Third-Party Risk Management Trends in the Pharmaceutical Industry
June 18th, 2021
Third-Party Risk Management (TPRM) practices have been around for about a decade, and pharmaceutical firms were some of the first to adopt these practices. Pharmaceutical and life science companies, like many, first dipped their toes into the TPRM water by developing Anti-Bribery and Corruption (ABAC) programs, which were designed to ensure that companies’ third parties do not engage in unethical financial practices. As TPRM developed as an accepted and recognized practice, however, pharmaceutical firms recognized the need to extend their programs to cover additional risk domains, such as reputational risk and data privacy, and to acknowledge upcoming pharmaceutical industry trends.
Unique Characteristics of the Pharmaceutical Industry
While there are crossover characteristics with other industries (such as manufacturing), pharmaceutical and life sciences organizations have unique risks and program requirements that must be acknowledged. These characteristics have influenced pharmaceutical industry trends and have become even more visible during the COVID-19 pandemic, when pharmaceutical and life sciences were drawn even further into the spotlight.
Complex, Multiple Risk Domains:
The pharma industry is unlike other industry sectors, and therefore hosts unique risks. Depending on the scope of the company, a pharmaceutical organization can utilize many different vendors and third parties, each with their own risk assessment and questionnaire needs. Some vendors, such as a small clinic, may be small-scale and cannot (and sometimes will not) fill out huge questionnaires covering their risk areas. Other vendors, such as a large laboratory service, will be too large to be covered by a small risk questionnaire. While you want to ensure that all potential risk areas are covered, you also do not want to overwhelm your vendors to the point where they stop answering your requests. Avoiding these loops while mitigating risks is tricky and presents unique difficulties to pharmaceutical and life sciences organizations.
Regional and Global Requirements for TPRM Programs:
One of the biggest pharmaceutical industry trends we’re seeing is that many organizations have locations and/or operations around the globe and, likewise, their TPRM programs are not dependent on only one location. Many pharma companies are looking (or have already begun) to centralize and globalize their TPRM programs. Yet, while this global approach can provide consistency and a holistic view of third-party risks, these programs still have to take into account regional variations and compliance requirements. A best practice is to start with high-risk geographies to get these programs underway, then expand from there.
Need for Engagement and Sub-Engagement Risk Assessments:
Managing risk at the entry or engagement level is a requirement for any third-party relationship, as it helps to identify potential risk areas before contracting with these vendors. However, over the past few years, pharmaceutical companies have better understood the need to manage risk at the sub-engagement level and to manage the risks of their existing vendors. This is especially important when existing vendors are used for new services, or new potential risk exposures are identified.
Highly Regulated Industries:
Pharma and life sciences are two of the most highly regulated industries due to the large number of inherent risks that exist in their business models. Another reason they’re highly regulated is their dependence on third-party intermediaries to test and prove various products before going to market. As seen in recent regulation, companies are now being held accountable for the actions and practices of their third parties.
Need for Mature Risk Management Programs:
Due to the high amount of regulation that pharma companies face, their TPRM and ABAC programs are usually (or need to be) more mature than those in other industries. Despite the complexity of these programs, however, they tend not to have a massively staffed risk function. This lack of human resources can be a challenge and underlines the importance of efficiently managed TPRM processes. This need can align with automated tools such as workflow automation, AI, and machine learning. But because of complex risk domains and regulatory needs, there is not a one-size-fits-all solution that can be plugged in for every pharma company. TPRM automation tools need to be able to manage the degree of inspection and due diligence needed, while also avoiding unnecessary complexities for vendors.
Pharmaceutical and biotechnology companies suffer more breaches from malicious activity than any other industry, with an average incident costing the company upwards of $5 million. This cost can be even higher if the breach is caused by a third-party vendor, which it typically is. As seen in recent years, hackers are actively seeking out vulnerabilities in digital supply chains, and pharmaceutical companies are prime targets for state-sponsored hackers as they host and store so much personal information.
Due to the complexity of pharmaceutical companies’ risk management needs, cybersecurity cannot just be done on a regional basis; now, companies are moving to a more global approach, which calls for greater coverage and depth of cyber protection. One area where this is manifesting is vendor risk questionnaires. Thorough, multi-pronged approaches and information gathering are needed for auditing purposes, digging into topics such as encryption on vendor devices, anti-phishing training for employees, and more.
Another area where cybersecurity is trending in the pharmaceutical industry is home healthcare, a big-ticket item due to COVID-19 quarantine restrictions. In the last year, people who would typically go to clinics, hospitals, or GPs for support or clinical trials can now be visited at home. While this is convenient, it can also open a whole realm of expanded data privacy risks. Depending on the way the healthcare staff collects data (sometimes on their personal devices), a lack of encryption can lead to potential hacks.
The COVID-19 pandemic and the increased demand for PPE, critical care medication, and vaccinations exposed brittle supply chains and caused severe disruptions. Concentration risk plays a part in this – 30% of manufacturing for active pharmaceutical ingredients (APIs) is located in India and China, two of the earliest countries to experience the pandemic. When a high percentage of suppliers are located in a single geographic area, companies that utilize them in their supply chain face significant concentration risk if a disruptive event (including extreme weather events) were to occur.
To avoid severe disruptions and shortages, pharmaceutical TPRM programs are factoring in supply chain resilience and business continuity. The first step is to determine which suppliers are critical to business operations – and the continuity of these third parties is just as important to determine as the continuity of the company that engages with them. This complexity can be difficult to get your arms around. Understanding what your supply chain looks like, where it is coming from, and where it is going is the first step to building this resilience.
Monitoring platforms that utilize event monitoring capabilities are an important tool for pharma companies to gain visibility into potential impacts such as extreme weather, geopolitical events, pandemics, etc. Visibility into both the events and the actions that need to be taken is important to prepare for risks before they occur. That said, event monitoring can also be overwhelming due to the amount of data it collects. Filtering critical events alongside your most critical relationships helps determine priority areas.
Agility is one of the most important considerations for supply chain resilience in pharmaceutical TPRM programs. Identifying single points of failure across multiple levels of relationships (your third parties, but also your nth parties) is important to proactively establish an appropriate level of controls. Insights and visibility into these sub-contractors are critical to understanding what your supply chains look like and what is needed to manage risks.
Pharmaceutical TPRM Trend #3: ESG Is About to Take Off
Pharmaceutical and bioscience companies should also keep an eye out for Environmental, Social, Governance (ESG) regulations on the horizon. These are designed to protect and promote sustainability, human rights, and other ethical initiatives within large-scale organizations. ESG programs and regulations are already being implemented in the European Union, with a new binding EU law requiring companies to conduct environmental and human rights due diligence across whole value chains.
The United States is not far behind with ESG, and there are already regulations such as the California Transparency in Supply Chains Act in effect. New legislation will not just be a reporting requirement, however, and will require more risk-based due diligence along every step of the supply chain.
How to Get Your Stakeholders to Collaborate on Pharmaceutical TPRM
As seen with all of the complexities and pharma industry trends explored here, managing TPRM within a pharmaceutical organization can be challenging. There are a lot of different risks, supply chain complexities, and TPRM needs to take into consideration. Experts state that one of the first steps towards TPRM maturity for these sectors is to make sure that TPRM stakeholders within your organization are collaborating. Whether a pharma company is looking to centralize TPRM efforts, globalize, or take stock of current programs, it is important to get everyone in the room at the beginning to communicate on TPRM needs and chains of command.
Mature organizations often have people devoted to specific risk domains (cyber risk, anti-bribery, etc.), as well as people who manage day-to-day relationships with third parties. Including these people in program deployments is also important so that vendor risks and sub-contractor relationships are taken into account. Also included should be legal representatives, procurement personnel, compliance, and executives. While identifying core stakeholders isn’t always the easiest process, it is important to assimilate TPRM needs as quickly as possible.
Scale to the Level That Makes Sense
It is important to not bite off more than you can chew, however. Trying to develop and dictate a global TPRM program too early can cause a lot of headaches if your program is not mature enough to scale up this quickly. A best-practice tip is to work on one area of the TPRM program first, deliver outcomes and successes, then move on from there. This helps develop a sense of interconnections between departments, stakeholders, and automation tools – which helps companies analyze lessons learned before expanding. While doing this, you develop more and more agility along the way.
To learn more about pharmaceutical industry trends and TPRM best practices from Aravo and industry experts, check out our on-demand webinar! The fireside chat features Aravo’s Kimberley Allan and David Rusher, as well as third-party risk management expert, Debbi Warren, who has built award-winning TPRM programs for leading pharmaceutical companies.