Starting from the premise that a compliance program must be implemented according to the size and characteristics of the organization, we will now make some recommendations for its implementation in a large company, which, due to its focus and complexity, varies significantly from that of a small company.
Firstly, and considering that large companies usually have greater resources available, we recommend that, in addition to dedicating financial, technological and human resources, through the participation of specialized teams during its implementation, the governing body and senior management demonstrate a commitment to the culture of compliance, sufficiently visible to generate awareness at all levels of the organization, through awareness-raising, sensitization and training programs.
Likewise, considering that a large company could have a higher degree of exposure to risk, as a consequence of the volume or complexity of its operations, it is recommended that, as a starting point, and prior to the identification of the activities, operations and/or processes exposed to risk, the following methodologies be developed ad hoc for the organization:
Risk assessment: which takes into account the risks inherent to the organization’s activities, and the criteria for determining the level of impact and probability consider the nature of the business, its economic environment and the influence on the fulfillment of strategic objectives.
Control evaluation: which measures the level of control strength, considering, for example, the degree of automation (manual or automatic), the nature of the control (preventive or detective), the ability to circumvent the control (vulnerability) and the frequency of execution of the control.
Review of controls: to ensure an adequate control environment, through guidelines that allow the development of control monitoring plans that contain specific actions and lines of defense aimed at properly managing the supervision of previously identified controls.
As you can see, large companies will not only have a higher degree of sophistication during the implementation stage of a compliance program , but also during its operation, since, compared to a small company:
The frequency of review of risks and controls will be less spaced.
Higher levels of reporting of the results of the different model reviews will be established.
More frequent and more specialized communication programs will be required.
Codes, policies, procedures, action guides, manuals, protocols and/or instructions will be developed for specific risk areas.
Increased internal controls will be implemented.
The use of technologies for monitoring the program and access to the reporting channel will be assessed.
Compliance programs will be integrated into the organization’s various processes.
The model will be flexible enough to grow with the organization (scalable).
The appointment of an internal auditor will be evaluated.
The governing body or senior management, as appropriate, will need to appoint a compliance program officer with autonomy, authority and independence .
In conclusion, the implementation of a compliance program in large companies must be adapted to the specific characteristics and dimensions of the organization, considering aspects such as operational volume, exposure to risks and complexity of its structure.
For this, the involvement of corporate governance is key, since it must lead and promote the implementation and supervision of the compliance program, in addition to ensuring compliance by acting in an ethical and responsible manner.
In addition, it is essential to create customized methodologies to evaluate risks, controls and their constant review, thus ensuring a solid control environment.
By Jorge Luis Hurtado, Deputy Manager of Legal and Regulatory Management at Redinter.
Fifth installment of the “Rule The Rules” Podcast, our conversation where the Director of the Compliance Group at az, Yoab Bitran, welcomed Donald Dillman, Compliance Director at Diebold Nixdorf.
Donald shared his experience in different companies and organizations, and provided recommendations to improve internal investigation processes.
Fourth chapter of the az t Podcast of “ Rule The Rules ”, our conversation where the Director of the Compliance Group of az, Yoab Bitran , received Gabriela Gutiérrez, Chief Compliance Officer of VEON.
Gabriela shared her experience in different industries and her vision on the state of compliance in the region.
AI governance transcends regulatory frameworks and enters into business strategies. It covers a wide spectrum of elements ranging from financial planning to risk management. Responsible AI governance can strengthen a company’s reputation and attract customers and talent. AI governance can foster an environment of responsible innovation, enabling companies to develop AI solutions that create a positive impact on society. Companies that adopt strong AI governance will be better positioned to compete in an increasingly digitalized market.
In this regard, ethical principles will always be key when considering the development and implementation of AI systems. The importance of transparency in AI algorithms and the need to explain the decisions made by these systems, as well as the need to train employees in the responsible use of AI, are fundamental aspects.
Supreme Decree No. 016-2024-JUS was published in the Official Gazette El Peruano, approving a new Regulation of Law No. 29733 – Personal Data Protection Law (hereinafter, the “Regulation”). Through this regulation, new obligations are imposed on the holders of personal data banks and/or those responsible for their processing, such as:
Notify the National Authority for Personal Data Protection within 48 hours of becoming aware of a security incident that causes the exposure of large volumes of personal data or serious harm to its owners. This must also be notified to the affected owners within the same period, unless the incident has been resolved or such damage has not occurred. Likewise, any security incident that occurs must be duly documented and a record kept.
Appoint a Personal Data Protection Officer when large volumes of personal data or sensitive data are processed, who will be responsible for supervising compliance with the obligations and being the point of contact with the Authority. In the case of business groups, only one officer may be appointed per group.
Have a security document, which must be formally approved and must be complied with by personnel with access to information systems. It must be up to date and contain at least the access management procedures, privilege management and periodic verification of assigned privileges regarding information systems.
Likewise, proactive responsibility mechanisms are established, of an optional nature, which represent the commitment of the person responsible to comply with the regulations and may be considered mitigating circumstances of liability in a possible administrative sanctioning procedure, such as:
Conducting Personal Data Protection Impact Assessments, especially when it involves sensitive data, data for the purpose of creating personal profiles, data of people in particularly vulnerable situations, among others.
The implementation of Codes of Conduct, which establish specific rules for compliance with regulations within the entity or business group, such as procedures that facilitate the exercise of rights, supervisory mechanisms, clauses for obtaining consent, among others.
On the other hand, the new Regulation establishes new features such as the recognition of portability as a manifestation of the right of access to the personal data of its owners, which implies the transfer of the data to another controller or owner of personal data banks, when requested and technological possibilities allow it, as well as the possibility of establishing a first contact to obtain the express consent of the owner for advertising and commercial prospecting purposes (if this is not obtained, a new contact cannot be made).
Finally, the registration of personal data banks is established free of charge and the creation of the platform “I take care of my personal data” for citizen attention.
The new Regulation will come into force 120 calendar days after its publication in the Official Journal. Specifically, the obligations regarding the appointment of a Compliance Officer will come into force progressively over a 4-year timeframe, depending on the sales volume of the responsible companies. Regarding the right to Portability, this will take effect 6 months after the Regulation comes into force.
For more information or in case of any questions on the subject, contact us at the following email: innovacion@cpb-abogados.com.pe
In the pharmaceutical industry, compliance has become a fundamental pillar to ensure that all operations are carried out with integrity, ethics and transparency in order to position itself solidly in the market.
As this is such a relevant sector for public health, ensuring that all activities are carried out in accordance with the highest legal and ethical standards not only protects companies, but also strengthens the trust of patients, institutions, physicians and society in general.
In recent years, compliance in the pharmaceutical industry has led to a transformation in the organizational cultures of the companies that lead the industry. The Chief Compliance Officer and the Ethics Committees have become indispensable figures within organizations that prioritize compliance, ensuring that all business activities are carried out in compliance with ethical principles and the law.
A few years ago, the inclusion of compliance clauses in contracts, such as data protection, codes of ethics and anti-corruption regulations, generated numerous discussions between the parties involved. However, today, this is no longer a topic of debate. Compliance has become global and it is indisputable that these types of clauses must be present to ensure regulatory and ethical compliance at an international level.
Looking ahead to 2025 and beyond, the industry will continue to work on developing effective compliance programs that will enable them to be in line with international regulations.
When it comes to personal data, the adoption of the General Data Protection Regulation (GDPR) in Latin American countries has increased. Pharmaceutical companies must redouble their efforts to ensure the protection of patients’ personal data and comply with international standards. The increasing digitalization and use of big data in research and development makes rigorous management of personal data mandatory to avoid sanctions and maintain public trust.
The fight against corruption will continue to be a priority in the industry. Companies must implement and constantly update their compliance programs to prevent corrupt practices, always keeping in mind the internationally referenced provisions, such as the FCPA and the UK Bribery Act.
A gradual recovery in M&A activity is expected next year, driven by the improvement in financial markets and the strategic need for companies to transform and expand. Compliance will continue to play a fundamental role in these types of transactions, mitigating risks and ensuring that they are carried out efficiently and in accordance with the law.
There is no doubt that support from new technologies will be key to achieving effective compliance programs. Specifically, in regards to:
Risk detection and prevention: AI and machine learning enable the analysis of big data to identify unusual patterns that could signal compliance risks. This effectively prevents fraud and illicit activities.
Process Automation : Repetitive and administrative tasks, such as document review and compliance verification, can be automated, increasing efficiency and helping to reduce the margin for human error.
Informed Decisions: AI systems offer detailed analysis in real-time, facilitating decisions based on accurate and up-to-date data. This is vital for regulatory compliance in a dynamic business environment.
The implementation of AI will not only generate help for companies, but also significant challenges. It is essential to ensure transparency in this type of automated processes and to comply with the regulations and standards in this area, which will be constantly changing due to the dynamics involved.
In 2025, compliance in the pharmaceutical industry will continue to evolve to meet new challenges and comply with stricter regulations. A strong compliance program will not only avoid sanctions, but will also improve the reputation of companies and strengthen stakeholder trust.
It is crucial for pharmaceutical companies to maintain a proactive and continuous approach to regulatory compliance, adapting to changing regulations and leveraging new technologies to detect and prevent risks. By doing so, they will not only contribute to a more ethical and transparent business environment, but will also ensure equitable access to medicines, reaching more patients and reducing costs.
By Vanessa Malcolm, Head of Legal Department at Megalabs.
