Where Has Quality Gone?

The payment marked the largest amount ever paid by an FDA-regulated company for a civil violation of the Federal Food, Drug and Cosmetic Act. One year later,  Wyeth-Ayerst, a division of American Home Products, agreed to pay $30 million for similar failures.

Lost in the shadow of these historic agreements are the additional punitive damages and the business impact. Abbott was required to correct certain manufacturing processes within a time frame developed by the FDA, or pay $15,000 per day (up to $10 million) until they were corrected. In addition, if the product manufacturing processes for certain medically necessary products (which were not removed from the marketplace) were not brought into compliance within a year, Abbott was required to pay 16 percent of the gross proceeds generated by those products. The company recorded $250 million in lost sales. Wyeth-Ayerst was also provided with an extensive list of corrective actions to be taken within a finite time frame. Both companies were directed to use outside auditors to oversee the remodeling of quality assurance procedures and to certify compliance, which would be further inspected by the FDA at the end of the process.

Similarly, last year the Ford Motor Company and Firestone/Bridgestone Inc. faced unusual government scrutiny, both at home and abroad, about whether the companies--and their executives--had knowledge of a safety issue (or should have) and if they acted to fix it in time. At the core of this investigation were the quality systems, communication and business processes of the companies' product development and manufacturing operations.

The liability of such quality control defects is increasingly falling into the laps of senior executives. In the Abbott case, Miles White, chief executive officer of the Abbott Corporation, and Thomas Brown, president of Abbott Diagnostics, were the named defendants in the government's action. Jacques Nasser, CEO of Ford, was called to testify before the U.S. Congress. And a few years before, senior executives from a medical device company received prison sentences for their actions. The exposure of executives and companies is gripping the attention of senior staff. These cases highlight a larger problem: What has happened to quality control?

Prelude to Problems
In the early nineties, as part of the never-ending search for greater efficiency and increased economies of scale, management consultants created visions of future operating environments. Downsize and outsource, they said. Management seized the opportunity to make their organizations lean. Cost and head count reductions became the order of the day as personnel were replaced by new technologies. Initial returns were promising and shareholder value trumpeted the success.

But did the whole business model really need to be fixed? At the operations level, where directives from above are translated into action, capacity is finite and resources are usually constrained. The resulting hierarchical structures no longer defined reporting relationships. Suddenly, mangers had ten to fifteen people reporting directly to them. As they lost the day-to-day control over the organization, operations managers prioritized needs and efforts to resolve the immediate problems. But as "do more with less" became a prevalent philosophy, errors from the front line were creating more risk exposure to the enterprise, senior management and outside directors. 

For many companies now structured this way, it seems executives espouse one philosophy while their companies practice another. For example, in a survey by PriceWaterhouseCoopers in the late 1990s, senior executives identified the need for effective approaches to integrate risk management across the enterprise by aligning objectives, risks and controls. Implementation starts at the top, they claim. The board and CEO clarify and prioritize business objectives, and each successive layer of the company establishes and prioritizes objectives that are in synchronization with the enterprise plan. 

The survey, however, shows that different levels of management and nonmanagement perceive risk management controls differently. In general, boards of directors and top management set appropriate business objectives, but they fall short of creating corporate cultures in which all employees understand these objectives and execute their day-to-day tasks in accordance with them. For example:

- Virtually all CEOs (95 percent) state that they "truly have an open door policy and will reward employees who communicate potentially bad news." Half of all employees (48 percent), however, state "the messenger of bad news takes a real risk in my company." 

- Nine of every ten senior executives in the survey agree that internal control is critical to effective management. Yet, 80 percent of that same group agree, "when it comes down to compensation, making the numbers is what really matters." This type of thinking creates powerful disincentives that undermine effective control cultures. 

- Three-quarters of the chief executives answer "no" when asked whether their employees intentionally circumvent cumbersome corporate policies. Yet, half of the non-CEOs indicate that such circumvention is common. 

In the end, these positions leave the manufacturing realm forced to review its ways by the strong arm of the courts and regulatory systems. 

Quality Audits
The pharmaceutical industry provides a revealing case study due to the severe liabilities its poorly maintained quality systems can illicit. For example, FDA 483s, Warning Letters and Consent Decrees, can result in nonapprovals of pending new drug submissions, delayed approvals of new products and loss of government contracts. Through legal channels, the FDA can also force an injunction from manufacture, search of premises, seizure of products and records and prosecution--corporate or individual, civil or criminal. Penalties include fines--individual and corporate--sanctions and imprisonment.

Businesses can lose market share and their good name while bearing the cost of litigation and remediation. Particularly severe penalties could ultimately put companies out of business. Individuals can lose even more; if fraud is involved they can be permanently barred from employment in the industry.

The FDA compliance and enforcement policy reflects a core value of the Food, Drug and Cosmetic Act. Compliance with regulatory requirements and ethical conduct standards are mandatory. Individuals who actively participate in unlawful conduct, allow it to happen by passively tolerating violations, or fail to take steps to learn that violations were occurring can be held personally responsible.

Under the Quality System Regulations (QSR)--the regulations covering the manufacture of medical devices--management is charged with executive responsibility to establish a commitment to quality. Manufacturers are required to provide adequate resources, including internal quality audits, to meet the expectations of the regulation. Beyond the requirement to establish audits, management must review the results. When audit findings reveal situations where there is non-compliance with QSR, corrective action must be taken. The QSR also require verification or validation that corrective and preventive actions are effective. 

Clearly, the FDA expects executive management to be involved with, and responsible for, all aspects of quality management. FDA inspectors are trained to solicit information regarding senior management's nvolvement as a routine part of their investigations. The FDA's emboldened enforcement following the Abbott consent decree is a notice to industry that fines and penalties directed against individuals are the new rule of the day.

Reinstating Quality 

Symtoms of Regultory Danger  -Nonexistent or poor networks to communicate significant information -Not expanding staff to meet increasing workload -Not identifying infrastructure and new system requirements  -Overly ambitious financial goals -Unrealistic or ambitious research and development goals -Management that gives lip service to quality assurance and Good Manufacturing Practices -Poor problem-solving approaches and documentation -High turnover of senior staff -Utilization of untrained or underqualified quality assurance resources -Benign board of directors -Notice of inspection findings with more than five "important" observations -Increasing number of recalls -Poor procedures for release of product and change control

In a complex and decentralized business environment, corporations must institute consistent, enterprise wide compliance policies and procedures to prevent litigation and reputation damage and meet shareholder expectations. Legislators, investors, regulators, customers and the public are demanding accountability and effective controls. The challenge is to focus compliance to cover the real danger points, avoiding the expensive blanket coverage of every risk. Regulatory risk assessment needs to be set in the context of broader business risks, such as product recalls, failure of key development projects, process quality in remote locations and marketing practices which fall below industry standards.

Large organizations can become complacent in their operations. This attitude drives the organization into a risk exposure mode before anyone realizes it. Some companies have historically pushed the regulatory envelope, creating a culture that does not encourage change. And smaller organizations often do not have the knowledge or the resources to make the necessary assessments. 

Now, more companies are recognizing that it may be necessary to undertake reality checks to assess risk exposures. And without sufficient resources, and under a culture unable to identify and correct systemic problems, these organizations often find that they must use third parties to perform independent assessments. (Sometimes, as with Abbott and Wyeth-Ayerst, such course of action is mandated by the government.) The specialists can examine adherence to regulations and quickly identify gaps that, when corrected, can significantly reduce risk exposure. 

With clarified objectives and defined risks, quality controls can be tested and necessary improvements designed. But risk and control alignment requires regular reassessment by management. Periodic reviews by auditors, regulators and compliance personnel are not substitutes.

Through a combination of in-house and outsourced efforts, quality assessment of product development and manufacturing systems must be reinstated at all organizations. Senior management must know they are the ones on the line.