Managing third-party risks in the life sciences industry

Internal compliance reviews are not enough; life sciences companies need to assess their third-party business partners


Driven by globalization and strategic imperatives, life sciences (pharmaceutical, medical device and biotechnology) companies continue to increase their reliance on third parties for nearly every phase of their businesses, from preclinical research and clinical studies to supply chain and commercial functions. Consequently, companies are turning to third parties that perform support functions such as making travel arrangements, scheduling logistics, dealing with information technology and providing general consulting.

Of course, those companies then risk becoming vulnerable to possible legal and reputational harm based on the ways their third parties also manage regulatory and operational risks. And those risks get further compounded by potential exposure to personal liability, as evidenced by recent corruption allegations in China involving travel services. Today, regulators are paying particular attention to contract manufacturing organizations, travel agents, customs agents and investigators who initiate clinical studies.

Managing those risks becomes more challenging in the cases of acquisitions or divestitures that change a company’s structure and operations. This article discusses considerations for life sciences companies that deal with third parties, and it offers ways companies and their executives can better assess and manage that third-party risk.

Risks galore
Life sciences companies face regulatory and other risks from a wide range of sources, including:
  • Product adulteration and adverse drug events and their impact on patient safety
  • Issues in cGXP (current good practices)
  • Missing or incorrect product registration
  • Preclinical and clinical trial issues, such as lack of informed consent and lack of data integrity
  • Violations of the False Claims Act, anti-kickback statutes, the Foreign Corrupt Practices Act, the UK Bribery Act 2010, and the guidelines of the Organisation for Economic Co-operation and Development
  • Flawed financial reporting
  • Qui tam or whistle-blower allegations
  • Off-label allegations
  • Intellectual property and antitrust actions
  • Theft or diversion of products
  • Global trade, customs and sanctions issues
Companies have taken significant steps to manage today’s third-party risks. Many have adopted stronger compliance and audit processes to adhere to anti-bribery regulations. Many have extended their reviews of business partners to account for operational risks. Some companies use satellite technology and electronic tools to monitor transactions and products in transit. Some have made their whistleblower hotlines more accessible to third parties. Others are realigning roles and responsibilities to facilitate coordination between legal, compliance and business.

Nevertheless, gaps remain between companies and their vendors and other third parties, ranging from managing people and systems to appropriately prioritizing and managing risk. In addition, a single company may have several different risk-based methodologies in place. For example, internal audit may be using a different methodology from the one the compliance department uses. In that case, there should be a clear justification for the differing approaches. Plus, companies should have processes in place that ensure that the results of each methodology are aligned at the enterprise level.
Following are four practical steps that companies can take to enhance their third-party risk management programs.

1. Align the business with risk and compliance, and take advantage of the right talent
Companies can find themselves struggling as a result of their inability to grasp the talent management issues inherent in third-party risk management. At times, a business formalizes decisions before consulting with its risk and compliance divisions. To minimize the liability that could result, both risk and compliance should be at the table during the decision-making process—as long as those functions help find paths forward (as opposed to just discussing the risks and obstacles in the proposed strategy).

Of course, their inclusion requires that risk and compliance professionals understand the intricacies of the business, which can be an issue unless those individuals have had responsibilities within the business units. Therein lies the other challenge: identifying the right talent to work with both the business and risk management functions. A longer-term solution might involve developing a rotation program wherein compliance officers periodically rotate in and out of business units.
That way, risk and compliance professionals would have the exposure to enable them to understand the business, changes to the business and future objectives. And hirers can look for potential candidates with experience in both business and compliance.

2. Define ‘third party’
Even though an enterprise-wide understanding of what constitutes a third party may seem obvious, some companies fail to capture all types of third parties in their risk considerations. Sometimes this is the result of a limited view across the organization.

For example, corporate compliance may not have responsibility for third-party logistics companies because that kind of third party may be managed by the supply chain organization. Internal audit may not have responsibility for speaker program vendors because compliance may be responsible for that area. And the quality organization may be the only function responsible for compliance with current good manufacturing practice. Hence the need for a corporate integrity committee aligned across the business and support functions. Through such a committee, all corporate groups could share and coordinate the responsibilities for all third parties working with the organization. Companies might want to start with a draft definition of a third party, circulate the draft definition to the relevant business and support functions, and obtain agreement from the appropriate constituents before finalizing it as part of corporate-wide policy. Confirming and coordinating roles and responsibilities in managing those third parties can then proceed.

3. Identify sufficiently the population and interrelationships of risk
Many companies take a risk-based approach to managing risk (i.e., the situations that are most prone to violations or liabilities get the most attention). However, it remains unclear whether that method yields an analysis of the true risks the organization faces.

For example, a potential flaw in executing a risk-based approach is that it relies on historical factors to estimate the risk that an event will occur and that its consequences will be significant. But because a company’s business may vary from year to year based on, say, acquisitions or other transactions, a history-based approach can fail to identify new risks. A recommended approach would involve establishing a protocol whereby any change to the business triggers an evaluation of the company’s, or the relevant function’s, risk profile. The level of evaluation can, of course, be flexible to adjust for the level of change the company is facing.

Risks that are less prevalent may nonetheless have significant impact. For example, life sciences companies need to be very careful in managing global trade risks and issues. Specifically, how does the company manage the exporting or importing of its raw materials and products? What customs regulations exist in the countries through which the company transports products that have been substantially transformed? It is important to deeply understand and thoroughly map the physical and financial flows involving production. Without sufficient understanding of product creation and movement, a company may not be able to sufficiently manage third-party risk—not to mention risks from global trade and transfer-pricing issues.

Interrelationships among risks are also sometimes overlooked. For example, anti-corruption, aggregate spend and global trade each involve payments to third parties, and can involve payments to the same third party for different transactions that are captured in different systems. The same concept applies when the company focuses on corruption risk but fails to address financial fraud risk, which is vitally important given the shifts in regulatory enforcement. For example, the US Securities and Exchange Commission indicated that it would renew its focus on financial reporting fraud by creating a dedicated task force and using technology to identify irregularities in financial reporting. [1] By failing to account for interrelated risks, a company could properly address one set of risks while insufficiently handling another set of related risks, thereby leaving its overall risk profile inadequate.

4. Align technology and risk-based systems
The deployment of computer-based systems to manage third parties can also present challenges. Many life sciences companies have different systems around the world and, possibly, different versions of the same software. In addition, not all of those systems may be able to communicate directly with the company’s central financial reporting systems. Therefore, it can be difficult to obtain a standardized data set to analyze, which can make the updating of data for risk management purposes cumbersome and expensive. In many cases, the only feasible solution is to use regional monitoring systems that focus on geographic-specific risks, and then put in place a process that integrates risks from each region into a global risk management mechanism.

Further, including the IT department’s system roadmap is a key consideration, because being able to understand which systems are being retired and which new systems are being planned will govern which data exists, where it resides, and whether the level of information is sufficient for risk management purposes. IT roadmaps are particularly important in mergers and other corporate transactions that involve the synthesis of a number of disparate systems; in those situations, it can be a challenge to identify and capture structured and unstructured data for risk management purposes.

Lastly, companies should be aware of the types of data that are stored even temporarily with a third party. Companies should have access to all types of their data, such as invoices and shipping information and documentation. When a company forms a joint venture, for example, provisions are typically set forth covering the overall goals of the undertaking, but few, if any, of the provisions involve data governance and risk management protocols. That omission can be a cause for concern.

Conclusion
Given the globalization of the life sciences industry, the prolific use of third parties and the increasingly complex regulatory environment, third-party risk management can determine whether a company will achieve its business objectives or not. As discussed, third-party risks can be better mitigated by:
  • Having the right team of professionals in the business and in risk management
  • Sufficient understanding of the population of risks and their interrelationships
  • Continuous monitoring of changes in the business and its business partners
  • Proactive management of the information technology life cycle with the associated data
Life sciences companies continue to work on those initiatives at significant cost, so that the products they create can continue to better enhance patient health and safety. And through improved coordination of their risk management efforts, companies can both reduce cost and mitigate overall risk. 
 
 
ABOUT THE AUTHOR
Yogesh Bahl is managing director at AlixPartners (New York, NY), specializing in helping life sciences companies manage risk-related issues in operations across R&D and commercial value chains. He has 20+ years’ experience with strategic alliances, corporate integrity agreements, auditing and monitoring, and third-party risk management. He holds an MBA in finance and statistics and a BS in accounting and international business from New York University’s Stern School of Business.