For pharmaceutical and life science firms there has been nothing like the past 18 months. Faced with a 100-year pandemic that demanded unprecedented speeds in research and development while working under conditions that were unusual to say the least, these companies have had to collaborate with each other and with third parties as never before. And yet, even in these exceptional times, the requirements of development, trials and production continued to be exacting.
Outsourcing is nothing new in the industry. Small firms that concentrate on research use third parties routinely both in clinical trials and manufacturing. And even the giants no longer do everything in-house. As with other industries, globalization and the complexities of production have led pharmaceutical companies to rely on contractors for more and more activities.
In the plus column, third parties contribute instant expertise, fresh insights and logistical support. In the not-so-plus column, outsourcing a firm’s workload can be tantamount to outsourcing its reputation and financials, with potential for significant harm. This is why maintaining close oversight of contractors through the use of third-party risk management (TPRM) practices in contracting, audit, compliance and IT security should be a key concern for the industry.
Three categories of risk
One area with a high potential for exposure is the abundant and ubiquitous sharing of electronic information among a life science firm’s cluster of third-party providers. Life science firms are already prime targets for hackers who are eager to steal or hold hostage valuable intellectual property (IP), clinical trial participants’ information, finances and more. Now, thanks to the electronic linkage between a firm and its partners, hackers can prey on these third-party organizations, whose internet security and employee training may not be up to par, and use them as a gateway to the organizations they support. To paraphrase a saying, a company’s information protection is only as strong as its weakest partner.
In addition to cyber theft issues, there are two other categories of third-party risk for pharmaceutical companies: process control and quality control.
Under process control, pharma and life science firms must ensure that the data their partners work with is securely retrieved, processed and stored in accordance with applicable data privacy regulations, and that IT and other systems are functioning at a high level to allow for that. Under quality control, organizations must ensure that procedures at the contracted entity are carried out in a timely, accurate and traceable manner using key performance indicators (KPIs).
To manage these risk categories, pharma firms must have the ability to monitor third-party activities on an ongoing basis.
A major difficulty in managing third-party risk stems from the fact that TPRM responsibilities are often spread among various departments. Third parties may interact with operations or clinical staff; legal may be involved in the contracting process; but another department, perhaps procurement, may be tasked with overseeing vendor performance. The departments of compliance and audit also have major roles, but their oversight may not be comprehensive enough to ensure that all parts of a production line, for example, are contributing as expected. Alternatively, the internal audit function may be doing an excellent job of end-to-end analysis, but its oversight may lack the necessary timeliness, especially if audits are conducted infrequently.
Managing third-party risk
Good management of third-party risk begins with the contract.
- Are the contract requirements based on KPIs?
- Are there clauses built into the contract that allow for audits, including on-site vendor audits?
- Do the audits cover procurement, quality control and compliance? Do they cover processes, systems and IT?
- Do they unearth all the right information?
The next step is good execution.
- Does the firm exercise its right to audit third parties?
- Do the audits make sure vendors are meeting all industry and company standards?
- Is the audit comprehensive, covering even minor activities that could spell trouble?
- And are the audits carried out with sufficient frequency?
Finally, there is ongoing oversight.
- Who has oversight for what, and how often?
- What is the quality of oversight? Without thorough reporting, management may be relying on hope rather than information, which is never a good strategy.
- Is the oversight holistic, providing top management with the big picture and identifying any potential weak links?
- Yet is it also granular where necessary, focusing on areas of critical importance?
- Is there an up-to-date, easily accessible scorecard for each vendor, an invaluable aid in managing third-party risk?
All industries are moving toward greater use of third-party contractors to cope with markets that are increasingly complex and global, and the pharmaceutical and life science industry is no exception. Assessing their TPRM capabilities in light of the new realities is a first step companies can take to shore up this critical function and ensure compliance and protection from quality issues, data leakage and theft.