FDA’s Lessons on Internal Reporting

Aside from all the FCPA news that’s been happening lately, compliance officers also have a cautionary tale to consider this week about internal reporting. We have the fiasco of the Food & Drug Administration and a whistleblower trying to raise alarms about poor conditions at Abbott Nutrition’s infant formula manufacturing plant in Michigan.

The Washington Post broke the story earlier this week, and compliance professionals with babies at home may want to strap on a helmet since you’ll be banging your head against the wall before we’re done. 

As reported in the Post, a whistleblower submitted a detailed report to the FDA about their concerns for the Abbott plant last October. The report then languished for another four months before it finally was escalated in February to senior food safety officials at the FDA who could understand the gravity of the problem. 

By the time the whistleblower’s report did reach the desk of Frank Yiannas, the FDA’s deputy commissioner for food policy, one infant had already died and at least two more were hospitalized. Another infant died soon thereafter, and the FDA rushed to shut down the plant — which directly led to the infant formula shortage gripping the country today.

What will make compliance officers scream is that the FDA ignored the whistleblower’s report for four months because neither the FDA’s food policy divisions nor the agency’s food safety inspectors need to report to Yiannas. Rather, those divisions report directly to the FDA commissioner, who historically hails from a medical background and puts a priority on pharmaceutical issues. 

So we had a flawed organizational structure that thwarted the escalation of internal reports to executives who could properly assess the issue. Families across the country are paying the price of that mistake. 

That’s the lesson here for corporate compliance and audit professionals: assess the mechanics of your internal reporting system, to be sure that reports are classified properly; and assess the oversight of your issues management process, to be sure that once a report enters the system, it goes to people with the competence and authority to address it.

Internal Reporting and Escalation

Yiannas’ interview with the Washington Post makes for disturbing reading. The killer quote is probably this: 

“It wasn’t sent to me, and it wasn’t shared with me internally. How does this happen?” Yiannas, who previously ran the food safety program for Walmart, the nation’s largest grocer, told the Washington Post. “There were early signals, and in any safety profession you want to take those seriously to stop the domino effect. That didn’t happen.”

Well, precisely. Yiannas actually raises two distinct but important points that internal reporting and issue management systems need to get right.

First is that bit about early signals. Yiannas is really talking there about risk identification: does your organization understand which individual pieces of evidence connect to the various risks that you face? 

To have that understanding, you need to compile a list of the risks you face; and then engage in a rigorous process to consider what evidence would connect to each risk. For example,  what words would a reporter use? What questions could you ask (in an online intake system, for example) to elicit critical information from a reporter? 

Then you can start to build an early-warning system that can correctly interpret those early signals Yiannas mentioned. (Or, more likely, you can have a productive conversation with internal reporting vendors to assure that their proposed structure meets your needs.)

The second important point is about taking things seriously. That’s risk escalation. 

Plenty of compliance technology vendors will say their systems can route each internal report to whomever at your company should see it. I take the vendors at their word and don’t worry about that part. (Although remember that report from earlier this year, finding that most companies don’t use any formal case management system.)

Instead, I worry that your org chart won’t align with the escalation path that each risk needs. That was the FDA’s problem, after all; Yiannas, head of the FDA’s Office of Food Policy & Response, didn’t see a 34-page whistleblower report raising serious questions about food safety. 

This is where internal audit teams could help. They can assess whether your internal reporting and case management system includes people with the right competency to evaluate the nature of the report

Sometimes that question has an easy answer. For example, if the report alleges fraudulent financial reporting, steer it to an investigator with expertise in accounting. Other issues might not be so clear, especially if they involve technical matters such as a cybersecurity weakness or manufacturing defects. 

You might also need to consider office politics and turf wars. Again, internal audit can be your friend here, since they answer to the board’s audit committee and have more ability to recommend structural changes. 

On Reforming the FDA

The House held hearings earlier this week to explore the infant formula crisis, including whether the FDA needs structural changes so it can address such risks more quickly. Consumer groups and food safety advocates are already calling for just such structural change. 

I’d be remiss if I didn’t stress that the FDA should be led by a physician or some similar person with expertise in pharmaceuticals and public health — especially these days, as we still struggle to put the covid pandemic behind us. But the agency does have dual objectives of food safety and drug industry oversight. So FDA leadership needs to assure that its organizational structure allows competent people in each field to see internal reports relevant to their expertise. 

That’s a point the corporate world needs to embrace, too.

Leave a Comment

You must be logged in to post a comment.