
Third-party vendor management: Getting started

Calvin London is Principal Consultant at The Compliance Concierge in Beaumaris, Victoria, Australia. Reyna-Chris Comeros is the Compliance Manager, and An Nguyen is the Quality Liaison, Australia and New Zealand, Celgene Pty Ltd. in Southbank, Victoria.

The management of third-party vendors continues to be one of the main areas of challenge for compliance. Considering that 90% of reported Foreign Corrupt Practices Act[1] (FCPA) cases involve a third-party intermediary, and one in two global enforcement actions involve a third party, a third-party risk management program would seem to be a crucial part of any compliance program.[2] There are numerous examples of where the lack of an effective program has resulted in trouble for companies; the issues in China over several years and involving multiple companies show the importance of effective vendor management. Fresenius Medical recently settled for $231 million because it devoted insufficient resources to compliance and failed to train employees or perform any due diligence of third-party agents.[3]

One of the most pertinent examples of “blind ignorance” is the Unaoil case where hundreds of international companies relied on Unaoil to secure lucrative contracts for local expertise.[4]

The DOJ’s Resource Guide to the Foreign Corrupt Practices Act includes third-party management as one of 11 key topics in the evaluation of corporate compliance programs.[5] Furthermore, the DOJ endorses a risk management approach.

Adam Frey, associate managing director at K2 Intelligence,[6] has pointed out that the risk appetite and risk rating criteria for third-party compliance can maximize program efficiency while saving time and effort. Given that all third parties bring risks, and every business has a different risk tolerance, the absence of a previously established risk rating mechanism can significantly hamper any effort to achieve an effective program. This is particularly apt for pharmaceutical companies where there can often be three distinct areas of third-party management: those associated with Good Manufacturing Practice (GMP), those associated with healthcare compliance (HCC), and finally, those that do not seem to fit neatly into either of these two.

Although for many companies having a third-party management program seems logical, and many recognize that a proactive approach is far better than a reactive one, “getting started” is a daunting task. The following discussion outlines a process that has worked well for us and enabled us to make a significant impact in the area of third-party management based on a risk assessment approach.
