The qordata Guide To Developing Key Compliance Indicators


Integrating technology into compliance processes is not news. News is what the latest in this tech-functional collaboration can help achieve.

One of the most exciting developments in the realm of pharmaceutical compliance is data analytics’ potential for automation. It gives compliance and transparency professionals, quantified savings in the time and effort needed to compile and then submit spend reports. In addition, automation achieves reduction in:

  • Risk and exposure
  • Error rates
  • Cost
  • Opportunity cost associated with compliance resources

Compliance professionals already spend most of their time sorting through a surplus of data. With this technique, they can reduce their work, and improve the quality of their submissions by over 70%.

Compliance Automation: How Is It Done?

As the diagram below indicates, monitoring for compliance can be a time-consuming and stressful activity, even if it is done all year round. Compliance/Transparency professionals are accustomed to dealing with large datasets. It is not knowing what is in their data that is stressful. As long as processes are not automated, that stress will remain.
















Now let us revisit the diagram, this time attaching iteration and average frequency.
















The most time-heavy tasks fall in three areas, highlighted in the diagram above. Not by coincidence, this is also the point where most iterations take place. Automation works by reducing and/or eliminating the functional burden at these activity points. It does so with the help of KCIs or Key Compliance Indicators. (Mentioned elsewhere as Key Control Indicators).

What Are KCIs?

A Key Compliance Indicator is a quantitative, periodic metric which measures business performance against risk thresholds that the respective business lines establish in conjunction with compliance. It defines acceptable boundaries for each form of activity, and for each spend category. Like other indicators of organizational health, a KCI is a SMART metric, i.e. it is:

  • Specific
  • Measurable
  • Achievable
  • Realistic
  • Time-bound

Another way to define a KCI is: “A metric, almost always numeric, identifying the point at which an activity has reached or crossed a predefined limit. Exceeding the prescribed limit presents a violation.”

“While monitoring KCIs falls in the Compliance/Transparency ambit, ensuring compliance is everyone’s responsibility in the organization.”

Examples of KCIs include frequency of spend analysis, inspection of the monitoring process; due diligence mechanism. These are broad definitions which are narrowed down with specific figures. For instance, frequency of spend analysis will be broken down into weeks/months or quarters, and so on.

Examples of KCIs include frequency of spend analysis, inspection of the monitoring process; due diligence mechanism. These are broad definitions which are narrowed down with specific figures. For instance, frequency of spend analysis will be broken down into weeks/months or quarters, and so on.

KCIs: Why Do You Need Them?

Why indeed? In the presence of the traditional KPI and the relatively newer KRI (Key Risk Indicator), why do you need Key Compliance Indicators?

KCIs provide preemptive control before Key Risk Indicators become relevant. They highlight areas more widely than KRIs, which limit themselves to one item per indicator.  Because of their audit-friendly nature, they allow companies to make timely actionable responses and accelerate the automation process.

The nature of external audits also gives a good incentive to internalize KCIs:

At FSA, the voluntary self-regulation body from Germany which is a member of EFPIA, the penalty is described as follows:

“As with the other codes, the FSA arbitration board can impose up to 400,000 Euros financial penalties on companies which violate the code. The money is donated to a charitable cause. Furthermore, the arbitration board can publish the name of the company on the internet.”    (FSA)        

Likewise in Bulgaria:

“The ethics committee can impose fines of BGN 2000 to 7 000 (EUR 1 = BGN 1.95583). For repeated misconduct, twice the amount can be imposed. Administrative expenses and fees (BGN 600) are borne by the infringing party.”

And after May 2018, non-compliance with GDPR promises even greater penalty (up to 4% of the worldwide annual turnover of the preceding financial year or €20.000.000 per infringement, whichever is higher).

In USA, CMS Open Payments has imposed similar penalties for violation of Sunshine Payments:

“Applicable manufacturers and applicable GPOs may be audited at any time for compliance to ensure the submission of timely, accurate, and complete reports of payments or other transfers of values made to physicians and teaching hospitals and physician ownership or investment interests.  Applicable GPOs may be audited to ensure the submission of timely, accurate, and complete reports on ownership or investment interests held by physicians and their immediate family members at any time…..CMS requires that your organization keep all records related to payments or other transfers of value for at least five years from the date that the payment or other transfers of value are posted…..Civil monetary penalties (CMPs) of up to $1,000,000 may be imposed on your organization if it fails to report information in a timely, accurate, or complete manner.  Any CMPs collected will be used to implement Open Payments.”  (CMS)

Clearly, the mere threat of a CMP (Civil Monetary Penalty) is not a sufficient deterrent.

According to qordata’s research, pharmaceutical companies, on average pay $3billion in financial penalties and settlements each year.

In January 2017, PLC Subsidiaries was charged $350 million to settle its False Claims Act Allegations by the Department of Justice.

In an industry already much-maligned by the regular publication of Big Pharma Scandal, any tool that promises a reduction of reputational risk is a sound investment.

How To Get Corporate Buy-In

A longstanding—albeit misleading—view held towards compliance is that it is necessary, but does not yield visible organization value—specifically to revenue centers. This obviously presents a challenge when developing indicators related to business risk. How can you—as a compliance/transparency professional—-get the support and openness you need to construct the right KCIs for your company?

For this, you need to be:

  • Consultative: The process with which KCIs are developed is neither top-down nor bottom-up. While it does take input from the relevant teams, it needs to be consultative rather than directive. Understand the reasons behind the input (and even objections) put forward by your sales/business teams.
  • Realistic: It helps to borrow the ‘Critical Chain Method’ when setting timelines and thresholds for business lines. They are trained to ‘under commit and over deliver,’ and in all likelihood may submit timelines that are either cushioned or over-aggressive. Neither works. The Critical Chain Method applies a 50% slash on these deadlines and adds a buffer to the next step in the project. This offers a healthy balance between prudence and actual user behavior. It is also recommended, because it will give your team extra time to master dirty data, thus reducing the probability of error and inaccuracy in the first stage.
  • Solution-Oriented: There will be conflict. You will be tempted to impose punitive timelines and reporting frequency schedules. You may lose patience with the slow pace of adaptation your counterparts demonstrate with the new compliance-based-monitoring system. You may feel that they do not understand the seriousness of regulation, particularly from a punitive perspective. They on the other hand, may complain about the rigidity, inflexibility, and lack of cooperation they face from compliance. Both stances are natural and inevitable. Both sides win when they achieve a workable middle ground. This will happen in an environment of openness, objectivity and for this, the discussion needs to be more frequent and informal. Understand not only the business lines’ processes but also their challenges. Conduct ‘mystery shopping’ exercises, where you may accompany sales reps on their HCP visits, or conduct inquiries independently. Sample the data they submit. Focus on trying to understand rather than trying to diagnose. This mindset helps build trust and encourages the sales teams to be forthright. For objectivity, insights need to be as quantified and visible as possible. You need to give sales/business teams control into the system so that the reports have their ownership first. They should be given realistic deadlines to verify their spend data collect and submit supporting documentation and so on.
  • Forward-Looking: Product launches, new physician engagements, high-profile industry events: These are meant to attract the enthusiasm of your sales teams, and probably will. This may lead them to overcommit. It is your responsibility to have a balanced, realistic view on the potential of each of these opportunities. A good start is to analyze historical trends for similar or related events. For instance, in the case of physician engagement, conducting a historical analysis can help you predict with some accuracy, the expected outcome, and/or the kind of resource investment needed, including frequency of engagement. The analysis may be in relation to location, specialty, drug and/or HCO. If you already have a robust internal data repository, fetching specific datasets can be time-consuming and frustrating. It is far more helpful to have your data presented visually. It takes the conflict out of guesswork and estimates. Discussions emanating from a dashboard that contains a visual representation will lead to more constructive, productive engagement across business teams. The more interactive the dashboard, the better.

The KCI Mechanism

KCIs are quantitative, but they are derived from quantitative and qualitative insights received from internal data and external information. So the process of establishing will involve the concept of triangulation.

Step One: Collecting Datasets

Internal Datasets

Pressure from the Sunshine Payments Act (USA), and the general reputational risk the pharmaceutical industry faces globally has prompted medical drug and device manufacturing companies to develop robust internal datasets. Since spend data publishing is required by law in USA, and by voluntary disclosure via EFPIA in EU, the size of data gets compounded at least annually. This means the earlier an organization starts with spend data reporting, the richer and more helpful the resulting insights will be for internal purposes. To start with, it will help identify trend lines, which can guide future pharmaceutical spend patterns for your company. This will become the foundation on which your Central Data Repository is formed.

External Datasets

Market intelligence, industry reports, and publicly available spend data published on the CMS Open Payments Website database, Industry association pages and company websites forms the basis of relevant external datasets you need.

Why do you need external datasets for reporting?

For those who already have one—or have started using a data analytics solution, these external datasets can be a helpful tool for external and internal purposes. For instance, if you can manage to efficiently gain insights from this dataset, you can:

  • Compare your company’s performance against industry and competitor performance
  • Identify and capitalize on underlying and emerging trends in your drug(s)’ specialty
  • Set realistic and achievable KCIs by viewing industry/competitor/internal outlier history
  • Add direct, visible value to corporate planning and direction-setting with spend data per HCP/HCO in your relevant segment
  • Monitor drug performance as a function of pharmaceutical spend

Step Two: Applying The Mechanism

Now that you have relevant, workable data in one place, it is time to start with the most critical step in setting your KCIs.


  • Begin by identifying focus areas for your company, operative words being, ‘your company’. Priorities within the industry will be custom to the organization—even in an industry as organized as pharma, focus areas will be company-specific. For instance, you could ‘zone in’ on vendor relationships, spend limits/thresholds, or even limit per sales rep.
  • Attach ‘risk weights’ to each of these focus areas. This will be a simple exercise, by the end of which you will be easily able to identify ‘Low Risk’ and ‘High Risk’ areas.
  • Now (re)-visit historical data to learn traditional organizational challenges which contribute to high risk. Has it been sales rep retention? Training issues? Has it been pushing sales in a certain region, or towards a certain demographic? Is there a seasonal/industry cycle that your company is regularly susceptible to? In this step, you identify what they are, and prioritize the top three.
  • As the saying goes, ‘You can’t manage what you can’t measure.’ With data, focus areas and the problem with you at this stage, your challenge will be knowing how to convert KCIs into quantitative indicators. Avoid the temptation to be too simplistic here. For instance, in the case of high-risk vendors, sales figures will not be a good indicator. (We can safely assume most transactions in these cases are undocumented, or incorrectly documented). So you need to think one step ahead. Ask yourself: What brought my attention to this issue in the first place? Was it strong presence of a brand in a certain area but low sales? (Or vice versa?) Did a sales rep identify sales in an area with no designated vendors/distributors? For compliance professionals without data analytics solutions, this means combing through large datasets, and identifying a combination of anomalies across a period. You will get your answers by applying simple rules to a combination of internal and external datasets.
  • Got an answer to the fourth point? Good. That means you have successfully identified a trigger. The larger your organization, the more sophisticated these triggers will be.

  • KCIs revolve around the concept of automated alerts, and this is what triggers help generate. This is demonstrated in the following example:
  1. Each sales rep has a monthly spend threshold of $100 per HCP.
  2. For many months, one HCP has been receiving spend equivalents of $199, from one sales rep with no scripts generated.
  3. If, for the current month, the sales rep repeats the $199 spend with no script, an automated alert will be generated, going to you (the compliance/transparency professional); the sales team leader and the sales rep.
  4. The sales rep will be obliged to present TOV Detail, which is an explanation and supporting evidence of why the KCI violation took place. It will determine whether you ought to proceed with an investigation into the spend violation or not.
  5. The extent of the violation ($100- $199) will be visualized by color coding or a symbol. This is the Summary.
  6. The KCI is the $100; the trigger is the point at which the $100 limit is crossed. i.e. an alert will be generated even if the spend is $101.

Helpful Tips:

  1. When establishing KCIs, start by at least twelve per function. You can always narrow it down.
  2. Two magic words in KCI Implementation are: “Focus” and “Mechanism”. To test the strength of each indicator, you need to see how targeted it is, and if its procedure (mechanism) has easy and swift traceability.
  3. When prioritizing focus areas and traditional challenges, it pays to do a cost-benefit analysis against the time required per task.

KCIs, Compliance And Monitoring

The process of setting up KCIs makes your datasets much more manageable from a compliance perspective. It also gives your function the flexibility of active and passive monitoring. With it, you have the liberty to take action when you need to. It is very effective in cases where suspicions fall on internal miscreants—triggers mean you can monitor them without (or before) the need to become confrontational.