Research Compliance Risk Assessments - Huron Consulting Group
<strong>Research</strong> <strong>Compliance</strong> <strong>Risk</strong> <strong>Assessments</strong>-<br />
Using the <strong>Risk</strong> Assessment to Build a Workplan<br />
July 18, 2012<br />
<strong>Huron</strong> Life Sciences Summer Webinar<br />
Series
About Our Speakers<br />
Leah Guidry<br />
Managing Director<br />
<strong>Huron</strong> <strong>Consulting</strong> <strong>Group</strong><br />
202-585-6845<br />
lguidry@huronconsultinggroup.com<br />
Leah has over 20 years of experience working with healthcare systems, hospitals, academic medical centers, and<br />
physician groups. She advises clients on the development and enhancement of corporate compliance programs,<br />
resolving complex compliance issues, and assisting with government disclosure determinations and investigations.<br />
Kris West<br />
Associate Vice President and Director<br />
Office of <strong>Research</strong> <strong>Compliance</strong><br />
Senior Associate General Counsel, Office of General Counsel<br />
Emory University<br />
404-727-2398<br />
kwest02@emory.edu<br />
Kris provides guidance on regulatory requirements for research involving human and animal subjects, as well as basic<br />
research. She works closely with committees that provide regulatory oversight, including the Institutional Review Board,<br />
Institutional Animal Care and Use Committee and Institutional Biosafety Committee. She serves as Emory’s <strong>Research</strong><br />
Integrity Officer and Privacy Officer for matters concerning clinical research. Ms. West has a J.D. degree from Mercer<br />
University and an M.S. in drug regulatory affairs from the University of Florida. Ms. West is a frequent speaker for the Health<br />
Care <strong>Compliance</strong> Association (HCCA), and regularly participates as an instructor for HCCA’s <strong>Research</strong> <strong>Compliance</strong><br />
Academies.<br />
Polling Question #1: Does your institution have<br />
a separate research compliance department?<br />
• 99 responses<br />
• Yes – 57%<br />
• No, and research compliance is part of the healthcare compliance<br />
department – 26%<br />
• No, and research compliance is not part of the healthcare<br />
compliance department – 13%<br />
• Don’t know – 4%<br />
© 2012 <strong>Huron</strong> <strong>Consulting</strong> <strong>Group</strong>. All rights reserved. Proprietary & Confidential.<br />
<strong>Research</strong> <strong>Compliance</strong> <strong>Risk</strong> <strong>Assessments</strong><br />
AGENDA<br />
• Overview of risk assessments as a precursor to the<br />
compliance workplan<br />
• Similarities and differences between research risk<br />
assessments (and research compliance programs) and<br />
general healthcare risk assessments (and general<br />
healthcare compliance programs)<br />
• Internal and external data points<br />
• Determining priorities<br />
• Options for conducting risk assessments<br />
Overview
OVERVIEW<br />
• <strong>Risk</strong> Assessment – what is it?<br />
• <strong>Risk</strong> assessment is the determination of quantitative or qualitative<br />
value of risk related to a concrete situation and a recognized threat<br />
(also called hazard). Quantitative risk assessment requires<br />
calculations of two components of risk: the magnitude of the<br />
potential loss, and the probability that the loss will occur.*<br />
• Qualitative aspects of the risk assessment are defined by the<br />
institution based on its needs, areas of focus, tolerance for risk, etc.<br />
* Wikipedia<br />
OVERVIEW<br />
• <strong>Risk</strong> Assessment – why do it?<br />
• Thoughtful, methodical approach to resource management<br />
• Enables wise and defensible approach to resource planning<br />
• Expected by OIG and US Sentencing Commission<br />
• Organizes and prioritizes the work flow<br />
Polling Question #2: Does your institution<br />
conduct an annual risk assessment?<br />
• 91 responses<br />
• Yes – 58%<br />
• No – 42%<br />
Similarities and Differences
SIMILARITIES AND DIFFERENCES<br />
• Program Similarities<br />
• 7 elements<br />
• <strong>Risk</strong> Assessment Similarities<br />
• Same or similar processes used for healthcare compliance risk<br />
assessments can be used for research risk assessments<br />
SIMILARITIES AND DIFFERENCES<br />
• Program Differences<br />
• Regulatory structure is greater and requires more, and more varied, knowledge<br />
• Potential for greater specialization (IRB, IACUC, CRB, etc.)<br />
• <strong>Risk</strong> Assessment Differences<br />
• Some areas of <strong>Research</strong> carry significantly more risk than general<br />
healthcare<br />
– Bio-medical research using unapproved drugs/devices is inherently risky in<br />
that care delivered to human subjects has not been proven safe and effective<br />
– Need to provide enhanced protections as a result<br />
• Informed consent<br />
• Institutional Review Boards<br />
• <strong>Research</strong> Protection Programs (AAHRPP accreditation = gold star)<br />
<strong>Research</strong>: What are the <strong>Risk</strong>s?<br />
HIGHLY REGULATED ENVIRONMENT<br />
For most research, there are multiple HHS agencies/offices that may have separate regulatory<br />
and policy requirements related to conducting clinical research. <strong>Compliance</strong> with all of these<br />
different requirements requires a strong research support infrastructure and educated research<br />
community.<br />
Department of Health and Human Services (DHHS)<br />
• Office for Human <strong>Research</strong> Protections (OHRP)<br />
• Office of the Inspector General (OIG)<br />
• The Centers for Medicare and Medicaid Services (CMS)<br />
• National Institutes of Health (NIH)<br />
• The Food and Drug Administration (FDA)<br />
• Office of <strong>Research</strong> Integrity (ORI)<br />
• Office for Civil Rights (OCR)<br />
Chart legend: Agencies that oversee research*; Agencies that oversee healthcare and research<br />
*In addition, non-HHS research sponsors may impose requirements, e.g., VA, DOD, EPA.<br />
Internal and External Data Points
INTERNAL AND EXTERNAL DATA POINTS<br />
• External<br />
• OIG Work Plan<br />
• Enforcement History<br />
• Internal<br />
• Previous experience with external drivers<br />
• Previous experience with internal issues not identified in the<br />
external drivers<br />
• Issues remaining from prior work plans<br />
HOW TO USE THE WORK PLAN IN COMPLIANCE AND INTERNAL AUDIT PROGRAMS<br />
• OIG Work Plan<br />
– Assess the Work Plan through institutional lens<br />
• Identify all areas in the OIG Work Plan that the institution is involved in<br />
• What is the awareness in the institution of the compliance and internal<br />
controls in these areas?<br />
• Determine the level of risk for that area in the institution<br />
• Prioritize the area to determine if it needs to be on the institution’s work<br />
plan<br />
HOW TO USE THE WORK PLAN IN COMPLIANCE AND INTERNAL AUDIT PROGRAMS<br />
• Government Enforcement history and trending<br />
– Review the trends of government enforcement<br />
• First, monitor the government’s enforcement trends<br />
• Assess those trends for applicability to your services<br />
– Identify areas that apply to the institution and assess their relevance<br />
• Similar to the OIG Work Plan slide, assess the awareness in the<br />
institution of the compliance and internal controls in these areas<br />
• Determine the level of risk for that area in the institution<br />
• Prioritize the area to determine if it needs to be on the institution’s work<br />
plan<br />
HOW TO USE THE WORK PLAN IN COMPLIANCE AND INTERNAL AUDIT PROGRAMS<br />
• Previous institutional experience<br />
– Review of previous year’s external inspections/reviews<br />
– Review of previous year’s compliance and internal audit work plans<br />
• Are there areas that were not addressed?<br />
• Are there areas that were not addressed adequately?<br />
• Are there areas that remain unresolved?<br />
– Assessment of Current State<br />
• What issues have arisen that were not on the work plan?<br />
» Have these issues been adequately addressed?<br />
HOW TO USE THE WORK PLAN IN COMPLIANCE AND INTERNAL AUDIT PROGRAMS<br />
Emory Approach to <strong>Research</strong> <strong>Risk</strong> <strong>Assessments</strong>: Setting up<br />
the Governance<br />
• Impetus for a New Approach – Merging of the healthcare<br />
and university audit and compliance committees<br />
• Revise charters to encompass new roles/responsibilities<br />
• Division of the “compliance universe” into 3 broad<br />
domains: Healthcare, <strong>Research</strong>, Other<br />
Pre-<strong>Risk</strong> Assessment: Who’s doing what?<br />
• So many laws, so many units – determining who has<br />
responsibility for compliance with major regulatory<br />
requirements<br />
• Develop a grid listing major regulatory requirements<br />
• Add units that currently have compliance responsibilities<br />
• Helps in gap-spotting<br />
Who’s in the <strong>Compliance</strong> Universe?<br />
• Formation of comprehensive compliance coordinating<br />
committee with point person for each domain: Healthcare,<br />
<strong>Research</strong>, Other<br />
• Point person is responsible for organizing units within<br />
each domain and engaging them in risk assessment<br />
process<br />
Drilling Down<br />
SELECTING A RISK ASSESSMENT TOOL AND APPLYING IT<br />
• <strong>Research</strong> covers a big waterfront<br />
• Need to coordinate players within all research compliance units –<br />
IRB, IACUC, OSP, IHBC, COI<br />
• Development of research compliance liaison committee<br />
• Getting buy-in on selection of tool<br />
• Lots of products out there<br />
• Everyone wants their own tool<br />
• Training on use of tool<br />
• Reviewing the results and coming up with the compliance<br />
plan<br />
Developing a Plan and<br />
Determining Priorities
DEVELOPING A PLAN AND DETERMINING PRIORITIES<br />
• Developing a Plan:<br />
• Define the scope of the risk assessment<br />
– Based on departmental jurisdiction<br />
– Based on areas of institutional research<br />
– Limited to regulatory areas (ex., OHRP, ORI, OIG, etc.)<br />
• Determine the approach for assessing risk<br />
– Data Analysis<br />
– Review of Prior Work Plans and Current State<br />
– Interviews (Individual or <strong>Group</strong>)<br />
– All of the above<br />
• Determine the methodology<br />
– Determine whether to conduct the assessment internally, outsource or<br />
some hybrid<br />
• Resource – internal, external, hybrid<br />
Polling Question #3: What resources are used<br />
for risk assessments?<br />
• 100 responses<br />
• Solely internal – 23%<br />
• Solely external – 2%<br />
• Combination of both – 47%<br />
• Don’t know – 28%<br />
DEVELOPING A PLAN AND DETERMINING PRIORITIES<br />
• Determining Priorities<br />
• Use a methodology that assesses the quantitative risk of each<br />
identified risk area<br />
• Sample methodology used by <strong>Huron</strong><br />
– Impact<br />
• Reputation<br />
• Financial<br />
• Legal<br />
– Vulnerability<br />
• Probability<br />
• Detectability<br />
– Internal Controls<br />
DEVELOPING A PLAN AND DETERMINING PRIORITIES<br />
• Work Plan Development<br />
• Outline all of the risk areas<br />
• Honestly assess the bandwidth and expertise of the department to<br />
handle the risk areas identified<br />
• Always leave room for unanticipated issues<br />
• Hire what you don’t have in-house<br />
• Determine what the work plan tasks need to be<br />
– Audit, process analysis, policy and procedure review<br />
• Assign timeframes and staff to assess<br />
• Make assignments<br />
Questions?<br />
Kris West<br />
AVP & Director Office of <strong>Research</strong><br />
<strong>Compliance</strong>, Emory University<br />
kwest02@emory.edu<br />
404.727.2398<br />
Leah Guidry<br />
Managing Director<br />
<strong>Huron</strong> <strong>Consulting</strong> <strong>Group</strong><br />
lguidry@huronconsultinggroup.com<br />
202.250.4679<br />