In Vivo is part of Pharma Intelligence UK Limited

This site is operated by Pharma Intelligence UK Limited, a company registered in England and Wales with company number 13787459 whose registered office is 5 Howick Place, London SW1P 1WG. The Pharma Intelligence group is owned by Caerus Topco S.à r.l. and all copyright resides with the group.



A Next-Gen Approach To Health Care Risk And Compliance

Executive Summary

Across the health care industry, the increasing numbers of ethics violations, data breaches and reputational challenges reflect the growing magnitude and prevalence of compliance failures.

Since 2009, health care companies have received non-compliance fines totaling $50bn. And the industry has the third-highest number of monitorships after financial services and industrial goods.

These violations make it clear that a traditional compliance approach is increasingly ineffective. Given the US Department of Justice’s recent revisions of its guidance on corporate compliance, health care risk and compliance (R&C) functions need to evolve their approach to ensure that it meets today’s tougher standards. They need to adopt a next-generation approach to compliance.

Compliance In A Changing Landscape

Many health care companies have used a “commodity-driven” compliance model that is best described as “reactionary”: it looks backward, telling people what they did right or wrong, with a focus on checklists and reporting. This approach may have sufficed for mitigating traditionally high-priority risk areas, such as third-party risk management, anti-corruption and conflicts of interest. But emerging trends such as new business models, the changing approaches to company/health care professional interactions and artificial intelligence – against the backdrop of a rapidly expanding pace of innovation – are expanding the risk landscape and making innovative solutions essential.

About The Authors: The Boston Consulting Group

  • Tad Roselund, senior partner and managing director

  • Bernhard Gehra, senior partner and managing director 

  • Myrto Lee, managing director and partner

  • Carla Spörle, managing director and partner

There are three reasons why now is the time to act. First, compliance efforts really matter. Substantial and demonstrable effort and investment – and the positive outcomes they create – remain key factors for the evaluation of compliance programs by regulators, boards and society. It is now expected that data and advanced analytics will be used proactively, and that compliance will play a role in the business innovation and growth agendas.

Second, digital technologies, including new data visualization dashboards, integrated systems and, most recently, generative AI, provide tremendous opportunities for R&C professionals to enhance their efficiency and effectiveness. These technologies are especially useful because they enhance signal finding, make it easier to leverage knowledge quickly, and increase the richness of organizational interactions. All three technologies can help the R&C function assume a more proactive, value-adding role.

Third, there is a significant business opportunity at hand. By transforming R&C from a function that can slow down the business to one that helps it to move faster, organizations can create a significant competitive advantage. After all, a race car can push harder and faster in the corners when the driver trusts the brakes.

Adopting A Next-Gen Approach To Compliance

R&C leaders should adopt a model that is designed to meet the uniqueness of the organization’s business, operational and risk profile. Seven practices are key.

1. Root Compliance In The Business

To add real value, the R&C function needs to be able to understand the business’ real-life pain points and risk exposure across the value chain: R&D, medical, commercial and supply chain. But this is only feasible if compliance collaborates closely with the business and is viewed as a valued advisor rather than as a hurdle. This is about talent, but also listening, building relationships, earning trust, understanding context and being present at the right tables at the right times.

2. Redefine The Service Model

The R&C function also needs to be able to provide its services anywhere they are needed, such as performance management, due diligence and post-merger integration. For this reason, we recommend adopting a service model that is value-focused, leveraging data analytics to provide real-time insights into performance and enable predictive risk management for functions across the enterprise. Organizations may need to integrate compliance staff into the processes of the particular function (such as R&D) or establish regular working groups to foster collaboration.

3. Broaden The Span Of Control

Silos – both real and perceived – are dangerous. That’s because risk often extends across functions, so new risks can fall through the cracks of organizational structures. R&C leaders should consider expanding oversight and accountability – or, at a minimum, influence – to include emerging risk issues and initiatives, such as Enterprise Risk Management, Environmental, Social and Governance, Responsible Artificial Intelligence and privacy.

4. Embrace Cross-Functional Innovation

Learning works best when people from across the organization help identify areas of the corporate R&C program in need of improvement and suggest ideas on how to innovate. Experts from functions outside of the compliance function should be encouraged to participate and be made to feel that their contribution will be valued.

5. Improve Digital And Data Capabilities

Data, digitization and analytics/insight generation are now essential for designing and implementing an effective, forward-looking program. Data are also critical for tackling complex compliance challenges such as due diligence of business partners. Investments in IT and people are key. Usually, the first step is to clean up the fragmented data landscape, but R&C needs to push on this area regardless of challenges in the underlying architecture.

6. Expand The Arsenal Of Talent

A well-oiled compliance program requires many more skills – both hard and soft – than in the past. R&C leaders should take a close look at existing talent to identify where there are gaps and use recruiting, training and upskilling to fill them. This may well mean expanding the staffing model from traditional compliance and audit professionals to include people with fresh ideas and complementary skills. Data analytics, business operations, digital marketing and engagement, process design and improvement, and adult learning should all be part of the mix.

7. Instill A Culture Of Compliance

R&C leaders should think about shifting the culture of the compliance function from overly control-oriented to ethical. Instead of operating via ultimatums, audits and scare tactics, the department should focus on business enablement, trust and competitive advantage. Senior management needs to set the tone, communicating that misconduct will not be tolerated and that ultimate accountability lies in the first line. Leaders also need to make sure that employees are well informed about the compliance program and are convinced of the company’s commitment to it. We recommend appointing a “risk and compliance champion” in other functions who can improve communication and enhance general understanding about R&C management.

Time For Action

The compliance function is at an inflection point. As the bar for performance continues to rise, health care R&C leaders need to act as agents of innovation. They need to adopt a next-gen approach that ensures that their compliance program embraces policies and controls that support ethical norms while reducing risks. Companies should start actively shaping their next-gen compliance path now – and not leave it up to other forces to determine.

