In the life sciences sector, the halting of elective surgeries combined with the impacts of the historic hospitalizations and the upending of global supply chains has left sizable gaps between firms’ actual and projected economic performance. Consequently, operational budgets and administrative functions are under increased pressure in both the private and public healthcare settings.
Corporate compliance teams can proactively contribute to mitigating pandemic-propelled business stress by reevaluating their third-party vendor risk assessments to address changed circumstances and risk elements. A tangible solution is third-party risk scoring, which when done effectively, can provide valuable insight relative to the allocation of limited compliance resources in a post-pandemic environment. Compliance teams can recalibrate their approach in the following ways:
1. Account for Business Continuity Risk in Third-Party Risk Scoring
With commercial activity slowly reengaging from the extended period pandemic standstill, businesses are acutely focused on securing revenue and managing operational cash flow. These times are particularly difficult for small enterprises that have limited sources of capital as well as large corporate entities that are going through financial restructuring.
For many medical device and pharmaceutical companies, where in-country distributors and sales representatives are often key to opening underdeveloped or geographically isolated markets, the pandemic has disrupted established networks. In many cases, the pandemic has dissolved legacy relationships especially in geographies that have been decimated by COVID-19. The resulting void has created both an opportunity for new third-party relationships as well as enhanced the threat of uncharted third-party risks.
From a compliance perspective, third-party risk scoring can be adjusted to place an increased emphasis on company size, measures of financial stability, and other key risk attributes to assess potential new relationships. Such efforts would not prevent companies from engaging smaller distributors, who often perform exceedingly well, but would help protect the company from being left without distributor revenue in certain locales in the event of a bankruptcy or liquidation.
Classification by third-party size and financial stability may also prove useful in other ways. Companies may discover that their sole distributor in a large, emerging market is a “mom-and-pop” shop. A failure there could leave the company without a presence in an entire country for several months. Conversely, they may find themselves inexplicably betrothed to a network of low revenue distributors in a market where one larger distributor would likely suffice.
2. Prepare for No On-Site Audits
For many compliance teams, the on-site audit is a useful risk remediation tool. In some situations, the on-site audit is proposed as a form of compromise between commercial and compliance teams. For instance, compliance may approve a red-flag-laden but high-performing third-party on the condition that an on-site audit is performed. However, given the uncertainty surrounding international travel, it is unlikely that compliance teams will be able to perform on-site audits in the near future.
To account for this constraint, compliance teams should factor in a third-party’s ability to provide all relevant records electronically and seek additional information regarding the third-party’s data management systems. Established third-party distributors should be no stranger to document retention standards, but a new emphasis must be placed on electronic storing of all records. This requirement may result in smaller third parties being punished with higher risk scores, but the inability to conduct on-site audits removes an important tool in the compliance toolbox and should be reflected in the risk calculation.
3. Adjust Volume of Business Calculations
Many companies incorporate third-party annual volume of business calculations into their risk methodology by estimating anticipated third-party business as a percentage of the company’s total business in a specific market. If a third party represents an outsized percentage of the company’s business in a certain country, this could indicate an unhealthy overdependence on a single third party. Moreover, the higher the third-party business volume, the more potential for third parties to covertly siphon off funds and the more tempting it will be for bad actors to get their hands on. Put simply: the higher the business volume, the higher the risk score.
At the risk of sounding repetitive, it is safe to assume that business volume for this fiscal year will be down for third-party distributors and sales representatives. Without a risk scoring adjustment, lower volume will have third parties sliding down the risk scale, leading to artificially lower risk scores.
To address this pandemic reality, compliance functions should modify the business volume targets incorporated into their vendor risk scoring methodology by expanding the time horizon and working with updated numbers. For example, the targets can be expanded to reflect a three-year average for a third party, which would help control for the lower numbers this year. Additionally, compliance teams should consult closely with the business units to determine what would be an appropriate estimate for 2021, instead of relying on pre-pandemic calculations.
The COVID-19 pandemic has put immense pressure on the life sciences industry. Compliance functions are being asked to identify, quantify, and remediate new risks arising from the outbreak and the corresponding shutdown of the global economy.
As a response to this uncertainty, compliance teams can adjust their risk scoring methodology by accounting for business continuity risk, preparing for no on-site audits, and adjusting business volume targets. These steps can help compliance teams proactively respond to the changed environment.