Inherent Vendor Risk Basics for Small Pharma and Biotech Startups

Outsourcing clinical research has become a multibillion-dollar industry. Approximately two-thirds of all expenditures in early development are outsourced to third parties. Small and midsize biopharma companies account for about 90% of that spending. By outsourcing to a contract research organization (CRO), sponsors benefit from the CRO's therapeutic and operational expertise, geographic reach, and well-established processes and tools.

Sponsors need to remember that, while outsourcing to a CRO may seem like the perfect solution, they can’t outsource their responsibility for clinical trials. Pharma and life science organizations operate in a highly competitive and tightly regulated industry. They have also been subject to some of the largest fines under the Foreign Corrupt Practices Act (FCPA).

Suppose you are a biotech startup looking to enter clinical trials or a small pharma vendor project manager new to the industry. What should you be doing to defend your organization against vendor risk? Understanding your organization's exposure to vendor's inherent risks is a good place to begin.

Understanding and Identifying Inherent Vendor Risk

Outsourcing a product or service to a third-party vendor exposes your organization to risks which naturally exist in that product or service and are known as inherent risks. Identifying the types and amounts of risks present in vendor engagement is essential. The management of clinical trials may be subject to various risks, which can be compounded if the vendor does not have the necessary controls to mitigate these risks.

Let's examine 8 common risks in clinical research:

1. Strategic risk occurs when your vendor's products, services, actions, or missions aren’t aligned with your organization's strategy.
2. Reputation risk is the risk that your clinical research and organization’s reputation may be impacted by your vendor's customer service, lawsuits, outages, and data breaches.
3. There are two types of operational risk: internal and external. Internal operational risk refers to the vendor's ineffective processes, people, controls, and systems. The external operational risk comes from outside events like epidemics, natural disasters, severe weather, or cyberattacks.
   
   Understanding and identifying operational risk is important, especially when the vendor is critical to your organization or the trial. Classifying a vendor as critical indicates that if that vendor were to underperform or fail, there would be significant impacts on your organization, the trial, or the trial subjects. Critical vendors are also those that could attract regulatory scrutiny or have significant impacts on your clinical research.
4. Transactional risks occur when a vendor facilitates or processes financial transactions for your organization. For a clinical trial, this can mean that the vendor may be billing the subjects' insurance or Medicare for various procedures during the study.
   
5. You’re exposed to compliance risks when the vendor fails to comply with the laws and regulations governing the products and services it provides to your organization. Vendors may also pose a compliance risk if they don’t comply with your internal policies, procedures, or business standards.
6. Financial risk have two dimensions. The first is how the product or service impacts revenue or operating expenses. This can be assessed during an inherent risk assessment. The second relates to the vendor's financial stability, which is determined during the due diligence stage.
   
   In the early phases of a clinical trial, it can be hard to estimate the financial impact because the revenue stream might not be clear. Among the most important questions to ask is: Could this vendor's actions delay or even prevent our drug or medical device from reaching the market?
7. Information security risks can be cyber or physical security-related risks. Cyberattacks and data breaches are the most common events stemming from missing or ineffective cyber controls.
8. A vendor's location or operations in a foreign country exposes your organization to geopolitical risk. Clinical trials don't always carry the same risks as other industries. However, the study protocol will always specify where and how the trials will be conducted, so it's still something to consider.

These eight categories should give you a basic understanding of inherent risks and how they might manifest in a clinical trial. There may be additional risk categories depending on the clinical trial you perform.

Once you have identified the possible risks, you'll need to risk-rate those vendor engagements:

• High-risk vendors have direct interaction with study subjects/patients. They’re responsible for the collection of data that contributes to primary and secondary efficacy or safety variables.
• Moderate-risk vendors have the potential to influence study conduct (e.g., translation vendors, equipment suppliers).
• Low-risk vendors don’t engage with patients or provide data for the trial. They support ancillary tasks (e.g., meeting planners, advertisers).

Vendors with high operational risks may also be considered critical if their failure significantly affects your organization, the trial, or the subjects. Each of your vendors should have a risk rating and a classification of critical or non-critical.

Identifying the inherent risks for any vendor engagement is a best practice. Before signing a contract, you must know the vendor's inherent risks and ensure they have taken the appropriate steps to mitigate them. Taking the time to assess these risks is well worth the effort and contributes to a smoother clinical trial.