In the life sciences sector, the halting of elective surgeries and the upending of global supply chains has left a sizable gap between firms’ actual and projected revenue targets. It seems the only thing receiving haircuts nowadays are corporate budgets.
One way for the compliance function to proactively contribute to this pandemic-propelled pruning is to reevaluate their third-party vendor risk assessments to address changed circumstances and any risk elements exposed by the pandemic. Third-party risk scoring plays a key role in determining how compliance resources are allocated and needs to be modified to reflect the post-pandemic environment.
Compliance teams can recalibrate their risk scoring approach by accounting for business continuity risk, preparing for remote rather than on-site audits, and adjusting for changes in the volume of business transactions. If done correctly, these actions can allow for the allocation of diminishing resources to objective risk measurements, which will please management, the board, and enforcement authorities.
1. Account for Business Continuity Risk
With commercial activity slowly ramping back up from a veritable standstill, some businesses will be forced to lean heavily on their savings to endure these next few months. This makes it difficult for smaller distributors to survive. For many medical device and pharmaceutical companies, these distributors or sales representatives are often key to opening underdeveloped or geographically isolated markets. But the stark reality of the pandemic makes it likely that few of the distributors will remain standing.
From a compliance perspective, third-party risk scoring can be adjusted to place an increased emphasis on company size and measures of financial stability. This would not prevent companies from engaging smaller distributors, who often perform exceedingly well, but would help protect the company from being left without distributor revenue in certain locales in the event of a bankruptcy or liquidation.
Classification by third-party size and financial stability may also prove useful in other ways. Companies may discover that their sole distributor in a large, emerging market is a “mom-and-pop” shop. A failure there could leave the company without a presence in an entire country for several months. Conversely, they may find themselves inexplicably betrothed to a network of low revenue distributors in a market where one larger distributor would likely suffice.
2. Prepare for No On-Site Audits
For many compliance teams, the on-site audit is a useful risk remediation tool. In some situations, the on-site audit is proposed as a form of compromise between the commercial and compliance teams. For instance, compliance may approve a red-flag-laden but high-performing third-party on the condition that an on-site audit is performed. However, given the uncertainty surrounding international travel, it is unlikely that compliance teams will be able to perform on-site audits in the next 6-9 months.
To account for this in the vendor risk scoring system, compliance teams should factor in a third-party’s ability to provide all relevant records electronically and seek additional information regarding the third-party’s data management systems. Established third-party distributors should be no stranger to document retention standards, but a new emphasis must be placed on electronic storing of all records. This may result in smaller third parties being punished with higher risk scores, but the inability to conduct on-site audits removes an important tool in the compliance toolbox and should be reflected in the risk calculation.
3. Adjust Volume of Business Calculations
Many companies incorporate third-party annual volume of business calculations into their risk methodology by estimating anticipated third-party business as a percentage of the company’s total business in a specific market. If a third-party represents an outsized percentage of the company’s business in a certain country, this could indicate an unhealthy overdependence on a single third-party. Moreover, the higher the third-party business volume, the more potential for third parties to covertly siphon off funds and the more tempting it will be for bad actors to get their hands on. Put simply: the higher the business volume, the higher the risk score.
At the risk of sounding repetitive, it is safe to assume that business volume for this fiscal year will be down for third-party distributors and sales representatives. Without a risk scoring adjustment, lower volume will have third parties sliding down the risk scale, leading to artificially lower risk scores.
To control for this, compliance functions should modify the business volume targets incorporated into their risk scoring methodology by expanding the time horizon and working with updated numbers. For example, the targets can be expanded to reflect a three-year average for a third party, which would help control for the lower numbers this year. Additionally, compliance teams should consult closely with the business units to determine what would be an appropriate estimate for 2021, instead of relying on pre-pandemic calculations.
The COVID-19 pandemic has put immense pressure on the life sciences industry. Compliance functions are being asked to identify, quantify, and remediate new risks arising from the outbreak and the corresponding shutdown of the global economy.
As a response to this uncertainty, compliance teams can adjust their risk scoring methodology by accounting for business continuity risk, preparing for no on-site audits, and adjusting business volume targets. These steps can help compliance teams proactively respond to the changed environment.
TDI can help you navigate the post-COVID-19 world of third-party risk assessments with customized solutions to suit your company’s unique business needs. Get in touch today.