Pharmaceutical and life sciences companies are in the cross-hairs when it comes to third-party and supply chain risk management. With a huge reliance on third parties across almost every phase of their businesses, a range of general and specific laws and regulations to adhere to, and a surge in cyber-attacks on their data assets by malicious players, it’s no wonder that companies struggle to keep up.
COVID-19 has only exacerbated challenges to the industry with business disruption, economic uncertainty and an unprecedented urgency for R&D, production and distribution.
In this landscape of heightened threats, costs to those in the industry from third-party breaches can be high:
- A data breach in the pharmaceutical industry can cost companies upwards of $5 million, and even more if a third-party vendor or supplier is the cause – which in most cases it is. And now, more than ever, hackers are actively seeking out vulnerabilities in pharma digital supply chains, targeting IP assets.
- Last year alone, pharmaceutical and life science companies felt the pain of over $456 million in US-imposed sanctions for FCPA violations. Most actions involved a third-party intermediary.
As a consequence, many pharmaceutical companies are looking for a smarter and more integrated way of managing their third-party risks. And they are turning to Aravo to help them. In 2020, pharmaceutical and life sciences represented Aravo’s fastest growing vertical market and is now the largest segment of Aravo’s diverse customer base.
Aravo’s pharmaceutical clients typically cited product functionality, scalability, and deep domain expertise as differentiators when selecting Aravo for third-party risk and performance management. But, let’s drill down into some of the specific program challenges that Aravo helps firms in this industry with.
Pharmaceutical companies face a broad range of third-party risks
Aravo pharmaceutical clients recognize the importance of a holistic approach that manages third party risk across multiple risk domains.
Pharmaceutical companies need to manage a broad range of third-party risks across the enterprise. They share many in common with other sectors, but some are unique, such as pharmacovigilance. Together with assessing and monitoring financial viability, operational resilience, and regulatory compliance, pharmaceutical firms typically focus on the following domains:
- Anti-bribery/corruption – Global operations, the overlap between healthcare or charity contacts and government officials, and strict regulatory guidelines require pharma to be especially vigilant when it comes to bribery and corruption risk.
- Information security and cybersecurity – Greater reliance on outsourcing increases the risk of security breaches that threaten IP, operations, and other data assets.
- Data privacy – GDPR, HIPAA, and the ethical mandate to maintain confidentiality of patient data become more difficult as PHI and other personal data is shared across third-party outsourcers, such as clinical trial partners.
- Pharmacovigilance – Ensuring drug safety extends across the third-party ecosystem, from certifying that clinical trial investigators are reporting accurately to ensuring that partners avoid non-compliant communications and off-label usage.
- Health and safety – Regulatory and other guidance (e.g. US FDA CFR 21, EU and WHO guidelines) related to Good Distribution Practice (GDP) and Good Manufacturing Process (GMP) as well as responsible sourcing extend to third parties.
- Sustainable procurement – Taking social and environmental factors into sourcing and procurement outcomes is important to pharmaceutical and life science companies. ESG (Environmental, Social and Governance) forms a core component of this, and organizations are increasingly embedding this into their programs.
⮚ Aravo’s ability to integrate multiple risk domains into a centralized solution is valued by our pharmaceutical clients.
Pharmaceutical companies need a centralized system of record
Pharmaceutical companies need a centralized system of record of all their third parties – both critical suppliers and the “long-tail.”
Prior to selecting Aravo, many life sciences organizations reported that they lacked a centralized view of third-party risk. Data existed in various silos and different parts of a program (such as information security assessments or ABAC due diligence) were conducted in separate systems.
Not only does this disjointed approach have the potential to create huge blind spots, it’s extremely inefficient, and creates a resource drain on already small teams. Without a centralized inventory, employees spend a disproportionate amount of time tracking down and compiling data, rather than focusing on activities that mitigate risk, such as enhanced due diligence and remediation for higher-risk segments.
This inefficiency (and lack of complete information) inevitably extends to board reporting. When resource-strained risk teams are forced to go through a variety of spreadsheets and documents to tabulate and aggregate information for a risk report for the board, it can take hundreds of hours and still lead to errors. In fact, a 2019 survey report released by Compliance Week and Aravo found most respondents (83%) did not feel that their board reports were wholly complete and accurate.
⮚ Aravo pharmaceutical clients benefit from a centralized system of record or “golden source of truth” of all their third parties (including suppliers, outsourcers, agents, clinics, etc.).
Third-party due diligence at the speed of business
Pharmaceutical companies need to embed greater efficiency into their third-party risk management program outcomes.
The inefficiency that comes from not having a centralized system of record is also frustrating to the business. Time is of the essence in this highly competitive segment. Delays in clinical trials, acquiring raw materials, securing distribution partners, or any other aspect of the chain from research to consumer delivery can have huge opportunity costs for the business. Meanwhile, consumers don’t have access to the therapeutics they need. Aravo life sciences customers report a reduction in onboarding time ranging from 30% to as much as 90%.
Obviously, with people’s lives on the line, being more efficient can’t come at the cost of effective due diligence. Intelligent automation, including AI and machine learning, not only eliminates tedious manual tasks like sending email reminders to complete assessment surveys. It can also be used to provide deeper insights into potential risks and the effectiveness of controls as well as increase the efficiency in mitigating risks. For instance, if continuous monitoring detects a material change in risk associated with a third party (e.g. changes in financial viability, an incident that could disrupt supply, a change in beneficial ownership), an automated TPRM system can trigger the appropriate issues and corrective action process, including a business impact assessment. This can allow the remediation process to begin even before a team member is aware of the issue.
⮚ Aravo provides pharma and life sciences a risk-based approach to due diligence that is both agile and efficient.
Pharma and life sciences typically need to go deep into contract and sub-contract risk assessments.
Though most TPRM programs have more in common than not, pharma and life sciences clients do have some unique requirements that some vendors have historically been unable to deliver. Contract-level risk management is a good example. Not all solutions allow life sciences organizations to assess, manage, and mitigate risk at the engagement or contract level as well as the entity level. For instance, an organization may have multiple contracts with a single organization to perform different kinds of services. Each of these can have different risk profiles based on factors such as the type of service or the location.
For many Aravo life sciences customers, their requirements go beyond even this engagement-level assessment, and they need to be able to drill down to the sub-engagement. For instance, when contracting for clinical trial services, the third-party may agree to provide services in multiple locations or regions within the same contract. The organization may need to conduct due diligence for each site related to information security/data privacy or bribery and corruption risk in various countries, for instance.
⮚ The ability to assess risk at the engagement or sub-engagement level is an inherent part of Aravo applications.
Subject Matter Expertise
There’s nothing like experience when it comes to supporting holistic, cross-functional pharma and life sciences TPRM programs.
Pharma and life science organizations report that they find it challenging to validate vendor claims that they can meet these unique requirements in addition to all of the other risks that third parties present. Many specialty solutions focus on one or two risk domains that are specific to life sciences, such as anti-bribery and corruption or pharmacovigilance. Others are focused on one stage of the relationship lifecycle, such as due diligence, but not the end-to-end process. These solutions can create additional silos as the organization must bring in additional products to fill risk domain and lifecycle gaps.
Enterprise systems (such as ERP or procurement) sometimes offer third-party risk management as an add-on to their suites. These vendors typically lack deep understanding of third-party risk management and its specific impact on pharmaceutical/life science organizations.
To be successful, buyers in this vertical market are seeking third-party risk management solutions that have a focus that is both deep and wide – deeply rooted in third-party management and wide enough to encompass expertise in all of the risks a pharma/life science organization may encounter in their third-party relationships.
⮚ Aravo’s long and successful track record of working with pharmaceutical clients means we are able to provide best-practice approaches for the industry, and continue to innovate to support ongoing industry developments.
Pharma and life sciences firms tend to have global programs with a high volume of third-party relationships.
Typically, life science organizations depend on international markets for both supply chain and distribution, which not only increases regulatory focus, but also requires robust technology. The TPRM team may be located in multiple geographies and dealing with third parties (suppliers, service providers, distributors, etc.) virtually anywhere in the world. Validation that a TPRM solution provider has experience implementing and supporting complex global ecosystems is a critical requirement.
⮚ Pharma/life sciences customers with operations in literally dozens of countries and tens of thousands of third parties have a long track record of using Aravo to manage their third-party risk management process in a way that meets both enterprise and regional requirements. Aravo’s interface was designed for easy localization and has been translated into 36 languages so far.
Pharma and life science companies are looking for the right balance of pre-configured best practices embedded into TPRM technology, together with the flexibility to configure elements to their own business requirements.
Faced with regulatory pressures, an obligation to patients, and competitive pressures, life sciences companies generally don’t have the time or resources for long TPRM deployments. Many look for products with ready-to-use capabilities that help them get their programs up and running quickly without heavy reliance on an internal team of subject matter experts.
⮚ Aravo’s preconfigured applications are built from the ground up to align to regulatory guidance and incorporate Aravo’s unparalleled experience in serving pharma/life sciences and other highly regulated verticals.
However, most pharma/life sciences organizations also have a long-term vision for how their programs may grow and mature over time, especially if they have specialized requirements.
⮚ Built on a single highly configurable platform, Aravo’s ready-to-use applications make it relatively simple for organizations to add new functionality, modify workflow, or enhance capabilities based on specific requirements, either with trained internal resources or support from Aravo Global Services.
As a highly regulated sector, pharma and life sciences need the confidence that the assessments and processes in their system are aligned to regulatory requirements, and that there’s a robust compliance audit trail in place.
Life sciences is a heavily regulated industry, governed by many international and domestic regulations related to production, marketing, and distribution. The global nature of the pharmaceutical industry, including the role government plays in healthcare decisions in many countries, makes it particularly exposed to violations of bribery and corruption regulations such as the US FCPA or the UK Bribery Act. On average, more than 90% of FCPA enforcement actions are due to the actions of a third party, such as a distributor or other partner. And FCPA actions carry heavy monetary penalties. Of the $456 million in penalties meted out to pharmaceutical and life science companies in 2020, nearly $350 million was imposed against a single company.
The manufacturing process also undergoes tight government scrutiny, such as US FDA CFR 21 and EU and WHO guidance related to Good Distribution Practice (GDP) and Good Manufacturing Process (GMP). Regulators hold life sciences organizations responsible for ensuring these practices are followed throughout their entire supply chain as well as by third-party logistics providers. This may mean going beyond third-party due diligence to evaluate fourth parties and nth parties.
Additionally, a robust and accessible audit trail plays a critical part in the defensibility of any compliance program.
⮚ Aravo applications map to prevailing regulations, guidance and industry standards. Additional customer-defined assessments can be included if your own compliance team has created proprietary assessments. Every action in Aravo is time and role-stamped with visualized audit trails across all workflows and full reporting capabilities. This is important for defensibility and for demonstrating compliance to auditors, management and examiners.
One size does not fit all when it comes to due diligence.
Pharma/life sciences organizations need especially robust due diligence capabilities to ensure they understand the blurry lines between healthcare professionals (HCPs), government officials, and other politically exposed people (PEPs). For instance, in countries with socialized medicine, HCPs may also be considered government officials, requiring stronger controls for evaluating risk and compliance.
Even charitable giving partners can pose potential risks to pharma/life sciences organizations. In addition to partners across the supply chain, pharma/life sciences organizations need to be able to conduct due diligence on patient assistance programs (PAPs) and charitable organizations to identify the structure, ownership/board members, eligible recipients, and any other characteristics that could expose the organization to reputation or regulatory risk.
⮚ Aravo supports a risk-based approach to due diligence. Clients can layer in deeper assessments for riskier suppliers, based on type of supplier, geography, services or products provided, that can also be triggered by events such as negative news coverage.
Gifts and entertainment
Understanding what gifts and entertainment suppliers might be providing on their behalf is important to the pharmaceutical sector.
Gift tracking workflow has also become a requirement based on the need to approve and document any gifts to individuals or organizations, ensuring that controls are followed and providing an audit trail.
⮚ Aravo clients also benefit from capabilities that allow them to track and approve gifts (given or received) in the system – an important control in the prevention of bribery.
Pharmaceutical companies need to ensure cybersecurity, information security and data privacy are a core part of their third-party risk management program.
There’s been a surge of cyber-attacks against the pharmaceutical sector in the wake of COVID-19. According to a BlueVoyant report, attacks on the biotech and pharmaceutical industry had increased by 50% between 2019 and 2020.
While third-party risk programs in the sector have traditionally focused on ABAC risk, there’s also a business-critical requirement for information security, data privacy, and other assessments and monitoring for IT risks related to third parties. Those in this sector are particularly attractive targets for hackers (and now increasingly more sophisticated state players), due to their valuable R&D, IP, trade secrets, PHI, and other personal data. It’s important that firms conduct the necessary due diligence on their third parties, and understand their cybersecurity controls, as it is their supply chain that often presents the weakest link.
⮚ Aravo clients benefit from pre-configured applications for cybersecurity, information security and data privacy together with integrations with cybersecurity health ratings services like BitSight and SecurityScorecard. Built on one intelligent automation platform, they integrate directly to become part of a cross-functional, holistic solution for third-party risk management rather than another data silo.
With regulatory pressure and external risks like cybersecurity on the rise, pharma/life sciences organizations are maturing their programs by investing in third-party risk management to protect their stakeholders and consumers. Many are selecting Aravo and cite product functionality, scalability, and deep domain expertise as the motive behind their decision.