Welcome to Focus Forward, the monthly e-newsletter of Tim Rosa Associates. I've created free subscriptions for our valued business contacts. If you find this newsletter worthwhile, please continue reading. You can also forward this newsletter to colleagues by clicking this Forward email link. If you do not want to receive Focus Forward, simply click on this SafeUnsubscribe™ link and we will never bother you again.

The Compliance Documentation Lifecycle: 12 Steps to Success

Meeting the demands of regulatory requirements has become a fact of business life.
U.S.-based companies must contend with compliance standards set forth by legislation such as SOX, SB 1386, HIPAA, and CALEA (1), along with rules issued by regulatory agencies like the FDA and the SEC. Global organizations must deal with requirements set by EMEA (2), ANSI (3), TIA (4), ATIS (5) and others. The regulatory environment is not only here to stay, but it’s actually growing. For example, since California passed SB 1386 in 2002, 32 other states have passed similar laws, with more on the way. A dozen similar bills pending at the federal level are modeled after SB 1386.

You’re receiving this newsletter because at least one of your responsibilities involves documenting information for regulators, customers, or other important audiences. Clearly, the quantity of compliance documentation is likely to increase over time, so the use of a proven process will ensure that quality will not suffer. In this issue, I outline TRA’s Compliance Documentation Lifecycle™ to support better planning and management of your compliance projects.

Using the Compliance Documentation Lifecycle

Creating and maintaining quality compliance documentation is an essential ingredient for successfully demonstrating internal controls and achieving the requirements specified by the regulations. After working with scores of clients on regulatory and validation documentation projects, we’ve developed the TRA Compliance Documentation Lifecycle, which tracks the critical steps necessary for planning, developing, and managing compliance materials. Whether you’re responsible for one document or one hundred, following this approach will save you time and cut documentation costs while streamlining the approval process.

1. Identify all regulations that apply to your business. That sounds like a pretty obvious statement, but it’s often easier said than done, especially for companies operating in different countries. Regulations may be based on the type of business you have, who your customers are, the types of products and services you offer, the geographic markets where you operate and sell, and so on. For example, a pharmaceutical company based in the United Kingdom that sells products in both the U.K. and the U.S. is subject to both EMEA and FDA regulations, while a privately-held company in the U.S. is not subject to SOX. Your organization’s Chief Compliance Officer, Regulatory Affairs Director, or other member of the senior staff may need to seek outside counsel to make sure that all applicable regulations are identified.
   
   
2. Know the regulations. All of the regulations are posted on the website of the regulatory agency. While many websites and resource centers also post the documents, it is best to go to the original sources, read them in their entirety, and seek out training on them if desired. This way, you can read not only the regulations themselves, but any guidance and discussion documents that also have been issued. You will obtain a complete picture of what is expected of your organization, versus relying on someone else’s summary. While it may be easier to read a 100-word abstract of the regulation than reading the 100-page original text, you may be putting your organization, your shareholders, and possibly your customers at risk by taking such a shortcut.
   
   
3. Perform a gap analysis. Once you have studied the regulations, you need to understand where your organization is in compliance and where it is not. Performing this gap analysis—determining what is expected vs. what you still need to do—is critical to success. If you have a designated Regulatory Affairs or Compliance officer, this person should have the access and authority required to manage the gap analysis effort. However, we often find that compliance is a shared responsibility, a dynamic that inherently slows—and sometimes stops—the gap analysis effort. Compliance isn’t optional, so find outside help to lead this process on your behalf and provide you with the action plan you need.
   
   
4. Inventory your current documents. Once the gap analysis has been completed, you will probably have a fairly long list of documents to create. Save time, money, and headaches by repurposing material you’ve already developed. Create a catalog of all documents you already have that could serve as source material for the compliance documents need to be created. In most cases, you cannot use these documents ‘as is’ to meet the requirements, but you should be able to re-use some content. Identify document authors and/or subject matter experts who could provide relevant information when it’s time to start writing the actual documents.
   
   
5. Decide on the type of submission. Most regulatory agencies allow you to submit regulatory documents on paper or electronically. The type of document you choose to create is an important decision to make upfront. However, there are often unique requirements for electronic submissions, such as the use of special forms, or the creation of a user account on an agency server, so be sure to familiarize yourself with these requirements ahead of time. If you don’t, you can make a lot of extra work at the end of the project when pressure is most severe and time is of the essence.
   
   
6. Create templates. Many of the documents you need to create will have to be developed many times for different products, services, or lines of business. Typical documents include Standard Operating Procedures (SOPs), Standard Work Instructions (SWIs), Installation Qualifications (IQs), and Operational Qualifications (OQs). As a result, creating a template for the content and formatting of each document type ensures consistency and speeds development time.
   
   
7. Write the documents. With a template in hand, a writer can develop the content with the full knowledge that once it has been completed, the objective of demonstrating compliance will be in sight. But writing regulatory documents is not a solitary activity or something that should be undertaken by someone without regulatory experience. The writer must work closely with key subject matter experts who can collaborate on drafting content or at least provide time to be interviewed for “content extraction” if nothing has been written down (an all too often occurrence).
   
   
8. Contact the regulatory agency. As the first draft is being created, select departments (such as Compliance, Regulatory Affairs, Quality, Finance, and Legal) should reach out to the regulatory agency to discuss what your company is doing, the approach you are taking, and your timeline for completing the document. This proactive stance makes the formal review by the regulatory agency go along most efficiently. Be sure to keep the right internal teams in the loop so that you’re all speaking with one voice to the regulators.
   
   
9. Review the documents. Once drafts of the document are ready, an internal review panel must review the drafts. This panel is typically made up of the content experts who contributed to the draft, and needs to include representatives from departments such as Compliance, Regulatory Affairs, Quality, Finance, Legal, IT, Engineering, and Project Management. The number of review cycles required to finalize the document depends on both the type of document and its complexity. TRA recommends that clients anticipate that they will review two working drafts and then one final draft before submitting them to regulators.
   
   
10. Submit the documents. Once the documents have gone through all their internal reviews, you need to submit the documents to the regulatory agency. The submission requirements are posted on the regulatory agency’s website and you must follow them exactly (see step 5). Any deviance from what is expected will not be acceptable and can push your submission to the bottom of the review queue.
    
    
11. Respond to comments. The regulatory agency reviews your submitted documents and delivers their comments. They can be in summary form, detailed markups on specific items that need to be changed, feedback presented orally or in person, or any combination of these methods. You need to set aside time to review the comments in detail. Where necessary, you need to prepare a response to the comments and/or revise the documents.
    
    
12. Rinse and repeat. Once the regulatory agency accepts your documents, check your calendar. It’s likely that the next compliance deadline is upon you already. Be sure to refer to the TRA Compliance Documentation Lifecycle again when planning your next compliance documentation challenge.

Bottom Line

As a staff employee of a pharmaceutical company, I wrote my first regulatory documents for a piece of laboratory automation equipment in 1986. After Tim Rosa Associates was established, we completed our first regulatory documentation project in 1992, and in 1997 we formally established our compliance practice. We now have a number of senior-level consultants and regulatory writers with the experience necessary to support clients of all types through all phases of the Compliance Documentation Lifecycle. Starting with an understanding of your business and the regulations involved, then performing a gap analysis, then reviewing internal documents and working with subject matter experts, and creating and submitting documents, our team works in collaboration with yours to ease the compliance documentation burden and streamline the approval process.