A Low Cost, Seven-Step Approach to Reducing FDA Enforcement Risk
August: normally full of summer… sun, sand and surf. As the song goes, “summertime and the living is easy…”
In 2020, COVID-19 — and more recently its Delta variant — wreaked havoc on an orderly return to business as usual.
But recently progress has been made as the FDA said they have resumed some of its foreign inspectional activities and has begun transitioning to its standard operations for domestic inspections.
My hope is that all of you involved in quality and compliance are enjoying some time off with friends and/or family and getting a chance to read a good book on a quiet beach somewhere.
But be forewarned, the FDA does not appear to be taking any enforcement vacations. Companies need to remain vigilant reducing enforcement risk for the remainder of the Summer and Fall. In keeping with the season, this posting is going to be light, relatively short, and easy on the eyes. But, don’t underestimate what I’m about to tell you. The following can be a roadmap for significant risk-reduction within your operation, and you don’t have to spend one thin dime to accomplish any of this.
So let’s get started.
Initially, enforcement risk reduction is largely a matter of focus. Reducing risk prospectively is a project, and in my strong opinion, should not be considered part of “base business” operations. Organizations are generally staffed to manage base business, not to develop new or fix broken systems. That said, you can achieve such focus with the following.
Step 1: Create a three-month, strict timeframe for an enforcement risk reduction project. Why three months? Well, for one thing, it’s a manageable timeframe – it is short enough to be real. Also, three months puts pressure – and focus (which is what you want) – on your team to deliver.
Step 2: Prepare to get things done. If you’ve got a staff of 20 people that are already overworked, you can’t just add more work to their plate. You have to eliminate low-value work items to free staff up for a big project push. There’s no magic here – even the best people need to go home and relax after a hard day’s work – and therefore, to focus on enforcement risk reduction, you will likely have to eliminate some other activities for the three month period. Get your staff together for one-hour and go through and ask them what activities should be put on hold for three months so that you can achieve focus. In all likelihood, you’ll get an earful from them.
Step 3: Turn your staff into a project-based team. There is a big difference in how people work on routine, base-business business responsibilities, as distinguished from tight, project-focused, project-managed activities. I personally believe that humans are “hard-wired” for project type work: cross the river; hunt the animal; build the shelter; plant the crops. By turning your workforce from a “staff” into a focused “project team” you immediately convert passive content consumers into active content producers.
Make sure you appoint a project lead (project manager) and decompose the project sufficiently to make it manageable. Make sure the project lead is a “can-do” type of individual that will not only get things done, but will make sure that the other people with task responsibilities get their things done!
Step 4: Conduct a hyper-critical assessment (deep dive) of your operation. The objective here is to not provide a report for management to beat anyone up with. The objective here is to quickly, and without attribution of fault, figure out where there is risk in your operation. I would suggest that no names be included with the report, and perhaps, the report should not even be published or circulated. The report should only be used as the basis for an aggressive project remediation plan.
Step 5: Review/Analyze/Triage. Get together with your quality and compliance team in a conference room with multiple stacks of Post-It Notes, flipcharts and markers. Take each of the findings / risk areas from Step 4 and for each finding, identify the level of risk exposure from the finding (high, medium, low) and what specific actions and resulting deliverables can be taken to reduce or mitigate the risk within a finite 90 day window. It is essential that you focus on activities that can be completed within the 90-day window. Capture everything, but if it’s a longer-term remediation project, analyze it separately, after the fact.
After you prioritize the risk exposure, re-prioritize within each classification of risk exposure to get a prioritized list of activities that needs completion within the 90 day window.
Step 6: Plan. Project management should be a core skill of any quality, regulatory or operations professional but unfortunately, it often isn’t. A checklist or to-do list is not a plan – plans are documents that provide a roadmap – with details, resources, explanations, etc., of how you are going to get from Point A (in this case a list of things that need completing) to Point B (a list of things that are completed).
The project leader you appoint (with overall responsibility for project timing and commitments) should develop a fully-resourced project plan with realistic completion deadlines, identified predecessor tasks, and containing the prioritized list of items you identified as necessary to drive down enforcement risk. Ensure supporting documents exist to help project members understand the project purpose, governance, support structure, etc.
Step 7: Execute. No matter how well you plan, if you don’t execute, everything up to this point has been for nothing. Good execution is hard – people need to focus on completing activities within pre-defined timeframes. If they run into problems, make sure they ask for help. I once worked for a company that told me that one of the few things that would simply be considered unacceptable was failing to ask for help if I needed it.
Track progress closely; meet regularly and update status; update project plans (and GANTT charts if you have them); identify task delays that disrupt the critical path; communicate regularly and consistently. By ensuring you execute strictly to plan, you will walk away in 90 days with a huge level of progress, and will have reduced substantial risk.
Enforcement risk reduction is hard work. Systems need to be remediated; documents rewritten; training conducted; procedures redeveloped; stories developed; gaps plugged. All this work is generally above and beyond the role of base business personnel. By providing focus, project-based approaches, and good project execution discipline, however, your organization can begin to reduce enforcement risk without a great deal of expenditure.
Enjoy the rest of the Summer!