Regulatory Compliance Health Check

Regulatory Compliance Health Check Survey Results September

Index:
1.0 About This Survey
2.0 Process Maturity:
2.1 High Level Analysis
2.2 Comparing Industry Sectors
2.3 What Do the Scores Mean?
3.0 Product Regulatory Risk Management for Manufacturers
4.0 Risk:
4.1 High Level Analysis
4.2 Comparing Industry Sectors
4.3 What Do the Scores Mean?
5.0 Sample Actions to Improve Your Compliance Processes
6.0 The Challenge of the Regulatory Avalanche
7.0 What's Next?
8.0 About Compliance & Risks

1.0 About This Survey

The Regulatory Compliance Health Check Survey was carried out by Compliance & Risks to allow companies to benchmark the maturity of their regulatory compliance and risk processes against the industry average, as well as to gain an insight into averages across varying industries.

Questions were asked to establish how each organization:
discovers regulatory developments
analyses regulatory developments
communicates regulatory developments
implements regulatory developments

135 companies responded from a range of industries as seen in the chart below:

The answers provided allow an analysis using an adaptation of the Capability Maturity Model (CMM), which assesses process capability. This approach originates in the software industry, but has broad applicability. The term "maturity" relates to the degree of formality and optimization of a process, from ad-hoc practices through to active monitoring and optimization of the process.

In order to gain insights, we have broken the regulatory compliance process down into its four main elements (corresponding to the four bars in each chart on the following pages), namely:

Discovery: This is how your organization finds out about developments in regulatory requirements. It could be by means of newsletters, bulletins, attending conferences, standards committees or other events, or via a structured information service or database.

Analysis: This refers to how a piece of regulatory content is assessed for its impact on your organization or its products.

Communication: How the outcome of the analysis is communicated to those who need to know the information. Having the right information, at the right time and in the right format are key here.

Compliance Actions: If regulatory development requires something to be done, how is this managed? Is there a closed loop and traceability to ensure actions follow in a timely manner?

2.1 Process Maturity - High Level Analysis

The chart below shows scores for each of the four regulatory process stages for each of the respondent industry sectors. Only 5 companies reported one or more elements of their process at level 5 (Regularly Updated).

Self-reported scores tend to be slightly higher for implementation of compliance actions than for the process of finding, analyzing and communicating the regulatory developments. This raises the question of whether the right things are being done, as there appears to be lower capability maturity in the process to find and analyze regulations.

Based on our sample size, some sectors show a relative weakness in a particular process stage, such as Implementation (compliance actions) for Industrial, Agricultural Machinery companies and Discovery for Consumer Electronics, Healthcare and Apparel industries. (Note: Some sectors omitted due to insufficient sample size.)

2.2 Process Maturity - Comparing Industry Sectors

Combining the four process stages to give an overall Regulatory Management Process score for each sector reveals a variation in process capability between industry sectors. It is noteworthy that, on average, only one sector reaches level 4: Audited, and sectors are well below achieving a process that they would regard as responsive (corresponding to level 5: Regularly Updated).

2.3 Process Maturity - What Do the Scores Mean?

Answers to the questions in our survey broadly correspond to the 5 levels of maturity in the CMM model for each of the process stages. Scoring is on a scale of 1-5:

Score 1-2: Informal unwritten
What does this look like? Processes are informal / unwritten. Much activity will be ad-hoc.
Potential downsides: Outcomes and risk exposure unknown, tend to be very short-term focused, regular surprises, unnecessary costs.
Opportunities: Small improvements will bring noticeable results.

Score 2-3: Formal written
What does this look like? Processes are mostly formal / written. A start has been made on controlling the process, outcomes and risk, but results are unpredictable, and risk exposure is unmeasured.
Potential downsides: Having process documents can lead to a false sense of security. They may not be followed, and unpredictability may result.
Opportunities: Being at this stage should mean there is buy-in to the principle of process documentation. It is a basis to ensure they are followed.

Score 3-4: Adhered to
What does this look like? Written processes are in place, and mostly followed.
Potential downsides: Good processes need to keep up with the times, creeping changes may mean new needs are not being met.
Opportunities: This is a great place to be in order to start validating that the desired process results are being achieved.

Score 4-5: Audited
What does this look like? Process is controlled and predictable, until demands and circumstances change.
Potential downsides: Audits can ignore the needs of your organization and merely become a box-checking exercise.
Opportunities: Use audits as an opportunity to validate process, to ensure that it's keeping up with changing needs. This will help progress to level 5.

Score 5: Regularly updated
What does this look like? Responsive process in place and organization's changing needs are being met.
Potential downsides: Keep it up, don't let complacency set in!
Opportunities: Apply metrics to ensure resources are made available to meet ongoing needs.

Scoring below average in a specific process stage can mean increased likelihood of...

Discovery: Surprises can be expensive and disruptive. Effort and resources will be spent reactively rather than planning and streamlining. Good discovery means staying ahead of developments, looking 2-3 years or more ahead.

Analysis: This can mean that those in your organization needing specific regulatory information are dealing with irrelevant or low-priority information. This can lead to duplication of effort and/or inadequate targeting of information.

Communication: Delays to new product releases and recalls are all too common. Reputations and bottom lines are damaged when those acting on regulatory updates don't have the information to hand at the time and point of application.

Compliance Actions: All work done in discovery, analysis and communication can be nullified if there is no follow-through. Action in development programs needs to be as early in development as possible. All the other downsides on the left can still happen without appropriate action following it up.

3.0 Product Regulatory Risk Management for Manufacturers

Risk in the context of product compliance involves recognizing that there are constant developments in regulations and standards worldwide that present a degree of unforeseeable impact on the company's ability to sell its products. This risk must be recognized and managed by all companies manufacturing and selling products.

Responsibility for management of risk, including product compliance risk, ultimately belongs to an organization's board of directors. Where there is a lack of clarity that the board owns that risk, it can lead to many of the issues experienced by companies that struggle to meet their basic compliance obligations, with the inherent downsides that entails.

Risk reporting to the board, even in product companies, often omits any reference to product compliance risk. Product compliance is about ensuring access to the company's markets, and yet this is often absent from the board's considerations.

Where there is a disconnect between the board's ownership of risk and the operational functions of the organization, the effect can be similar: it often results in under-resourcing and lack of prioritization of market access functions.

Where risk management is happening at operational level, there will be tools and methods employed to manage risk.

The survey questions relating to risk were designed to gain insight into these three factors:
clarity of responsibility at board level
acceptance of that responsibility by incorporating appropriate risk management practices into company policies and processes
looking at the example of risk rating of regulatory developments as representative of the use of tools and innovation

4.1 Risk - High Level Analysis

It is worth noting that in almost every sector, ownership of risk scores highest, whilst scores for the working out of that ownership throughout the organization are lower.

From the companies surveyed, it's also interesting to note that Aerospace, Technology Hardware, and Industrial sectors score towards the lower end of the scale when it comes to risk capability.

Only seven companies from the total number who participated in the survey had no risk scoring system in place.

4.2 Risk - Comparing Industry Sectors

Unsurprisingly, Health Care Equipment scores highest when it comes to risk ownership management and processes amongst manufacturers. What might be more surprising to readers is that Household Appliances comes in second place. As we work with companies in this sector quite intensively, we at Compliance & Risks are aware of how competitive the sector is. Organization and anticipation of regulatory developments is a strategic enabler.

4.3 Risk - What Do the Scores Mean?

Q1: Is responsibility for product regulatory risk at the top of the organization defined and understood?

Score: What does this look like?
5: Clearly defined and understood by all - responsibility at, or near board level is clear and informs strategy. Seen as sector leader due to coordination of corporate knowledge and resources.
4: Responsibility is implied - ownership is defined, but not necessarily widely understood.

Outcomes - High-End Ratings: Timely international product launches and market penetration. Good integration of R&D and international sales organization into market access program. Prioritized resourcing of market access function. Predictable cost of compliance and low cost of non-compliance.

3: Diffused responsibility - divided between general management, but not clearly defined.
2: A little - those at operational level do their best to manage risk.
1: No one has that responsibility.

Outcomes - Low-End Ratings: Lack of understanding at top of the organization of importance of market access function, and the constant increase in regulatory burden. Difficulties in obtaining resources for product compliance and market access activities. Lack of coordination with other business activities. Duplication and gaps in effort in, and between business units. Large variations in performance between projects, business units, territories. Compliance viewed as a cost centre rather than business enabler.

Q2: Is product regulatory risk management and mitigation systematically incorporated in business processes?

Is prioritization of regulatory developments on the basis of risk assessment a consistent part of the normal operation of the organization? In other words, is it embedded in SOPs and product development processes?

Score: What does this look like?
5: Cutting edge / Ongoing review - As below, plus system is looking forward at the regulatory horizon, i.e. 2 years ahead. Proactive.
4: Comprehensive - As below, plus risk approach consistent and quantifiable across markets/products.

Outcomes - High-End Ratings: Predictable product development project durations. Early incorporation of forward looking regulatory developments into product design. Product exhibits leading-edge technology and environmental performance.

3: Mostly in place - for important markets/products.
2: Partially - Exists for some markets/activities/products. Mostly understood, not necessarily systematically or consistently.
1: Does not exist, or ad hoc, reactive, firefighting.

Outcomes - Low-End Ratings: Low predictability in product development projects. Late, expensive modifications needed before release. Delayed product release. Market access difficulties for new products and shortened product life-span significantly impacting profitability.

Q3: Is there a structured approach to regulatory risk rating in place? For example, using a market and/or subject matter weighted risk scoring scheme.

Is regulatory activity risk prioritized? For example, on the basis of the importance of the market to your organisation and/or prioritized on the basis of product safety rather than other subjects? This is a developing area, being enabled by modern data systems assisting manual risk rating or providing automated or partially-automated risk rating.

Score: What does this look like?
5: Cutting edge / Ongoing review - As below, plus system is looking forward at the regulatory horizon, i.e. 2 years ahead. Proactive.
4: Comprehensive - As below, plus risk approach consistent and quantifiable across markets/products.

Outcomes - High-End Ratings: Good allocation of resources, regulatory growth trends identified, resources allocated appropriately and in timely manner. Rare firefighting, work can be planned and measured. Good metrics / Key Performance Indicators.

3: Mostly in place - for important markets/products.
2: Partially - Exists for some markets/activities/products. Mostly understood, not necessarily systematically or consistently.
1: Does not exist, or ad hoc, reactive, firefighting.

Outcomes - Low-End Ratings: Risk of uneven, poor allocation of compliance resources. Loudest (or most senior) voice gets the resources. Important regulatory developments not prioritized, time and effort often spent on wrong things. Lack of responsiveness to trends such as growth of regulations in particular parts of the world.

5.0 Sample Actions to Improve Your Compliance Processes

Scores below the industry average in any of the process stages, or significant differences in capability scores between process stages, point to an area of risk exposure and an opportunity to improve.

In addressing the kind of issues raised by this survey it is important to get to the root cause in each case. In doing this it is helpful to ask the "why?" questions. For example;

6.0 The Challenge of the Regulatory Avalanche

With the constant growth of the regulatory avalanche, existing resources often can no longer keep up. Established ways of managing regulatory requirements continue to be stretched due to the increasing volume of regulations worldwide. The chart below shows new regulations since 2003 under seven of the main subject areas impacting products.

Chart: C2P: Global Regulations by Subject
Note: Subject totals are greater than region totals (see chart on pg 16) because certain regulations impact more than one subject.

Discovery in particular can be stretched by growing regulatory activity in regions where historically there was little regulation, e.g. Asia and Latin America. Lack of familiarity with the market or people on the ground is compounded by language issues. This makes Discovery, Analysis and Communication more difficult than was previously the case.

Chart (page 16 of 18): C2P: Global Regulations by Region.

7.0 What's Next?

Do you have trouble justifying expenditure on compliance resources? Are you unsure if there are gaps in your coverage? Worried about duplication of effort? Are you trying to move to a more strategic approach to compliance?

Compliance & Risks offers a Regulatory Process Consulting service that helps companies address their resource and process challenges. Through our holistic approach we work with you and your staff to identify areas of high-risk and help you to make the business case for resource allocation.

8.0 About Compliance & Risks

Established in 2002, Compliance & Risks helps manufacturers, retailers and their supply chain partners monitor and manage requirements, regulations and standards for a cleaner, safer and better world. It creates business advantage for clients by providing reliable legislative information, insights and actions through C2P, its knowledge management platform, consulting, market access, managed services and other solutions. The company is recognized as the end-to-end global regulatory solutions provider across the technology, consumer goods and retail, industrial goods and life sciences sectors. Headquartered in Cork, they also have offices in Brussels, California, London and New York.

For more information, please visit

Important Notice: All information provided by Compliance and Risks Limited and its contributing researchers in this report is provided for strategic and informational purposes only and should not be construed as company specific legal compliance advice or counsel. Compliance & Risks Limited makes no representation whatsoever about the suitability of the information and services contained herein for resolving any question of law. Compliance and Risks Limited does not provide any legal services.

Compliance & Risks Limited. All rights reserved.