COMPLIANCE
This white paper will offer practical advice to those forward-thinking organizations
seeking to add the missing link to their compliance management systems.
The Missing Link: The Role of Records Management In Achieving Sustained Regulatory
Compliance © - Page 1
Two Views Of Regulatory Compliance
A key example of this phenomenon is the 21 CFR Part 11 Final Rule issued in
March of 1997 which provided governance for those organizations that elected to
create, maintain, and submit electronic records to the U.S. Food and Drug
Administration (the Agency) using electronic signatures. The rule provided
guidance on the use and management of electronic signatures and electronic
records. Most organizations internally established a written policy representing
their interpretation of the regulation and selectively chose I.T. projects that would
be “21 CFR Part 11-compliant”. This led to the wide adoption of electronic
document management systems technology within the regulated community with
“built-in” Part 11 features. These systems were in most cases custom-designed at
considerable expense. Moreover, the design of Part 11 systems varied from one
system to another even within the same company thus resulting in an inconsistent,
fragmented approach across the company.
At the same time, the vendor community jumped on the bandwagon and began
promoting Part 11 compliance for their products. Since there was no product
“certification standard” issued by government that represented what a Part 11
system was to include, most technology buyers operated on the principle of caveat
emptor – “let the buyer beware”. Missing within many of these “solutions” for Part
11 compliance was a clear strategy for effective management of electronic
records. Specifically, many systems were noticeably deficient in how they managed
and retained audit trails, in irrefutably linking electronic records to audit trails, and in
providing a clear definition within the program of what is a complete electronic record. Most current
systems lack a clear strategy for short term and long term access and retrieval.
Compliance As A Legal Best Practice
Organizations came to realize through their attempts to comply with 21 CFR Part
11 that their reactive response was both costly and short-sighted. Many
projected that their efforts, if they continued implementation on the current path,
would result in costs estimated as greater than the cost of earlier Y2K compliance
initiatives from 1999. Thus, organizations began re-thinking their compliance strategies at
a higher level. The take-away for some was the fact that electronic document
management systems did help to achieve measurable increases in operational efficiency.
It was indeed faster to electronically create, route, review, and electronically sign and
approve documents than manually processing them. They also realized that these
electronic systems delivered tangible cost reductions associated with the elimination of
manual processes. It also became clearer that inconsistencies due to “silo”
implementations exposed organizations to greater risk as opposed to reducing risk. Thus,
a major imperative was to reduce risk and provide a consistent approach to regulatory
compliance.
Therefore, the principles that shaped this new change in thinking about regulatory
compliance can be summarized as follows:
These principles, while simplistic, are the very foundation of good corporate governance
within any organization. Compliance creates a legal “best practice” and establishes a
baseline for acceptable regulated systems environments. Instead of building compliance
“on top of” technology platforms, organizations are seeking now to embed compliance
business rules into technology platforms thus reducing the need to “re-invent the wheel”
for regulatory compliance management systems.
Compliance From The Agency Perspective
In times past, regulators would introduce regulatory guidelines with little or no thought as to
the impact of these regulations on the regulated community. Many of these regulations
suggested (but did not mandate) technological solutions as a means of compliance forcing
companies to purchase a myriad of automation tools to address the requirements. Again
we can look at 21 CFR Part 11 Final Rule (Part 11) as an example of this phenomenon.
Post-implementation of Part 11, the industry reported back to the Agency that the rule
unnecessarily restricted the use of technology, significantly increased compliance costs,
and discouraged technological innovation. In response, the Agency issued new guidance
representing its current thinking on Part 11 that resulted in a withdrawal of all previous
guidance and a refocus of how this rule should be applied as an outgrowth of their new
GMP initiative called “Pharmaceutical GMP’s For The 21st Century”. This new initiative was
predicated on the basis that GMPs had not changed much in decades but the industry as
a whole had. Therefore, the regulations had to change to reflect the times. Interestingly
enough, the Agency developed regulatory principles that, in theory, would promote placing
the most resources in areas of greatest risk and use science-based risk assessments while
taking full advantage of advances in technology. This is evolutionary thinking on the part of
the FDA.
What we see now at the FDA is a major shift in the Agency’s thinking on compliance. They
are now looking at the impact of regulations on business from a cost perspective and
attempting to provide clearer regulations that have practical solutions that target the
greatest compliance burden to the areas of greatest risk. Although some view the current
policies of the FDA as controversial, citing the belief that the new risk-based approach
may actually compromise the safety and efficacy of new therapies, most agree that better
guidance and consideration of the cost of regulation is a welcome change.
The compliance evolution has brought about a significant change in the way organizations
and Agencies such as the FDA view regulatory compliance. Given the current evolution
that is underway, there are several questions which must be answered as to where do we
go from here. Specifically, we must ask, “How does this paradigm shift affect the way in
which compliance systems are developed and managed?” Further, “How can organizations
practically forge the missing link in a chain of established technology given the current
sensitivity to cost?”
From the view of the government, a realistic approach to establishing compliance policy is in the
greater public interest. Practical policy can result in more organizations achieving sustained
compliance resulting in better product quality and safety.
The Regulatory Perfect Storm
A regulatory ‘perfect storm’ has been brewing over the past few years within
the compliance community. With recent changes in 21 CFR Part 11
guidelines, the new Sarbanes-Oxley (SOX) corporate governance initiative,
and the Health Insurance Portability & Accountability Act of 1996 (HIPAA),
information systems organizations are experiencing a convergence in requirements
for electronic record privacy, security and short/long-term retention. These three
factors represent the most challenging aspects of managing electronic records and
thus call for a more comprehensive strategy for managing I.T. assets.
The situation facing most I.T. organizations is that many of the legacy technologies
implemented were not deployed as part of a long term, comprehensive strategy. In
fact, most were deployed in “organizational silos” where the “pain” was most
pronounced. Now, as these same organizations review current
PRIVACY, SECURITY, RETENTION
The overlapping requirements for privacy, security, and retention will have significant
impact on existing legacy systems that were not designed with these requirements in
mind. For those organizations in the eye of the storm with disjointed legacy systems, the
convergence of these requirements will create a violent upheaval that will force
integration. Like never before, the factors of privacy, protection, and retention that
swirl around new regulations must anchor any new system to help achieve sustained
regulatory compliance. These requirements are, in fact, the foundation of a good
electronic records management system.
Quality: The Foundation of Compliance
From a historical perspective, it is helpful to trace the origins of today’s quality management
principles to gain a better understanding of their intent from a practical sense. Quality
assurance programs were first formally developed during World War II. The basic principle
of this new initiative at that time was to reduce waste and scrap and thus increase the
profitability of the manufacturing process. Greater productivity and cost-effectiveness are
derived from advanced quality assurance programs and control systems. Organizations
have come to realize that they must compete (and excel) in quality to achieve sustained
competitive advantage and sustained compliance. The metric used to measure the
effectiveness of quality assurance programs was to achieve zero failures or rejections or
significantly reduce the number of failures or rejection rate. From these early initiatives came
a major quality assurance program known today as Total Quality Management (TQM). The
TQM program emerged about 15 years ago and has widespread use throughout many
organizations.
The TQM program has established ten criteria as its base foundation. These criteria are as
follows:
3. Quality Improvement
♦ Process established and implemented
♦ Present problems
♦ Improve quality
♦ Analysis
♦ Continuous improvement
♦ Performance standards and measures
• Problem identification, control resolution, and follow-up (corrective
and preventive actions)
5. Work Processes
♦ Work
• Line management provides training, resources, and
direction
• Worker is first line
• Review and improvement
• Planning, authorization, and accomplishment
♦ Identify and control items
♦ Handling, storage, and shipping
♦ Monitoring and data collection equipment
6. Design
♦ Process established and implemented
♦ Inspection (Requirements versus the design)
♦ Changes are controlled
♦ Interfaces are controlled
♦ Records
♦ Verification
7. Procurement
♦ Process established and implemented
♦ Technical and administrative requirements
♦ Selection, suitability, evaluation, and receipt
♦ Supplier evaluation
♦ Acceptance testing
• Process established and implemented
• Conducted by and for the line organization
• Test requirements and acceptance criteria
• Re-testing when necessary
9. Management Assessment
♦ Process established and implemented
♦ Performed by managers
HISTORICAL PERSPECTIVE (CONTINUED)
There are many parallels from the manufacturing-centric view of TQM that may be applied
to the discussion of electronic records management systems. Records managers can
apply these same TQM principles to their compliance management systems to significantly
reduce risk and achieve higher levels of compliance.
The intersection of the principles of quality management and driving business results
requires organizations to integrate technologies such as regulatory content
management, storage management systems, business intelligence (compliance
intelligence), relational databases, and other tools successfully to allow organizations
to understand some of the cause-and-effect relationships that go on within that
business. Information and knowledge are intimately related to quality
management…good quality management is based on making decisions based on
facts rather than intuition…and a modern quality management system that is dynamic
and adaptive to evolve and continuously improve is fueled by knowledge.
A more integrated approach to how business is managed is needed to deal with these
challenges that are based on a systems approach to management. A fundamental
component of any effective quality management system is a document management
capability that meets the basic requirements for document and data control and
provides enhanced capabilities to support broader business process improvement
objectives.
The table on the following page highlights the quality management principles and
summarizes how they may be applied to electronic records management.
Top Down Ownership
♦ ERM programs must include top-down ownership to ensure consistency across the
organization.
♦ Enterprise collaboration systems may be deployed to ensure effective communication
of management decisions across the enterprise.

Quality Improvement
♦ Quality improvement consists of developing the standards for quality including
written procedures to ensure continuous improvement.
♦ Corrective Actions Systems (CAPA) and content management systems may be
effectively deployed to address continuous improvement while maintaining electronic
records.

Inspection & Acceptance Testing
♦ Inspection and acceptance testing are essential for continuous improvement. From a
records management point of view, inspection of ERM systems must be considered.
♦ Most TQM systems leverage statistical analysis tools and mathematical models to
document inspection and testing activity. Automated Test Procedures (ATM’s) are an
effective tool for managing this information.

Management Assessment
♦ Management assessment represents the required oversight function mandatory for
TQM. This is primarily a reporting function.
♦ Business intelligence systems coupled with reporting and analysis tools provide the
information that management needs to assess RMS quality.
Active Compliance Process Framework
As Bill Gates said, “If the 1980’s were about quality and the 1990’s were
about re-engineering, then the 2000’s will be about velocity... Quality
improvements and business process improvements will occur far
faster. When the velocity is fast enough, the very nature of the business
changes.” – Bill Gates, 1999. The question is, how do organizations move from
a passive state of compliance to an active state of compliance?
♦ Compliance Office
♦ Executive
♦ Employees
♦ External Regulators
Training and education are the foundation for the active compliance state
while expert guidance and consulting are wrapped around:
Final Recommendations
the organization and to facilitate quality. Through the integration with EMC
Documentum technologies and eQCM, organizations can enjoy an unprecedented
level of interoperability to ensure consistency and efficiency as they meet their
compliance objectives. Records managers must think strategically when moving
towards a higher level of compliance.
As regulators and those regulated have evolved their thinking towards a new
paradigm, records managers need to shift their focus towards establishing integrated
systems that not only manage electronic records in a legally defensible manner, but
deliver true ROI and compliance intelligence through integration with key technology
components that deliver intelligence from electronic records.

Compliance intelligence is “actionable” information used to assess the level of
compliance across the organization and to facilitate quality.

In summary, for effective electronic records management, organizations need to take
a lesson from TQM and follow the principles that lead to good quality management.
These principles have been shown to seek adoption of the following integrated
technologies:
The good news is that most of these technologies are resident in house within your
organization. Compliance is not a one-size-fits-all proposition. Avoid technological hype from
vendors who re-purpose existing technologies to fit the latest fad. Compliance is serious
business. Records management is crucial to your business. Add electronic management
systems as the missing link in your technology programs and watch your compliance risk
decrease while your business accelerates through increased operational efficiency.
Amadeus International
400 Jean-Lesage Bvld. Suite 500
Québec City, QC, Canada
G1K 8W1
Phone: 418.525.0606
Fax: 418.525.0909
ABOUT AMADEUS INTERNATIONAL