Third party risk management in pharma and life sciences – you’re only as strong as your weakest link
In the last few weeks, we have seen both the ransomware attack on the NHS in the news and, more recently, the global IT outages caused by a software bug in an update from a cyber security firm. These two incidents, added to the traditional high risks of issues such as bribery and corruption, stress the importance of third-party risk management and due diligence.
While the ransomware attack on the NHS hit the headlines in early June, the repercussions are still being felt today with nearly 8,000 patient procedures – including organ transplants and cancer treatments – having been cancelled, postponed or diverted to other facilities in London. The root cause of this was an attack on a blood testing firm, one of the NHS’ third-party providers.
As the NHS continues to deal with the fallout from the incident, it should act as a warning sign to pharmaceutical and life sciences businesses, which may also be at risk because they tend to work with, and rely on, many third parties to deliver their services. Boards and audit committees of pharma businesses will no doubt be scrutinising these risks even more closely to ensure patient safety and service continuity, focusing on thorough testing and on assessing the maturity of third-party management practices.
Most companies have risk mitigation and business continuity plans in place; however, these tend to focus on internal matters, and there is often less rigour around, or due diligence on, third parties. Companies don’t always think to assess which of their critical activities depend on a third party, or take steps to gain adequate assurance that their third parties have the right controls in place should an incident happen to one of them. This means that even companies with the most stringent processes and plans for themselves are only as strong as their weakest link.
It can be difficult and overwhelming to manage an ecosystem of third parties and feel assured that they have watertight processes in place. The key steps that firms should take are:
Taking these steps will put firms in a significantly better position should an issue arise, while failing to address these areas can lead to significant reputational damage and regulatory compliance issues. It’s important to remember that this can’t be a ‘one and done’ activity – third-party risk management has to be an ongoing priority. Risks must be continuously monitored, any new vendors interrogated, and crisis management plans updated if anything changes.
Invest ahead of a crisis
The biggest error that we see is companies being ill-prepared for a crisis, such as a cyber-attack. Companies tend to be reluctant to put resources and funding into something that they think might never happen, or they don’t interrogate the role that third parties play thoroughly enough. This can be a stressful, costly, and dangerous oversight. Risk management should be treated as an insurance policy – with firms putting checks and balances in place in the hope that they never have to fall back on them.