
Using risk management to support outsourcing activities

Posted 18 May 2020 | By Jessica Schlegel, MS; Jessica L. Hale, PharmD; Darin S. Oppenheimer, DRSc, FRAPS, RAC, PMP; George A. Cusatis, MS, RAC; William Mejias; Dan Visco; Suraj Ramachandran, MS, RAC

This article outlines organizational risks and benefits with respect to third-party vendors and partnerships in regulatory affairs functions. It also discusses the different controls available to apply an effective risk management program in an organization.
The use of contracted or third-party services can be an effective way for organizations to resource projects or programs. This way of working has been a growing trend in business operations, especially in the US. It is estimated that, by 2027, more than 40 million Americans will be, or will have been, independent workers at some point in their careers.1 The cost of research and development is known to be a financial strain on many organizations, especially considering the development of biologics, combination products, or digital health solutions without any guarantee of regulatory approval or successful market acceptance. Considering these constraints, it is prudent for organizations to consider the use of third-party vendors, when feasible, to transfer or mitigate some of the inherent risks with respect to development activities. However, these solutions require advanced capabilities with suitable business processes to ensure the creation or distribution of safe and effective products. An organization may not be equipped to manufacture on a large-scale basis, but through a business partnership with a third party that has these capabilities and competencies, the two can together effectively produce new solutions.
Although these contracted services can be beneficial for overall business strategies and operations, they can create or further exploit vulnerabilities within the organization. This in turn can introduce risks, which need to be evaluated, mitigated or transferred. It is critical for organizations to understand how risk is determined and what the appropriate scenario for application would be to ensure that they can satisfy regulatory requirements across all functions and processes. Given that risk is determined by probability, severity of harm, and often, rate of occurrence, it is important to understand that using third-party vendors can add additional risk to the manufacturer of products.
Risk management plays a part in nearly all activities within an organization and is critical for success. Most organizations have job functions or even entire functional groups dedicated to managing risk at all levels. These programs should be developed with consideration of any requirements set forth by regulations and with awareness that there are many international standards that are followed in industry and recognized by health authorities. These standards, such as ICH Q9 (quality risk management), ISO 9001 (quality management), ISO 13485 (quality management, medical devices), ISO 14971 (risk management, medical devices), ISO 27001 (information security), and ISO 31000 (risk management guidelines), focus on or provide guidance on effective risk management. According to ISO 31000, risk can be defined as “the effect of uncertainty on objectives” and risk management as “coordinated activities to direct and control an organization with regard to risk.” Managing risk occurs both internally and externally in an organization and allows for making informed decisions, aiding in developing strategy and achieving objectives.2
Implementation of risk controls, which are steps or actions to reduce risk, contributes to the effective management of risks. Risk controls can range from simple, such as user access management, to more complex, such as compliance with legal and contractual requirements.3 The enforcement of risk management occurs internally and externally. Internally, policies and procedures regarding risk management are enforced by management. The organization may also enforce external risk management recommendations, such as guidance documents and consensus standards that are adopted by health authorities as best practices.
An example of risk management for medical devices is postmarket reporting of adverse events (AEs) or device malfunctions to the Food and Drug Administration (FDA). To be compliant, manufacturers need to establish a complaint-management process to collect user reports when the device does not function as intended. An effective complaint-management process allows the manufacturer to gain insight into issues as they arise. The timely communication of errors or AEs allows a manufacturer to act, and thus mitigate similar events from occurring. Postmarket surveillance studies and any postapproval studies that were required as a condition of product approval are also requirements of postmarket reporting.4 All requirements in this example are part of a larger risk management process to monitor device safety and effectiveness after the devices have entered the market.
Although an organization or sponsor can outsource work to a third party, it is ultimately the sponsor’s liability to ensure the quality and safety of the product.5 There are different levels of risk, depending on the service a third-party vendor provides, and each risk needs to be carefully assessed and mitigated.6 Examples of risks to the organization during production could be inadequate specification of design, improper cleaning or sterilization, and the inherent challenges with the manufacturing process in general. If the vendor has enhanced sterile manufacturing capabilities with a quality reputation, pursuit of a partnership may be in the organization’s best interest. In any of these business partnerships, due diligence must be performed to ensure that the selected third-party vendor will consistently produce quality products and operate within legal and regulatory requirements,7 and an organization should perform a risk-benefit analysis to ensure the business arrangement will appropriately fulfill its needs. Ensuring and maintaining supplier quality management is a risk-centric process5 and is vital to maintaining the sponsor’s reputation and quality.
Risk evaluation and mitigation
To design a risk management framework, the organization should assess and understand its internal and external context.
Table 1. Examples of Internal and External Context for the Organization to Consider.2

Internal context examples                                                                  | External context examples
-------------------------------------------------------------------------------------------|--------------------------------------------------------------------
Vision, mission, values, strategy, objectives, policies, and the organization’s culture    | Key drivers and trends affecting the objectives of the organization
Capabilities in terms of resources and knowledge                                           | Political, legal, regulatory, financial, and technological factors
Interdependencies and interconnections                                                     | Contractual relationships and commitments
Information systems and information pathways                                               | Complexity of networks and dependencies

Risk assessment is the overall process of risk identification, risk analysis, and risk evaluation. At the beginning of the risk assessment process, the organization needs to define its risk criteria. The organization should identify and evaluate the amount, type, and level of risk that it is willing to accept, relative to objectives. These risk criteria should be aligned with the risk management framework and customized to the organization’s needs. Due to the dynamic nature of the pharmaceutical, biologic, and medical device industries, where changes occur frequently because of regulatory requirements, business opportunities, or in response to safety commitments, the risk criteria should be continually assessed and updated.
Risk identification involves consideration of the following factors, and the relationship between them:
  • Threats and opportunities
  • Vulnerabilities and capabilities
  • Changes in the internal and external context
  • Consequences and their impact on objectives
  • Time-related factors
  • Limitations of knowledge
  • Reliability of information
When considering and selecting vendors, the following should be assessed:
  • The criticality and nature of the operation being outsourced
  • Quality requirements of the product or service
  • Timelines associated with delivery of the product or service
  • The ability to sustain delivery of the product or service throughout the duration of the agreed contract
It is critical to manage risk proactively when selecting and working with third-party vendors for regulatory affairs functions, because any misalignment between the third-party vendor and the sponsor company can expose the company to risk. This can be effectively accomplished by properly evaluating vendors to ensure their services meet a sponsor’s needs.
In recent years, there has been an increased emphasis on the regulatory intelligence function and its role within a company’s strategic planning, such as developing a regulatory strategy for a new product filing. Some organizations do not have a dedicated team to support a regulatory intelligence function. Considering the mass of data available, a successful program can be difficult to implement without adequate allocation of resources. Outsourcing this service to a third-party vendor that gathers applicable information for the organization can save sponsor resources on this time-consuming and taxing task. Ultimately, using a regulatory intelligence function reduces risk to an organization by ensuring compliance with current standards and regulations, and therefore reducing the risk of product recalls, fines, and other penalties.
A pharmaceutical company that is planning to enter an unfamiliar product space, such as biologics, may not be aware of the best approach, expectations, and regulatory considerations to gain FDA approval. In this scenario, it is advantageous to hire a consultant who has expertise in the preparation for FDA advisory committee meetings. The consultant can ensure the key messages of the risk assessment are presented in a concise and persuasive manner to optimize the outcome of the meeting.8 Former FDA employees are sought after within the industry to provide insight into the agency’s thinking. Similarly, industry professionals with several years of expertise are highly sought after by companies to provide regulatory guidance and support business needs. However, because of the sensitivity of the information being shared with consultants, it is necessary to have a nondisclosure agreement in place to minimize the risk of disclosure of proprietary information, company strategy, and pipeline.
One approach to assessing a vendor is to perform an audit of the vendor during the selection phase. The necessity of this activity would be dependent on the nature of the function being outsourced. For example, an audit may not be necessary if the sponsor is looking to outsource annual reports for low-risk products. However, audits may be a helpful tool when assessing third-party vendors for critical services, such as completing all labeling submissions for the sponsor company’s product portfolio. Audits provide the sponsor company with direct access into the inner workings of the vendor. They also provide the organization with an opportunity to make an informed decision on whether the vendor has adequate resources and proper processes in place to consistently provide the respective products or services that align with expectations in terms of company needs and quality. An audit will also help determine whether the company being considered for services has in place an effective quality management system that includes requirements for risk management, such as documentation procedures and corrective/preventive actions as needed.
After the vendor selection phase is complete, quality agreements need to be established before any activities are initiated. These agreements are an example of a risk control, which helps reduce or eliminate risks. Quality agreements clearly outline expectations between interested parties and are essential to mapping the framework for the organization’s expectations of the vendor and ensuring alignment of consistent product quality and safety. The risk management process continues throughout the remainder of the partnership. Audits are another example of a risk control that can be performed on a predetermined or ad hoc frequency. Audits help control and minimize risk associated with the vendor deviating from established policies and procedures, which ensures continued alignment.
Use of third-party vendors in pharmacovigilance
There are many functional areas in regulatory affairs in which third-party vendors can assist in special projects or day-to-day activities. One of these functional areas is pharmacovigilance (PV), which includes such requirements as reporting of AEs. PV is vital to ensuring the safety of products in the pharmaceutical and medical device industries. Companies that are the marketing authorization holder (MAH) for their product must comply with pharmacovigilance regulations in order to obtain and maintain the authorization to commercialize their products in the countries where they are registered. The MAH must ensure that it has in place adequate written procedures that demonstrate that proper PV activities are being performed. The following general key elements are required:
  • Surveillance (e.g., monitoring of all sources of AE reporting data)
  • Receipt (e.g., processing of AE data from healthcare providers)
  • Evaluation (e.g., interpretation of the AE data)
  • Reporting (e.g., 15-day reports, periodic safety reports)9
The above pharmacovigilance activities may be outsourced to a third-party vendor if appropriate controls, such as quality agreements, are in place to ensure compliance with regulations. It is important to identify which key elements of a PV surveillance program can be outsourced, and which should remain in-house. Programs that can be outsourced will be dependent on the level of expertise the MAH has in-house or the resources available. The MAH, which becomes the sponsor when using a third-party vendor, should also determine if the third-party vendor has enough expertise in PV and enough resources to support the workload. Quality agreements should be used to address these key elements, and requirements should be clearly stated to ensure product quality and safety.
There are risks involved with failing to ensure that proper controls are in place to manage an outsourced pharmacovigilance program. Past audits of outsourced PV programs have had findings in which cases were missing and the reconciliation numbers were not consistent between the AEs that were reported back to the sponsor and what was received by the third-party vendor. These infractions can result in the sponsor receiving a Form 483 (relating to compliance with the Food, Drug, and Cosmetic Act and related acts), or worse, a warning letter from the FDA, or the agency can revoke an approved license, which results in loss of the ability to market and distribute the product. In addition, a company that does not properly follow through on safety information opens itself up to litigation. Regardless of who is performing the PV activities, the sponsor is ultimately liable for ensuring the quality of the reporting to health authorities. This gives more reason for the sponsor to ensure that the proper controls are in place when using a third-party vendor to complete PV tasks.
The state of regulated industries, such as pharmaceutical and medical device organizations, is continuously evolving due to economic and technological pressures. The use of third-party vendors is one way to optimize processes and achieve desired results efficiently and cost effectively. There are many variations of business agreements between an organization and third parties, and these services can be used to provide expertise in niche areas. Some examples would include completing a medical device submission for a company that is primarily pharmaceutical focused or providing additional support for initiatives that require temporary resources, such as assisting with an initial regulatory filing for a new product.
Internal outsourcing is another option for companies looking to gain support for regulatory affairs functions. Third-party companies offer support for internal functions, such as drafting regulatory reports, filing submissions, and labeling. Vendors can also be hired to complete a project or task that follows procedures external to the hiring company if the vendor’s procedures are considered best practice. An example of this would be when a company hires a contract manufacturing organization and uses the contracted organization’s pre-established infrastructure to fulfill production needs.
With these changes, it is important to develop and implement a robust risk management plan in your organization. Considerations should address the unique situations that are introduced when hiring a third-party vendor to perform the various tasks for your organization. If the proper controls are in place, then risk management plans are an effective way to anticipate, manage, and mitigate risks within an organization, which helps ensure the quality, safety, and efficacy of your products.
AE, adverse event; FDA, Food and Drug Administration; ICH, International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; ISO, International Organization for Standardization; MAH, marketing authorization holder; PV, pharmacovigilance
  1.  5 risks of hiring independent contractors. MBO Partners Blog. https://www.mbopartners.com/blog/misclassification-compliance/what-are-the-risks-of-hiring-independent-contractors/. Published 18 October 2019. Accessed 15 May 2020.
  2.  Risk management—guidelines (ISO Standard No. 31000:2018). International Organization for Standardization. https://www.iso.org/standard/65694.html. Published February 2018. Accessed 15 May 2020.
  3.  Information technology—Security techniques—Information security management systems—Requirements (ISO Standard No. 27001:2013). International Organization for Standardization. Published 2013. Purchased through BSI.
  4.  Postmarket requirements (devices). Center for Devices and Radiological Health, Food and Drug Administration. https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance/postmarket-requirements-devices. Last updated 27 September 2018. Accessed 15 May 2020.
  5.  Speer J. Understanding ISO 14971 medical device risk management: Risk management and regulatory affairs quality management system (QMS), complaint management and traceability, and ISO 14971. Greenlight Guru website. https://www.greenlight.guru/blog/iso-14971-medical-device-risk-management. Published 6 August 2015. Accessed 15 May 2020.
  6.  Understanding the risks posed by your medical device suppliers and how supplier quality fits. Oriel. https://www.orielstat.com/blog/medical-device-supplier-quality-risks/. Published 19 October 2018. Accessed 15 May 2020.
  7.  Did you get what you paid for? Evaluating products purchased from medical device suppliers and contractors. Oriel. https://www.orielstat.com/blog/medical-device-contractor-evaluation/. Published 19 October 2018. Accessed 15 May 2020.
  8.  Southey F. FDA advisory committee prep: ‘Work hard on Q&A ‒ that’s where you’ll win it,’ says consultant. Outsourcing-Pharma.com. https://www.outsourcing-pharma.com/Article/2018/06/19/FDA-advisory-committee-prep-Work-hard-on-Q-A-that-s-where-you-ll-win-it-says-consultant. Published 19 June 2018. Accessed 15 May 2020.
  9.  A guide to the US FDA safety requirements for pharmacovigilance. QVigilance website. https://www.qvigilance.com/blog/usa-fda-safety-requirements-pharmacovigilance. Published 31 July 2019. Accessed 15 May 2020.

About the authors
Jessica Schlegel, MS, is a senior specialist in the Global Regulatory Affairs and Clinical Safety Device and Digital Health Group, focusing on medical devices and combination products, at Merck (Upper Gwynedd, PA). She has held several roles at Merck, initially as a scientist in the Clinical Regulated Bioanalysis Group, then as a regulatory writer. Currently, she manages global regulatory intelligence and landscape execution for medical devices and combination and digital health products. Schlegel has a master’s degree in quality assurance/regulatory affairs from Temple University and holds ISO certifications in Medical Devices Quality Management Systems (ISO 13485), Quality Management Systems Requirements (ISO 9001), Information Security Management (ISO 27001), and Information Technology‒Service Management (ISO 20000). She can be contacted at Jessica.mcdade@merck.com.
Jessica L. Hale, PharmD, is a senior specialist in the Global Regulatory Affairs and Clinical Safety Device and Digital Health Group, focusing on compliance and system support, at Merck (Rahway, NJ). She joined Merck as a regulatory affairs intern in 2017, with prior pharmacy experience in both the hospital and community settings, in addition to conducting pharmaceutical formulation research. Hale has a Doctor of Pharmacy degree from Western New England University College of Pharmacy and Health Sciences. She holds ISO certifications in Quality Management Systems Requirements (ISO 9001), Information Security Management (ISO 27001), and Information Technology Service Management Systems (ISO 20000). Hale supports regulatory aspects of the medical device and combination product and digital health solutions business across Merck. She can be contacted at Jessica.hale@merck.com.
Darin S. Oppenheimer, DRSc, FRAPS, RAC, PMP, is executive director of the Device and Digital Health Group, focusing on medical devices and combination products, at Merck (Upper Gwynedd, PA). Before joining Merck, he accumulated 16 years of experience in many facets of the product development lifecycle, including regulatory submissions and due diligence. He has actively participated with industry trade organizations and on standards committees. His time as a research and development scientist focused on pharmaceuticals and medical device diagnostic applications for biomarker and drug discovery. Oppenheimer has two master’s degrees, in biotechnology and in regulatory science, and has a graduate certificate in biotechnology enterprise, all from Johns Hopkins University. He completed his DRSc in regulatory science at the University of Southern California in 2016. He is a RAPS Fellow and serves on the editorial advisory committee for RAPS Regulatory Focus and the editorial board of the Institute of Validation Technology. He can be contacted at darin.oppenheimer@merck.com.
George A. Cusatis, MS, RAC, is an associate director in the Device and Digital Health Group at Merck (Upper Gwynedd, PA). He supports the medical device and combination product and digital health solutions business across the company, providing guidance and support for more than 40 products, including autoinjectors, prefilled syringes, digital health software, and contraceptives. He has extensive experience with the product development lifecycle, including product safety, regulatory submissions, quality assurance, and clinical affairs. Cusatis has master’s degrees in regulatory affairs/quality assurance from Temple University and in bioengineering from Syracuse University. He is a member of the RAPS, ASQ, ACRP, and DIA professional societies, and holds ISO certifications in Quality Management Systems Requirements (ISO 9001), Information Security Management (ISO 27001), Information Technology Service Management Systems (ISO 20000), and Medical Devices Quality Management Systems (ISO 13485). He can be contacted at george.cusatis@merck.com.
William Mejias is an associate director in the Device and Digital Health group, within Global Regulatory Affairs and Clinical Safety, at Merck (Upper Gwynedd, PA), where he supports the medical device and combination product, and digital health solutions business across the company. He has more than 20 years’ experience in the pharmaceutical industry. Since joining Merck, Mejias has held several positions relating to quality assurance, regulatory affairs, compliance, and, most recently, device and digital health. During his time at Merck, he has managed external and internal audits, risk assessments, and noncompliance investigations. Currently, Mejias is working to expand the functional uses of existing validated databases to allow tracking of global registration information on medical devices and combination products. He has a bachelor’s degree in chemistry from the Bayamon Central University, Puerto Rico, and holds ISO certifications in Medical Devices Quality Management Systems (ISO 13485) and Quality Management Systems Requirements (ISO 9001). He can be contacted at william_mejiasbidot@merck.com.
Dan Visco is an associate director working in the Drug Device Center of Excellence, focusing on medical devices and combination products, at Merck (Upper Gwynedd, PA). Since joining Merck, Visco has had several roles within regulatory affairs, including working in the Worldwide Product Labelling Group and Regulatory Affairs International. He is currently in the Device and Digital Health group, where he supports regulatory strategy for numerous medical device combination products and acts as the lead for the business process forum. Visco has a bachelor’s degree in biomedical engineering from Drexel University and is currently pursuing a master’s degree in quality assurance/regulatory affairs at Temple University. He holds ISO certifications in Quality Management Systems Requirements (ISO 9001), Information Security Management (ISO 27001), Lead Auditor (ISO 20000), and Medical Devices Quality Management Systems (ISO 13485). He can be contacted at dan.visco@merck.com.
Suraj Ramachandran, MS, RAC, is the director of regulatory affairs in the Device and Digital Health Group at Merck (Rahway, NJ), where he is currently responsible for supporting various medical devices and combination products, such as autoinjectors, prefilled syringes, inhalers, and contraceptives. Ramachandran is also involved in providing guidance for digital solutions and has led many development efforts regarding medical device software intended for both domestic and international markets. In previous roles within the industry, Ramachandran was responsible for an infusion pump platform, as well as supporting all new product development and lifecycle maintenance activities, including regulatory submissions, design control, audits, and corrective and preventive actions. Ramachandran has a master’s degree in biomedical engineering from the University of Michigan and has earned the RAPS RAC. He can be contacted at suraj.ramachandran@merck.com.
Cite as: Schlegel J, Hale JL, Oppenheimer DS, Cusatis GA, Mejias W, Visco D, Ramachandran S. Using risk management to support outsourcing activities. Regulatory Focus. May 2020. Regulatory Affairs Professionals Society.
