It's no secret that boards want more data and information from chief compliance officers. Many directors consider regulatory, governance, and compliance risks at the top of the “needs-more-attention” list. Yet communicating effectively with the board is never easy.

Directors have limited time, and compliance officers must decide what information should rise to that level of reporting. Pfizer's chief compliance officer Douglas Lankler addressed some of those difficulties at the Compliance Week 2011 conference in Washington last month.

Lankler should know. Pfizer has been involved in three separate enforcement actions over the past few years that have shaken up its compliance reporting structure and put board-level scrutiny on compliance issues. Pfizer entered into its third corporate integrity agreement in the fall of 2009, and agreed to pay $2.3 billion as part of a settlement with the Justice Department over an investigation into past off-label promotional practices. The first two compliance issues were inherited through acquisitions. The most recent enforcement action forced Pfizer to separate its compliance function from the legal division. As CCO, Lankler began reporting to the chief executive officer and joined Pfizer's executive leadership team.

Lankler now provides updates to the audit committee at every one of its monthly telephone meetings and presents for half an hour at the committee's six in-person meetings a year. He will also begin presenting at the first meeting this month of the newly established board-level regulatory and compliance committee. Establishing a “dedicated committee” is “a growing phenomenon,” especially in the healthcare industry, Lankler said.

He gave the new committee's members a thick report before walking them through certain areas of focus. “We have talked and will talk to make sure that all the committee members were on the same page about the regulatory framework within which we operate, the history of the company, how we're structured etc.,” said Lankler.

Updating the board on the compliance matters from the ongoing government investigations is one of Lankler's most important tasks, he said. It requires working closely with general counsel to prepare a joint presentation and he is careful to put the emphasis on what is important, given the time constraints of board meetings. “To make sure that we give people a sense of where we are in the process, we have a tracking chart,” he said. “To the chagrin of our litigators, we put a red, yellow, or green dot next to each line. Otherwise, it just doesn't matter to them; it's just a long list. That red-yellow-green approach allows us to direct the conversation in a way that makes sense.” Whenever Lankler adds to or subtracts from the tracking chart, the change and its cause are highlighted in a memo to the board.

In addition to the monthly reviews, Lankler submits an “annual compliance assessment report” of around 30 pages, including plenty of graphs and charts, to the board. In big, black letters with boxes around them, he offers his conclusions about what he sees as the most significant risks, whether the program has sufficient resources to achieve what is necessary in combating them, his view on the health of the organization from a compliance standpoint, and his perception of management's commitment around these things. “Not surprisingly, these are typically very positive statements,” he said. The fact that management knows he does this report incentivizes good behavior.

The biggest lessons that Lankler learned about what the CCO should tell the board are (1) to review the minutes carefully, (2) to share information with the rest of management in advance (or, as Pfizer calls it, to “socialize” the information), (3) to ensure that there will be no surprises, and (4) to prepare in advance with general counsel, outside counsel, and the external auditor.

What to Measure

The board is very concerned about how the company is measuring improvements in the compliance function. Lankler measures compliance efforts in terms of how well inspections go during internal monitoring and auditing—for example, whether countries are rated “generally satisfactory” instead of just “satisfactory” on FCPA. “I will tell you unequivocally, the way I get measured is by how much bad stuff I prevent from happening,” he said. That's why he presents the board with “external environment considerations,” which assess what is happening in the industry and compliance issues that peers are facing. “If it's happening to one of our competitors, I want my bosses to know,” said Lankler.

“I tell my CEO that I need to be measured based on the number of non-events that happened,” said Lankler. “In terms of a global security report, I tell him, ‘If our building didn't blow up today, I get credit.’ Or if we get through a quarter where we don't get a new whistleblower case or a subpoena. It's a crude measurement, but that really is what's important to him as a businessman.”

Pfizer Chief Compliance Officer Douglas Lankler spoke to CW 2011 attendees about how best to communicate with the board.

Asked to explain risk review versus internal audit reports, Lankler distinguished between auditing and monitoring, despite some overlap. “One reason that Pfizer had problems that led to us paying $2.3 billion dollars is that we were absolutely fantastic at auditing—going back afterward and checking to see whether there were problems or not—and not as good at monitoring—watching things as they happen on a day-to-day basis, checking them against data searches.” For example, he said Pfizer likes to search within sales representatives' e-mails for certain keywords to see if they're talking about things that could create a problem for the company. Or, they take a close look at fluctuations in sales figures, including positive ones: why did Texas, for example, jump through the roof on a product when no other state did?

If a problem is not detected early on, it spreads very quickly, Lankler said. “If you're not on top of it, then the amount of dollars that come into the organization that could be as a result of improper practices—that nobody even knows are improper because of the complexities of things—was the big learning point for us,” he said.

That's why Lankler put special focus on his program for compliance risk management, noting that “chief risk officer” had just been added to his title—“Just because there's got to be a way to take everything that's negative and bad and stuff it under one guy.” He said he wanted to use this as an opportunity to tell committee members about the organization's primary compliance risks, which include the Foreign Corrupt Practices Act, the new U.K. Bribery Act, anti-corruption in general, the industry-specific Food and Drug Cosmetics Act, which regulates how products are promoted, in addition to the other Food and Drug Administration rules.