Thomas Pfennig, Global Head of Compliance and Data Privacy, Bayer AG

Thomas Pfennig is the Global Head of Compliance and Data Privacy at Bayer AG, a multinational life sciences company based in Leverkusen, Germany and a global leader in the fields of healthcare and agriculture. Thomas oversees all compliance activities within Bayer’s divisions and global functions, including the implementation of LPC Express—an ambitious effort to centralize legal compliance and data privacy departments into a global shared services function facilitated through a digital platform. In this exclusive interview, we ask Thomas, one year after rollout, how has LPC Express made life better for Bayer?

You have put an extraordinary amount of work into creating LPC Express. What have been its greatest successes, so far, and have there been any unexpected challenges along the way?

LPC stands for Law, Patents, and Compliance, and Express really describes the fast-service renderings that we are offering in the organization. Before making such a change possible, we had to define and implement globally harmonized processes and approval workflows. We also had to contemplate country deviations in case of local specifics. Essentially, this meant mapping our portfolio and defining its processes to make them run smoothly in a digital environment. That was the first step.

In 2020 and 2021, we implemented the first wave of compliance and data privacy use cases—such as third-party due diligence, data privacy services, fair market value approvals with respect to interactions with healthcare professionals, gift approvals, charitable donations, and global training processes—and put them on the platform. We also harmonized our internal investigation workflow with a uniform global case management platform as part of our LPC Express service.

When you move a lot of operational activities from countries to regional hubs, you need to collaborate with your local teams so it is clear what stays within their portfolio and what goes into these hubs. For us, these are all recurring transactional automatable activities.

Then, in order to staff these new express centers, you need to hire talent in APAC, EMEA, and the Americas—the three regions that we are covering with our LPC Express centers. The folks we have hired are very service-oriented, tech-savvy and, of course, extremely knowledgeable with respect to compliance and data privacy.

We are now generating large sets of data out of the platform to drive analytics and optimize reporting, something we were not able to do before. I am very proud of that.

The platform is very consumer-centric. We are constantly aiming to optimize quality of service and user experience, and that’s reflected by the feedback we are collecting, which is now at 4.1 out of a possible five stars. It’s extremely satisfying to see that our clients in Bayer are accepting and adopting the services at a level that is satisfying to them.

As of last year, the next planned phase for LPC Express was to add new processes, refine existing services, and bring new countries into the scope of shared services, including Bayer’s U.S. organization. How has that progressed so far?

We are heavily leveraging the project management skills of our shared service centers, primarily rendering HR services or accounting payment services and the like. We are really a front runner also within Bayer to integrate Compliance, Legal, and Data Privacy services into such an environment. We deliver according to a clearly defined roadmap with milestones overseen by a steering committee that I am a member of, so I can say that we have been really delivering.

Now, the U.S. and China are within scope. Originally, we were not going to touch them because this was such a new approach. We wanted to gain experience first on how it would be adopted in the organization and how the new processes would run. Now, roughly 18 months into the process, we can really say the processes are running very smoothly. The organization has adopted the new services and innovations, and the savings that we have achieved with this new model are ready to be leveraged in the U.S. and China as well. There, it will start with third-party due diligence or assessments and approvals. The U.S. and China both have new data privacy laws, so data privacy offerings will be handled out of LPC Express as well.

It’s a dynamic process, requiring a lot of alignment. We don’t want to generate new risks, we want to maintain the risk profile that we had prior to establishing this new environment, so we really need to make sure that we are going in a way that is also comfortable for our U.S. and Chinese colleagues. But progress is being made, and we are confident that LPC Express will equally achieve positive feedback in those two countries as well as the rest of the world.

What have other functions within Bayer learned from your experience with LPC Express?

This is not an exercise that we in Legal, Compliance, and Data Privacy are pursuing on our own. The entire enterprise is reorganizing and restructuring. We have support from the very top of the organization, but we are not operating in a vacuum. Every function within the company has been essentially running in the same direction of digitalization—pruning services, prioritizing, and of course, automating.

Of course, there are deviations and some functional specifics. For example, when it comes to the digital environment, we are running this on a platform powered by ServiceNow and an implementation partner in Germany. These two external partners are unique to Ethics and Compliance because we are shifting a portfolio into LPC Express that no other function in the company is offering. So, there is not much comparability, frankly speaking. But when it comes to advancing a mindset change, that is something that everybody in Bayer is pursuing. It is like we are moving from a travel agency—where you sit down with your travel agent to arrange your journey—to an online booking service where you essentially do things yourself with the help of an online tool. Others in the company describe the transition as going from a white-glove dining service—especially with respect to some compliance and data privacy counseling—to a healthy “fast casual” meal, where people don’t have to wait until the person in the office is available.

Our platform is there 24/7 and is extremely standardized. We use a lot of knowledge management, which is a really critical element that can be leveraged beyond LPC. It would be a challenge if an organization would only let its LPC Legal and Compliance team transform into a new digital area.

Part of Bayer’s digital transformation has been to automate repetitive, low-value compliance tasks and free up your team members to perform more strategic, higher-value work. How has that worked out for you so far?

Before we went operational with this new approach, we sat down with our colleagues in the countries, our business clients, and our commercial leads to identify the three buckets of service offerings in Legal, Patents, and Compliance. About 30 percent of our portfolio is contracts—this is in a digitized Contract Center environment now. Then we have 40 percent transactional, recurring, low-risk, and not necessarily local, specific tasks. And then roughly 30 percent of the overall portfolio is staying within the countries with very senior legal and compliance professionals who have more time to dedicate their capacity to high-risk, must-win commercial activities.

We were innovating and restructuring with some savings targets in mind—up to 30 percent in some regions—meaning you would need to compensate for lost headcount. We have delivered towards those expectations. We have not let our local functions essentially handle the consequences without support from the Contract Center and LPC Express. So overall, this has gone very well.

Moving your organization into those new spheres requires a lot of alignment within your own function. Bayer’s Legal and Compliance team comprises 35 regions across the world, serving 200 countries, so I have lost count of the calls that we have had over the last two years to make sure everybody understood what is expected from them in the future, or how to transition a client from in-person, local counseling into a ticket-like digital platform. This is a critical part of change management that we really need to continue.

We also have much better transparency now into the time and quality of services, both in LPC Express, as well as in the countries. We clearly know what is in scope for each team within LPC Express, with all of the digital tracks that we populate nowadays. We generate the data to measure performance and the quality of the services that you render.

Last but not least, the local teams now have fewer exception-driven decisions. When you digitalize, you are essentially in a zero-or-one framework. With fewer exceptions comes speed, predictability, and more clarity and harmony. This approach is the way to go.

As you have led this digital transformation, how have you balanced the need for structure with the need to improvise as needed?

We will have 30 services in LPC Express by the end of 2022. Doing that is a matter of agility, so we used some agile methods. But it’s also a matter of rigid project management, which highlights another benefit of resorting to your shared service center. Usually, the functions that have been plugged into the shared service center are fast transactional services that can be digitalized. But before you digitalize, you need to have your process in place. This is something I would suggest every compliance, data privacy, and legal department to start with.

Then you create a blueprint. We have clear milestones of assessments and a staggered approach with the more complex use cases coming towards the end of the implementation. That way, the low-hanging fruits are implemented and run smoothly up front to increase acceptance and adoption of the services.

Honestly, when it comes to transitioning from a more traditional compliance and data privacy environment to a modern, digital one, you don’t want to improvise too much. You still need to make sure that you have no loopholes or opportunities to circumvent processes. We would rather delay the rollout of a new use case if we were uncomfortable with the results of our user acceptance tests, or if we saw that there were still flaws in the digital workflows that we were building. If you make a mistake in this process, you had better be able to explain to a government regulator why you launched your service prematurely.

Overall, there is some flexibility to adjust on the road with respect to the software. We release minimally viable software versions that have to achieve a certain quality threshold. And we need to feel comfortable about releasing the services into a stable environment on the platform.

If you could go back to the very beginning of this project and tell yourself or your team something that you know now about the project, what would that be?

First, we partnered with a relatively small company here in Germany for implementation. As we developed 20 use cases in the system within 18 months, you can imagine that capacity has been very sparse at times on the implementation partner side. So, make sure that you have sufficient capacity available to prevent bottlenecks on your timelines. I would have felt more comfortable having a few more hands on deck right at the beginning.

Second, we were very ambitious with our timelines. There were deliverables expected from us in terms of savings that also accelerated this whole process. And of course, if you want to assure a certain level of quality, you don’t want to sacrifice that by accelerating beyond the point where things are spinning out of control. So overall, I would say that a slower pace probably would have been better.

Third, when it comes to expanding the scope towards U.S. and China—which were originally out of scope—make sure what your vision is, so you do not surprise your partners along the way. Now, we feel comfortable executing in other regions as we did with these two countries, which were themselves very receptive to the idea, by the way. But if you want to expand the geographical reach of your portfolio, clear communications are very important. That is something I probably would have done a little bit differently.

Lastly, IT budget. Not only do you have to secure licenses, you have to make sure that you maintain the infrastructure that you are improving. We have seen a lot of challenges with decommissioning local IT applications and with building APIs to connect these local approval workflows with our global platform. There’s a lot of technology, and there are a lot of adjustments that our local IT colleagues have to shoulder, so building a little more buffer into the IT budget would not have hurt.

These are the four things that I would do differently, overall. Nevertheless, we took about a year to prepare and gave ourselves two and a half years to execute. So when we talk about a three-year-plus timeline, it was ambitious, but doable.


About the Expert
Thomas Pfennig is Global Head of Compliance and Data Privacy of Bayer AG, a German multinational pharmaceutical and life sciences company and one of the largest pharmaceutical companies in the world. He oversees all legal compliance activities within Bayer’s divisions and corporate functions globally.