A strategic approach to risk management is essential for life sciences companies to continue benefitting from third-party services. With these services becoming more necessary — and more risky — a top-down management perspective is critical.
Meet growth goals while managing the risks inherent in innovation. See the following risk management guideposts, which were offered in a discussion among Grant Thornton life sciences and risk professionals moderated by Mark DeLuca, senior vice president of Worldwide Sales at risk management and compliance provider Opus.
Scan a well-populated risk landscape
The numerous components of risk add up to management complexity. They comprise multiple life sciences sectors including biotech, pharma and medical device manufacturers, health care providers, insurers, wholesalers and government entities; people within your organization with their intertwined connections to third-party services; and your third parties — e.g., intermediaries, contract manufacturers and researchers, suppliers, distributors, sales agents and their subcontractors.
Because of the vast diversity of constituents and related risks, the foundation of your risk management effort is master data management (MDM). MDM requires identifying all the parties with which everyone in your organization does business, as well as the services they provide. Bringing them together into records segregated by function or service makes it possible to segment and manage the risks.
Understand 4 trends creating primary challenges
“The ecosystem continues to evolve and change,” explained Lisa Walkush, the leader of Grant Thornton’s National Life Sciences Industry. “For one thing, there’s a growing use of third parties in this industry. This is due to a number of reasons, but much of it is how companies are growing, innovating, partnering and outsourcing.” Another element in this trend is reliance on the cloud — a third-party mainstay for storage and management.
As use of third parties increases, auditors and regulators are scrutinizing it as a major risk area. Companies feel the pressures of time and cost of compliance.
The acceleration in third-party participation is adding momentum to another trend. Already-high concerns about protecting patient and consumer information are rising. Breaches result in damages to all involved, including patients.
A fourth trend in third-party risk is the pursuit of M&A. Integration and due diligence processes require further Q&A, said Walkush. “What third parties is our target using? How are we going to get all that information together? Do we know the whole universe of their third parties? How are we vetting those third parties? How will we manage them?”
Take 5 steps to effective risk management
First, get to know your data, including basic numbers and names. Identify all third parties serving all functions in your organization.
“Build a solid understanding of whom you’re engaging with,” said Walkush. “Setting aside preconceived ideas, walk through the identification process. You could come across obscure pockets of third parties that people in the organization are engaging with.”
Then, Walkush advised, move on to identifying the specific data being accessed.
According to Vikrant Rai, director of Cyber Risk, “Components of this spread out in various parts of the organization. For example, in evaluating the cybersecurity side of domains for a client, we asked how they managed their supply risk. There, as in many companies, processes were defined at a broad corporate level. At the business level, they didn’t know the vendor tier.
“They didn’t have an understanding of the type of services being provided, where their data was, and which third parties or downstream entities were touching sensitive data. This points to the need to figure out controls before engaging with providers.”
With data in hand, ensure meaningful risk assessments. This entails an onboarding or re-assessment of each third party that could lead to deeper due diligence.
Risk Advisory Services Managing Director Adam Schrock explained best practices: “Information security, or infosec, expands their third-party assessments to include additional privacy requirements provided by the privacy organization or general counsel legal group. The privacy group and the chief privacy officer drive the policies.”
To strengthen the assessment process, Walkush advised, simplify your technology approach. “Think about the opportunity to collapse technology onto one platform, with all the information in one location.”
Next, look at contracts. Understand your contractual engagements with third parties — their responsibilities and your obligations. “Besides the obvious things like right to audit,” Walkush said, “if your third parties are engaging fourth parties, make sure that flow-down clauses are included and that they are holding their parties accountable for everything you are holding the third party accountable for.”
Establish a contract management process with clauses about updating sensitive data confidentiality as it changes over time. Put in place security controls so that third parties engaging with fourth parties or downstream entities share the contractual clauses and conduct reviews.
In addition, said Schrock, many historical contract templates don't adequately cover information security and privacy requirements. “Some companies renegotiate contracts to add in those clauses. Many default to updating the language when contracts are renewed. If you have contracts that don’t expire for, say, 10 years, you could take the initiative to renegotiate some service agreements and put in the proper security and privacy clauses.”
The first three steps lead naturally to the fourth — ongoing risk-based monitoring.
“You don’t want to monitor every single one of your third parties,” Schrock said. “You want to look at the highest risk and most critical third parties from a risk perspective, and focus appropriate monitoring activities and due diligence on them. That can be via automated means or through vendors providing data feeds into the security posture of your third parties. Another way is periodic risk assessments or controls validation.”
The final step is continuous collaboration. Are the appropriate people connected with the risk program, and is information being shared?
Walkush noted that the approach typically taken is bottom-up instead of top-down. “Instead,” she said, “recognize the enterprise-level importance of third-party risk management, and take a strategic perspective, getting everyone to step outside of siloes. So people in compliance should be talking more with people in procurement.”
There is, additionally, an external collaboration opportunity that could pay off well for your organization. Though apparently not yet in play in life sciences, creating an industry consortium to exchange risk management ideas and successes has worked in other industries. After discussions and agreements, a hub-and-spoke model disseminates information to members. Take, for example, vendor validation. Third parties complete one form, and a consortium entity manages the processing. The purpose is risk management that is effective in cost and outcome.
Your risk management program can ensure the most advantageous use of an important asset, your third-party network.