Third parties, 3 risks and your life sciences business

Authored by RSM US LLP

Biopharma and med devices should weigh risks upfront

It is standard business practice for many organizations in the life sciences industry to use third-party relationships and resources to achieve desired objectives. These partnerships, for instance, help biopharma and medtech companies complete research and clinical trials as well as commercialize, manufacture and distribute products. Often, these third parties do so by processing and assessing key organizational data. Since these relationships generally result in productivity and financial benefits, their use is projected to further increase.

While there are many benefits to working with third parties, so too come risks. Life sciences companies should be especially mindful of three major areas of concern: regulatory compliance, data security and reputational impact. Failure to address these vulnerable areas with your third parties can result in financial loss or expose your organization to further regulatory or legal challenges. A closer look is necessary in order to understand the underlying issues and ways to address these risks.

Regulatory compliance

From Food and Drug Administration regulations to the Foreign Corrupt Practices Act, biopharma, medtech and other life sciences companies must address compliance requirements at every angle of the business. Failure to ensure your business activities—including those with third parties—are in compliance with regulations can expose the company to fines or costly legal repercussions. To mitigate compliance risks, life sciences companies should establish a third-party relationship management program to map third-party contractual commitments against regulations and foreign laws, where applicable.

You need to monitor and assess your third-party relationship management program, and make changes when needed, to demonstrate a commitment to compliance to auditors or regulators. You should also escalate any increased risk or performance missteps and execute needed changes via governance and reporting. Keep in mind, no one-size program fits all. Develop a risk assessment and compliance program that considers your overall risk profile as well as your specific domestic and foreign third-party relationships. Understand whether any of your third parties are subcontracting elements of their obligations, as this creates additional challenges from a contractual and oversight perspective. In the eyes of regulators, you are the company you keep, so make sure your third parties are obeying the law and upholding your company’s standards and brand.

Data security

Managing confidential data is no small task for most companies given today’s environment of increased hacking attacks and security breaches. To counter this, new regulations have been implemented. However, have your existing contract agreements with third parties also been updated to align with these newer policies? For instance, do you have a clear segregation between company and third-party responsibility regarding the protection of data, and a plan in the event of a breach? Do you know what types of data your third parties have access to and the security around that data? It’s imperative to review your existing third-party engagements and update contracts as needed.

Additionally, privacy regulations in the European Union have also become more rigorous, even for U.S. organizations. The EU’s General Data Protection Regulation requires all organizations that hold, transmit or process EU resident data to comply with the law, regardless of whether you or your third party actually operate in the EU. Failure to comply can result in significant financial penalties: up to 4% of global revenue or 20 million euro, whichever is greater. Enforcement started in May 2018.

While many life sciences companies are subject to U.S. federal, state or industry data privacy regulations and have related controls in place, GDPR raises the bar for protecting consumer information and requires specific tracking from collection to disposal. To address this and all your data security concerns, make sure you periodically audit your current security and privacy strategies, amend controls and planning as needed, align governance appropriately and have an incident response plan in place. Keep in mind, when it comes to protecting data privacy and security, failure to plan is planning to fail.

Reputational impact

If life sciences businesses use third parties, they must realize that they remain responsible for the actions of those organizations conducting business on their behalf, domestically and abroad. Conducting business internationally through a third party does not exclude your company from corruption risks. And, if corruption exists, your company is subject to legal action and scrutiny that can affect your overall reputation for years to come. Too frequently it is the third party that organizations use that causes the reputational damage.

To mitigate risks in this area, implement a robust third-party data collection and due diligence program, and include a contractual provision to allow for monitoring of third-party activity. Focus on continually improving your compliance programs and the resulting controls to identify new and emerging risks and to prioritize your limited compliance resources. To paraphrase Benjamin Franklin, it takes many good deeds to build a good reputation, and only one bad one to lose it. Don’t let your third party’s indiscretion be that one deed that tarnishes your good name.

The takeaway

Leveraging third parties can help your life sciences business gain proficiencies and contribute to your overall profitability, but you must also remember that associated risks in working with them still rest with your organization. Weigh the risks upfront for a successful relationship in the long run.

Source: 5 things to know about managing third-party relationship risks 

Originally published on  December 04, 2017, revised on July 22, 2021


This article was written by Nancy Aubrey, Nathaniel Ruey and originally appeared on 2021-07-22.
2021 RSM US LLP. All rights reserved.