Third party risk management in pharma and life sciences – you’re only as strong as your weakest link

In the last few weeks, we have seen both the ransomware attack on the NHS in the news, and more recently, the impact caused by a software bug in an update from a cyber security firm, causing IT outages across the globe. These two incidents, added to the traditional high risks of issues such as bribery and corruption, stress the importance of third party risk management and due diligence.

While the ransomware attack on the NHS hit the headlines in early June, the repercussions are still being felt today with nearly 8,000 patient procedures – including organ transplants and cancer treatments – having been cancelled, postponed or diverted to other facilities in London. The root cause of this was an attack on a blood testing firm, one of the NHS’ third-party providers.

As the NHS continues to deal with the fallout from the incident, it should act as a warning sign to pharmaceutical and life sciences businesses, which may also be at risk because they tend to work with, and rely on, many third parties to deliver their services. Boards and audit committees of pharma businesses will no doubt scrutinise these risks even more closely to ensure patient safety and service continuity, focusing on thorough testing and on assessing the maturity of third-party management practices.

Only as strong as the weakest link

Most companies have risk mitigation and business continuity plans in place; however, these tend to focus on internal matters and there is often less rigour around or due diligence on third parties. Companies don’t always think to assess which of their critical activities depend on a third party or take steps to be confident they have adequate assurance that their third parties have the right controls in place should an incident happen to one of them. This means even those companies that have the most stringent processes and plans for themselves are only as strong as their weakest link.

Steps to take

It can be difficult and overwhelming to manage an eco-system of third parties and feel assured that they have watertight processes in place. The key steps that firms should take are:

  • Assess their value chain and identify which are critical processes, and whether these rely on third parties.
  • Map out third parties and identify where there might be a business continuity risk if their services failed.
  • Conduct due diligence on these critical third parties and report any potential red flags in their processes. This due diligence covers adverse media, sanctions and watchlists, beneficial ownership, legal disputes and many other publicly available sources, and should also include IT due diligence. This is crucial, particularly as third parties are less likely to be accredited by the International Organisation for Standardisation, or to be subject to the same levels of rigour.
  • Create crisis plans and stress-test scenarios – build business continuity and crisis management frameworks for potential scenarios that could impact the business. Conduct crisis simulation activities to test that these plans are thorough and will stand up against a live crisis. The Board and senior leadership team must be involved in testing and wargaming exercises at least annually, as they will ultimately be accountable in the event of an incident.

Taking these steps will put firms in a significantly better position should an issue arise, while failing to address these areas can lead to significant reputational damage and regulatory compliance issues. It’s important to remember that this can’t be a ‘one and done’ activity – third party risk management has to be an ongoing priority. Risks must be continuously monitored, any new vendors interrogated, and crisis management plans updated if anything changes.

Invest ahead of a crisis

The biggest error that we see is companies being ill-prepared for a crisis, such as a cyber-attack. Companies tend to be reluctant to put resource and funding into something that they think might not ever happen, or they don’t interrogate the role that third parties play thoroughly enough. This can be a stressful, costly, and dangerous oversight. Risk management should be treated as an insurance policy – with firms putting checks and balances in place in the hope they never have to fall back on them.

*This article was first published on Accountancy Age on 6 August 2024 under the title "Third party risk management in pharma and life sciences – you’re only as strong as your weakest link".*