International – Using risk management to support outsourcing activities

This article outlines organizational risks and benefits with respect to third-party vendors and partnerships in regulatory affairs functions. It also discusses the different controls available to apply an effective risk management program in an organization.


The use of contracted or third-party services can be an effective way for organizations to resource projects or programs. This way of working has been a growing trend in business operations, especially in the US. It is estimated that, by 2027, more than 40 million Americans will be, or would have been, independent workers at some point in their careers.1 The cost of research and development is known to be a financial strain on many organizations (especially considering the development of biologics, combination products, or digital health solutions, without any guarantee of regulatory approval or successful market acceptance. Considering these constraints, it is prudent for organizations to consider the use of third-party vendors, when feasible, to transfer or mitigate some of the inherent risks with respect to development activities. However, these solutions require advanced capabilities with suitable business processes to ensure the creation or distribution of safe and effective products. An organization may not be equipped to manufacture on a large-scale basis, but through a business partnership with a third party that has these capabilities and competencies, they can together effectively produce new solutions.

Although these contracted services can be beneficial for overall business strategies and operations, they can create or further exploit vulnerabilities within the organization. This in turn can introduce risks, which need to be evaluated, mitigated or transferred. It is critical for organizations to understand how risk is determined and what the appropriate scenario for application would be to ensure that they can satisfy regulatory requirements across all functions and processes. Given that risk is determined by probability, severity of harm, and often, rate of occurrence, it is important to understand that using third-party vendors can add additional risk to the manufacturer of products…