Government enforcement agencies have set their sights on research institutions. As a result, research compliance should be a vital component of any research institution’s overall compliance plan, says Sandy Piersol, a senior manager with Deloitte and Touche in Philadelphia.
Piersol says the risk-assessment process for research institutions is the same as that used for other compliance programs. The principles can be fashioned into practical applications, and the same five-step risk assessment process can be applied within the research component of the institution regardless of whether it is for the whole institution, one clinical trial, or one department.
"The formula is simple," says Piersol. "Risk areas minus your controls equals your assessment of risk." She says a high risk accompanied by a lot of controls can become low risk. But without those controls, risk will remain high.
Piersol and Kim St. Amant, another senior manager with Deloitte and Touche in Boston, recommend these steps:
I. Identify risk areas. The first step is to identify risks and prioritize the high-risk areas, Piersol says. One important issue that research institutions should consider is what risk areas have special relevance to their research portfolio. Another is where the research enterprise may be vulnerable.
Risk areas are not static, risk assessment is not a one-time event, and ongoing identification and monitoring of risk is mission-critical, warns St. Amant. Frequently, new laws and regulations as well as new interpretations must be considered. In addition, often there are new lines of business and new ways of doing things.
New staff often represent a risk area. "You may have done training last year and now have many people who are new to the organization," she says. "That can create risk in and of itself."
St. Amant says numerous sources can help identify risk areas, including documents from the Department of Human Services’ Office of Inspector General, analysis of applicable laws as well as relevant lawsuits, qui tam cases, and settlement agreements.
II. Prioritize high-risk areas. It is important not to waste time on low-risk areas, warns Piersol. "You want to go right to the high-risk areas and prioritize those," she asserts. "It is essential to start with the risk areas that are likely to give rise to liability and dollars."
III. Assess risk. Piersol says research institutions also must determine the "current state" of compliance and ask themselves, 'Are we in compliance?' If an area is found not to be in compliance, organizations must learn why and then redesign internal controls, she says.
IV. Analyze findings and solutions. According to Piersol, research institutions must seek to understand the cause and extent of the problems identified. "Once you identify a problem, you must dig deeper to find out the root cause," she explains.
However, not every rumor warrants an investigation, says Piersol. Some concerns can be addressed to the compliance committee or other internal entity without inordinate resources. "The key is to act on it," she asserts.
V. Operationalize corrective actions. Prioritizing corrective actions and assigning accountability often can be the hardest step, says Piersol. That makes it critical to get the right people on board and develop a timetable, she says.
Corrective actions can be accomplished with policies, procedures, training, and monitoring and auditing. These steps often need to be repeated and, to be successful, should be "built-in" vs. "added-on." Only when processes are built into the fabric of the organization will people understand why certain steps are being taken, she says.