Third-party vendor management: Getting started

By Calvin London, PhD; Reyna-Chris Comeros; and An Nguyen

Calvin London (calvin@thecomplianceconcierge.com) is Principal Consultant at The Compliance Concierge in Beaumaris, Victoria, Australia. Reyna-Chris Comeros (rcomeros@celgene.com) is the Compliance Manager, and An Nguyen (annguyen@celgene.com) is the Quality Liaison, Australia and New Zealand, Celgene Pty Ltd. in Southbank, Victoria.

The management of third-party vendors continues to be one of the main areas of challenge for compliance. Considering that 90% of reported Foreign Corrupt Practices Act[1] (FCPA) cases involve a third-party intermediary, and one in two global enforcement actions involve a third party, a third-party risk management program would seem to be a crucial part of any compliance program.[2]There are numerous examples of where the lack of an effective program has resulted in trouble for companies; the issues in China over several years and involving multiple companies show the importance of effective vendor management. Fresenius Medical recently settled $231 million because it devoted insufficient resources to compliance and failed to train employees or perform any due diligence of third-party agents.[3]

One of the most pertinent examples of “blind ignorance” is the Unaoil case where hundreds of international companies relied on Unaoil to secure lucrative contracts for local expertise.[4]

The DOJ’s Resource Guide to the Foreign Corrupt Practices Act includes third-party management as one of 11 key topics in the evaluation of corporate compliance programs.[5] Furthermore, the DOJ endorses a risk management approach.

Adam Frey, associate managing director at K2 Intelligence,[6]has pointed out that the risk appetite and risk rating criteria for third-party compliance can maximize program efficiency while saving time and effort. Given that all third parties bring risks, and every business has a different risk tolerance, the absence of a previously established risk rating mechanism can significantly hamper any effort to achieve an effective program. This is particularly apt for pharmaceutical companies where there can often be three distinct areas of third-party management: those associated with Good Manufacturing Practice (GMP), those associated with healthhare compliance (HCC), and finally, those that do not seem to fit neatly into either of these two.

Although for many companies it may seem that having a third-party management program seems logical, and many recognize that a proactive approach is far better than a reactive one, “getting started” is a daunting task. The following discussion outlies a process that has worked well for us and enabled us to make a significant impact in the area of third-party management based on a risk assessment approach.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings