Identifying the Hidden Vendor Risks of Contract Research Organizations

Selecting a Vendor and Mitigating the Risks

There is much to consider when trying to identify whether a vendor is right for you, and you need to consider how you will handle the risks associated with that vendor. During this stage of the consideration process, you should perform the following activities:

1. Send the CRO a Request for Information (RFI) and Request for Proposal (RFP)
   Sending your potential vendors RFIs and RFPs will aid you in narrowing down your pool of prospective vendors. You should review and understand their clinical trial backgrounds, how they plan to conduct the trials, and how their specific services will impact the process.
   
   Your RFI should be designed to help your organization evaluate whether the CRO will meet your needs and expectations during the relationship. You may request information such as the CRO's trial experience, how the staff is trained, device clinical trials, regulatory experience, and patient populations.
   
   After you've narrowed down your list, you should send RFPs to your remaining prospects. Request a full summary of the CRO's background, how they intend to carry out the trial, and any objectives and necessary information regarding their products and services.
   
   Once you have reviewed and analyzed the RFPs, you can narrow your vendor selection and determine which CRO(s) should proceed to due diligence.
2. Conduct thorough due diligence
   Due diligence is a systematic process used to verify that a vendor's controls can sufficiently mitigate any inherent risks. The due diligence process involves collecting documentation from the CRO to review and assess their policies, procedures, security practices, and compliance information. Your organization may also require your potential CRO to complete a vendor risk questionnaire to provide further information regarding their control environment. Reviewing and assessing vendor information is essential to ensure that there aren't any hidden risks and that the CRO can comply with industry regulations.
   
   In addition to the vendor questionnaire, the vendor should provide specific documentation such as policies and procedures (including information security and privacy policies), organization of fourth parties, SOC reports, physical security of testing and lab facilities, and disaster recovery plans. The requested documentation should help your organization verify that the proper controls are in place to protect the safety of your patients, organization, data, and sponsors. Remember, your organization's responsibility is to identify and manage the risks and impacts of the clinical trial, outsourced or not.
   
   Once you’ve completed your due diligence activities, you can determine if your prospective CRO is the right one to serve your organization and its clinical trial. If that’s the case, your organization can move forward with the CRO, knowing they have effective controls. Or, in other instances, you may find that the CRO doesn't have controls that are robust enough to manage all the risks, forcing your organization to look at other CRO options.