MASTERING REGULATORY COMPLIANCE

BEST PRACTICES EXECUTIVE SERIES

The Missing Link: The Role of Compliance Process Control in Achieving Sustained
Regulatory Compliance

The Step Above Compliance™

Compliance Process Control

The Compliance Evolution

INTRODUCTION

Recent trends in technology and globalization have mandated significant changes in
current regulations. As these macro forces evolve, so does the need for regulatory
guidelines that keep pace with the changes. The surge in regulatory compliance and
enforcement has contributed to changing how organizations view and comply with
current regulations. On the one hand, there are organizations that view regulatory
compliance as a necessary evil. The mention of regulatory compliance within these
organizations conjures up thoughts of endless audits, tense interrogations by
regulatory officials and additional cost burden. On the other hand, forward-thinking
companies are beginning to see compliance not as a burdensome cost of doing
business, but as a way to drive process efficiencies and decrease costs. These
organizations have concluded that compliance makes good business sense and, if done
correctly, can have a positive impact on bottom line operations.

This white paper will explore current thinking on regulatory compliance. The
discussion will focus on the way that compliance management has evolved from its
earlier perception by many businesses as a necessary evil to the current wisdom that
says if done correctly, regulatory compliance makes good business sense. Based on
this understanding of the evolution of regulatory compliance, the premise of this
discussion from a systems perspective is that most compliance management systems
are missing a critical link required for the successful implementation of any such
system, which is the electronic records management framework. Most so-called
compliance management systems focus purely on the management of documents in a
regulated, controlled environment. However, little consideration is given within
these systems to capturing electronic records in a manner that preserves the
authenticity, integrity, security and long term retention of these records in a
legally defensible manner.

This white paper will offer practical advice to those forward-thinking organizations
seeking to add the missing link to their compliance management systems.

The Missing Link: The Role of Records Management In Achieving Sustained Regulatory
Compliance © - Page 1
Two Views Of Regulatory Compliance

VIEW FROM THE GOVERNED

Regulatory compliance is currently in a state of rapid evolution. From the
standpoint of those organizations regulated by government agencies, the pressure and
economic impact of compliance with current regulations has forced them to re-think
how they view regulatory compliance. In the past, these organizations typically
viewed regulatory compliance as a necessary evil. Many regulatory compliance
programs were not implemented strategically across the company. On the contrary,
compliance programs were very reactive in response to guidelines issued by
regulatory authorities. From an I.T. standpoint, systems were developed and deployed
within specific departments impacted by the specific regulation in question. The
result of this approach within many organizations was costly, fragmented compliance
systems where efficiency and consistency were often an after-thought from a systems
point of view.

A key example of this phenomenon is the 21 CFR Part 11 Final Rule issued in
March of 1997 which provided governance for those organizations that elected to
create, maintain, and submit electronic records to the U.S. Food and Drug
Administration (the Agency) using electronic signatures. The rule provided
guidance on the use and management of electronic signatures and electronic
records. Most organizations internally established a written policy representing
their interpretation of the regulation and selectively chose I.T. projects that would
be “21 CFR Part 11-compliant”. This led to the wide adoption of electronic
document management systems technology within the regulated community with
“built-in” Part 11 features. These systems were in most cases custom-designed at
considerable expense. Moreover, the design of Part 11 systems varied from one
system to another even within the same company thus resulting in an inconsistent,
fragmented approach across the company.

At the same time, the vendor community jumped on the bandwagon and began
promoting Part 11 compliance for their products. Since there was no product
“certification standard” issued by government that represented what a Part 11
system was to include, most technology buyers operated on the principle of caveat
emptor – “let the buyer beware”. Missing within many of these “solutions” for Part
11 compliance was a clear strategy for effective management of electronic
records. Specifically, many systems were noticeably deficient on how to manage
and retain audit trails, how to irrefutably link electronic records and audit trails,
and how to clearly define within the program what a complete electronic record is.
Most current systems lack a clear strategy for short term and long term access and
retrieval.

Compliance As A Legal Best Practice

Organizations came to realize through their attempts to comply with 21 CFR Part
11 that their reactive response was both costly and short-sighted. Many
projected that their efforts, if they continued implementation on the current path,
would result in costs estimated as greater than the cost of earlier Y2K compliance
initiatives from 1999. Thus, organizations began re-thinking their compliance strategies at
a higher level. The take-away for some was the fact that electronic document
management systems did help to achieve measurable increases in operational efficiency.
It was indeed faster to electronically create, route, review, and electronically sign and
approve documents than manually processing them. They also realized that these
electronic systems delivered tangible cost reductions associated with the elimination of
manual processes. It also became clearer that inconsistencies due to “silo”
implementations exposed organizations to greater risk as opposed to reducing risk. Thus,
a major imperative was to reduce risk and provide a consistent approach to regulatory
compliance.

Therefore, the principles that shaped this new change in thinking about regulatory
compliance can be summarized as follows:

♦ Reduce Compliance Risk

♦ Improve Process & Operational Efficiency

♦ Reduce Cost & Cycle Times

♦ Increase Product Quality

♦ Improve Enterprise Compliance

♦ Improve Organizational Collaboration

These principles, while simplistic, are the very foundation of good corporate governance
within any organization. Compliance creates a legal “best practice” and establishes a
baseline for acceptable regulated systems environments. Instead of building compliance
“on top of” technology platforms, organizations are seeking now to embed compliance
business rules into technology platforms thus reducing the need to “re-invent the wheel”
for regulatory compliance management systems.

Given their experiences with leveraging technology to achieve regulatory compliance
objectives, many organizations have concluded that if compliance is viewed strategically
from the top and applied consistently across an organization, compliance makes good
business sense. It can result in many tangible benefits with bottom line impact. This
epiphany has resulted in a major shift from thinking of compliance as a necessary evil
towards the revolutionary concept of compliance as a key business driver and competitive
advantage. Compliance can be a key competitive advantage in that it promotes quality by
design. Companies are taking a more holistic approach to regulatory compliance. The
birth of the Chief Compliance Officer and other such positions is testament to this shift
towards thinking of compliance in a more strategic manner. From the standpoint of the
governed, compliance is a given business factor. Real compliance can be a strategic
business advantage if compliance programs are properly implemented.

Compliance From The Agency Perspective

VIEW FROM THE GOVERNMENT

Regulators in recent years have become more conscious of the cost of regulations,
and regulated companies are taking into consideration the practical implications of
compliance when developing policy guidelines.

In times past, regulators would introduce regulatory guidelines with little or no thought as to
the impact of these regulations on the regulated community. Many of these regulations
suggested (but did not mandate) technological solutions as a means of compliance, forcing
companies to purchase a myriad of automation tools to address the requirements. Again
we can look at the 21 CFR Part 11 Final Rule (Part 11) as an example of this phenomenon.
Post-implementation of Part 11, the industry reported back to the Agency that the rule
unnecessarily restricted the use of technology, significantly increased compliance costs,
and discouraged technological innovation. In response, the Agency issued new guidance
representing its current thinking on Part 11 that resulted in a withdrawal of all previous
guidance and a refocus of how this rule should be applied as an outgrowth of their new
GMP initiative called “Pharmaceutical GMP’s For The 21st Century”. This new initiative was
predicated on the basis that GMPs had not changed much in decades but the industry as
a whole had. Therefore, the regulations had to change to reflect the times. Interestingly
enough, the Agency developed regulatory principles that, in theory, would promote placing
the most resources in areas of greatest risk and use science-based risk assessments while
taking full advantage of advances in technology. This is evolutionary thinking on the part of
the FDA.

What we see now at the FDA is a major shift in the Agency’s thinking on compliance. They
are now looking at the impact of regulations on business from a cost perspective and
attempting to provide clearer regulations that have practical solutions that target the
greatest compliance burden to the areas of greatest risk. Although some view the current
policies of the FDA as controversial, citing the belief that the new risk-based approach
may actually compromise the safety and efficacy of new therapies, most agree that better
guidance and consideration of the cost of regulation is a welcome change.

The compliance evolution has brought about a significant change in the way organizations
and Agencies such as the FDA view regulatory compliance. Given the current evolution
that is underway, there are several questions which must be answered as to where do we
go from here. Specifically, we must ask, “How does this paradigm shift affect the way in
which compliance systems are developed and managed?” Further, “How can organizations
practically forge the missing link in a chain of established technology given the current
sensitivity to cost?”

From the view of the government, a realistic approach to establishing compliance policy is in the
greater public interest. Practical policy can result in more organizations achieving sustained
compliance resulting in better product quality and safety.

The Regulatory Perfect Storm

A regulatory ‘perfect storm’ has been brewing over the past few years within
the compliance community. With recent changes in 21 CFR Part 11
guidelines, the new Sarbanes-Oxley (SOX) corporate governance initiative,
and the Health Insurance Portability & Accountability Act of 1996 (HIPAA),
information systems organizations are experiencing a convergence in requirements
for electronic record privacy, security and short/long-term retention. These three
factors represent the most challenging aspects of managing electronic records and
thus have called for a more comprehensive strategy for managing I.T. assets.

PRIVACY, SECURITY, RETENTION

The situation facing most I.T. organizations is that many of the legacy technologies
implemented were not deployed as part of a long term, comprehensive strategy. In
fact, most were deployed in “organizational silos” where the “pain” was most
pronounced. Now, as these same organizations review current regulatory
requirements, it has become clear that in order to achieve sustained compliance,
these systems must be integrated seamlessly across the enterprise.

New regulations when introduced to the compliance community often require
retrospective design and validation to meet the new requirements. Security and
privacy challenges inherent in regulations such as HIPAA have broad legal
implications which may go beyond the security and privacy challenges of most
legacy systems. Audit trails, in many cases, are absent from the existing solutions.

Good corporate governance, as mandated by Sarbanes-Oxley, requires organizations
to secure and retain information in a manner sufficient to maintain corporate
memory. These same organizations must have comprehensive audit trails that clearly
support chain-of-custody requirements and help promote better decision-making and
improved accountability. At the same time, privacy of sensitive corporate records
must be maintained.

The overlapping requirements for privacy, security, and retention will have significant
impact on existing legacy systems that were not designed with these requirements in
mind. For those organizations in the eye of the storm with disjointed legacy systems, the
convergence of these requirements will create a violent upheaval that will force
integration. Like never before, the factors of privacy, protection, and retention that
swirl around new regulations must anchor any new system to help achieve sustained
regulatory compliance. These requirements are, in fact, the foundation of a good
electronic records management system.

Quality: The Foundation of Compliance

No discussion of regulatory compliance would be complete without consideration of
the subject of quality. As regulatory agencies and the industries they regulate
undergo the current evolution, quality management is evolving as well. Quality
management is evolving from the traditional perspective of prevention of defects to a much
broader business-centric principle focused on maximizing key business drivers and
customer satisfaction. Some now view quality as a competitive advantage.

HISTORICAL PERSPECTIVE OF QUALITY

From a historical perspective, it is helpful to trace the origins of today’s quality management
principles to gain a better understanding of their intent in a practical sense. Quality
assurance programs were first formally developed during World War II. The basic principle
of this new initiative at that time was to reduce waste and scrap and thus increase the
profitability of the manufacturing process. Greater productivity and cost-effectiveness are
derived from advanced quality assurance programs and control systems. Organizations
have come to realize that they must compete (and excel) in quality to achieve sustained
competitive advantage and sustained compliance. The metric used to measure the
effectiveness of quality assurance programs was to achieve zero failures or rejections or to
significantly reduce the number of failures or the rejection rate. From these early
initiatives came a major quality assurance program known today as Total Quality
Management (TQM). The TQM program emerged about 15 years ago and has widespread use
throughout many organizations.

The TQM program has established ten criteria as its base foundation. These criteria are as
follows:

1. Top-Down Program Ownership
♦ Senior management ownership
♦ Performance objectives established
♦ Line organization implementation
♦ Responsibilities and authorities defined
♦ Individual empowerment

2. Personnel Training And Qualification
♦ Affects all personnel
♦ Stimulate professional development
♦ Maintain proficiency and promote improvement
♦ On-going training review

3. Quality Improvement
♦ Process established and implemented
♦ Present problems
♦ Improve quality
♦ Analysis
♦ Continuous improvement
♦ Performance standards and measures
• Problem identification, control resolution, and follow-up (corrective and preventive actions)

4. Documents And Records
♦ Process established and implemented
♦ Documents identified and controlled
♦ Records identified and controlled
♦ Records retention

5. Work Processes
♦ Work
• Line management provides training, resources, and direction
• Worker is first line
• Review and improvement
• Planning, authorization, and accomplishment
♦ Identify and control items
♦ Handling, storage, and shipping
♦ Monitoring and data collection equipment

6. Design
♦ Process established and implemented
♦ Inspection (Requirements versus the design)
♦ Changes are controlled
♦ Interfaces are controlled
♦ Records
♦ Verification

7. Procurement
♦ Process established and implemented
♦ Technical and administrative requirements
♦ Selection, suitability, evaluation, and receipt
♦ Supplier evaluation

8. Inspection And Acceptance Testing
♦ Inspection
• Process established and implemented
• Conducted by and for the line organization
• Based on risk and complexity
• Acceptance criteria established

♦ Acceptance testing
• Process established and implemented
• Conducted by and for the line organization
• Test requirements and acceptance criteria
• Re-testing when necessary

9. Management Assessment
♦ Process established and implemented
♦ Performed by managers
♦ Focused on broad categories of management issues

10. Independent Assessment
♦ Process established and implemented
♦ Represents senior management
♦ Technically knowledgeable personnel
♦ Focus on improving quality
♦ Action based on risk, complexity, and status
♦ Problem tracking and resolution

There are many parallels from the manufacturing-centric view of TQM that may be applied
to the discussion of electronic records management systems. Records managers can
apply these same TQM principles to their compliance management systems to significantly
reduce risk and achieve higher levels of compliance.

The intersection of the principles of quality management and driving business results
requires organizations to integrate technologies such as regulatory content
management, storage management systems, business intelligence (compliance
intelligence), relational databases, and other tools successfully to allow organizations
to understand some of the cause-and-effect relationships that go on within that
business. Information and knowledge are intimately related to quality
management…good quality management is based on making decisions based on
facts rather than intuition…and a modern quality management system that is dynamic
and adaptive to evolve and continuously improve is fueled by knowledge.

A more integrated approach to how business is managed is needed to deal with these
challenges that are based on a systems approach to management. A fundamental
component of any effective quality management system is a document management
capability that meets the basic requirements for document and data control and
provides enhanced capabilities to support broader business process improvement
objectives.

The table on the following page highlights the quality management principles and
summarizes how they may be applied to electronic records management.

Total Quality Management & Electronic Records Management

TQM & RECORDS MANAGEMENT MAPPING

| TQM Principle | Records Mgt Impact | Applied Technology |
|---|---|---|
| Top Down Ownership | ERM programs must include top-down ownership to ensure consistency across the organization. | Enterprise collaboration systems may be deployed to ensure effective communication of management decisions across the enterprise. |
| Personnel Training & Qualification | Training is an essential part of any TQM initiative. It is often over-looked and under-estimated. | Learning management technology may be considered to address this criteria. In most TQM systems, training is tied to operating procedures. Integrated training tracking systems are effective in managing this information. |
| Quality Improvement | Quality improvement consists of developing the standards for quality including written procedures to ensure continuous improvement. | Corrective Actions Systems (CAPA) and content management systems may be effectively deployed to address continuous improvement while maintaining electronic records. |
| Document & Records | Documents and records are the life blood of any organization. They must be maintained in a controlled manner. | Electronic records management technologies coupled with electronic content management systems may be effectively deployed. Also, storage management technology may be used for long term retention. |
| Work Processes | Business processes represent the engine that drives the business. The goal in achievement of compliance is to automate these processes to ensure consistency and quality. | Business process management and business intelligence systems may be leveraged to address this criteria. |
| Design | Quality design criteria ensures that all processes designed are mapped to stated requirements from the business. This criteria can be met with automated change control procedures. | Design criteria for TQM can be addressed with business process management software and content management systems. |
| Procurement | Procurement records are vital to the successful operation of the business. These records must be established and retained in a secure environment. | ERM systems and regulatory control systems may be used to manage this information. Business intelligence systems may be an effective way to manage this information. |
| Inspection & Acceptance Testing | Inspection and acceptance testing are essential for continuous improvement. From a records management point of view, inspection of ERM systems must be considered. | Most TQM systems leverage statistical analysis tools and mathematical models to document inspection and testing activity. Automated Test Procedures (ATM’s) are an effective tool for managing this information. |
| Management Assessment | Management assessment represents the required oversight function mandatory for TQM. This is primarily a reporting function. | Business intelligence systems coupled with reporting and analysis tools provide the information that management needs to assess RMS quality. |
| Independent Assessment | Independent assessment is designed to eliminate internal bias. From a records management perspective, it is good best practice to conduct external audits on electronic records. | This is primarily an external function to audit ERM systems. |

Active Compliance Process Framework

As Bill Gates said, “If the 1980’s were about quality and the 1990’s were
about re-engineering, then the 2000’s will be about velocity... Quality
improvements and business process improvements will occur far
faster. When the velocity is fast enough, the very nature of the business
changes.” – Bill Gates, 1999. The question is, how do organizations move from
a passive state of compliance to an active state of compliance?

THE ACTIVE COMPLIANCE FRAMEWORK

Active compliance is loosely defined as the process of moving from a state of
passive compliance characterized by higher costs and higher compliance risk
to a state of continuous improvement, lower costs, and lower compliance risk.
Active compliance blends performance management and compliance
management into a structured organizational framework. As shown from the
diagram, the active compliance framework involves four specific groups of
people integrated through a comprehensive set of policies and
procedures:

♦ Compliance Office

♦ Executive

♦ Employees

♦ External Regulators

Training and education are the foundation for the active compliance state
while expert guidance and consulting are wrapped around:

♦ Business process management

♦ Reporting and risk management

♦ Document and records management

♦ Security and audit control

Source: AMR Research, 2003

It is interesting to note that an essential component (and the missing link in
many systems) is the document AND records management component.
Records management is a common thread across the entire spectrum of
enterprise business systems. As previously mentioned, the document
management component is present in most compliance management
initiatives. Records management is the missing link.

Today’s records managers need to understand how to manage electronic
records and shift their thinking in ways that parallel quality management
principles as discussed in the previous section.

Final Recommendations

COMPLIANCE INTELLIGENCE

As organizations seek to achieve higher levels of compliance and reduce
regulatory risk, there are several ways in which today’s technology can be
applied to help achieve these objectives. It should be clear from the
previous discussion that compliance does make good business sense if properly
implemented. Amadeus Compliance process control systems are designed to
effectively manage the flow and control of regulatory information as it permeates the
enterprise. Compliance intelligence allows organizations to leverage this information
through the use of electronic records management systems as the core foundation, to
help businesses effectively create, manage, store, retain, and use electronic records
to automate business processes and accelerate operations. The eQCM system is
tightly coupled with EMC Documentum’s Electronic Records Management system to
deliver “actionable” compliance intelligence to assess the level of compliance across
the organization and to facilitate quality. Through the integration with EMC
Documentum technologies and eQCM, organizations can enjoy an unprecedented
level of interoperability to ensure consistency and efficiency as they meet their
compliance objectives. Records managers must think strategically when moving
towards a higher level of compliance.

As regulators and those regulated have evolved their thinking towards a new
paradigm, records managers need to shift their focus towards establishing integrated
systems that not only manage electronic records in a legally defensible manner, but
deliver true ROI and compliance intelligence through integration with key technology
components that deliver intelligence from electronic records.

Compliance intelligence is “actionable” information used to assess the level of
compliance across the organization and to facilitate quality.

In summary, for effective electronic records management, organizations need to take
a lesson from TQM and follow the principles that lead to good quality management.
These principles point to the adoption of the following integrated technologies:

♦ Electronic Records Management Systems
♦ Enterprise Content Management Systems
♦ Compliance Intelligence and Reporting Systems
♦ Storage Management Technologies
♦ CAPA (Corrective and Preventive Actions) Systems For Continuous Quality Improvement
♦ Business Process Improvement

The good news is that most of these technologies are resident in house within your
organization. Compliance is not a one-size-fits-all proposition. Avoid technological hype from
vendors who re-purpose existing technologies to fit the latest fad. Compliance is serious
business. Records management is crucial to your business. Add electronic management
systems as the missing link in your technology programs and watch your compliance risk
decrease while your business accelerates through increased operational efficiency.


ABOUT AMADEUS INTERNATIONAL

Amadeus International
400 Jean-Lesage Blvd. Suite 500
Québec City, QC, Canada
G1K 8W1

Phone: 418.525.0606
Fax: 418.525.0909

For more information, visit our website at www.amadeussolutions.com

Email Us At: info@amadeussolutions.com

© 2008 Amadeus International. All rights reserved. Printed in Canada.


Amadeus, Quality Resource Planning, eQRP, the eQRP® logo, eQCM and the eQCM® logo are registered trademarks of Amadeus International
in Canada, the United States, Europe as well as several other countries. All other product and service names mentioned are the trademarks of
their respective owners.
