In a prior blog post, I wrote about the issue of whether corporate boards of directors could be confronted with the issue of whether they could be held liable for not implementing a reporting or monitoring system for compliance with current good manufacturing practice (CGMP) regulations enforced by the Food and Drug Administration (FDA). I based my discussion on the decision by the Delaware Supreme Court in the case Marchand v. Barnhill et.al., No. 533, 2018 (Del. June 19, 2019).
Marchand involved Blue Bell Creameries, a large manufacturer of ice cream, which had experienced a listeria outbreak. This outbreak contaminated its products and led to the death of three people in 2015. The company recalled its products and shut down production.
The listeria outbreak followed years of alleged problems at Blue Bell’s manufacturing plants. There was abundant evidence of Food and Drug Administration (FDA) and state regulatory findings of compliance failures from 2009 to 2013 and a series of repeated, positive tests for listeria at the company’s plants beginning in 2013.
The Supreme Court noted that because Blue Bell’s only product was ice cream, food safety was one of Blue Bell’s central compliance issues. In its decision, the court determined that no system of board-level compliance monitoring and reporting existed at the company even though management was aware of food safety red flags.
The Court reached this conclusion despite the presence of safety procedures as part of the company’s day-to-day operations—e.g., employee safety manuals, occasional audits, and inspections by governmental regulators. But such day-to-day operational safeguards are inadequate for the board to give attention to the company’s central compliance risks.
Another recent case involves the issue of board of director liability for alleged lapses in oversight of compliance in a highly regulated industry - this time involving drug development and not manufacturing quality. In re Clovis Oncology, Inc. Derivative Litigation, 2019 Del. Ch. LEXIS 1293 (Del. Ch. Oct. 1, 2019). Clovis Oncology, Inc. was a small biopharmaceutical company that had no products on the market but had one especially promising cancer drug (rociletinib, or “roci” as the court referred to it) in its development pipeline. Given the centrality of “roci” to Clovis’s business prospects, the court referred to “roci” as the company’s “mission critical product” like the importance of ice cream to Blue Bell’s business in the Marchand case.
The early clinical results for “roci” were encouraging, but later trial data revealed that the drug was unlikely to gain FDA approval. When it became clear to investors that the FDA would not approve the drug, Clovis’s share price dropped precipitously. The plaintiffs sued the company’s board of directors claiming the same type of underlying facts of regulatory non-compliance that were present in Marchand – alleging that the board of directors breached their fiduciary duties to monitor the company’s operations by ignoring red flags that the company was not following FDA regulations and the clinical trial protocol submitted to the FDA and permitting inaccurate data to mislead the FDA and investors about the drug’s efficacy.
The Court described the company’s “serial non-compliance” with the protocol and FDA regulations, with the most crucial being its reporting of the drug’s objective response rate (“ORR”). The ORR measured the percentage of patients experiencing meaningful tumor shrinkage verified by confirmation scans. The company consistently told the FDA and investors that the drug achieved certain ORR rates.
The board, however, received reports that the ORR was inflated. Clovis, 2019 Del. Ch. LEXIS 1293 at *31. The company argued that the FDA had agreed with its plan to report unconfirmed responses and that FDA guidance was not as clear as investors had alleged.
In Marchand, the Delaware Supreme Court held that the ice cream company did not “make a good faith effort to put in place a reasonable board-level system of monitoring and reporting.” Marchand, 212 A.3d at 824.
In Clovis, by contrast, the company had created such an oversight system where a board committee was specifically charged with “compliance oversight” and the full board reviewed detailed information about the company’s clinical trials. Instead, the court found that the allegations were sufficient based on the board’s failure to respond to the red flags that the oversight system identified.
Focusing on the board’s alleged failure to monitor established systems in the face of “red flags,” the Court described Marchand as requiring that “when a company operates in an environment where externally imposed regulations govern its ‘mission critical’ operations, the board’s oversight function must be more rigorously exercised.”
Because “protocols and related FDA regulations” governing the company’s clinical trial were “mission critical regulatory issues” for the company’s “mission critical product,” the court determined that the plaintiffs had sufficient facts to demonstrate that the board consciously ignored red flags from management’s departure from the clinical trial protocol and misleading public statements by failing to correct the company’s reporting. Clovis, at *28, citing Marchand, 212 A.3d at 824.
How can the pharmaceutical industry apply these two recent court decisions that involve the adequacy of regulatory compliance systems for companies that are doing business in a pervasively regulated industry? Here are a few suggestions.
- Clearly identify the processes, operations and products that present “mission critical” risks to the company, such as leading development candidates in a pipeline.
- Ensure there are appropriate board-level reporting systems for each critical risk, so the board is aware of the company’s key risks and ensure that the management reporting system produces actionable board-level information about each one.
- A board must implement a reporting and controls system and monitor its functioning.
- Assess whether there are enough directors with the necessary expertise to engage with management on the critical risks, such as pre-approval drug development.
- Firms should ensure that there are processes in place to enable boards to regularly spend adequate time on regulatory compliance issues.
The adequacy of board oversight of regulatory compliance will be closely examined when a non-diversified company like a small or start-up biopharmaceutical has a “mission critical” product such as a promising drug in development and operates in an industry heavily regulated by government agencies such as the FDA.
Directors must do more than rely on regulatory compliance programs operating within the organization or delegate responsibility to management. Directors must understand the organization’s critical regulatory compliance risks, receive reports on those risks, and act on any red flags presented to the board.