Recently I had a conversation with a compliance professional I know, someone with solid credentials and experience—but experience mostly in the industrial manufacturing sector, with a stint in agribusiness as well. She has been contemplating a switch into the healthcare sector, ideally medical device manufacturing. Did I have any advice on how to make that industry move?
I get career questions fairly often. Usually people are looking for a new job opportunity (which sometimes I do know of), or want some connections if they are moving to a new city (which I’m delighted to provide). Occasionally recruiters call to ask me whether I know good candidates for a specific job (happy to help if I can).
I hadn’t considered my friend’s situation until she asked me about it. Which led us to a robust and somewhat meandering talk about compliance careers—with, I hope, some observations worth passing along to the Radical Compliance empire. You tell us if we’re barking up the right tree.
First, beware the jungle of Food & Drug Administration compliance. Whole magazines and conferences are devoted to FDA compliance, for good reason. The FDA is a powerful agency with sweeping purview, and exacting rules that rarely arise elsewhere. Off-label marketing, quality control, oversight of clinical trials—these issues require long years of study and practice to gain expertise. A mid-career compliance professional trying to tackle FDA compliance without prior experience is jumping into the deep end of the pool, against stiff competition from drug industry veterans.
That said, most compliance officers know this. It’s industry-specific regulation, and above all it applies to the pharmaceutical industry. Many other businesses also fit within that broad umbrella of “healthcare and life sciences,” with plenty of issues beyond FDA compliance where an outsider might find opportunity.
Seek Out the Parallels
My contact raised the excellent point that lots of corporate compliance experience can transfer into the healthcare fields. For example, she has years of experience building compliance programs for the Foreign Corrupt Practices Act. On a substantive level, the policies and practices one uses in FCPA compliance aren’t terribly different from a compliance program under the Anti-Kickback Statute. That’s the law that prohibits medical professionals from offering bribes to win business that includes Medicare or Medicaid dollars from the U.S. government.
Sure, the messaging is different, since most doctors and hospital employees won’t know what the FCPA is. But the steps required for effective compliance—proper training, strong policies, whistleblower hotlines, systems to identify improper payments—are all still there. Someone who knows how to configure a strong anti-bribery program will find his or her skills can fit the needs of either law.
You’ll need a strong colleague who knows the healthcare or life science company’s specific processes and workflow, but that’s true of any new firm a compliance officer joins. The killer skills are knowing how to convince people that bribery is wrong, and how to design payment systems that flag those payments.
You could say much the same about other core elements of a strong corporate compliance program. Nurturing a speak-up culture—from training employees that speaking up is OK, to designing a comprehensive incident reporting program, to knowing which reporting analytics are worth tracking and matching to key performance indicators—that experience is hugely useful, whether the reports are improper payments or quality control issues in a medical device manufacturing center.
Finding a company willing to buy into this logic is another matter. One Radical Compliance reader, working in life sciences in the Far East, told me it does sometimes happen; she knew of a few sizeable biotech firms that recently hired non-life sciences people for compliance jobs out there. Anti-corruption experience is a good way to frame the argument, she said; consulting experience can help too.
The Big Pivot Point
My conversation with the career-mover picked up much more when we touched on privacy. At first I wanted to say that expertise in HIPAA compliance is invaluable (which it is), and that if a compliance officer craves employment stability, consider boning up on privacy in the related field of education (which you should). Data security is another issue where the details might differ from one industry to the next, but the basic principles of identifying and securing at-risk personal data holds true across all sectors.
But the greater potential is all about why data security and privacy are such serious issues right now. They’re serious issues because thieves are stealing data more aggressively and companies are adopting the cloud for data storage at the same time. That is, the risk profile for data is elevating, just at the moment when companies are pushing a tremendous change in how data is stored and managed.
That, really, is where lots of employment potential exists for compliance professionals: in helping corporations understand how their privacy and data security risks will change as their IT infrastructure moves to the cloud.
Risk assessments will change. Governance of third parties will change. Workflows will change. Investigations, forensics, and breach disclosure protocols will change. Internal controls and risk matrices will change. And while all of that will be especially urgent for businesses like healthcare and life sciences, because healthcare data is so sensitive, ultimately it will be true of every other business, as well.
I touched on all these ideas in a post last week from Oracle’s Modern Finance Experience conference. Oracle CEO Mark Hurd said it best: the cloud will slash IT maintenance costs for large enterprises, and drive many businesses to adopt more standardized best practices. Companies will need compliance officers who can figure out that world.
To phrase it another way: in a world where the cloud will let companies operate any way they want, companies will need people who know how the company should operate. The future will be a blend of astute business process analysis and optimization, within the regulatory demands spelled out by multiple agencies.
Healthcare, medical devices, even pharmaceuticals—they can be wonderfully lucrative and challenging paths, for industry veterans or professionals moving into the industry from other sectors. But fundamentally, when you look at what companies will need to be able to do in the future to survive, a lot of the greatest needs will cut across many industries. I don’t think that’s going to change soon.
But like I said, those are just my ideas. What are yours? Email me at [email protected] or comment below.