Third parties, 3 risks and Your life sciences business

ARTICLE | July 20, 2021

Authored by RSM US LLP

Biopharma and med devices should weigh risks upfront

It is standard business practice for many organizations in the life sciences industry to use third-party relationships and resources to achieve desired objectives. These partnerships, for instance, help biopharma and medtech companies complete research and clinical trials as well as commercialize, manufacture, and distribute products. Often, these third parties do so by processing and assessing key organizational data. Since these relationships generally result in productivity and financial benefits, their use is projected to further increase.

While there are many benefits to working with third parties, so too come risks. Life sciences companies should be especially mindful of three major areas of concern: regulatory compliance, data security, and reputational impact. Failure to address these vulnerable areas with your third parties can result in financial loss or expose your organization to further regulatory or legal challenges. A closer look is necessary in order to understand the underlying issues and ways to address these risks.

Regulatory compliance

From Food and Drug Administration regulations to the Foreign Corrupt Practices Act, Biopharma, MedTech, and other life sciences companies must address compliance requirements at every angle of the business. Failure to ensure your business activities—including those with third parties—are in compliance with regulations can expose the company to fines or costly legal repercussions. To mitigate compliance risks, life sciences companies should establish a third-party relationship management program to map third-party contractual commitments against regulations and foreign laws, where applicable.

You need to monitor and assess your third-party relationship management program and make changes when needed, to demonstrate a commitment to compliance with auditors or regulators. You should also escalate any increased risk or performance missteps and execute needed changes via governance and reporting. Keep in mind, no one-size program fits all. Develop a risk assessment and compliance program that considers your overall risk profile as well as your specific domestic and foreign third-party relationships. Understand whether any of your third parties are subcontracting elements of their obligations as this provides additional challenges from a contractual and oversight perspective. In the eyes of regulators, you are the company you keep, so make sure your third parties are obeying the law and upholding your company’s standards and brand.

Data security

Managing confidential data is no small task for most companies given today’s environment of increased hacking attacks and security breaches. To counter this, new regulations have been implemented. However, have your existing contract agreements with third parties also been updated to align with these newer policies? For instance, do you have a clear segregation between the company and third-party responsibility regarding the protection of data and a plan in the event of a breach? Do you know what types of data your third parties have access to and the security around that data? It’s imperative to review your existing third-party engagements and update contracts as needed.

Additionally, privacy regulations in the European Union have also become more rigorous, even for U.S. organizations. The EU’s General Data Protection Regulation requires all organizations that hold, transmit, or process EU resident data to comply with the law, regardless of whether you or your third party actually operate in the EU. Failure to comply can result in significant financial penalties: up to 4% of global revenue or 20 million euro, whichever is greater. Enforcement starts in May 2018.

While many life sciences companies are subject to U.S. federal, state, or industry data privacy regulations and have related controls in place, GDPR raises the bar for protecting consumer information and requires speci?c tracking from collection to disposal. To address this and all your data security concerns, make sure you periodically audit your current security and privacy strategies, amend controls and planning as needed, align governance appropriately, and have an incident response plan in place. Keep in mind, when it comes to protecting data privacy and security, failure to plan is planning to fail.

Reputational impact

If life sciences businesses use third parties, they must realize that they remain responsible for the actions of those organizations conducting business on their behalf, domestically and abroad. Conducting business internationally through a third party does not exclude your company from corruption risks. And, if corruption exists, your company is subject to legal action and scrutiny that can affect your overall reputation for years to come. Too frequently it is the third party that organizations use that causes the reputational damage.

To mitigate risks in this area, implement a robust third-party data collection and due diligence program, and include a contractual provision to allow for monitoring of third-party activity. Focus on continually improving your compliance programs and the resulting controls to identify new and emerging risks and prioritize your limited compliance resources. To paraphrase Benjamin Franklin, it takes many good deeds to build a good reputation, and only one bad one to lose it. Don’t let your third party’s indiscretion be that one deed that tarnishes your good name.

The takeaway

Leveraging third parties can help your life sciences business gain proficiencies and contribute to your overall profitability, but you must also remember that associated risks in working with them still rest with your organization. Weigh the risks upfront for a successful relationship in the long run. For more information, check out our article 5 things to know about managing third-party relationship risks.