Compliance officers often worry about the threat of siloed risk management, where one part of the enterprise is addressing a risk without keeping other parts fully informed. The Securities and Exchange Commission recently served up a good example of how that threat comes to pass, in the case of Mylan and its improper charges for EpiPens.
The facts in the SEC settlement order tell an interesting story. In the mid-2010s, Mylan was selling its EpiPens to the tune of $1 billion annually, making them its most important and largest product line. Mylan also classified the pens as “generic” drugs under the Medicaid Drug Rebate program, which allowed Mylan to pay lower rebates back to the government for all those Medicaid dollars paying for said pens.
Well, in 2013 federal regulators launched a probe into that generics classification. It soon became clear that according to FDA rules, Mylan should have classified EpiPens as a “branded” drug, and paid larger rebates back to the Medicaid program. The generic classification and its smaller rebates meant Mylan was overcharging the feds, which would be a violation of the False Claims Act.
In late 2014, Medicaid officials told Mylan that it had indeed misclassified its EpiPens. The Justice Department began putting together a False Claims Act case.
Mylan and the Justice Department then tussled for the next two years, until they agreed in October 2016 that Mylan would pay $465 million to settle the charges. That was roughly 10 percent of Mylan’s gross profits for 2016, so the settlement was a material amount of money.
Unto itself, that’s fine — but Mylan hadn’t disclosed any of this potential trouble to investors until Oct. 7, 2016, despite knowing for more than two years that the company had a big risk on its hands.
That failure to disclose is what prompted the SEC enforcement action two weeks ago. Mylan had known since late 2014 that its EpiPens were misclassified, and that the company would face some kind of reckoning under the False Claims Act. But the company disclosed none of that to investors, nor did it set aside any contingency funds for a settlement, until October 2016.
The failure to accrue contingency funds meant Mylan was overstating its financial picture for two years, until it had to swallow the whole $465 million litigation cost in 2016. Hence the SEC brought its own civil action under federal securities law, which resulted in a $30 million fine against Mylan announced on Sept. 27.
So those are the facts. What risk management lessons can we learn?
One Event, Multiple Risks
What happened here was that Mylan had a single instance of misconduct, which spawned numerous risks across the enterprise. Misclassifying its EpiPens led to a regulatory enforcement risk with the Justice Department; and that enforcement risk then created a secondary disclosure risk with the Securities and Exchange Commission.
A company with astute risk management should see those risks rippling across the enterprise, and respond accordingly. Mylan didn’t. The lesson for other compliance officers is that you should re-examine your risk management and compliance functions to make sure this sort of thing doesn’t happen to you.
Mylan’s legal team was working on a significant case that had the potential to impose material costs upon the company, but its financial reporting team wasn’t disclosing the true dimensions of that risk to investors — because, for whatever reason, the finance team didn’t understand those true dimensions either. That was the screw-up.
Exactly what communication breakdown happened at Mylan? The SEC complaint only says this:
Although Mylan’s controls required quarterly discussions of significant contingencies by its financial and legal teams, the controls failed to require material information be provided to the teams. Certain members of the financial team evaluating the loss contingency relating to Mylan’s EpiPen classification were not informed of some material developments concerning the progress of DOJ’s investigation.
For example, Mylan’s 2014 and 2015 annual reports said Medicaid regulators “may take a position contrary to a position we have taken.” Mylan’s 2015 annual report also stated, “We cannot assure you that our submissions will not be found by CMS … to be … incorrect.”
Except Medicaid regulators had already told Mylan by October 2014 that they had decided the company’s generics classification was wrong — well before those 2014 and 2015 annual reports were published. Mylan knew regulators had taken a position contrary to its own. It also knew a Justice Department probe was underway, and a potentially large settlement was quite possible.
Or at least, Mylan’s legal team knew all this. As the SEC states, Mylan’s finance team didn’t know those facts, and consequently couldn’t respond in the appropriate way: by disclosing the risk to investors and accruing a contingency fund to cover the costs of settlement.
Proper Structure to Break Down Silos
This is why companies have risk committees or compliance councils: so everyone can gather, talk, and understand how a single event at the company might have different consequences for different parts of the enterprise.
In fact, re-read one crucial line from the SEC settlement order again: “Mylan’s controls required quarterly discussions of significant contingencies by its financial and legal teams.”
That is, the quarterly discussions themselves were a disclosure control for the company — and just like any other control, a quarterly meeting of the risk committee might sometimes fail, or it might be designed so poorly that it doesn’t work well.
That’s the trap your compliance or risk management function wants to avoid. You want to design your risk or compliance committee — who participates in it, who leads it, what information is shared with all members of it — so that all parts of the enterprise understand what a risk event means to each of them, and how to respond accordingly.
That’s how you break down silos to assure smart risk management across the enterprise.
This raises some interesting questions about leadership and technology, too. For example, one school of thought is to have a chief risk officer lead all this, where he or she is responsible for assuring that all parts of the company know how to respond to various issues.
Well, that approach implies that compliance reports into risk management, since regulatory compliance is just another enterprise risk among many others. But plenty of compliance functions still report into legal, and others report directly to the CEO — so how would this chief risk officer idea work? Plus, the idea also implies that legal itself might report into risk, and I’ll eat my shorts the day I see a general counsel do that.
As to technology, if all relevant documents and information on a risk event were housed in one place, different parts of the enterprise might not be left clueless about material items, as Mylan’s finance team seemed to be. But structuring your IT systems that way is not easy, and it drives the importance of access and security controls sky high.
However you want to look at these questions, the threat of silos isn’t going away. Compliance and risk professionals still have a lot to learn, so reading up on the Mylan case is a good homework assignment.