Quality and Compliance are Corporate Initiatives
A local biotech company has an opening for an Executive Director of IT Quality and Compliance and after a quick inquiry with a friend who works at the company, I learned it reports up into the CFO. This is a good thing. Not the best thing. But better than what I typically see in the companies I audit and have consulted with.
Compliance within biotech, med device and diagnostic companies has been distributed between the various functional groups. SOX belongs to Finance. GxP belongs to Quality. GDPR and HIPAA bounce between various departments depending on which functional area first needed to comply with the regulations.
This leaves IT scrambling to support fractured processes with siloed data. This is inefficient and increases company risk.
We live in a data-driven world, powered by technology that is getting more complex by the day. As technology solves one problem for us, it introduces a new data challenge. We are playing technology whack-a-mole.
Government bodies introduce new regulations to attempt to address some of these problems (data integrity, privacy, etc.), and when companies fail to comply, it can become very expensive.
We saw this recently with Meta and the announcement that they had been fined repeatedly for violating GDPR.
We are seeing more 483s and FDA warning letters around data integrity and process failures. As I wrote about in December 2018, while SaaS offerings provide significant value to life sciences companies, if not appropriately selected, implemented, and managed, they present significant corporate risk around data integrity and processes.
Then there are the cyber risks. As I wrote about in the blog post "Cybersecurity Insurance is Not a Cybersecurity Strategy," there are ways to mitigate risk through a cybersecurity initiative focused on people, processes, and technology.
As companies have gone more and more virtual (prior to and as a result of Covid), they have become more decentralized, introducing greater regulatory and compliance risk.
Functional areas can easily select and implement new SaaS / software solutions with a few clicks and often without providing a payment method.
Vendors love this. Life sciences companies should be very, very concerned.
I never fully understood why compliance and quality were not corporate functions within life sciences companies.
Even if data is not initially shared, a lot of it ends up coming together at some point and has to comply with some regulation or standard.
— Clinical data feeds regulatory submissions
— CMC data feeds regulatory submissions and supports ongoing commercial product operations
— Quality data feeds regulatory submissions and supports ongoing clinical and commercial operations
— Inventory data has a financial component that feeds financial systems and financial reporting (SOX)
Over the last 24 years, as I’ve selected, implemented, and validated IT-related systems supporting nearly every function within a biotech company, I’ve been frustrated by the lack of coordination between the various functional areas.
— Quality doesn’t want SOX processes and controls in their systems.
— Finance doesn’t want their SOX system processes outside of Finance.
— Clinical has external stakeholders that produce and/or need access to SOPs and documentation and they don’t want it in the Quality systems.
So if we set up systems that could be effectively managed and controlled, with the option to share data and processes, we could streamline them (thereby making them more efficient), improve quality, ensure data integrity, and (attempt to) adequately protect data and corporate IP.
I’ve said for years that we can satisfy compliance requirements by establishing and following good business practices.
Centralizing IT Quality and Compliance, as near to the top of the organization as possible, demonstrates to the rest of the organization that data and technology quality and compliance are a core part of the culture, not just an afterthought.
About the Author
Terri Hanson Mead provides IT compliance and IT strategy services for biotech, medical device, diagnostic, and digital health companies. Through her company, Solutions2Projects, she helps life sciences companies align technology roadmaps with corporate objectives and meet IT compliance requirements in a complex and regulated industry.