How to Shift from Reactive Compliance to Strategic Quality Management

Published on: 
BioPharm International, BioPharm International-07-01-2009, Volume 22, Issue 7
Pages: 40–45

A culture of quality that emphasizes business objectives, risk management, and the informed application of technology can improve compliance.

There is virtually no activity conducted by biotech companies that is not currently monitored for compliance. Requirements in the form of good laboratory practices (GLPs), good clinical practices (GCPs), and good manufacturing practices (GMPs) affect nearly every aspect of the discovery, development, clinical testing, manufacturing, labeling, marketing, and distribution of products. And product development oversight will likely become more, rather than less, intense in the future.

Michael Breggar

Such regulation can be doubly expensive. On one hand, you must shoulder regulation's direct costs: those incurred to develop and maintain compliance programs and rectify cited failures. On the other hand, in the event of citations, you must endure the business costs that accrue from not achieving compliance: delayed approvals; missed market opportunities; product liability; expensive remediation; and potential loss of product, market share, and credibility.

But does compliance have to be as costly as most companies believe?

Consider that compliance, by definition, is reactive. It implies a response to something—a rule or requirement. As a result, the compliance management strategies of most life sciences companies are fundamentally reactive. They focus on whatever issues arise and the companies often face the same issues year after year. A few companies, however, take a more proactive approach. They learn from regulatory experiences and aim their compliance efforts at preventing problems, thereby achieving savings in both direct and business costs. The top performing organizations, however, take a more strategic approach. Instead of treating compliance as a cost of doing business, they extract the business value from regulatory and quality imperatives, and move from a culture of compliance, whether reactive or proactive, to a culture of strategic quality management.

The dimensions of quality—not compliance—must be the focus of a strategically oriented company. Such strategic quality management is no more expensive than a reactive wait-and-fix strategy, or a proactive plan-and-prevent approach. In fact, by evolving compliance into regulated quality, companies can achieve lower overall quality assurance costs, enormous time savings, fewer compliance problems, and a stronger alliance with regulatory authorities.


Moving fast from reactive to proactive compliance, and then to genuinely strategic quality management, is a communication and relationship challenge. Business processes throughout the organization must emphasize the forging of partnerships throughout the organization. Departments understand their interrelationships and work together to leverage technical and business tools jointly (Figure 1). The overall objective is to first identify and then add value to regulatory work practices by combining traditional compliance procedures with breakthrough business methodologies.

Figure 1. A quality systems hierarchy

GMP Process Audits


Companies with strong, strategic approaches to quality use a variety of distinctive work practices and methodologies. Some, for example, regularly perform GMP process audits that help them quantify levels of risk should compliance goals not be met. Such auditing also helps companies strategically focus their quality assurance (QA) dollars on areas that most require adjustment, or where savings likely will be most significant, instead of the much more costly approach of waiting until problems occur.

Enterprise Risk Assessments

Some companies are using the newly in-vogue enterprise risk assessments (ERAs) to identify and prioritize quality risk and then draft a mitigation plan. These ERAs raise awareness of the nature of quality management and facilitate analysis of the business value of the quality function.

To build flexibility into compliance-budgeting activities, a few companies use a "work breakdown structure" that helps them "predefine" what has to be done and what costs are involved. Operating budgets can then be structured to portray accurately where the company is positioned currently with respect to GMP compliance. This can be accomplished by considering baseline costs, factoring in acceptable industry tolerances, and then developing alternative model projections. It is then possible to track actual figures and compare them to projections. Other companies rely on trend analyses to understand the financial impact of reaching key business goals. These analyses typically consist of industry best practices, historical data, and interpolation of economic trends into financial projection models. Both of these elements are typically incorporated into ERAs.


Virtually all companies can increase compliance levels and improve overall quality management through benchmarking. By helping to identify, adopt, and deploy the best practices of diverse life sciences organizations, as well as best internal practices, benchmarking programs make it possible for companies to develop individualized best manufacturing practices.

One specific process—quality management benchmarking—can help companies analyze the costs and risks associated with reaching best-practice compliance. Quality management benchmarking provides a clear view of inter-departmental connectivity, so it helps QA and executive management implement processes and technologies that support an integrated, strategic approach to quality. Quality benchmarking also can help forge links between those responsible for the financial health of the company and those responsible for the quality of products produced.

Quality management benchmarking seeks to answer two important questions. The first question is: Is the compliance effort harmonized across regulatory standards in the markets for the company's products, such as the US, EU, Japan, and China?

Despite the ultimate stringency of regulation, most drug regulations are subject to interpretation. Yet many companies take the gray ink of regulations as the indelible black ink of dogma. They will therefore develop one set of standard operating procedures (SOPs) for their US sites, another set of SOPs for their European sites, and another for Japan. But it is far more efficient and cost-effective to develop and maintain one overarching set of SOPs that harmonizes requirements across all three markets with a sub-set of SOPs that covers any absolutely clear differences.

The second question is: How do specific compliance practices within departments compare with other departments in the same company; other sites in the same company; the competition; other relevant industries in the global marketplace; and other companies in nonrelated industries but with some similar business processes?

If different departments in the same company—such as R&D, manufacturing, and pharmacovigilance—are handling similar compliance matters differently, then compliance can't be managed effectively. Benchmarking across departments enables the enterprise-wide alignment of these activities. For example, information technology is pervasive in biotech companies. Data should be standardized across departments and computer system validation should be consistent.

Sometimes, different sites dedicated to different therapeutic areas in a company will use different SOPs for compliance. This situation is often encountered following mergers and acquisitions. Here, too, benchmarking across sites can uncover opportunities for consistent and strategic management of compliance.

Benchmarking against other biotech companies is difficult because the cultural, people-driven components of various companies differ widely and are difficult to replicate. Although such benchmarking may not enable emulation, it can provide a window into successful business practices. Biotech, despite a plethora of things that make it different from small-molecule pharmaceuticals and other businesses, is still, after all, a business. And many business practices translate well from industry to industry.

For example, consider biotech as a knowledge-based business. Although the end-product is a biologically-derived compound, the research leading up to the development, data in the clinical trials and subsequent applications, information highly relevant to drug safety, and so on, is ... well, information. Successful businesses "tag" this information with certain actions (such as proactively passing it to a colleague, to R&D, to medical affairs or legal, or even to certain parts of manufacturing). This tagging enables a knowledge lifecycle and actually enhances the knowledge by further enabling a state of proactive collaboration. Information has thus been transformed from a static to a dynamic state and becomes a business asset.

Benchmarking against other relevant global industries, such as small-molecule pharmaceuticals or medical devices, can provide additional insights into best practices in regulated industries. Benchmarking against unrelated industries with similar business processes, like oil and gas or automotive, can provide insight into the management of protracted, expensive R&D, or quality programs.

A quality management benchmarking program must begin with the establishment of metrics that help quantify program success and provide a basis for re-assessment. The same metrics also may help QA executives establish cost-bases or estimates to improve their overall quality program. In the process of establishing these metrics, companies must be able to recognize their most critical compliance issues. Do they trend more in the R&D side as opposed to manufacturing, product delivery, or even within QA itself? Also, how is quality currently measured? The most compliance-focused (reactive) companies, for example, often use GMPs as their primary, and even sole measure of quality. Finally, the development of quality metrics helps companies determine cost-reduction "actuals" before implementing complex information systems.


QA departments can do a number of things to help create a culture of quality, instead of reactive compliance. These include:

Use enterprise risk assessment to uncover potential vulnerability to regulations. Most companies perform annual GMP audits, but few companies simultaneously examine the costs associated with fixing the identified deficiencies. Even fewer extend the data to consider the enterprise-wide risks and costs associated with those deficiencies.

Consistently seek to improve inter-department communications. This can include, for example, enhancing operating procedures, reducing documentation review time, training, and auditing. Auditing helps identify gaps between the procedure and the actual or desired business process. Training and amended SOPs can bridge these gaps effectively if the review or release process encourages authors to make enhancements.

Eliminate (not just reduce) redundancies in the corporate QA environment. At many companies, procedures are layered in their development. For example, most companies add SOPs to groups rather than simultaneously revising groups of SOPs, resulting in the duplication of material and redundancy in tasks.

Understand what should and should not be outsourced. Should you outsource such things as a biologics license application, IT, or manufacturing? There are a number of things that can be outsourced, which can reduce headcount, but before doing so, it's important to understand both pros and cons.

Standardize outsourced efforts through vendor auditing (or some pre-approval process) and early communication of compliance issues to prospective vendors. The FDA regularly requests vendor audit reports, and specifically mentions consultants and vendors in the GMPs (21 CFR 211.34). Companies must set standards for consultants and vendors.


Despite the need for a high level of control and coordination among IT systems, many companies remain wary of the costs and efforts involved in developing such capabilities. For many, this is because FDA validation guidelines and enforcement procedures seem vague and capricious, which makes it harder to make prudent investment decisions. Nevertheless, the evolution from compliance to quality must include the ability to identify compliance-management investments with a strong payback potential. In turn, that ability requires a strong understanding of regulatory requirements and the strategic context of the business so that money is not misspent.

A robust document-management system—combined with work processes that effectively use the system—can dramatically improve compliance activities, including tracking and trending adverse reactions, reporting and documenting manufacturing problems, and maintaining standard SOPs needed for compliant operation.

Unfortunately, many companies purchase expensive document-management systems and then neglect to use their workflow features. As a result, the system simply functions as a big, expensive electronic filing cabinet. Before purchasing such systems, companies should understand their overall IT strategy for compliance and what they expect from the document-management process to help achieve it. Then, an informed decision can be made about which system to buy.

In some cases, the company's existing technology may suffice. For example, most companies use business intelligence software, which is neutral when it comes to what kind of data it can handle. It is therefore possible to use that software to manage toxicology or adverse events.

No matter what software or system is used, the key to making document management successful is deploying systems and processes concurrently. Because a document management system directly affects how people do their work, that work may have to be restructured to take advantage of the efficiencies offered by such a system. To capture maximum value from document-management systems, companies must examine their operating systems and approaches, break down work processes, and reconstruct them in a manner that:

  • capitalizes on benchmarking and best practices research

  • better uses budgeted regulatory and QA funds

  • identifies compliance "high-risk elements"

  • standardizes outsourcing

  • eliminates redundancies in the QA and regulatory environment

  • reduces document-review time

  • forges tighter links among work units

  • minimizes modification of the chosen system.

Successful document management, thus, does not require a computer system as much as it requires a computer-related system. Whereas the former involves implementing hardware, software, and peripherals, in the latter a comprehensive operating environment is implemented that also includes system inputs, related business processes, operating procedures, physical utilities that support system operation, and any other factors that affect the "steady state" of the system.

Integrated document-management systems are needed to produce the strong SOPs, training, and auditing programs, system security, and disaster recovery documentation that increase compliance.


Regulatory oversight is a fact of life. Companies do not have the luxury to decide which mandates they find applicable or practical. But they do, in most cases, possess the opportunity to become more strategic about how they meet compliance requirements. For all that they currently do—or fail to do—to manage compliance, companies must understand that savings in time, cost, and aggravation are achievable. Ascending to a strategically focused culture of quality that emphasizes business objectives, improved communication, risk management, and the informed application of technology will improve processes as well as products.

But beyond all the methods and technology for moving from reactive compliance to strategic quality management lies the most important factor of all—people. Processes and products in biotech are intricate and expensive; the risk of failure is high and the consequences are huge. The performance of people and the tools that are available to them in this environment are therefore critical. Generally speaking, most FDA citations appear technical. But their root cause is nearly always managerial issues that impede the performance of people: Is the right information reaching the right people on time? Are personnel properly trained? Is the company leveraging available information to improve operating practices? Are regulations being interpreted properly and, once interpreted, are they being translated into applicable SOPs? A strategic quality management program that empowers people to move beyond mere compliance is not only economically justifiable but will be welcomed throughout the organization.

Michael M. Breggar is a principal at Tunnell Consulting, King of Prussia, PA, 610.337.0820,