How Pharma Can Best Manage Third-Party Risk
By Brad Gilliat, Blake Gardner, and Bob Mooney

Managing third-party risk is one of the most arduous challenges facing pharmaceutical companies, and regulatory requirements are just one piece of this puzzle.
Pharmaceutical organizations are evolving continually and rapidly, and this evolution often involves an increased use of third parties. As changes occur, companies’ third-party risk management (TPRM) programs must continue to adapt to ensure compliance, maintain quality, and ultimately help protect the companies’ reputation. The challenge is doing so effectively without compromising growth or exposing organizations to unnecessary risk.
Third-Party Providers And Associated Risks
TPRM rarely takes a one-size-fits-all approach, especially in the pharmaceutical industry, where organizations leverage a range of third-party types such as clinics, retail pharmacies, health information system providers, independent research organizations, universities, and more. Many third parties also might provide distinct services under more than one engagement. Such diverse and expansive third-party populations are driving many organizations to consider a refreshed strategy for tackling third-party risks. An important first step is to understand the composition of the third-party population as well as its risk exposure. TPRM functions can then take a risk-based approach to their work.
Assess Inherent Risks
With a complete, organized inventory of third-party engagements, TPRM functions can further assess the inherent risks of the third parties. While TPRM teams have been using inherent risk questionnaires for years, pharma companies are finding that risk domain coverage (the types of risk that a given third party might pose) needs to be continually evaluated and expanded as regulatory and risk landscapes change. This enables organizations to better identify how regulations apply differently to each third party. Understanding these risks before performing due diligence helps ensure a comprehensive review.
Identify Risk Domains
Many TPRM functions already are being tasked with building new risk domains into their programs. Beyond traditional risks (such as information security and privacy), TPRM teams are increasing emphasis on ethics and compliance; quality; environmental, social, and governance; and other related fields (see exhibit).
[Exhibit: What risk domains does your TPRM program include in scope?]
Source: “Crowe 2024 Life Sciences Third-Party Risk Program Benchmark Survey.” More than half of participants’ TPRM programs include ethics and compliance risk in scope, and just over 25% consider quality risk in scope.
Quality, good clinical practices, good manufacturing practices, and data integrity initiatives are affecting the pharmaceutical industry and risk domains, and relevant requirements have driven an increase in TPRM scrutiny of third-party activities in the supply chain. For example, manufacturing procedures might require that source materials are stored at a certain temperature prior to processing. Quality control personnel in charge of implementing good manufacturing practices might require data to validate that the materials are adequately handled from the time they are manufactured and shipped by suppliers until the time they are processed. This underlines the importance of engagement-specific, focused due diligence and ongoing monitoring to truly understand the risks a third party poses to an organization.
Challenges Of Expanding Risk Domains
Expanding risk domain coverage comes with several unique challenges that can persist across the people, process, and technology aspects of TPRM. Treating risks across multiple domains requires a tailored approach, and this can lead to the following issues.
- Overextended people. Organizations often find themselves coordinating with several different teams or stakeholder groups to consolidate efforts while attempting to conduct as thorough a review as possible. Often, people are being asked to do more with less, and TPRM functions find themselves struggling to stay afloat after expanding risk domain coverage — a direct result of compounding requirements for each third party.
- Convoluted processes. The combination of several programs into one or more TPRM processes can result in duplicative activity or extended timelines. Lines of authority also might become skewed as risk acceptance and approvals are required across several stakeholder groups. Third parties might not be sure whom to contact to participate in due diligence or continuous monitoring requests and might become frustrated with the process.
- Incompatible technology. Technology solutions that operated effectively in legacy programs might not be able to support the nuanced requirements for each risk domain group. This could result in some stakeholder groups feeling forgotten or unheard.
Effectively Manage Third-Party Risks
Despite the challenges, pathways to success do exist. Organizations that can adapt and scale enable themselves to meet compliance challenges and sometimes drive positive industry change through influence on their third parties:
- Enhanced TPRM governance, including clearly communicated roles and responsibilities, is vital to drive the effective management of third-party risks. Depending on the TPRM governance structure, this might involve use of a centralized TPRM team or several subject-matter expert (SME) teams that manage their own respective risk domains.
- Detailed procedures also might improve practitioner experience and efficiency. Whether using a centralized, hybrid, or decentralized approach, work instructions specific to each stakeholder group help avoid missteps and inaction due to uncertainty. In a centralized program, risk domain SME teams focused on quality management systems, information security, and ethics and compliance might each create review guidance for a centralized TPRM team. Alternatively, a centralized TPRM team could be tasked with training SME teams on TPRM processes and technology to enable the SME teams to independently manage risks relevant to their work function.
- Appropriate technologies, including the adequate configuration of these tools, are vital to enabling practitioners to perform their work and keep stakeholders informed. Implementing technology tools is no small task, and even mature organizations find themselves in the midst of multiyear efforts to improve the interoperability of systems supporting their TPRM processes. Technology that enables organizations to increase efficiency without compromising quality is necessary to scale most maturing TPRM programs.
No single approach to managing third-party risk exists for pharmaceutical companies, but appropriately considering the people, process, and technology components of the TPRM function is vital in determining the best approach. The life sciences industry and pharma continue to drive innovation in the TPRM space simply out of necessity, and an efficient program could protect organizations from unacceptable risk while managing employee workloads and improving stakeholder experience.
About The Authors:
Brad Gilliat, CISA, CTPRP, is a principal in the consulting group at Crowe, coordinating a dedicated network of third-party risk consultants and assessors around the globe. He specializes in supporting organizations in designing, building, and running their third-party risk management programs.
Blake Gardner is a senior manager in the consulting group at Crowe.
Bob Mooney is a manager in the consulting group at Crowe.