How Can the Bank of England Help Pharma Companies Better Manage Third Party Risk?

What can the Bank of England teach pharma and biotech companies about managing risk? More than you might think.
The pharma industry has transformed its approach to outsourcing, evolving from simple cost-saving measures to complex strategic partnerships that drive innovation across research, manufacturing, supply chains, compliance, and commercialization. While these partnerships offer undeniable benefits, they also introduce significant strategic, operational and compliance risks.
The financial sector has faced similar challenges with its growing dependence on third party vendors, particularly for critical functions like IT services, data processing, and cloud infrastructure. In response, the Bank of England’s Prudential Regulation Authority issued Supervisory Statement SS2/21, establishing comprehensive guidelines for managing outsourcing risks.
While designed for financial institutions, the SS2/21 framework offers valuable lessons that transcend industry boundaries. In this article, we’ll explore how pharmaceutical companies can adapt these principles to build more robust third party risk management programs.
The Rise (and Risk) of Third Party Dependencies in Pharmaceutical Companies
In recent decades, the pharmaceutical industry has undergone a dramatic shift in its operating model. Rather than being done ‘in-house’, drug development, manufacturing, and commercialization now rely heavily on an extensive web of external partners.
This trend towards greater outsourcing, which began in the 1980s and 1990s with a focus on cost savings in manufacturing, has evolved into a deep reliance on an ecosystem of third parties. These organizations offer pharma companies many benefits, including specialized skills and technologies, flexibility to scale operations and an ability to focus on their core competencies.
Here’s a glimpse of how widespread this reliance has become:
- R&D: Pharmaceutical companies now routinely outsource 3 out of 4 of their clinical trials to Contract Research Organizations (CROs).
- Manufacturing: Contract Development and Manufacturing Organizations (CDMOs) play a crucial role, with the market valued at a staggering $250 billion in 2023.
- Commercialization: Companies are increasingly turning to Contract Sales Organizations (CSOs) to handle commercial activities, especially in emerging markets, with an estimated $10-15 billion spent on CSOs each year.
And this trend shows no signs of slowing down. The total pharmaceutical contract market for all services is projected to grow at a rate of 7.2% annually through 2028.
But this dependence on third parties isn’t without its downsides, as recent history has shown. Think quality and data integrity issues at CMOs, ethical concerns in clinical trials run by CROs, bribery, corruption and inappropriate marketing practices by CSOs, and cybersecurity breaches at software vendors, to name a few.
So, how can pharmaceutical companies effectively manage these growing risks? Perhaps the Bank of England can offer some valuable insights.
Lessons from the Bank of England’s SS2/21 Guidance
The Bank of England’s guidance on third party risk management aligns with and emphasises the importance of many established practices in the pharmaceutical sector, such as:
- Having clear third party risk management policies and procedures
- Performing robust due diligence prior to onboarding new partners
- Ensuring strong contractual protections are in place
- Having robust business continuity plans which are regularly tested
- Performing ongoing monitoring of third party performance
However, the guidance also highlights more advanced requirements which the pharmaceutical industry can leverage to further strengthen its approach to third party risk management. These include:
Senior Accountability: The guidance emphasizes the importance of clear accountability in managing third party risk. This means establishing clear lines of responsibility and ensuring that senior leaders are actively engaged in oversight.
The board of directors and audit committee should be actively involved, and specific senior managers should be held accountable for managing these risks effectively.
This focus on senior accountability helps ensure that third party risks receive the visibility, engagement, and investment they deserve within the organization.
Comprehensive and Holistic Risk Framework: Instead of a fragmented approach where each department manages its own vendors (IT handling software vendors, compliance overseeing distributors, etc.), the Bank of England recommends a unified, organization-wide framework.
This framework should encompass all third parties, cover all types of risk (operational, financial, reputational, cybersecurity, etc.), and would, in pharma, span the entire product lifecycle, from research and development to commercialization and post-market surveillance.
This holistic approach provides a more comprehensive view of third party risk and helps ensure consistent standards across the organization.
Criticality Assessment: The Bank of England stresses the need for a criticality assessment (also known in business continuity management circles as a ‘Business Impact Assessment’ or ‘BIA’). In pharma this would involve identifying which business processes and services are most essential to the company’s operations and, ultimately, to patients.
For example, manufacturing and supply processes are crucial for ensuring the uninterrupted availability of medicines. Disruptions in these areas could lead to drug shortages and have serious consequences for patients. In contrast, while important, some internal processes, like certain aspects of facilities management, might be less critical.
By mapping any dependencies on third parties for those essential activities, companies can prioritize their third party risk mitigation efforts and develop robust contingency plans to ensure business continuity in case of disruptions.
Impact Tolerances: The Bank of England also recommends defining “impact tolerances”. This involves determining the maximum acceptable level of disruption a company can tolerate for a critical service before it has ‘significant’ negative consequences.
In the pharmaceutical industry, this means considering the potential impact of disruption on patients, customers, the company’s financial stability, and even the broader healthcare system (particularly where the company has been designated as ‘Critical National Infrastructure’ by the government). For example, for a CDMO responsible for producing a life-saving drug, the company would have a very low impact tolerance for disruptions, as any interruption in supply could have life-threatening consequences for patients. In contrast, while inconvenient, the organization would likely have a much higher impact tolerance for disruption from an IT vendor responsible for managing the company’s intranet.
By defining impact tolerances, pharmaceutical companies can prioritize their resilience efforts and set clear recovery time objectives.
Exit Strategies: Finally, the Bank of England highlights the importance of maintaining “exit strategies.” This means having a well-defined plan for ending a relationship with a critical third party vendor. This plan should include options for transitioning to an alternative provider or bringing the service back in-house, if feasible. An exit could be triggered by a vendor’s poor performance, the third party’s bankruptcy, or the termination of the contract. Having a robust exit strategy is crucial for minimizing disruption and ensuring business continuity in the event of unexpected problems.
Conclusion
The pharmaceutical industry’s reliance on third parties is here to stay. While outsourcing offers clear benefits, such as increased agility and access to specialized expertise, it also introduces significant risks.
By leveraging the Bank of England’s guidance, pharmaceutical companies can build more robust third party risk management frameworks. This will help them navigate the complexities of outsourcing relationships, protect their operations, and ensure compliance in an increasingly interconnected and volatile world.