Guest Column | December 22, 2017

Top 10 Risks To Life Sciences Companies In 2018

By Tracey Keele, KPMG


The new year is just around the corner, signaling a fresh start and new beginning. Janus, the Roman god of new beginnings and namesake of the month of January, likely inspired our familiar tradition of reflection and resolution this time of year. Janus had two faces, which allowed him to look backward to the past and forward to the future.

As we ring in 2018, how can we apply this tradition to our organizations, reflecting on organizational health and sustainability and what will make us stronger in the year ahead?

At KPMG, we developed a Top Risks and Trends for 2018 list to highlight critical risk challenges facing life sciences companies today. How is your organization responding to these risks and opportunities to drive the health of your organization in 2018 and beyond?

1. U.S. Government Pricing

Governments are under tremendous pressure to curtail healthcare spending. Regulators are focusing on a range of issues including price gouging, price fixing, specialty pharmaceutical pricing, co-pay coupons, patient assistance programs, and timely, accurate statutory reporting for government programs.

This is a complex, technical area subject to a high level of interpretation and change. Based on the level of complexity and scrutiny, this should be an area of continued attention and independent review.

2. Patient Support Programs

Patient support programs (PSPs), which aim to improve patient care outcomes and experiences, have evolved beyond prescription adherence to benefits/insurance verification, financial assistance, scheduling, and patient counseling and education. These programs vary widely in design and application and introduce a range of risks including, but not limited to, kickbacks, off-label promotion, safety and pharmacovigilance, and inadequate safeguards over patient data and privacy.

3. General Data Protection Regulation (GDPR)

Greater connectivity in healthcare technology creates new challenges and risks to protect data. The EU’s GDPR, which goes into effect May 25, 2018, addresses threats that compromised personal data pose to the public. Fines for failing to protect data pose a big risk to life sciences companies and can cost up to 20 million euros or 4 percent of global revenue, whichever is greater. All indications are that Data Protection Authorities are serious about enforcement. This complex and nuanced regulation will take significant time, effort, and investment to implement.

4. Third-Party Risk Management

Third-party interactions in this highly regulated industry carry significant risk throughout a company’s operations, including drug discovery and development, manufacturing and supply, sales and marketing, and operational and administrative support. The volume of interactions with business partners creates multiple risks regarding kickbacks, off-label promotion, contract compliance, cybersecurity, and relationships with clinical research organizations and contract manufacturers.

5. Anti-Bribery & Corruption

This is not a new risk for the life sciences industry, but it remains a top one due to the regulated nature of the industry and reliance on government officials for development, marketing, manufacturing, and distribution. The life sciences industry is particularly exposed under anti-bribery laws in countries where healthcare practitioners (e.g., doctors, nurses, pharmacists) are employed by national health systems and considered government officials. Regulators continue to focus on cross-border cooperation and enforcement.

We continue to see a disproportionate level of anti-bribery/anti-corruption concerns arising from China, southeast Asia, the Commonwealth of Independent States (Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, and Ukraine), Eastern Europe, west Asia, and Latin America.

6. Cybersecurity

The number, scale, and sophistication of cyber breaches continue to grow, despite investments in data protection. It is now widely accepted that it is not a matter of “if” your company will be impacted by a cyberattack, but “when.” There is genuine cause for frustration, and “cyber fatigue” is weighing upon many organizations inside and outside life sciences. However, losing vigilance can have catastrophic consequences (e.g., loss of intellectual property, loss of data supporting clinical trials).

KPMG’s survey of life science executives in charge of data protection in 2017 found financial information, intellectual property, and clinical research to be the assets most vulnerable to attack. With nation-states now the most likely source of cyberattacks, the focus on intellectual property and R&D data will only intensify, raising the stakes for life sciences, an industry that relies on collaboration and data exchange to fuel innovation.

7. Social Media/Digital Marketing

Connecting with patients online — especially via social media — creates a huge opportunity for life sciences companies, but it is coupled with governance challenges and exposure to a range of risks. Content is viewable and accessible to a global audience beyond customers, including employees (past and present), shareholders, competitors, detractors, and regulators. Companies need to actively consider and manage risks in areas such as adverse event monitoring and reporting, data privacy, off-label promotion, intellectual property, and reputation.

8. Serialization

Life sciences supply chains are grappling with evolving serialization regulations globally and escalating challenges — country-specific readiness, master data management, artwork change management, sustainability of compliance, and internal packaging site and contract manufacturer preparedness. These regulations — where the FDA and EU have key milestones coming up in 2018 and 2019, respectively — aim at reducing the risk of fraud and counterfeit products by marking each salable product unit with a unique identifier.

9. Opioids

Manufacturers, wholesalers, and distributors are under increasing scrutiny, and some are facing legal action for alleged irresponsible sales and marketing practices and for failing to address market oversupply of opioids, given the spike in overdose deaths in recent years. Internal auditors must encourage organizations to go beyond compliance with the letter of the law, since it is likely only a matter of time before the spirit of the law starts to affect the manufacture, supply, and dispensing of these drugs.

10. Accounting Standards

New accounting standards affecting revenue recognition and lease accounting are complex and highly technical. ASC 606, the revenue recognition standard for public companies that is effective Dec. 15, 2017, represents arguably the most significant change in accounting standards in recent history and requires fundamental changes to people (e.g., resourcing levels), processes, and technology that necessitate substantial time and investment. The new lease accounting standard takes effect just over a year later on January 1, 2019, for public companies and has a significant impact on medical equipment leases, which may change how capital spending is planned.

The new standards represent a seismic shift in expectations. Further, there is an absence of clear guidance, requiring significant interpretation and judgment by management. This is a top risk for 2018 because the new standards are complex, companies are tracking behind in their readiness, and implementation and related disclosures under SAB 74 will be closely scrutinized by the Securities and Exchange Commission.


The life sciences industry continues to face a myriad of issues, including the opportunities and risks associated with digitization, culture, and managing the costs of compliance. Although many of these issues have been longstanding, the risk environment continues to evolve and, in some cases, intensify. In this highly regulated industry, we see too often an over-emphasis on compliance and the letter of the law, versus a balanced compliance and ethics approach that also emphasizes the spirit of the law. A greater focus on culture, how decisions are made, and which behaviors are valued and rewarded can significantly bolster risk management efforts.

Internal auditors and other risk/compliance executives play an important role in helping their organizations navigate this challenging and transforming risk environment. What resolutions can your organization make in 2018 to improve its health and sustainability?

About The Author:

Tracey Keele, a KPMG partner who leads the firm’s Pennsylvania Internal Audit and National Life Sciences Internal Audit Practices, has 20 years of experience with audit, risk management, and governance-related matters. She has served in various leadership roles within a $40 billion multinational company, with responsibilities spanning geographies, risk areas, and business units.

Keele helps organizations better understand their risks and take action to preserve and create value. Among other topics, she helps organizations understand the critical role of culture in risk management and how to build culture auditing programs. Keele designed and implemented a culture auditing program that transformed the impact of internal audits and catalyzed cultural change. She leads KPMG’s culture auditing services within the U.S.