The year is 2012, and the biotech you founded has just received FDA approval for a wildly promising product with significant differentiation from other products in its class. You only have 35 employees, but begin to build a lean, incentive-based salesforce to launch your novel commercialization strategy built on a specialty distribution model, high-touch reimbursement support, aggressive marketing tactics, and premium pricing. Hiring a compliance officer is not a priority at this time.

Within a year, you are profitable. You launch the best-performing IPO in 2013, and from there, revenues triple, profits rise, and your stock price increases 300%.

When you hire your first compliance officer it is too late. You receive a subpoena from DOJ requesting documents related to the sale, marketing, and reimbursement of your product.

What follows is a national criminal investigation, five qui tam suits, state AG investigations, congressional inquiries, an SEC investigation, and more than 800 civil suits. By 2020, several of your customers, sales representatives, and managers have pled guilty to conspiracy to receiving or paying kickbacks; the company has paid over $200 million to resolve the criminal and civil investigations; and you, along with other members of your executive team, have been convicted of RICO conspiracy and sentenced to prison terms. The company you built has declared bankruptcy.

If this sounds familiar, it is generally the story of the meteoric rise and catastrophic fall of Insys Therapeutics — manufacturer of the sublingual fentanyl spray, Subsys. While the egregiousness of the conduct and severity of the consequences in the Insys case were exceptional, the arc of this story is not altogether unique. The pharmaceutical industry contains many examples of startups that fail to focus on compliance in the early stages — particularly by the time they designed their commercial strategies — which resulted in preventable consequences for the startups or their acquirers.

For public companies like Insys, consequences can include, among other things, DOJ and SEC investigations. For companies intending to sell or enter into joint ventures, compliance issues at the outset often reveal themselves in due diligence, which could ultimately impact the sale price of the company, retention of personnel, and buyout options — and then result in potential government scrutiny.

While the idea of investing in a compliance program may seem daunting to a young company striving for commercial success, it does not need to. In its well-publicized and detailed guidance on evaluating corporate compliance programs, DOJ has explicitly recognized that there is no "one-size-fits-all" compliance program and that it must make a "reasonable, individualized determination" as to the effectiveness of a compliance program in each case. Moreover, there is no "rigid formula" that DOJ uses to evaluate the effectiveness of a specific program; rather, DOJ expects companies to tailor compliance programs to their risk profiles. In other words, a small clinical-stage biotech does not need a "Big Pharma" compliance program, but it does need to conduct a meaningful and realistic assessment of its risks, tailor DOJ's elements of an effective compliance program to those risks, and be prepared to scale up compliance efforts as risks increase.

So what steps should newer, smaller companies take to implement a tailored, but effective, compliance program?

• Compliance Officer and Compliance Committee: For an early-stage company that does not have a marketed product yet, or just beginning to market a product, bringing on a full-time compliance team may be a challenge. In this situation, consider designating an outside consultant or counsel to guide the company through establishing some of the fundamental elements of a compliance program until a team can be built. Designate a compliance committee, consisting of employees across a variety of functions, and include senior and middle leadership.

• Conduct a Risk Assessment: Compliance personnel and the compliance committee should assess the regulatory landscape and the company's business — including the type of product at issue, the potential promotional strategy, the patient population, reimbursement environment, and geographic reach — to identify the most significant risks.

• Policies and Procedures: Establish a code of conduct, as well as policies and procedures, to instill a compliant culture in the organization and provide specific direction related to the company's most significant risks.

• Training: Provide training on the company's policies and code of conduct. The training can take a variety of formats, but it should be tailored to the content and audience.

• Anonymous Reporting and Investigation: Fundamental to an effective compliance program is establishing a system for people to raise their concerns and for the subsequent investigation of those concerns. Even new companies should establish a hotline, designating the person(s) responsible for investigating hotline reports.

The benefits of a well-functioning compliance program extend beyond preventing potential regulatory scrutiny or a government investigation — indeed, a compliance program can help achieve commercial goals in an appropriate manner in an increasingly complex regulatory environment. Furthermore, when companies find themselves in the crosshairs of a government investigation, a company with an effective compliance program should be able to use its implementation and operation of that compliance program to advocate on its behalf. In its 2020 update to its "Evaluation of Corporate Compliance Programs," DOJ expressly directed prosecutors to consider a company's compliance program when determining whether to bring charges or, if so, as a mitigating factor in a damages analysis.

Regardless of size or stage, companies should take deliberate steps toward developing and implementing a compliance program — with an eye toward explaining how the program has been tailored and continuously evolved to meet the company's scale and risk profile.