Friday, December 13, 2013

Johnson & Johnson case study

The below is the Health Care Compliance and Ethics section from the Johnson & Johnson 2012 Citizenship & Sustainability Report.

Alleged wrongdoing of Johnson & Johnson has resulted in a $2.2 billion fine, as reported in the November 4, 2013 Wall Street Journal article posted here.

This is a candidate for a case study by the ethics and compliance community.

I have written this email to the J&J Chief Compliance Officer.

Health Care Compliance and Ethics

The ethical principles embodied in Our Credo are the lenses
through which our employees make thousands of business
decisions each day. To help ensure that we conduct business
according to these principles, we have an extensive list of
policies and procedures that define what we expect of our
people and our business partners throughout the world. Our
well-established policies and procedures cover all major
categories of corporate conduct and are consistent with the
legal requirements of all locations and constituents where
the Company conducts business. Policies and procedures are
supported by training and communication plans. Compliance
is achieved through controls, audits, reviews and certifications
ranging from company self-assessments to independent audits.
Policies related to codes of conduct are established at the
Corporate Headquarters and are communicated and executed
at all of the Company’s global business units. Policies and
procedures most often have established preventative controls
(policies, reviews and approval requirements) and detective
controls (after-the-fact reviews) with the requirement to escalate
to the Corporate Headquarters (Escalation Policy) violations that
may require investigation, potential disclosure and disciplinary
The Company has an extensive Credo Hotline system where
access (by phone or website) is communicated to employees
annually and readily available to all employees, vendors,
distributors and customers. The Credo Hotline is anonymous
and executed through an independent third-party provider. A
well-documented process exists to ensure that all Credo Hotline
calls are reviewed, investigated (when needed) and responded
to according to protocol.
Codes of Conduct: Our primary policies and codes of conduct
include Our Credo, our Policy on Business Conduct and our
Health Care Business Integrity Guide. They are supported by
our Credo Hotline and in-person resources, and failures are
addressed with disciplinary actions.
Our Credo: This document defines the ethical values required
of all employees and business partners of the Company. The
annual and biannual anonymous Credo Survey, open to all
employees, gauges employee attitudes toward the Company’s
and their individual obligations to the Credo. Survey results are
reviewed at all levels (from individual operating unit departments
to the Executive Committee) and action teams are often formed
to address opportunities to improve Company culture.
Policy on Business Conduct: The principles of Our Credo
and requirements of the law are embedded in the Policy on
Business Conduct. The policy is communicated across the
enterprise and training on compliance is made available to
all employees. Compliance with communication, training and
execution of specific aspects of the policy are assessed by
Internal Audit. Each business unit and approximately 400 senior
executives are required to certify compliance with the Policy
on Business Conduct annually. Exceptions reported during the
certification process are independently reviewed, investigated
and documented by the Law and Audit departments; the results
of the certification are reviewed with the Regulatory, Compliance
and Government Affairs (RCGA) Committee of the Board of
Health Care Business Integrity Guide: Legal requirements
of Health Care Compliance and the Foreign Corrupt Practices
Act are embodied in the Health Care Business Integrity Guide
(HCBIG). The HCBIG is available to all employees on the
Company’s website; training is required and documented for
all employees in health care–related positions. Adherence
is verified through ongoing independent audits and operations
testing conducted by Internal Audit and Health Care Compliance
& Privacy. Information on reviews are part of regular updates
to the RCGA Committee of the Board of Directors. Where
process reviews identify questionable activities, these issues are
escalated to the Triage Committee and for-cause investigations
Johnson & Johnson has a system for annual certification by
senior management on compliance with its anticorruption
policies and procedures. The results of this certification process
are also shared with the U.S. Department of Justice as part
of Company’s commitments under its Deferred Prosecution
Credo Hotline: Beyond the controls built into various policies
that define the Company’s code of conduct, all employees,
vendors, distributors and customers have the opportunity to
anonymously report potential violations of policy or law through
the Company Credo Hotline, available by telephone or website.
Additionally, anyone can report allegations through other methods
(phone calls, emails, etc.) within their local business unit or to
the Audit, Law and Security or Human Resource organizations.
All Credo Hotline reports are routed by the external vendor to
Corporate Internal Audit, which triages the reports to corporate,
business unit or operating company personnel on the basis of an
established algorithm for follow-up investigation and action. In
addition, a Triage Committee comprised of the Chief Compliance
Officer, Internal Audit, the Law Department, Worldwide Security
and Human Resources reviews the serious allegations to
determine the best means to investigate.

In-Person Resources: Each substantial operating company
has its own health care compliance officer, part of whose job is
to help ensure compliance with, and provide guidance on, the
Company’s policies. In addition, the Company’s Law Department
also provides direct guidance and training on the Company’s
Disciplinary Actions: Failure to comply with the Company’s
policies can and does result in disciplinary action, including, but
not limited to, warning letters, impact on annual performance
and/or compensation, and termination of employment.
Compliance with the Company’s policies is also embedded
within leadership imperatives for all senior leaders.
Anticorruption Training
Bribery of any form, including contributions and donations,
are part of the key elements of the Health Care Business
Integrity Guide.
Johnson & Johnson policies require anticorruption training for
employees who may present a compliance risk to the Company
and places a significant emphasis on the training requirement
to ensure compliance. In 2012, two courses were combined
into one and given to meet the requirement: “Health Care
Business Integrity for J&J Employees” and “Understanding
the U.S. Foreign Corrupt Practices Act (FCPA).” This training
emphasizes U.S. and international anticorruption and anti-bribery
laws and describes how to identify health care professionals
(HCPs), governmental organizations (GOs) and HCPs who are
deemed GOs. The training covers all aspects of the Health Care
Business Integrity Guide, including charitable contributions,
donations, third-party intermediary (e.g. distributors) and
cross-border interactions, all of which are deemed as high-risk
In 2012, Johnson & Johnson operating companies met the
training goal, as tracked by an online training application,
with training completed for more than 79,000 employees.
In addition to our own employees, we also hold many of
our critical third-party intermediaries, such as distributors,
accountable to the Company’s policies. Due diligence
and background checks are regularly conducted on sales
intermediaries to help ensure compliance with our policies. In
addition, the Company requires that its sales intermediaries
be trained in the requirements of the HCBIG, and that
contracts include specific contractual commitments to abide
by all applicable anticorruption laws, comply with our HCBIG
policies when interacting with customers on our behalf and
allow for auditing of their activities. Training is also provided
to third-party intermediaries to help ensure understanding of
the Company’s policies. Regulatory compliance of suppliers
and vendors is monitored and audited by our Regulatory
Compliance and Procurement organizations. Internal Audit
performs annual contract reviews of a number of key vendors
to ensure compliance with agreed upon contract provisions and
requirements. Any allegations of impropriety raised regarding

business dealings with third parties are documented and
investigated by Internal Audit, the Law Department or other
appropriate organizations within the Company.
Reporting Breaches: Information is reported up internally
within the organization to senior management and, as
appropriate, also shared with the Executive Committee, the
Board of Directors and/or the external auditors. Many breaches
are subject to confidentiality, legal, privacy or other similar
restrictions and, therefore, are not publicly disclosed. However,
this information is reported externally in our public filings if it
meets the criteria for requiring public disclosure.

No comments: