
Business Process Vs. Compliance Process: What's the Difference?

Some processes are 'by the book,' while others are -- well, given more latitude for interpretation.

Having recently flitted about on several of our finest air carriers across several continents, I have thought about how certain practices by the flight attendants are predictably consistent, and others vary. For example, we’re always told to turn off our electronic devices at the point when the airplane doors are closed. However, when it is time to hand out the pre-landing buttery mint, some flight attendants express their individuality with more flair than others.

This got me thinking. Some processes are "by the book," while others are -- well, given more latitude for interpretation.

In our industry, I have come to the conclusion that this is often explained as the difference between a "compliance process" and a "business process." Ordinarily I would give a simple nod of assent that not everything a pharmaceutical firm does is regulated. But lately it seems that the expression "business process" is broadly and dismissively used as an excuse for not having an approved procedure.

Once upon a time there was a General Manager who reacted to a history of ill-conceived, redundant, and ineffective CAPAs that clogged the system. He wanted to get control of this problem once and for all by personally reviewing all CAPA proposals prior to entry into the formal electronic CAPA management system. He claimed that this was just a "business process," and that the "compliance process" started at the point he allowed a record to be initiated in the database. After all, the electronic database was the "official, validated system." This also meant that his personal little "business process" did not require an approved procedure, nor was there a need to record the decisions.

I have problems with this specific example, as well as a general pang about this whole “business” versus “compliance” thing.

First, the specific. As well intentioned as this GM’s initial review of proposed CAPAs may be, any process or decision that has an impact on the quality of a product, process or system is a CGMP compliance process. The initial review by management must be described in a written procedure approved by the Quality Unit, and the decision, and who made the decision, must be documented.

Besides, doesn't this rather unorthodox practice give the impression that company management is just doing an end run around the Quality Unit? I can think of a list of questions to ask, such as: What criteria do you use to screen out a proposed CAPA? How do I know that it's not based on the cost of the solution? How do I know that you aren't trying to hide something?

Frankly, I really don't think there was anything sneaky going on. But, what do I know? How could you prove otherwise? There was no procedure or record.

There is also a bit of irony about pre-screening proposed CAPAs. Management was trying to improve the overall effectiveness of the CAPA system by ensuring that only legitimate and well-conceived proposals were being agreed upon. However, they failed to identify the root cause of the historic ineffective CAPAs and to, well -- develop a CAPA for ineffective CAPAs. Had they done so, they would have discovered that the Quality Unit had differing views among the reviewers as to the criteria for a well-written and complete CAPA proposal. Solving the QA reviewer problem was the ultimate answer, not adding an additional layer of review.

All this aside, allowing the language of “business process” and “compliance process” into our phraseology just further creates the great divide in our minds that CGMPs are just a “bolt on” to what we do. Such thinking entrenches the attitude that “business” is what we really do, and “compliance” is those other things we do to keep the “bogey man” from giving us a 483.

It has ever been my experience that the firms that struggle the most with achieving sustainable compliance and a state of control are those that cannot appreciate the value and superordinate goals of CGMPs and integrate them with the daily operation -- in word and deed.

Do you find yourselves using “business process” and “compliance/CGMP process” to make some sort of a distinction at your firm?

What exactly is the distinction you are trying to make, and why?