term solutions to the crisis (e.g., trying to develop vaccines under expedited circumstances).
All life sciences and health care companies, along the same and different lines as companies in other sectors, are also having to figure out how to maintain the effective operation of their compliance programs, while wondering whether this is a two-month, six-month, or even longer challenge. We are on untrodden ground.
While there are many challenges being confronted across the elements of compliance programs, the areas of reporting systems and internal investigations present their own unique challenges. The guidance in these areas is clear under ordinary circumstances.
For example, the "Resource Guide to the U.S. Foreign Corrupt Practices Act" provides, "An effective compliance program should include a mechanism for an organization's employees and others to report suspected or actual misconduct or violations of the company's policies on a confidential basis and without fear of retaliation ... once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company's response."
But what does that mean under the circumstances of a global pandemic? What is effective reporting and investigating in the current environment? How will the regulators judge companies?
If a company finds itself before U.S. prosecutors in the months ahead regarding issues from the time of this pandemic, how will prosecutors interpret and apply the U.S. Department of Justice guidance around the evaluation of compliance programs?
How will prosecutors assess, within the context of a global pandemic, "whether the company's complaint-handling process includes proactive measures to create a workplace atmosphere without fear of retaliation, appropriate processes for the submission of complaints, and processes to protect whistleblowers?"
What is an effective reporting system under these circumstances? How will prosecutors "assess the company's processes for handling investigations of such complaints, including the routing of complaints to proper personnel, timely completion of thorough investigations, and appropriate follow-up and discipline?"
When everything is moving at a different pace, and priorities must necessarily be repositioned, what is a "timely investigation" during this period? What is a "thorough" investigation?
The changes being experienced by many companies demonstrate a need to adapt swiftly to meet these regulatory expectations. Some companies are seeing a reduction in issues being reported through normal internal channels. Some are facing challenges monitoring operations through their typical procedures. And some are identifying new and emerging risk areas and conduct not seen before.
As companies transition to different working environments, the nature of the issues being reported has also changed, at least for the short term, and legal and compliance teams expect these shifts will also lead to changes in the manner in which issues are detected and reported.
It remains critical that compliance considerations keep pace and anticipate the risks ahead. While there are understandable concerns about the inadequacies of technology and mobility, and there might be an understandable tendency to focus elsewhere, there are many ways that companies can remain proactive and adequately detect, investigate and address their compliance risks.
Regulatory Enforcement in the Current Climate
Regulators worldwide have made clear that enforcement will continue. This includes enforcement of anti-corruption laws, as well as laws and regulations around sanctions and export controls, money laundering, securities and financial reporting, and compliance and other relevant laws. Any perceived dip in enforcement due to the crisis is likely to be short-lived, and equally short-sighted.
For example, the DOJ and U.S. Securities and Exchange Commission stated explicitly that FCPA enforcement remains unabated. In a memorandum to its Washington, D.C.-based employees dated March 16, the DOJ directed that prosecutors and other employees telework due to the COVID-19 pandemic. It was recognized that some of the department's cases, including the document-heavy work of the DOJ's FCPA unit, should be able to continue as normal.
There are limitations, however, and meetings such as witness interviews have reportedly been postponed or moved to calls and videoconferences. Just a few weeks ago, lawyers were working through new travel restrictions to countries such as China, South Korea and Italy, but further restrictions tightened abruptly and most lawyers have since found themselves confined to their own homes.
Given the large sums of money that have already been poured into the efforts to test and treat the novel coronavirus, regulators are likely to scrutinize in detail how companies act during this time. Enforcement authorities will expect companies to have established additional oversight to reflect changing risk profiles, and will expect companies to continue investigating any reported allegations, as well as continue to assess, test and improve their compliance programs.
For life sciences companies especially, the potential ramifications from individual and third-party corrupt activity are higher than ever, as they can potentially undermine the global efforts to contain and mitigate the outbreak. Such misconduct, when discovered, will have far-reaching implications and ramifications, and may permanently damage public trust in the companies at issue. There is already one example.
3M Co., a U.S. multinational conglomerate that produces a wide variety of products, including personal protective equipment and medical products, has faced unprecedented demand for its N95 respirators — protective and highly efficient respiratory masks generally used by health care workers. In response to the global crisis, beginning in January, 3M reportedly doubled its output of N95 respirators to a rate of 100 million masks per month, and is seeking to increase production further.
On April 2, the U.S. government invoked the Defense Production Act to require 3M to prioritize orders from the Federal Emergency Management Agency for N95 respirators, and 3M stated publicly that it is collaborating closely with the U.S. administration. As part of the U.S. government's requirements, 3M also secured authorization from the Chinese government to import 10 million masks to the U.S. from 3M's factory in China. However, where 3M and other companies have responded urgently and worked closely with governments and/or health care organizations, numerous opportunities for misconduct have also arisen.
3M stated publicly that it had received reports of individuals fraudulently representing themselves as being affiliated with 3M, selling 3M products at inflated prices, selling counterfeit 3M products, and other unethical business practices. 3M stated it would take "decisive action" on these reports and created a new hotline and website form specifically to report price-gouging, fraud and counterfeiting of 3M products. 3M has faced withering criticism across media channels in connection with its handling of these issues.
Refocusing on Compliance: Assessing Risk, Enhancing Oversight and Improving Frameworks
Many health care and pharmaceutical companies are racing to develop potential treatments, vaccines and other products through clinical trials and other regulatory requirements. Experienced compliance and legal teams will recognize the significant corruption and other risks that arise out of such exigent circumstances.
The influx of large sums of money from governments combined with far-reaching, widespread medical crises create a perfect storm in which bad actors can and will take advantage and exploit the pandemic for their own purposes. Understanding the greater danger to commercial operations and compliance systems during a period of great uncertainty and instability, companies and compliance functions should be as vigilant as possible, and be mindful when there is a need to fast-track or accelerate business processes, including for humanitarian reasons.
There are a number of key activities companies should conduct during this time that will place them in the optimal position when reporting and enforcement activity begin to increase, including:
Continue to encourage reporting.
While companies may be experiencing a temporary decline in internally reported allegations, or at least certain types of allegations, companies should continue to encourage reporting of all issues, and reaffirm their commitment to reviewing and investigating employee and third-party complaints.
For some companies, such as 3M and other health care companies tasked with urgent fulfillment of humanitarian needs, a dedicated hotline for a specific subset of issues may be warranted, and will make clear the company's commitment to these issues. In these situations, companies should consider internal communications detailing the new reporting mechanism. Enough must be done at this time to capture important compliance issues that might otherwise be lost in the circumstances.
Investigation teams should remain well-resourced and capable of continuing their work to the fullest extent possible. Make clear to investigation teams that the continuation of their work remains vital — and is in fact more vital in the current circumstances given the opportunities for misconduct, the urgent nature of business shifts and changes, and humanitarian considerations.
It is also critical that companies consider how employees and third parties are likely to report compliance concerns going forward, ensure that any newly identified compliance issues are communicated to the broader compliance team and ensure they are mindful of emerging risk areas.
Continue to reassess priorities and innovate with investigations.
Investigations remain a core component of any company's compliance program, and as the risks and challenges facing the company change, the investigative priorities should evolve with those changes. Significant ongoing investigations should continue to completion, and new allegations of misconduct should be promptly addressed, but investigation priorities should align to the organization's risks and the employee population's realities.
While the current social-distancing and remote working environment present a number of difficulties conducting investigations (e.g., collection of hard copy documents and in-person interviews), available technology, careful planning and strategic action can allow counsel to successfully complete most investigations. From the initial steps in an investigation, such as data preservation, issuance of preservation notices and legal holds, and document collection, to later steps such as interviews, forensic analysis and controls assessments, there are few investigative efforts that cannot be performed remotely.
Document preservation and collection are critically important in any investigation, particularly if there are delays completing the investigation or taking disciplinary action. Technological tools allow for discrete document holds of electronic data. In some circumstances it may be necessary to collect data in order to sufficiently preserve records if there are concerns with preservation instructions or the long-term availability of data platforms. Although IT personnel currently face numerous demands maintaining remote working environments, with the exception of limited hard copy files and records, most documents and electronic records can be collected remotely.
Review and forensic analysis of financial data also is typically possible to undertake remotely. However, some investigative steps will be challenging, including third-party audits, review of many expense reports, and verifications requiring surveillance or physical visits. It is also critical to carefully ensure the use of secure file-sharing platforms across the investigative team, and to consider data security and privacy considerations that may be impacted by changed tactics.
While it may not be possible to travel or conduct interviews in person for now, videoconference solutions are a viable alternative in most situations. These can be facilitated in several ways:
- Use videoconference software, where possible, to help build rapport and observe the witness during the interview to gauge credibility, as well as to work with documents.
- While the participants may be joining from their homes, it is important to maintain a sense of formality during the interview, and likewise balance under the circumstances.
- Inform the witness in advance that the interview will be conducted by video to ensure the technology is in place and the individual is prepared to be on camera.
- Confirm at the outset of the interview that the video will not be recorded and ensure that the witness will not attempt to record the interview.
- Current technology allows for near-seamless sharing of documents, but requires careful planning. Consider whether to share documents in advance of the interview.
- Continue to follow normal protocols for conducting interviews, including use of any Upjohn notice, appropriate introductions, and taking periodic breaks.
- Limiting the number of individuals that will participate and ask questions during the interview is particularly important in a more challenging videoconference setting.
While the conduct of investigations does not look like it did just over a month ago, there are effective alternatives to allow most investigations to proceed with little disruption or delay. Regulators expect companies to continue to identify compliance concerns and remediate promptly. On balance, it is almost always preferable for companies to timely conduct investigations, even with some limitations, rather than delay action at the risk of allowing misconduct to continue.
Continue to demonstrate awareness, understanding and adaptation.
For employees and company leaders alike, the current situation is an unprecedented one. Many employees are now isolated, with pressing concerns regarding their families and their own health on their minds. It is understandable, therefore, that some employees may be less inclined to report issues, though for others, they may be more zealous in calling out misconduct that could negatively affect the efforts to mitigate the pandemic.
Companies should continue, and even increase, communications with employees, to remind them that the company understands the unique nature of this situation, and that while expectations regarding the upholding of values, compliance and ethics remain unchanged, the company also knows that these are difficult times for everyone.
When planning investigations, it is important for companies to keep in mind these precarious and unique circumstances, while balancing the critical elements of conducting an appropriate investigation. Regulators will not accept that crucial steps of an investigation were not taken due to the pandemic; however, a little will go a long way and will be more likely to secure cooperation if investigators and companies can show genuine understanding for individuals' unique situations, and be flexible enough to accommodate them, such as for witness interviews.
Proactive Compliance Actions to Consider
Regardless of whether companies experience a brief lull, or even an extended slowdown in the customary flow of reports and allegations, the consequent reduction in investigative activity should not lead to complacency. Rather, this is an opportunity for companies to refocus resources from generally reactive investigative functions to more proactive compliance activities, including designing and implementing program adjustments, compliance communications and tone from the top, and expanding monitoring, oversight and transparency initiatives.
It is especially critical at this time for companies to simultaneously accelerate their compliance considerations and assess their current risk profile, particularly if they have made or will make sudden operational shifts in light of the pandemic, such as responding to government requests or demands, working with other companies and nongovernmental organizations to develop a vaccine or testing kits, and other such changes, which will necessarily expose the company to additional risk. There are also adjustments being made across the industry to the reality of selling and marketing at this time.
Situational Risk Assessment
Assess and identify changes to the company's risk profile under the current circumstances. If the company is reassigning production lines to create health care protective equipment, or working with governments to create a vaccine, these operational changes are governed by specific laws and regulations but may also branch out into unregulated gray areas. Companies should conduct frank, thoughtful risk assessments to understand where they may face new and emerging risks.
While it may seem acceptable on its face to proceed into certain areas without such a formal assessment under such difficult circumstances, this could make the difference in terms of problems down the line. Assessing the unprecedented risks associated with this unprecedented time of global pandemic could serve as a foundation to avoiding a potential onslaught of investigative burdens later, as the missed opportunity to identify these risks comes back to roost.
Situational Compliance Assessment
Along those same lines, conduct a diagnostic review of the company's compliance framework and program in light of the findings from the situational risk assessment. Identify where there may be gaps, for example, policies that address clinical trials under current regulations, but which do not speak to the unique acceleration of human trials that will affect some health care companies in their R&D efforts.
Like law firms and prosecutors, companies and their sales and marketing teams are dealing with the new world of virtual detailing and speaker program interactions, and how traditional meal activity fits in. Existing compliance programs were not built with these times in mind. Should existing policies and procedures be changed, or should emergency guidelines of a supplemental nature be issued?
Whatever the answer for the particular company, it is the process and the record of the process that will matter down the line. And the potential slight, but nonetheless significant, changes to the compliance program now may also serve to mitigate the risk of the aforementioned investigative onslaught later.
It is prudent to reexamine any new or expanded risks the organization may face based on operational changes, and identify whether existing compliance frameworks are effective to mitigate those risks, including whether there are sufficient monitoring and oversight activities to detect potential issues. It may be necessary to temporarily amend portions of the compliance program, including policies, procedures and controls, to address the current issues facing the company.
In particular, despite the particular challenges against the backdrop of an understandable focus on health and safety and economic well-being, companies must not lose sight of their reporting and investigations program components. This is an opportunity to reaffirm ethics and values, emphasize a strong tone at the top and at the middle, and empower compliance and investigations resources.
Gary Giampetruzzi and Morgan J. Miller are partners, and Chris Hardjasa is an associate at Paul Hastings LLP.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
For a reprint of this article, please contact email@example.com.