Considerations for Third Party Vendor Management in a Risk-Focused Environment

Surgical Translational Research: Operations and Compliance

Besides being a new expectation by regulatory agencies Good Clinical Practice (GCP), Quality by Design (QbD) and Risk-Based Quality Management (RBQM) concepts are receiving attention world-wide. According to FDA and EMA guidelines, Key Risk Indicators (KRIs) and Critical to Quality (CTQ) metrics should focus on safety of research subjects and data integrity.1,2

Sponsors continue to struggle with the risks and benefits of transferring the burden of managing third-party vendors to their CRO partners versus maintaining tight control. Some feel the lack of direct management can lead to negative implications to quality, cost, and efficiency of clinical trials conduct. Regulatory agencies expect that there are quality standards set for outsourced work and sponsors are evaluating the vendors on quality with respect to the deliverables.3

One major reason for unsuccessful partnerships is disconnect between study protocol development at the sponsor level and outsourcing start up and execution of the study to a CRO and/or third party vendors. A risk-based quality management strategy needs to be developed jointly with all parties involved, one that will have a major impact on strategic partnerships and be allowed to meet stringent regulatory expectations in risk-focused environment.

Successful vendor relationship have many components, but one of the key factors is a well-defined communication plan. Transparency, upfront goals, cross check for key milestones and adoption of common quality and risk management strategies are vital in establishing and maintaining strong partnership throughout life cycle of the project.


During the last decade contract research organizations (CROs) have become very involved in the design and conduct of clinical trials. According to ICH GCP 1.20, a CRO is "a person or an organization (commercial, academic, or other) contracted by the sponsor to perform one or more of a sponsor's trial-related duties and functions.” 4 In addition, ICF GCP 5.2.1 states that a “sponsor may transfer any or all of the sponsor’s trial related duties and functions to a CRO, but the ultimate responsibility for the quality and integrity of the trial data always resides with the sponsor.“4

Sponsors such as pharmaceutical, biotechnology and device companies chose to share responsibilities with CROs to reduce risks and costs by not hiring full time employees, and at the same time to gain an advantage of the CRO’s specialized knowledge in the disease area, trial designs, geographic location and/or particular expertise (i.e. database management, monitoring, etc.) which is expensive to develop inter- nally.5 If CROs have acted as strategic partners with the sponsors, these benefits have often been realized. However, in reality the relationships between sponsors and CROs are not always seamless, and outsourcing to a CRO ends up causing different issues for the sponsors such as duplication of effort, additional time to get approvals from the Sponsor by the CRO can increase time to make decisions, failure to communicate effectively in identifying important issues with trial design and/or execution, increased rates of study staff turnover, and other administrative issues such as delayed payments to clinical research sites and third party vendors.5

Sponsors continue to be challenged with the risks and benefits of transferring the burden of managing third party vendors to their CRO partners versus maintaining tight, centralized and direct control.5-7 Some sponsors stated the lack of direct management can lead to negative implications to quality, cost, and speed. The reason for this perception seems to stem from the belief that CROs as a contractors are less committed than sponsors to oversight, and that issues tend to be minimized or escalations delayed, while the CRO is working to fix them.5-7 This can create a culture of mistrust between partners. However, lack of complete control is a challenge for sponsors because while they can delegate responsibility, the sponsor ultimately holds all the risks. Even if the sponsor delegates vendor management to the CRO, in the end, the sponsor is still responsible for its regulatory obligations and integrity of the data obtained. Many times a sponsor will pay a CRO to manage vendors and allocate internal staff to oversee both the CRO and subcontractor; this practice duplicates efforts and therefore increases costs.8 Further promoting inefficiency, CROs with control over service delivered by third party vendor may still sometimes need to engage the sponsor regarding additional authorizations, resulting in the sponsor being involved in the very activities they have delegated to the CRO.7,8 Finally, if accountability for delivery of services is unclear, quality and/ or delivery issues usually result in finger pointing and a corresponding increase in overall risks such as higher costs, operational delays, damaged reputations and a general degradation of the relationship between partners.7,8

Considerations for Third Party Vendor Management in a Risk-Focused Environment

Another major reason for unsuccessful partnerships is a disconnect between study protocol development at the sponsor level and outsourcing start up and execution of the study to a CRO and/or third party vendors.6 Risk-based quality management needs to be developed jointly with all parties involved, that will have a major impact on strategic partnerships and allow to meet stringent regulatory expectations in risk-focused environment.

Successful vendor relationship have many components, but key factors are a strategic partnership plan and a well-defined communication plan. Transparency, upfront goals, cross check for key milestones and adoption of common quality and risk management strategies are vital in establishing and maintaining strong partnership throughout the life cycle of the project (Figure 1).

The strategic plan will define deliverables, resources needed to achieve project goals, establish schedules, communicate overall strategy, assumptions, risks, alternatives, obtain organizational commitment and legitimize the project. It also will empower project teams and provide mechanisms to monitor overall project (Figure 2). The strategic plan should also address and define critical data and processes supporting primary and secondary objectives such as:

  • Critical to subject safety: Serious Adverse Events (SAEs) and events leading to investigational drug/device discontinuation
  • Critical to trial design and statistical endpoints
  • Adherence to subject eligibility
  • Adherence to study protocol and procedures
  • Adherence to applicable regulatory requirements
  • Adherence to region/country specific regulatory agency
  • Adherence to country trial registration requirements (initial, update, trial closure)
  • Study Plans completed and timely updated
  • Project timelines/milestones
  • Budget and periodic reconciliation of budget

Once the number of partners on the project increases beyond two, the number of communication channels will increase, which will add more complexity in delivering messages across the board in a timely manner and making decisions. The following parties should be involved in development of communications plans in the strategic partnership: steering committee, sponsor, operational team, project manager, database manager, information analyst, administrative support, biostatistician, programmer, meeting planner, monitors, enrolling site team representative, Data Safety Monitoring Board (DSMB), vendor teams. In the communication plans it should be made clear who will be communicating with site investigators/personnel and third party vendors (i.e. centralized communications through Sponsor or this function will be outsourced to CRO, which will manage and communicate with sites and vendors) (Figure 3).

Considerations for Third Party Vendor Management in a Risk-Focused Environment

What Does Risk-Based Quality Management in Clinical Trials with Third Party Vendors Mean to the Investigator’s Site?

The paradigm in conducting clinical trials is changing from traditional monitoring when representatives of the Sponsor used to visit participating sites every 4-6 weeks for source data verification towards remote, risk-based monitoring and quality management.1,2 Often monitoring is performed by third party vendors and process heavily relies on technology and robust data management platforms to detect key risk indicators.9,10

Participating sites will no longer have the “routine” monitoring visit, but targeted monitoring visits to address issues. If risks drive visits, then the goal is to have a site that has evidence of low risk. What was routinely done by a monitor will now need to be done by the site personnel with increased reliance on technology, timely data entry becoming critical and shift of responsibilities and time commitment to the sites. Therefore, investigators should request to review protocols in draft stages to assess complexity of the study protocol, procedures upfront and adequately estimate workload of site personnel.

Monitors will focus on source data review remotely and Key Risk Indicators (KRIs) such as:

  • Quality of source data
  • ALCOA principles of obtained data - Attributable, Legible, Contemporaneous, Original, Accurate
  • Protocol compliance
  • Evidence of investigator involvement
  • Investigational Product (IP) accountability
  • Assessment of abnormal laboratory values for clinical significance in laboratory reports by site investigator
  • Safety and efficacy parameters

Investigator oversight and involvement is very crucial in the following assessments:

  • Screening data with formal, documented approval for enrollment
  • Diagnostic reports
  • Adverse events and assignment of causality
  • Investigational New Drug (IND) reports
  • All notes to file
  • All protocol deviations
  • All study and informed consent amendments

Vendor Contracts

The Sponsor may contract directly with other vendors and CRO will be managing/or not be managing all third party vendors. All vendor contracts should be completed prior to Investigator’s meeting, since vendors should be present at this meeting to conduct training of participating research sites personnel. Typically third party vendors such as central laboratory for safety labs and pharmacokinetics (PK) analysis, core laboratories/ central laboratories (imaging, ECG, Holter monitors, etc.); database creation, maintenance; data management (i.e. eCRFs, electronic diaries, etc.), recruitment service will be utilized in clinical trials.7,8

Considerations for Third Party Vendor Management in a Risk-Focused Environment

In vendor contracts aspects regarding Investigational Product (IP) should be specified (i.e. which aspects of IP processing will be handled by the Sponsor and/or external vendors: manufacturing of IP versus packaging/distribution/accountability/forecasting).

Cross training on the Sponsor’s Standard Operating Procedures (SOPs) for CRO and third party vendors should be conducted prior to study initiation to make sure expectations of the Sponsor are clear for all parties involved. For example, expectations of Sponsor for routine study monitoring and safety monitoring (i.e. frequency of monitoring visits, costs, communications with participating sites, Sponsor and DSMB, etc.) by CRO or independent contractor should be discussed upfront and specified in the contract.

Third Party Vendor Assessments

Companies which are developing biomedical products have a growing need to examine their relationships with third party vendors as a result of increased international, federal and state regulations.8 There is also a continued focus on the revenues generated and a rising number of contracted responsibilities. Third party vendors are used in a number of capacities. Companies routinely employ the services of Clinical Research Organizations (CROs), medical education vendors, healthcare technology firms, meeting planners, centralized laboratories to process specimens, imaging facilities, research subjects recruitment agencies, and data management.8

Areas of concern for many pharmaceutical and device companies are focused on vendor efficiency, quality, security, fulfillment of contractual obligations, and compliance with the ICH and FDA’s GXPs.7,8 Across all vendor relationships, pharmaceutical companies should be interested in the sufficiency of contracts and vendor policies currently in place, whether current operating controls adequately regulate vendor activities, the extent to which potential risks are identified by current monitoring techniques and sufficiency in the degree of oversight by sponsor.8

The Importance of Risk Assessment in Strategic Partnership with Vendors

Quality Assurance (QA) specialists from the Sponsor should be involved in risk assessment of a vendor in which it is proposed to build a strategic partnership with. This evaluation of the potential vendor will ensure that CROs/vendors conduct trials per regulatory, industry standards and Sponsor’s expectations, data that will be provided are credible and accurate, the CRO/vendor will protect the safety, integrity and confidentiality of subjects in the trials they conduct; while they can meet contractual obligations remain financially viable.8 Sponsor should conduct routine assessments of their potential vendors at a pre-defined timeline (often every two years) and to reassess again as needed.8

The Audit Process for Vendors

When performing vendor’s assessment and/or conducting initial, “on site” qualification audit, Sponsor should review the vendor’s role and responsibilities against the defined scope of the project, check on vendor’s awareness of sponsor’s expectations and applicable regulatory requirements.8 Sponsor should establish written processes (i.e. standard operating procedures (SOPs)) for implementation phase; data protection, ownership and confidentiality should be discussed as well as staff qualifications, expertise in relevant therapeutic area and workload. In addition to the initial audit, other types of vendor audits such as: routine, for cause and virtual audits (i.e. vendor assessment via quality surveys) can be conducted by the Sponsor as needed.8,10 The timing of the audit is very important, and if a proactive approach is chosen for any changes that need to be made, it will address any issues with the vendor upfront and mitigate risks and improve quality of the work performed by the vendor.8-10

The audit process for vendors at planning phase should include the following steps:

  • Planning and preparation – define audit scope and ensure key personnel is available
  • Review of contracts, Request for Information (RFIs)/ Request for Proposals (RFPs), project plans, scope of work, protocols etc.
  • Signed Confidentiality Agreement is in place
  • Utilization of contracted auditors is preferred
  • Draft Audit Plan and discuss it audit with vendor
  • Send confirmation letter/e-mail
  • Request documents in advance from the vendor – Organizational Chart, list of SOPs, quality policy
  • Review any previous audit reports/assessments
  • Review websites/promotional materials
  • Check for any issues with vendor’s performance from project teams
  • Finalize audit agenda

At execution phase vendor’s audit should cover following items:

  • General Items Audited
  • SOPs in place and adequate control
  • Quality Control (QC) steps for key processes
  • Contracts and agreements
  • Subject confidentiality
  • Data security, transfer and protection
  • Staff experience and training
  • Facility assessments
  • Equipment – maintenance, calibration and records
  • IT/ disaster recovery/business continuity
  • Document storage and archiving

Sponsor should discuss standard operating procedures (SOPs) with potential vendors to make sure there are some processes in place at the vendor level that correspond to SOPs and expectations of the Sponsor. Typically, at a minimum the following SOPs will be discussed and put in place between Sponsor and vendors:

  • A process for pre-selection of vendors, on-going management and follow up of issues
  • The audit process (preparation, conduct, reporting and follow up)
  • A process for contracts and contract amendments
  • A list of all SOPs, templates etc. that are being used on a project (as part of the Project Plan)
  • A process for handover and any staff changes
  • Business continuity, disaster recovery plans
  • All the necessary process SOPs on monitoring, data management, training, etc.

Once audit is completed the report/follow-up letter should be issued by the Sponsor/or contracted auditor. The audit report should be prompt, clear and concise, include timelines for response and format. A copy of this report should be provided to senior management and relevant study teams, so recommendations and changes to the SOPs and/or processes can be made, and corrective/preventive actions implemented.

In summary, by doing frequent audits the most common failures with third party vendors were identified such as poorly defined roles and responsibilities at the contractual stage, poor communication throughout the project, plans were not in place/approved in a timely manner, poor training on the project/sponsor SOPs, mixture of SOPs/ forms/templates being used that have not been adequately assessed.


The key aspect to keep in mind on any clinical research project is that data integrity, rights and welfare of human subjects is a priority. The sponsor cannot just sign away responsibilities and forget about them, which means that timely assessments, change management and approvals/audits are needed. The key to success with third party vendors is building strategic partnership, maintaining open communications and discussion of any issues as they occur, ongoing reviews and management (not micro- management, but support of vendors in a strategic partnership).


  1. FDA Guidelines for Industry: Oversight of Clinical Investigations - A Risk- Based Approach to Monitoring, August, 2013. pdf.
  2. Selema, Ramasela J. "A Risk-Based Monitoring Management Approach to Clinical Research." Monitor 27.6 (2013): 25-30.
  3. Atlas L., Pam Sobotka P. “Third-Party Vendor Management” Applied Clinical Trials (2013) 22 (9). Epub.
  4. Integrated Addendum to ICH E6(R2): Guideline for Good Clinical Practice. (2015) E6(R2) E6_R2 Addendum_Step2.pdf
  5. The State of Clinical Outsourcing. In-depth survey reveals trends, outlooks, and future plans of both sponsors and service providers. (2010) by Applied Clinical Trials Editors.
  6. Getz K, Stergiopoulos S, Short M, Surgeon L, Krauss R, Pretorius S, Desmond J, Dunn D. The impact of protocol amendments on clinical trial performance and cost. Therapeutic Innovation & Regulatory Science. (2016); 22, Epub before print.
  7. Getz KA, Lamberti MJ. The unintended inefficiencies of outsourcing practice. Pharmaceutical Outsourcing. 2015;16(4):28-30.
  8. Atlas L. and Sobotka P. Third-Party Vendor Management. (2013) Applied Clinical Trials. 22(9). management?pageID=1
  9. ICH Guidelines, Sections Q8, on Pharmaceutical Development; ICH Q9, on Quality Risk Management, ICH Q10, on Quality Systems. quality/article/quality-guidelines.html
  10. U.S. Food and Drug Administration. Guidance for Industry: Oversight of Clinical Investigations – A Risk-based Approach to Monitoring. RegulatoryInformation/Guidances/default. htm
  • <<
  • >>