The Operational Foundations That Characterize Regulatory Leaders

By: Steve Gens, Managing Partner, Gens & Associates Inc.

Organization agility, process maturity, and data accountability, rather than technology investment, are the strongest predictors of regulatory performance and future readiness, according to the latest international Operational Excellence and World Class RIMSM study. With a cascade of structural changes converging on the regulatory function, organizations that have deferred this foundational work are running out oftime.

Of the 59 pharmaceutical, biologics, medtech, and gene therapy organizations that participated in our most recent Operational Excellence and World Class RIMSM study - the 47th cycle of the industry’s longest-running regulatory information management (RIM) benchmark - only four had genuinely embedded a culture of end-user data accountability. The finding is significant in the light of what is coming over the horizon for this industry and the implications for the regulatory function, from ambitions around AI, to the move to more fluid data exchange with health authorities.

Most notably, the four companies that have deliberately placed the onus on specific teams and individuals to vouch for the quality, accuracy and completeness of the data in their systems recorded an aggregate data quality confidence score of 93%, compared with 50% for all the other companies in the study. Their efficiency across 15 core RIM capabilities registered 93%, versus 70% for the rest. For health authority commitment tracking data, collective confidence levels more than doubled. Submission timelines, regulatory relationships, and an organization’s ability to respond when health authorities ask pointed questions all depend on high data reliability and associated confidence. Yet, as things stand, for 55 of the 59 organizations surveyed this is not a given.

Holding individuals and teams explicitly accountable for the accuracy and quality of the data in their systems might seem organizationally straightforward in principle, but it is persistently difficult to sustain in practice. While almost two-thirds of organizations in the latest benchmark study report actively working toward it, few have achieved their goal.

In addition to having an impact on current performance, this issue has a direct bearing on how well companies and their regulatory activities can be optimized for the future, something the latest study has measured specifically via a new Future Readiness Indicator (FRI), introduced to assess how well organizations are positioned for a period of simultaneous, compounding change, or “confluence of change”. This refers to the combined near-term impact of AI and advanced automation, cloud-based regulatory spaces (CBRS), data aggregation platforms (e.g., data lake, data fabric etc.), structured data mandates, and workforce transformation. Of the 59 organizations taking part in the benchmark study, just one registered as “ready and leading”, while more than a fifth (21%) fell into the “at risk” category. The remaining 77%, although making progress, exhibit gaps that will require deliberate investment to close.

The Accountability Challenge

Regulatory functions have traditionally organized accountability around documents and dossiers, a model in which ownership is clearly established (a submission has an author, reviewers, and approvers). Taking accountability down to the level of individual data elements is structurally different, and is newer territory for most regulatory teams, despite the fact that clinical operations and supply chain functions have operated this way for years.

The shift from document-centric to data-centric regulatory work, supported by IDMP standards, hasn’t been uniform across organizations, particularly in terms of the underlying data governance infrastructure required. Although the steps involved, such as defining quality thresholds, embedding data responsibilities in role definitions, and ensuring that product teams own the accuracy of data linked to their portfolio in regulatory systems - is understood conceptually, in many cases the execution hasn’t happened.

The four exceptions in this study are not running fundamentally different technology from their peers (our research has found no correlation between top performers and any single software provider across its 25-year history). The key differentiating factors, rather, are an organizational culture and governance structure that treats data quality as a core performance metric, rather than a background IT concern.

The Impact of Process Maturity

In this latest research cycle, we measured process maturity across nine core regulatory process areas, using the Capability Maturity Model Integration (CMMI) framework.1 Top performers predominantly operate at Level 4 (measuring) or Level 5 (optimizing) for most processes, while the broader participant group largely registers at Level 3 (controlled) or Level 2 (repeatable, but not consistently).

The performance spread across those maturity levels is broad. The high performers report operational throughput improvements in 80% of cases, versus 47% for their peers. Time-to-filing improvement in secondary markets is 70% vs 26%; operating cost improvement is 90% vs 39%; user productivity 90% vs 50%. In other words, there are measurable differences in delivery capability.

Operating at Level 4 or 5 gives an organization something more than efficiency, specifically the capacity to absorb change, scale workload, and integrate new capabilities without the friction of inconsistently-applied processes. Regulatory functions managing their processes through KPI-driven continuous improvement have the structural flexibility that responding to multiple simultaneous changes requires. Those that lag risk carrying process debt into a period of great change and new demands.

Key Contributors to Future Success

The one organization in the current study that qualifies as having “ready and leading” status in the FRI analysis has been a consistently strong performer across multiple cycles of this research over the years. This isn’t down to its various technology choices, but rather the work it has done at an organizational and process layer beneath any systems. The company has a culture of shared trust across functions, for instance, and has established clearly-defined roles and responsibilities. It also exhibits a genuine openness to new approaches and treats change management as an ongoing core competency.

The organization’s data governance model is fully implemented, with clear accountability for mission-critical data elements, and the company is seen to operate at Level 4 or 5 across all nine regulatory process areas benchmarked this cycle. It actively manages for change, rather than reacting to it when it happens.

A Resetting of AI Expectations

Enthusiasm for AI across the regulatory environment is not matched by action in the latest data. While 47% of organizations report pilots or implementations underway, and every large company in the study claims to be making significant AI investments, of 131 benefit-realization responses tracked across all AI and advanced automation use cases, just six exceeded expectations. Consensus on realistic implementation timelines has shifted to 2027–2028, meanwhile.

Where AI is delivering results today, the conditions enabling consistently include well-defined processes, structured and trusted data, and bounded task scope. Clinical document generation features most commonly as the target of AI adoption, followed by AI-assisted translation and CMC content generation. The combination of AI-generated first drafts, AI-assisted quality control, and reduced translation cycles has real potential to compress the timeline from clinical study closure to filing. A tipping point for broader dossier-section authoring - rather than individual documents - is projected for 2028. But successful realization will depend on data governance and process maturity being in place before the technology is applied.

Two Structural Shifts Worth Tracking

Two further developments from this year’s study are likely to have significant operational implications. The first is cloud-based regulatory spaces, the subject of a visible shift in industry sentiment over the last 12-18 months. 41% of organizations are now already actively participating in a CBRS initiative; a further 47% plan to do so within a year; and 71% believe it will fundamentally change how the industry works with health authorities within five years. It would see today’s one-to-one submission model, which sees a dossier filed separately with each health authority, give way to a single dossier that is reviewed simultaneously by multiple regulators, something early pilots have shown to be technically feasible. The data governance and process implications for regulatory functions have not been fully worked through by most organizations, however.

The second noteworthy development is the expanding role of data aggregation platforms - data lakes, data fabrics, and comparable infrastructure - in connecting regulatory systems with clinical, safety, quality, and commercial data for analytics and AI model training. All large organizations in the study now have their regulatory systems connected to a data aggregation platform. As agentic AI matures and this infrastructure becomes more sophisticated, it will reopen the longstanding architectural question of whether an integrated regulatory platform or a well-connected best-of-breed approach serves the function’s actual needs - and provide new data with which to answer it.

The Outsourcing Dimension

For organizations that rely on CDMOs, CROs, and other outsourcing partners to carry portions of their regulatory workload, the study’s findings provide additional nuance. This is because data accountability and process maturity cannot be decoupled from outsourced relationships; rather they are the conditions under which outsourced work either runs smoothly or generates friction.

When the authoritative source data that a CDMO or regulatory service provider depends on is of uncertain quality, or when the processes governing how that data is transferred, validated, and updated lack clear ownership, costs are accrued in rework, delay, and escalation. The organizations in this study with the strongest data governance and process maturity consistently report better outcomes across the board. Building those foundations is not preparatory work that precedes a productive outsourcing relationship; in most cases, it is what makes one possible.

The 2025 study covers a period in which the regulatory function is being asked to absorb more change, faster, than at any point over the last 25 years. The organizations investing in governance, accountability, and process discipline now are not simply improving their current performance metrics; they are investing in the organizational capacity to absorb what comes next - whether that is a new structured data mandate, a CBRS requirement, or an AI capability that is finally ready to deploy at scale. The cost of deferring that investment compounds with each successive wave of change.


About the Author

Steve Gens is Managing Partner of Gens & Associates Inc, a life sciences benchmarking and advisory firm. He has led the Operational Excellence and World Class RIMSM study for more than 12 years, working with pharmaceutical, biologics, medtech, and gene therapy organizations globally on regulatory information management strategy and performance improvement.


Subscribe to our e-Newsletters Stay up to date with the latest news, articles, and events. Plus, get special offers from Pharmaceutical Outsourcing – all delivered right to your inbox!

Sign up now!

  • <<
  • >>

Join the Discussion