A guide to good vendor management

Posted 22 May 2020 | By Yatin Ajgaonkar, MSc 

This article addresses best practices for regulatory affairs departments in their work with vendors. The author provides an overview of the vendor-contract giver relationship, then discusses finding an appropriate vendor, due diligence in selecting a vendor, vendor-related risk management, contract management, performance evaluation, maintaining the vendor-contract giver relationship, and the importance of follow-up meetings, audits, and reviews.
A vendor may be defined as an enterprise that provides or supplies goods or services. To some degree, all companies rely on vendors, and that is true for regulatory affairs departments as well. A good vendor has a vital role in the success of an organization, but there needs to be a robust vendor management process in place. The most important aspect of the relationship between the vendor and the contract giver (the party that requires the service and will pay for it [1]) is the activity carried out by the vendor. However, most of those activities are not under direct control of the contract giver, so there is always a chance that deviations from the contract will not be noticed or that small changes “creep” into the relationship and process over time.
For example, many regulatory affairs (RA) departments outsource language translations to specialist service companies. But how does one determine whether the service company has done a good job? If no one in an RA department is fluent in the language outsourced for translation, there is likely no way for the final product to be proofread and assessed for quality and accuracy once it has been delivered.
Another area in which RA departments regularly rely on service providers is in the preparation of submissions, particularly those for countries where the company may not have representatives or for which specialist local knowledge is required. Again, one must be able to ensure that the service provider is delivering work that meets one’s requirements and standards. RA professionals know how submissions are prepared, but how can one determine if the vendor selected the correct or optimal application route?
Risk management
To manage these risks, the RA department needs to have good vendor management processes and practices in place [2]. Risks exist whenever a service is outsourced, but the contracting company can deal with those risks by:
  • Accepting that there is residual risk and managing it in accordance with established criteria.
  • Avoiding risk-generating activity when it is identified.
  • Transferring or sharing risk to reduce its effect or occurrence.
  • Mitigating or treating the risk to eliminate or reduce its impact.
  • Escalating or highlighting the problem to decision makers for their approval of finances or plans to deal with risk decisions.
To execute any of the above strategies, one needs first to identify and evaluate each plausible risk, because risk management is an ongoing process throughout the lifecycle of every contract with a vendor. However, if vendor management is effective, risk management becomes less labor intensive. A good vendor management process can help a company achieve better results by reducing potential risks, ensuring service deliverability, and deriving value through the partnership with the vendor.
Best practices in managing vendors
Vendor management is achieved by being able to control certain factors, such as knowing the vendor, having a plan for working together, and balancing quality and costs. Below are various ways to ensure a contract giver is on the right path in managing vendors.
Due diligence
It is a valuable first step to create a database of available vendors and their current information. Rate or prioritize the vendors, based on their pro-and-con features, then create a shortlist of those who seem best suited for meeting one’s requirements. Keep the shortlist in the company database for future use. This is also an excellent opportunity to check and verify that the suppliers one has been using are still trading and that their contact information is current.
Often, vendor cost is the primary criterion for selection, but the lowest cost does not always guarantee the best value. For that reason, it is important to examine the vendor’s financial stability, legal and regulatory records, and service quality.
In general, the best vendors are less likely to follow procedures that may create risks and/or deviations from the contract. A stable, well-run organization will likely have a good plan for identifying, mitigating, and managing risk. It will also work with competent partners, resulting in a smooth, risk-averse process that promotes mutually beneficial development through learning.
But that could vary from case to case. A practical example would be the submission of a variation in China. The vendor will have prepared the submission documents, but new regulations requiring a submission strategy change may have been published. A good vendor will proactively suggest the best way to handle the new situation, thereby reducing the risk of rejection of the variation. Although one may expect a vendor to be proactive in a situation such as that, proactivity is rarely addressed in a contract between the RA department and vendor.
Better contract management
Even if the best of the vendors are selected, good performance may be hindered if the vendor and contract giver are not clear on what to expect from the partnership. Generally, contracts are led by commercial teams. However, it is also important to include technical teams, such as regulatory affairs and quality assurance, and others as needed, such as medical writing experts, at the appropriate juncture to create the right technical/commercial balance.
Other important technical requirements, such as those relating to service and product specificity, are essential for the financial terms covered in commercial contracts. It is crucial to have a delineation matrix in the contract to identify and establish roles for each partner, and having a clear demarcation of work specified in the contract helps in conflict management. In actual operation, this also serves as the basis for identifying and creating metrics, which in turn help establish measurable key performance indicators (KPIs). If we use the previous example of the submission of a variation in China, then the contract should clearly show which party is responsible for:
  • Regulatory intelligence on the Chinese regulations
  • Preparing the variation
  • Approving the variation
  • Submitting the variation
  • Maintaining contact with the agency or department
  • Responding to agency queries
The contract should clearly state the expected flow of data, documents, and scripts. This clarity ensures a one-way flow of information and rules out the creation of uncontrolled documents (that is, documents outside of the quality system), which present a risk for data integrity issues. In addition, the RA department’s system for handling and storage/archiving of documents should be mirrored in a similar system with the vendor. The contract should also address whether the vendor should store original documents from the agency or if it should keep copies only and send the originals to the contract giver.
A good contract should cover commercial terms, description of services, KPIs, confidentiality clauses, data protection clauses, and conflict management procedures. In addition to pricing and performance, the contract giver should also recognize the importance of creating a long-term synergistic relationship with the vendor, which will generate maximum value from the partnership.
Performance management
The real test of the service begins once the contract has been signed, and that’s where performance management comes to the fore. It is helpful to use a tool, such as a spreadsheet or a software program, to measure the performance of the vendor against the various KPIs. Such tools will rate the vendor against the KPIs and provide information on the vendor’s performance or areas of weakness. KPIs need to be acceptable to both parties and should generally be established at the time of contract signing.
KPIs are measurable, but it is also useful to have some intangible KPIs for long-term partnerships. Some criteria for creating KPIs include:
  • Financial viability ‒ Measured by understanding whether the company is financially stable and whether the partnership is beneficial to both the parties.
  • Quality ‒ Measured by evaluating conformance, accuracy of work (e.g., whether the submission has been accepted by the agency or rejected on formal grounds).
  • Deliveries ‒ Measured by on-time deliveries, response time, performance during urgent requirements, inventories.
  • Relationship management ‒ Consideration of the vendor’s involvement in the work and its commitment and flexibility. It looks at whether both parties see their partnership as a long-term relationship. It also includes communication, for example, does the vendor promptly communicate information about new regulations to the contract giver?
It is useful to create graphs and explain vendor pros and cons to company management. One can also use the data to build a strategy but should avoid using dated data – there is no substitute for current, real-time data.
Vendor relationship activities
Various activities can help in getting acquainted with a vendor. Regular meetings with the vendor can offer insight into how the vendor operates. The meetings can also focus on supply management, audits, or reviews.
Supply management meetings. These meetings are arranged at fixed intervals to help gauge supply and technical issues and allow for appropriate planning. The contract giver can assess the vendor’s performance against purchase orders monthly, for example, or a vendor may be tasked with maintaining a set of marketing authorizations. The latter should be a straightforward task, and monthly meetings may be sufficient for tracking progress.
Contract givers can also arrange annual business review meetings, which may include the following:
  • Long-term business plans, forecasts, and strategies
  • Contract manufacturing review
  • Discussion/review of the agreements
  • Quality review
  • Review of KPI summary
  • Process improvement, review of capacities, and bottlenecks
  • Review of risk assessment, the business continuity plan, and the challenges
  • Overview of the vendor’s economic and financial health
An annual business review or quality business review meeting can provide metrics on a vendor’s performance for a year. The review should cover all the vendor’s activities, communications, and contributions. These meetings also help create alignment and trust between the contract giver and vendor.
Audits. Audits are carried out at fixed points, perhaps once every two years, or as agreed to in the contract. One advantage of an audit is that the auditor has access to data and people not typically available during technical, supply, and planning meetings. Audits are also helpful for understanding the vendor’s processes, which can help grade the vendor against the established KPIs. The person-to-person interaction afforded by an audit is essential for promoting mutual understanding between the contract giver and the vendor.
Reviews. These meetings are for reviewing documents. Sometimes, companies may use templates for the vendor to provide updates and information about ongoing work and KPIs. However, vendors often tend to provide over-optimistic data or feedback to avoid penalties or creating a negative impression, so it is preferable, where possible, to visit the vendor in person for these reviews. In that way, the contract giver can review processes in real time and see first-hand how the vendor deals with various situations and problems.
Vendors may frown upon review visits during their operations and often view these visits as micromanagement. But reviews are important, especially if the contract giver wants to gather observational evidence. The visits can be used to raise the standards of a problematic vendor and foresee or reduce risks.
Depending on the type of work and the business relationship between the contract giver and the vendor, some of the vendor’s personnel may be working with the RA team at the contract giver’s site. Alternatively, data and document exchange may be facilitated via cloud services or similar electronic platforms. This may be the most suitable solution, especially in extraordinary times, such as now, during the COVID-19 pandemic.
Figure. Risk assessment and vendor management are interrelated, continuous processes.


There are no shortcuts to a risk-free operation when working with vendors, but adhering to the following six rules could guide one in the right direction:
  • Select a good partner as a vendor ‒ Aim to find the best, and balance cost and quality.
  • Have clear expectations ‒ Be sure both parties are aware of and agree on what is expected of the partnership.
  • Gauge performance at regular intervals ‒ Use tools to monitor vendor performance.
  • Have regular visits/meetings ‒ Keep in touch with the vendor through various planned meetings.
  • Have a multifaceted team ‒ It should draw from all departments, but approach meetings with the vendor as one team.
  • Do not rule out micromanagement ‒ Do not hesitate to actively participate in the vendor’s activities to ensure reduction/mitigation of risks.
  1.  European Commission. Outsourced Activities. In: EudraLex ‒ The rules governing medicinal products in the European Union: EU guidelines for good manufacturing practice for medicinal products for human and veterinary use. 28 June 2012. Accessed 21 May 2020. https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/vol4-chap7_2012-06_en.pdf.
  2.  International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use. ICH harmonised tripartite guideline: Quality risk management (Q9). Published 9 November 2009. Accessed 21 May 2020. https://database.ich.org/sites/default/files/Q9%20Guideline.pdf.
About the author
Yatin Ajgaonkar, MS, has worked in the pharmaceutical industry for more than 20 years. He holds a master’s degree in microbiology from the University of Mumbai. In his current position as a quality assurance lead at UCB India, he works extensively with various vendors, which involves risk assessments, audits, and relevant remediation. He can be reached at yatinaj@gmail.com.
Cite as: Ajgaonkar Y. A guide to good vendor management. Regulatory Focus. May 2020. Regulatory Affairs Professionals Society.
