Calvin London (calvin@thecomplianceconcierge.com) was the former head of Business Operations and Integrity in Celgene Pty Ltd, Australia and New Zealand. He is now the Founder and Principal Consultant of The Compliance Concierge.
Much of my career has been in disciplines that have required standard operating procedures (SOPs). I shudder to think how many SOPs I have authored, reviewed, and/or approved. Every healthcare compliance guideline or regulation has the expectation that SOPs (aka procedures/processes) will be an integral part of your compliance program.
A new International Organization for Standardization (ISO) standard has recently been developed to provide guidance on compliance management systems and their use (ISO 37301)[1] to replace the old standard ISO 19600:2014 that covered this topic. The Office of Inspector General provides specific guidance to a number of healthcare professionals, hospitals, and nursing facilities, as examples.[2] Guidance on compliance programs for pharmaceutical manufacturers has also been provided. These documents provide information on how to structure an effective compliance program. Each includes reference to policies and procedures.
In June 2020, the U.S. Department of Justice updated its guidance for evaluating compliance programs,[3] with specific focus on the effectiveness of the program. Effectiveness is measured by how well the program was designed, resourced, and how well it works. A whole section of this update is dedicated to policies and procedures and includes discussion on the design, comprehensiveness, accessibility, responsibility, and who the gatekeepers are.
Most compliance regulations and guidance documents go something like this: “The corporation must demonstrate a robust code of conduct supported by established policies and procedures that reinforce the compliance culture into day-to-day practice.” Clearly there is a need for SOPs. However, whether your SOPs are actually helping or hindering the business (and your compliance) is a question worth asking every so often. When was the last time you actually looked at your SOPs not with an eye to meeting regulations or guidance but rather with an eye to “do they really give me what they are meant to?”
What makes good compliance SOPs?
There are books written on what makes a good SOP, and there are also many opinions as to what a good SOP is. Good documentation 101 will tell you that procedures are the “how to” documents of polices. Policies define what is required, and procedures then become the instructions on how to achieve the requirements in a consistent and structured fashion.
There are many ways to structure SOPs. What format you choose and what subheadings you use is personal, and it should be. Picking the appropriate format for your SOPs needs some consideration. There are also many different versions of SOP templates and proposed content to choose from. This discussion is not about the format of SOPs, but rather consideration around the content and use of their effectiveness. Beyond structure, which should fit the needs of your organization, there are three key points to a good SOP: consistency, conciseness, and context. How you address these three aspects will determine whether your SOPs become your friends or foe (a drain of resource that do little to provide consistent instruction and direction).
Consistency
Having a standardized format for SOPs is only the first step. What goes in your SOPs is the most important aspect. SOPs need to communicate a clear message, in a concise fashion, with clearly defined expectations.
Regardless of the format chosen, retaining the same format across all SOPs provides employees with a hidden road map as to where they will find information. For example, SOPs should reference who is responsible for the action and the review and approval of the action, as appropriate. Many companies have a dedicated section for responsibilities, while others use bold type or different colored font to indicate a responsibility. Both are appropriate, but of the two, the second approach avoids unnecessary repetition in the text of the SOP. In today’s technological age, this is not a difficult thing to achieve, especially if your SOPs are sourced or retained electronically. As long as there is consistency, the SOPs will be better reference documents.
Conciseness
Some SOPs become relics even before they have been approved. An SOP that is 40 pages long—yes, they do exist!—is not going to be used effectively. Adrienne Escoe in her book The Practical Guide to People-Friendly Documentation[4] provides an anecdote applicable to SOPs called the “Thud Test.”
She describes how one of her clients assesses the quality of their SOPs. After completing each piece of documentation (in this case it was manuals), they drop them on the floor. The louder the thud, the happier the client. It is not the quantity of instruction, but the quality of instruction that is important. Larger organizations may fall victim to the “Thud Test” when they allow compliance SOPs to be drafted by quality personnel. Don’t get me wrong, I have nothing against quality personnel, but they will have been trained to meet every aspect of instruction because that is what is mandated by most regulators in their area (e.g., U.S. Food and Drug Administration).
For example, an instruction on how to complete a funding application form should not be as detailed as:
“Sit down at your desk and do not take any calls until you have finished. Commence with section 1, complete all sections 1 through 10 in Courier 10-point font, and then save the form.”
Nor should it be as simple as: “Fill out the form and save it.”
Neither of these two approaches provides useful instruction. The first contains irrelevant information—it doesn’t matter where you sit, and it doesn’t matter if you take calls until the exercise is completed. The objective is to complete the form accurately. The second approach provides little if any instruction, and neither example indicates which form to fill out. A better version would be: “Complete Form [xx] with the required information for all sections. When finished, save the file in folder [yy] under the application name and advise compliance who will process the form.”
You don’t need a baseball bat to kill a fly, but you will probably need a flyswatter—the right tool for the right job. Specific details if required can be built into a controlled form when required. This has the added advantage of keeping the specific requirements directly associated with the place of recording the requirement or the response. As a rule of thumb (from my experience), the shorter the compliance SOP, the better, and any SOP that is longer than 10 pages should be reassessed and/or subdivided.
Context
SOPs should interact with each other to form a web of instruction, just as policies combine to create the essence of a compliance program. They should also cross-reference each other to provide the complete picture. This approach will facilitate having SOPs that are not too long and that will retain their relevance. Some schools of thought frown upon this approach, stating that it is too difficult to manage a suite of SOPs with cross-references. From my experience, these views are usually in companies that have too many SOPs or an ineffective document control system. One of the simplest ways to effectively cross-reference SOPs is to establish a traceability matrix that lists the SOPs and their referral points. This will allow traceability at the time of review or when new SOPs are developed.
Another important aspect of context is to ensure the end users of the SOPs are involved in their creation. Involving employees that are going to use them will hopefully ensure that the SOP instruction is relevant to the task at hand, rather than the impression of what is required by a manager who will never perform the task.
