[Today, I feature an excerpt from my latest book, “Pragmatic GXP Compliance” recently published. Recently, the CEO of a pharmaceutical firm had this to say about this book:
“I finished Pragmatic GXP Compliance today and have to say it is another excellent read. It really hits home with trying to improve our quality culture. My whole leadership team has read the book and absolutely raves about it!”
This book is available in either paperback or Kindle version and can be found at this link: Pragmatic GXP Compliance.]
How many of you have heard something like the following from management?
- What’s the problem? All we’re talking about is a few specks in the tablets.
- What do you mean we can’t release that batch? It met all the finished product specifications, didn’t it?
- Can’t we just retest that batch to see if it is really OK?
- How much adulteration is too much? (Note: Yes, I really did hear a member of management ask me that one time.)
Granted, comments like these should be rare in the 21st century. Nonetheless, helping management, especially when their background is in a non-scientific area, understand the basic elements and requirements of GXP’s is an ongoing challenge.
So, what is the proper approach for helping management, especially senior management, understand the important role they have in ensuring compliance with GXP requirements? Before we look at some specific approaches, let’s begin by reviewing management responsibilities in a GXP environment, the benefits of creating a strong compliance culture, and the enforcement options at the hands of regulatory agencies in the event we fail to maintain the necessary level of compliance.
Responsibilities of Management
What is it exactly that management must do to ensure an appropriate level of compliance? To understand how to best educate management about their responsibilities for GXP, it is best to review those responsibilities.
When operating properly in a GXP environment, management will:
- Create a mission, vision, and Corporate Quality Policy geared to GXP compliance – Perhaps, the most important responsibility for management is to create the overriding messaging of the importance of quality compliance. This is most often established through a mission statement and/or vision statement that clearly articulates the corporate commitment. Such a statement does a couple of things: it continuously reminds employees, stakeholders, and customers that quality compliance is important AND it ensures accountability. When your mission/vision statement declares a commitment to compliance, it makes it much more difficult organizationally to cut corners. A strong compliance commitment included in a mission or vision statement partnering with a Corporate Quality Policy works to establish that quality compliance is a value that cannot be compromised.
- Establish a Quality Unit with the proper organizational reporting structure – Of course, words are cheap. Saying that quality compliance is a value without demonstrating it through solid actions renders it meaningless. GXP’s require that complying firms establish a Quality Unit with adequate organizational strength to ensure compliance. In short, unless the Quality Unit has the ability to stop production or reject noncomplying products, its organizational strength is inadequate. In fact, GXP’s require that the Quality Unit be given status equivalent to functions such as Production, Engineering, and Supply Chain. Quality must sit at the table at which decisions are made that potentially impact quality or GXP compliance. Failing to create such a structure is a management failure that has severely impacted other firms (see Regulatory Agency Enforcement Options below).
- Create a Quality Unit with adequate credentials, numbers, and organizational support to execute GXP compliance – In addition to creating a Quality Unit with adequate organizational strength, management must ensure that members of the Unit have adequate training, experience, and skills to perform all GXP activities. This typically means that Quality Unit leaders have demonstrated ability leading their respective functions. It also means that management adequately fund the Unit. By this I mean enough resources are provided to perform all required activities. It is very tempting to focus resources on activities that “produce revenue” and view quality compliance personnel as overhead. I would argue that a properly resourced Quality Unit can often “pay for itself” by ensuring an ongoing supply of conforming, high quality products. Failing to resource quality functions adequately is a common root cause for firms cited for non-compliance issues.
- Create a periodic management review process that ensures management knowledge and oversight of Quality data and compliance performance – GXP’s require that management have a process in place to ensure awareness of quality compliance through a systematic review of quality performance data. Many firms conduct this formal data review on a monthly or quarterly basis. This review should be adequate to ensure that management is aware of potential adverse trends, quality compliance risks, and actual performance of products at the consumer level. This GXP requirement is one of the elements of the legal basis for “management is without excuse” (discussed below).
- Establish a visible and vocal quality compliance posture – Many GXP regulated firms establish a strong mission or vision statement accompanied by a Quality Policy, then never discuss quality compliance again. Management must make quality compliance an ongoing discussion point. For example, quality compliance should be a topic in town hall meetings, be a typical topic in company newsletters, receive significant discussion in annual corporate reports, and Quality Unit leaders should be routinely highlighted in forums with senior management. Company leaders should mention quality compliance performance in public venues. All of these combine to demonstrate clearly that quality and compliance are more than talking points, but values the help define the success of the company. In short, management must make clear that no year is a good year in which quality or compliance issues resulted in significant regulatory agency or consumer impact.
- Ensure ongoing commitment by recognizing and rewarding strong quality compliance performance – Companies are usually quick to highlight strong performance of sales and marketing organizations. Most firms have an “annual sales meeting” in which top performers are recognized and rewarded. However, do individuals involved in achieving significant achievements in the quality compliance arena similarly recognized and rewarded? A failure to do so often seems to relegate these individuals to second tier status when it comes to company success. Management must demonstrate the importance of quality compliance by recognizing and rewarding it.
- Establish systems to manage performance to ensure compliance – A basic responsibility of management is to manage performance. This also applies to GXP compliance. Creating goals and objectives that measure the output of the Quality Unit and associated contributors to GXP compliance (e.g., Production, Engineering, and Supply Chain) is critical to ensuring that needed ongoing level of performance in these areas.
- Establish an organizational structure and process for escalating known and potential quality compliance issues – Management must be involved in key decisions impacting quality compliance. Establishing such a process for escalating these issues is a responsibility often left to informal communication. Management of firms that give lip service to quality compliance will often work to abdicate their responsibility to be aware and involved in key decisions. I have even heard of firms that adjust their organizational structure to delegate these responsibilities to others. For example, I heard of one firm that had the Quality Unit reporting to the Legal Department, essentially allowing other senior management the shield of the Legal Department to deflect their responsibilities for quality compliance. Senior management at firms that are committed to quality compliance seek opportunities to be directly involved, not create ways to avoid it.
- Establish a process for identifying risks for non-compliance through audits, assessments, and data review outside the periodic management review process – Members of management at some firms are afraid of bad news. However, committed management will seek ongoing input into the performance of these quality compliance systems. Establishing robust internal audit programs, assessments of system performance (e.g., Supplier Quality performance), and ongoing review of performance data are signs of management committed to GXP compliance. I know one firm that formerly had their GXP Compliance Internal Audit function reporting directly to the CEO. This provided an ongoing, direct line of communication to the top manager of the company for potential risks. Later, this same company altered that organizational structure under a new CEO and eventually agreed to a consent decree and large fine to remedy ongoing GXP compliance issues. This organizational change may not have been directly involved, but I cannot imagine a significant slip in GXP compliance when the CEO was getting routine feedback on GXP performance from the leader of the Corporate Compliance function.
- Provide adequate resources and commitment to facilitate continuous improvement of systems, equipment, facilities, and personnel performance – In addition to the Quality Unit, it is a significant management responsibility to properly fund other continuous improvement initiatives. For example, new equipment, updated facilities, and enhanced personnel skills must be funded. You cannot establish solid systems and expect them to remain current without ongoing enhancement. I am aware of a firm that once had a facility so modern and advanced that US FDA personnel routinely visited the facility for training to see “how it should be done.” However, that firm failed to maintain and continuously improvement the operation and a few years later it was the source of a Warning Letter alleging poor maintenance and inadequate resourcing to perform basic GXP responsibilities.
Benefits of a Strong Compliance Culture
Aside from avoiding the negative consequences associated with inadequate compliance, there are other benefits to a strong compliance culture.
First, there is an element of organizational discipline needed for compliance. The mere fact that a strong compliance approach means that you have written procedures, trained employees, maintained equipment, and standards against which to measure performance… all key attributes of many successful operations. When your entire organization has the needed discipline to properly fulfill GXP requirements, success in other areas of the business is likely.
GXP requirements also include, as a built-in, critical element, systems for identifying and correcting problems. In effect, GXP’s drive toward continuous improvement. In a strong GXP environment, there is an ongoing culture of correcting issues, making the operation better, and preventing events that could negatively impact the business or product quality.
As we might expect, a strong culture of GXP compliance should result in better product quality. When processes are consistent, employees knowledgeable and disciplined, and practices in place to ensure that high manufacturing standards are achieved, we can be sure that we will experience fewer rejections, less product loss, and higher conforming finished product.
Finally, when we achieve a strong culture of compliance, the consumer or patient impact will be better. GXPs, by definition, exists to ensure the safety, purity, identity, strength, quality, and efficacy of distributed product. Thus, we should expect that the ultimate patient experience is higher when compliance is better.
Regulatory Agency Enforcement Options
Regulatory agencies have been given significant power to enforce GXP compliance. This is true globally. Reviewing these enforcement options with management can help inspire a greater respect for compliance.
Many of the “tools” used by regulators are well established and well known. For example, most individuals in this industry understand the significance of US FDA 483 items and their global equivalents. Likewise, the use of import alerts, recalls, debarments, seizures, injunctions, and fines are also well established.
There are a couple of enforcement options, though, that are valuable to review with management when discussing the need for enhanced GXP compliance. One example comes from the Danish Medicines Agency (DKMA) which suggested to Europharma DK ApS (a repackaging firm) that the firms needs a new CEO that will appropriately deal with compliance concerns. Apparently, repeated citations of GXP deficiencies did not elicit an adequate response, so DKMA used its influence to drive accountability to the top manager in the company. It has become increasingly common for regulatory agencies to publicly communicate that senior management bears the burden for compliance.
In the US, the “Park Doctrine” has been in use for several years to ensure that top management cannot abdicate responsibility for compliance. The Park Doctrine stemmed from a court decision that declared that management responsibility did not require “awareness of wrongdoing” to be considered liable for GXP deficiencies. In effect, any individual in the company that “is in a position in a corporation with responsibility and authority to prevent or promptly correct” a GXP problem could be held individually responsible for the violative acts. Thus, individual company officers (e.g., CEO, President, Senior Vice-President, etc.) have been prosecuted successfully with fines and imprisonment imposed.
So, management must understand that they cannot abdicate any responsibility for GXP compliance to others down the line in the company. Regulatory agencies now view members of top management as the responsible party for all activities relating to GXP compliance. Helping management understand this is an important step in their “education” about GXP compliance.
Approaches for Educating Senior Management
From a practical standpoint, we are now at that point where we answer the question, “What steps can we take to educate our management about their important role and responsibility in ensuring a strong GXP compliance culture?” I believe there are 4 key steps that can help management to become fully knowledgeable and supportive of these efforts:
- Review with them the management responsibilities, benefits of compliance, and regulatory agency enforcement options discussed above – Certainly, some individuals in senior management roles, especially those new to GXP regulated operations, do not have the experience to fully grasp the challenges and responsibilities included in their roles. For these individuals, it is imperative that they be exposed in detail to these elements. Helping them to understand their personal and individual responsibility may alone be enough to elicit full and active support. For example, a newly named CEO with a background only in Sales or Marketing is suddenly given responsibility for all operational functions, may feel that expending resources for activities “behind the scenes” is less valuable to the overall firm than spending on more visible sales or marketing initiatives. However, when they realize that, like others, they could be prosecuted for a failure to ensure GXP compliance regardless of whether they were personally aware of concerns, they tend to become much more active in learning and understanding how they can avoid compliance issues. However, senior managers do not often become full supporters of GXP initiatives simply out of fear. Thus, there is more to their education needed.
- Highlight the competitive landscape regarding GXP compliance posture – Most members of senior management are highly competitive. They continuously seek competitive intelligence to learn what their peers are doing and how they must react to remain in the game. Taking advantage of their competitive nature can be beneficial with GXP compliance, as well. Help management understand what actions peer companies are taking regarding compliance activities. For example, if a peer company is implementing a new software system that will provide more rapid and accurate data trending information, share that information. If a peer company has received a 483 citation for failing to properly resource GXP-required functions, use that to help justify your needs in similar situations. By using information of competitors, especially in what is considered your company peer group, you can often educate management on the need to support initiatives that strengthen compliance.
- Demonstrate the “value” of compliance – GXP practitioners should never avoid talking about the value of compliance to the company. In fact, speaking in “dollar terms” is often the best way to help others in management understand the need. In fact, if you cannot justify any expenditure in terms of value, it is probably not needed. I believe there are three areas of value that need to be re-enforced with management:
- Cost of non-compliance – Most of us are familiar with the term “cost of poor quality.” This is useful for demonstrating overall loss for poor performance relating to product costs. However, a similar calculation is useful for demonstrating the value of a strong compliance operation. When you total all costs for non-compliance, the number can be substantial. These costs would include costs for: recalls, investigations, complaints, follow-up auditing, batch rejections for GXP failures, CAPA actions, etc. Calculate all costs associated with a failure to execute GXP compliance perfectly. This number will undoubtedly be larger than you expect and can be helpful to demonstrate the importance of a strong compliance culture.
- Direct financial impact – Many individuals underestimate the direct financial value of a strong compliance operation. Consider the value of improved product release times on inventory costs, production planning, and product supply. If you could eliminate all time associated with retesting, investigations, and compliance failures, what would the direct impact be? Or, what would be the value to a faster new product approval time? For example, if you anticipate that a new product will generate $365 Million in annual sales, each day that final approval is delayed costs you $1 Million in sales…. Per day! With that in mind, how important is it to have a pre-approval inspection occur without compliance issues? How important is the entire effort to produce a “first-time right” submission package? Determine the direct value of perfect compliance and utilize that information to educate senior management.
- Indirect financial impact – There is an opportunity impact for strong compliance. For some products, the potential market is impacted by your compliance position. The ability to do business is often strongly influenced for active pharmaceutical ingredient (API) suppliers by their current and future potential compliance position. The value of business opportunities cannot be overlooked as an element of the value of GXP compliance.
- Enforce the importance of “internal” and “external” reputation regarding GXP compliance – Finally, the impact of GXP compliance position on employees (internal), patients (external), and stakeholders (external) should not be ignored. Because so many companies have had business impacts due to poor compliance, it has now become an important recruitment tool. When you can portray a solid and respected GXP compliance position, it does help recruitment and retention of top talent. There is also certainly an impact to shareholders for the same reason. Finding a way to emphasize the fact that a company in GXP regulated industries must be considered a reliable and trusted compliance partner is another important educational tool for management.
Helping management understand the important role and responsibility of leading a GXP regulated company is a key factor to the success of that firm. Using the approaches outlined can facilitate that key educational process and instill quality compliance as a value that will not be compromised.