Regulation

Q. How has information technology (IT) dealt with regulatory issues (e.g., Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, 21 CFR Part 11, etc.)?

Regulations such as 21 CFR Part 11 have been well understood (and implemented) by the industry for several years. However, for the first time, the life sciences industry is feeling the need to manage regulatory compliance across regulations on a risk-based approach. Often, there is one officer in the company who is charged with regulatory compliance, and this officer is keenly interested in mitigating risk proactively in a unified governance framework for the company.

Q. Which regulatory requirements are the most challenging and why?

For each company, a given regulation could impose challenges that are particularly difficult within their specific business. Sarbanes-Oxley provides great challenges because the extent to which companies interpret and implement regulatory compliance is sometimes subjective. As a result, companies usually go overboard in an attempt to remove regulatory risk altogether. On the other hand, with regulations such as 21 CFR Part 11 and the like, the scope is well understood, but the challenge with these initiatives is the cost of validation. Often the cost and complexity of validation is extremely high, enough to thwart continuous improvement initiatives.

Q. What industry (outside life sciences) that you know of has a good handle in dealing with regulatory compliance, and why?

Financial services firms, by the nature of their business, have incorporated risk-based strategies in their regulatory compliance initiatives for years. This makes them extremely resilient to sporadic noncompliance, changing regulations, changing market conditions, and changing customer requirements.

Q. How creative can software makers be when providing compliance solutions? Is there room for 'out-of-the-box' thinking?

Compliance is always a combination of process documentation and recording of deviations (potential, or real) from such processes. Scientifically speaking, unless all processes can be standardized across the industry, it would be impossible for any company to develop an out-of-the-box compliance solution. However, there are some process areas that are reasonably standard in the life sciences industry, and we are working toward some prebuilt compliance tools for some standard business processes and functions.

Q. Do you have any comments on regulatory requirements outside the United States?

Local regulations (or "localizations") are the cost of doing business globally. In today's economy, this is a need that cannot be ignored. We, at Oracle, have seen a trend toward incorporating local financial regulations in shared service transaction processing environments.

Q. Do you foresee unified global regulatory requirements?

To some extent, there already are unified world regulatory requirements. Market-leading regulatory bodies, such as FDA and the USDA, assume leadership roles in implementing world-wide regulations. Their regulations are immediately adopted with little or no variations by regulatory bodies in other countries. Often individual countries might adopt a superset of FDA regulations by combining FDA regulations with country-specific codes developed by their regulatory bodies. The cost of not doing business with the US is so great, that we believe that bodies such as FDA and USDA truly have a global impact.