Q. How has information technology (IT) dealt with regulatory issues (e.g., Sarbanes-Oxley, the Health Insurance Portability
and Accountability Act, 21 CFR Part 11, etc.)?
Regulations such as 21 CFR Part 11 have been well understood (and implemented) by the industry for several years. However, for the first time, the life
sciences industry is feeling the need to manage regulatory compliance across regulations on a risk-based approach. Often,
there is one officer in the company who is charged with regulatory compliance, and this officer is keenly interested in mitigating
risk proactively in a unified governance framework for the company.
The cost of noncompliance has become almost unfathomable in the pharmaceutical industry. Companies that are affected by noncompliance
(be it a SOX [Sarbanes-Oxley] associated restatement or an FDA consent decree) suffer far beyond the superficial commercial
aspects. Corporate culture, leadership, confidence in management, and even the capability to recruit and maintain talent
are severely challenged. As a result, chief regulatory officers in the life sciences industry are at a very strategic helm,
and their direct relevance to business continuity and growth is becoming well understood by boards of directors and investors.
Q. Which regulatory requirements are the most challenging and why?
For each company, a given regulation could impose challenges that are particularly difficult within their specific business.
Sarbanes-Oxley provides great challenges because the extent to which companies interpret and implement regulatory compliance
is sometimes subjective. As a result, companies usually go overboard in an attempt to remove regulatory risk altogether. On
the other hand, with regulations such as 21 CFR Part 11 and the like, the scope is well understood, but the challenge with these initiatives is the cost of validation. Often
the cost and complexity of validation are extremely high, enough to thwart continuous improvement initiatives.
Q. What industry (outside life sciences) that you know of has a good handle on dealing with regulatory compliance, and why?
Financial services firms, by the nature of their business, have incorporated risk-based strategies in their regulatory compliance
initiatives for years. This makes them extremely resilient to sporadic noncompliance, changing regulations, changing market
conditions, and changing customer requirements.
Q. How creative can software makers be when providing compliance solutions? Is there room for 'out-of-the-box' thinking?
Compliance is always a combination of process documentation and recording of deviations (potential or real) from such processes.
Scientifically speaking, unless all processes can be standardized across the industry, it would be impossible for any company
to develop an out-of-the-box compliance solution. However, there are some process areas that are reasonably standard in the
life sciences industry, and we are working toward some prebuilt compliance tools for some standard business processes and
Q. Do you have any comments on regulatory requirements outside the United States?
Local regulations (or "localizations") are the cost of doing business globally. In today's economy, this is a need that cannot
be ignored. We, at Oracle, have seen a trend toward incorporating local financial regulations in shared service transaction
Q. Do you foresee unified global regulatory requirements?
To some extent, there already are unified world regulatory requirements. Market-leading regulatory bodies, such as FDA and
the USDA, assume leadership roles in implementing worldwide regulations. Their regulations are immediately adopted with little
or no variation by regulatory bodies in other countries. Often individual countries might adopt a superset of FDA regulations
by combining FDA regulations with country-specific codes developed by their regulatory bodies. The cost of not doing business
with the US is so great that we believe that bodies such as FDA and USDA truly have a global impact.