Quality Violations and Lack of Third Party Vendor Monitoring in Indian Pharma
The latest news making the rounds in the pharmaceutical industry in India concerns the Central Drugs Standard Control Organisation. The CDSCO — India’s central drug regulator — recently announced that it has set up an intelligence cell, “to track illegal activity in the country’s pharmaceutical sector.” This nine-member team will gather information on all the drugs imported or exported in India and investigate complaints regarding quality violations received from overseas regulatory agencies such as the USFDA. This is seen as a strategic move to keep in check the rise in the number of Warning Letters or 483s being issued to Indian pharma companies.
One of the biggest challenges faced by the pharma industry in India today is the lack of third party vendor monitoring. In 2012, a top pharmaceuticals company was charged for, among other things, using third party intermediaries to make improper payments to foreign officials in order to increase the sales of its products. In 2009, a healthcare provider in the United States found that one of its contract security guards had hacked into several computers, including systems that contained confidential patient information.
An average company has countless number of third party relationships that influence and affect every aspect of their day to day operations. These relationships include contracts with suppliers, distributors, lawyers, and even clients. All these third party relationships contribute to the overall growth of the business but can all pose a whole new set of risks such as IT security risks, environmental risks, safety and health risks and most importantly — quality and regulatory compliance risks.
While most companies assess these risks during the initial on-boarding process, risk management and due diligence usually takes a back seat once the contract is signed. And here lies the biggest mistake. If third party vendor problems are not identified and dealt with in time, there is a very strong possibility of the issue ultimately costing the company in terms of financial losses as well as posing a substantial hit to their reputation. It needs to be noted that ultimately it is the company’s fault and the vendor will rarely be held responsible by the powers that be — i.e. the customers and the regulatory boards.
There is no doubting that all companies require a robust due diligence and third party governance program in place. This will allow for collating and analysing insights that can mitigate future risks such as unethical behaviour and fraudulent practices. For any Vendor Risk Management Program to be successful it must include the following:
Ethics compliance
From the very beginning it must be made clear what activities are considered zero-tolerance by the company. If these policies are common knowledge to all concerned it becomes easier to monitor and follow.
Transparency
All sides need to know the how, whys and whens of what to expect. This way the needs of both parties can be met or even exceeded as per the terms of the agreement. There must be no guesswork involved when it comes to regulations, quality or compliance.
Agreement on practices
People in positions of responsibility need to be identified from the outset. This encourages discipline and an easier review of procedure and protocol. Time frames regarding schedules, deliverables and how they will be measured must also be determined in advance.
Consistency
Protocols must be followed to the T. A large percentage of breaches by third party vendors are caused by someone’s failure to follow rules and regulations. There is no point in having such a program in place if people do not follow it.
Ongoing management
Extra attention must be taken with respect to specific compliance requirements and security risks. Every aspect of the relationship between management and the third party vendor needs to be regularly monitored and reviewed. Maintenance of paperwork to support these checks should be collated as well as this makes future audits easier.
There are endless ways a vendor can put a company at risk, from active criminal acts like theft or consciously leaking confidential information, to accidental issues like not taking appropriate security precautions. Delays in the schedule, failing to fulfil contracts, going over budget, and cutting corners on a project can also result in company damage. If a vendor risk management framework was put into place at the beginning of the project, the company needs to act quickly to follow the already-laid-out protocol for the outlined consequences. These can include anything from a reprimand to termination of the third-party relationship, to legal redress. The best way to manage risks vendors pose is to identify a protocol early on that mitigates or even eliminates those risks.
Did you find this article interesting? Would you like to be updated when we post the next one?
Sign up for our mailing list by clicking here, and stay up to date with the latest news, tips and articles on the Indian Pharmaceutical Industry.
