Risk is inversely proportional to one’s distance from a problem. For regulators, it seems straightforward to control biopharmaceutical and medical device risk. For pharmaceutical, biotechnology, and medical device executives, however, risk is hardly so clearly defined; it extends, grows, twists, and compounds through a chain of suppliers, consultants, and business partners. So when regulatory officials claim that compliance accountability cannot be delegated, biopharmaceutical and medical device companies are left holding the bag.
Years ago, as a C-level executive for a combination medical device company, I consistently wished for some way to entrust compliance accountability to those suppliers and outsourced vendors conducting the work, whether computer validation or contract manufacturing. Although blanket contract terminology (“company X will comply with regulations Y”) can be inserted into any agreement, a supplier or vendor will not be the one in the news due to a regulatory investigation nor be the recipient of the government’s notification of noncompliance. With a supply chain for a product that stretched from Europe to Japan, this was a heavy burden of risk and worry to manage, one that seemed a Sisyphean task of global risk and regulatory compliance.
Since founding my consulting firm several years ago, I have worked with my clients toward a reasonable solution to the problem of vendor regulatory compliance accountability and risk. Given my role in trying to help solve this problem with my clients, I decided it was only fair to have my firm be the first through the gates of the process my clients and I have termed “shared risk.”
Early in 2007, I shared some of our experiences and results on the Washington, DC based radio program, Tomorrow’s Business. Here I take the two successful components of the shared-risk strategy — strategic vendor selection and contractual risk-sharing tactics — and couple them with a review of the mistakes made along the way. If you use this experience as a guide, I hope you can implement the successes and avoid the pitfalls.Strategic Vendor Selection
With the exception of start-ups, most businesses have a vendor qualification process. Ironically, what nearly all businesses do not have is a straightforward, systematic process to assess and verify that a potential consultant, contractor, or supplier is a “good fit” for the business and its strategic goals. That such a process is a good business practice is confirmed by its impact on a company’s bottom line.
Based on my career in the medical device industry and the experiences of my biopharmaceutical and medical device clients, the average cost of a supplier qualification is $5,000–8,000. A 2004 report by the Institute for Supply Management noted that the typical company spends at least 33% of its revenue on purchased services from contract organizations, outsourcing, and consulting (1).
Taken together, vendor selection is a significant component of your bottom line. Add in the risk of noncompliance and poor product safety or efficacy stemming from failure within your supply chain, and the impact can easily double or triple.
To reduce your risk, reduce costs, and improve your compliance capabilities, use a simple matrix such as Cerulean’s Strategy-Impact Matrix diagram to map your prioritized business objectives against the levels of effort required (Figure 1). You can then grade potential vendors based on risk, cost, and compliance.
Prioritize Strategies: First, sit down with the rest of your team and lay out a prioritized list of your business goals. Limit yourself to six to 10 business strategies. Depending on your objectives, business situation, and marketplace, you may want to consider creating one list for short-term goals (e.g., 18 months or less) and another for long-term goals (e.g., three or more years). If you create two lists, then you will follow this process twice, creating two matrices, one for the short-term and one for the long-term.
Once you have prioritized your strategic goals and initiatives, you need to assess where third-party help (e.g., contract sterilizer, computer outsourcing vendor, or compliance consultant) will significantly raise your chances of success and reduce your risk. To do that, you must first assess the effort required by your business initiative.
Rate Effort Level: The challenge in this step is to be able to critique yourself and your company honestly, identifying your strengths and your gaps and/or areas in need of improvement. If you have an inkling that you handle feedback poorly, or if you and your team have a poor history in such exercises, consider bringing in an independent, objective facilitator to help you in this critique. Depending on the size of your company this could be a person from outside your company, someone from another division, or a financial backer.
The gaps to be filled and areas to be improved are, in essence, your risks. Prioritize them based on the potential impact to your organization in terms of effort levels required (including time, resources, money). The reality is that you cannot cover everything all at once and will need to make tradeoffs. Limit yourself to four to 10 ranked areas of need.
Graph the Results: On the Y-axis, list your strategic priorities, starting with the lowest priority and moving to the highest. On the adjoining X-axis, list the areas of your business that need to be improved (or filled), ranked by impact (or effort levels) required, starting with the lowest levels to the highest. At the midpoint on each axis, draw a line that crosses that axis to create a four-quadrant grid (Figure 1).
You should now have four quadrants, starting from the top left and working clockwise: high priority with low effort; high priority with high effort; low priority with high effort; and low priority with low effort.
Using the Strategy-Impact Matrix: There are four broad categories of purchased service vendors: outsourced functions, staff augmentation, project-based help, and external advisors. An outsourced function might be contract research. Staff augmentation could be a consultant who operates as your quality assurance manager or interim chief information officer. Project-based help could be an independent project assurance advisor or a contractor’s project team. And external advisors include outside legal counsels or independent compliance advisors brought in to conduct workshops, help review and refine strategies, or serve on retainers.
Low Priority, Low Effort: Anything in the low-priority-with-low-effort quadrant can be used to try out a first time vendor. By definition, the cost will be low and so should the risk. Therefore, any vendor qualification required can be done remotely (e.g., through paper qualification) rather than on-site — either through a mailed-out questionnaire, phone interview, or (if your processes allow) a filed memo noting the matrix results and the logic behind your choice.
Low Priority, High Effort: Anything in the low-priority-with-high-effort quadrant can be completely outsourced with relatively little risk and minor qualifications. Because these a
re low-priority areas that require a high level of effort, you are unlikely to obtain a good return on your investment if they are handled any other way. Cost will be driven by effort and the market, but because risk is low, vendor qualification can be done remotely or on-site as you decide. Consider basing your decision for remote or on-site qualification on a formal risk assessment of the vendor’s potential impact on your product’s safety and efficacy or proof of regulatory compliance.
High Priority, Low Effort: Help in the high-priority-with-low-effort quadrant should come from an outside advisor. Because a high strategic priority comes with high risk (and therefore requires costly vendor qualifications), when its costs are combined with the overall low cost of the effort itself, you are likely to expend far more in on-site vendor qualification than is justified. A reasonable balance comes with an outside advisor you can qualify remotely and who will agree to the second core component of the shared risk strategy, contractual tactics.
High Priority, High Effort: Third parties that rank in the high-priority-with-high-effort quadrant require on-site qualification. When risks and costs are both high, qualification should be most stringent. Vendors in this category typically have a high impact on product safety and efficacy (such as a contract sterilizer), or on the proof of either product safety and efficacy or your compliance with regulatory rules (for instance, a contract clinical laboratory). Using contractual tactics to share risk with vendors in this quadrant is crucial for both your compliance and your piece of mind.Contractual Tactics to Share Risk
Central to judicial application of these tactics is recognizing your vendor’s marketplace reality: Is your business (or your industry as a whole) a significant portion of your vendor’s revenue? If not — for instance, when a glass manufacturer receives less than 10% of its total revenue from sales to pharmaceutical companies — you may have limited success with all these tactics and have to settle for just one or two.
Tactic 1, Compliance Agreements: Ideally, you want your vendors to provide at least one-third of the compliance and quality work you need to complete. You can achieve this by crafting a compliance (or quality) agreement with your vendors. Although this can be done as a separate agreement, typically it is often easier to structure it as an addendum to your main contract.
Any compliance agreement covers three crucial points:
Accountability should adhere to specific rules and regulations. These should be relevant to services and equipment being supplied to your company. In my own experiences as an executive, I consistently found that my job was easier when the contract spelled out “21 CFR Part 11” rather than just “FDA rules and regulations.”
Clarify auditing and vendor qualification expectations. Include financial penalties for delays or audit failures and financial rewards for audit successes.
Require a yearly compliance summary report. This should cover the vendor’s compliance status and continual improvements relevant to your specific needs (e.g., progress on SAS 40 compliance is largely irrelevant if you need 21 CFR 820 compliance).
Tactic 2, Financial Performance: Simply put, if a vendor’s equipment or suggestions do not work, the cost should go down. Conversely, structure your agreement such that if the vendor exceeds mutually agreed-upon thresholds, payments increase.
Such deals can also incorporate timescales and other variables. Imagine a piece of laboratory equipment (e.g., mass spectrometer) that requires constant, costly calibrations with vendor-certified technicians. Rather than structure a support contract for the mass spectrometer as typical, push for a threshold beyond which your company will not pay for calibrations; however, make sure this threshold leads both ways. If the equipment requires fewer calibrations than typical, the vendor might receive a bonus.
Note that simply pushing for financial performance measures and penalties as a way to reduce costs is the biggest mistake you can make when it comes to sharing the risk with your vendors. You must also share the rewards.
Tactic 3, Audit Support: As a medical device executive, I was always less than impressed with the level of service and support I received from many of our purchased services when a regulatory inspection (or other third-party audit) was scheduled. Some vendors seemed to disappear from the map during an active investigation, only to reappear after much of the dust had settled. When I founded my consultancy, it was with the firm determination to tackle that risk avoidance head-on with the third contractual tactic in the shared risk strategy, audit sharing.
Our company provides three different ways in which we share the risk of audits and investigations. But of these, the most consistently appreciated is the one that I recommend you push your vendors for: active audit support. In your contract, spell out the support you require during audits of your company, and make clear the financial penalties for failure to provide this support.
For instance, if a regulatory inspection is announced when your company is in the midst of clinical trials or is submitting a new drug for approval, you will want your clinical trial vendors (including any interactive voice response system [IVRS] vendor) to provide the following four items:
Compliance level summary (e.g., ISO certifications, EU clearance)
Quality manual (e.g., “see the components in the ICH Q10, step 2 document”)
Risk management methodology summary
Dedicated contact individual (and a backup person) for the duration of the audit.
You probably have older versions of the first three in your vendor qualification files. But it is the ability to rapidly provide the most current copies and a dedicated vendor contact person to the outside investigator that will demonstrate your commitment — and that of your vendors — to continually improving quality, safety, efficacy, and sharing the risks.
Depending on the type and scope of the audit, require your vendors to help you prepare for it by participating in teleconferences and meetings. If the audit is unannounced, require your vendors to provide this active audit support as soon as they are contacted. The more you and your vendors can come together to present a united front on large issues (e.g., safety and efficacy), the more subtle pressure you place on individual auditors to focus on the minor faults present in any human-originated system. This should result in a good audit for you and a better bottom line for your company.Common Mistakes to Avoid
Strategy is dictated by goals, and sharing risk with vendors is not a goal but a means to an end. For most organizations, the goal is a safe and efficacious product that provides revenue and positive bottom line growth. Unfortunately, without all the management in your organization on the same page, you leave yourself open to four common mistakes.
Mistake 1, Confusing Cost-Effectiveness and Cost Cutting: The mistake that I have seen over and over is confusing cost-effectiveness with lowering overall costs. Cutting costs is a means to an end, an operational tactic. Cost-effectiveness is more strategic, taking into consideration the short-term and the long-term, broad relationships, risk controls, and so forth. Cost-effectiveness may save money, but it always allows reinvestment in high-impact activities such as customer service and interaction, innovation, and improved competitiveness. Sharing risk with your vendors gets off track when the logic behind it is restricted to “lowering costs.”
Mistake 2, Mutual Misunderstanding: As often as not, this is the result of poor internal communications
across a company’s functional units, and it is only compounded with a vendor added to the mix. Do not underestimate the challenge of effectively sharing what is planned (and hoped for) over the next 18 months. Given the often different “language” nuances of support functions (e.g., information technology, quality assurance, and legal) and line-of-business executives, what seems to be a good meeting may result in a series of poor decisions that negatively affect the vendor selection efforts. The goal is not complete agreement between business units and support functions, but to translate the language enough to capture and evaluate internal business interdependencies and ensure mutual understanding.
I recently worked with one client who had a wonderful business case and detailed request-for-proposal (RFP) it was preparing to send out for purchased information technology (IT) services. As an independent sounding board (“our back-pocket CIO,” as the research and development vice-president noted), my role was to act as a third set of eyes and translate between the IT and R&D executives. I was to ensure that an appropriate level of coverage existed for the business unit and nothing glaring had been overlooked. R&D management were very excited about an upcoming partnership currently being negotiated with an outside product development company to jointly bring a new product to market in the next year. Unfortunately, when I reviewed the IT department’s RFP, there was no mention of working with any future partner, nor any collaborative technologies to be implemented or supported by the outsourced vendor soon to be in charge of the company’s network and data security.
Failing to account for or resolve internal communications challenges will have even worse consequences once a vendor contract is signed. Two studies in 2005 by financial service firms revealed that nearly 70% of companies that had negative, costly experiences with outsourcing did so because underlying communication issues, relationship factors, and process problems were not resolved before the vendor came on board (2, 3).
Mistake 3, Failure to Diversify: Many years ago, an old colleague of mine decided that managing the various vendors our company had ended up with was simply too much. He was going to “put all the eggs in one basket and watch that basket.” Concentration of purchased service activities into one or two vendors can occur when the executives in charge of managing those vendors have confused cost-effectiveness with cost-cutting. Strategic vendor selection and shared risk is really about investing wisely. A solid investment strategy, as any financial advisor will tell you, is to “diversify, diversify, diversify.”
For my colleague, the end of the road came two years later. The IT contracts were concentrated in the hands of one of the big three IT consulting firms, and they knew it. To my colleague’s chagrin, the vendor with whom he had touted such a great relationship dramatically raised prices during renewal negotiations. Despite repeated late-night internal assessments of timelines and resources needed to bring the services back in-house (or to switch the services to another vendor), it was clear to all of us that such a shift was not feasible. Too much was at stake in the rest of our company: Several new high-profile partnerships were being negotiated, two new products were in test market with a third on its way, and the reverberations and reorganizations from the previous year’s merger had only recently been laid to rest. The renewal turned into a seven-year contract at 30% higher rates over its lifetime. Needless to say, this renewal contract also heralded the end of my colleague’s career with our company.
Even if yours is a small or midsized company, that type of worst-case situation can be avoided by signing at least two different outsourced vendors for areas of long-term work that rate as high-effort, low-priority on the matrix. This will allow your company to try out several vendors who can wait in the wings as understudies.
Mistake 4, Viewing Risk Management as a Science: Despite all the claims, articles, and protestations, risk management is more art than science. Most risk management models rely on data sets whose data points have been aggregated and averaged, removing the outliers and dramatically nontypical findings (4). Ironically, when it comes to batch or medical product testing, such averaging to achieve a “good” set of data is a big “no-no” to regulatory and safety investigators. Make sure to carry that mindset over to any discussion of risk with your vendors and potential vendors. Blend the numbers with your intuition, judgment, and experience; listen to the skeptics on your team, be they employees or the outside advisors with whom you have already shared risk. When people all share the risk, you may be surprised at how the “never-going-to-happen-scenario” can suddenly get everyone’s focus.Final Thoughts
The shared-risk strategy also can be applied to selecting potential partners (or areas in which to partner), licensing, new product development opportunities, and so forth.
Sharing the risk of regulatory compliance with your vendors recognizes the global marketplace in which we all increasingly conduct business. Regulators may not have the authority to search up and down the supply chain, but you have the corporate responsibility to push accountability to your vendors. Just make sure you share the rewards, not just the risks, and your vendors will eagerly agree.
Are you ready?