Case Study

Third-party risk management: A global pharmaceutical addresses the ethical dimensions of supply chain management

Print This Page

Global pharmaceutical company

Life Sciences

Business need addressed:
With regulators taking greater interest in third-party risk management (TPRM) around the world, the company wanted to improve its ability to assess its thousands of vendors and partners. The firm lacked standard processes for supplier risk management, could not provide timely or accurate risk reports, and could not keep up with the volume of assessments required

Genpact Solution:

  • Transformed the pharmaceutical firm’s TPRM operating model by defining and executing a scalable, five-step process for assessing third parties against its standards of excellence
  • Introduced metrics, data-driven process management and technology to industrialize the process

Business impact:

  • Increased coverage to assess close to 100% of the company’s third parties over a certain level of spend
  • Reduced assessment cycle times by up to 40%
  • Enabled more accurate, timely reports
  • Achieved a high ranking among its peers on the Dow Jones Sustainability Index

To stay compliant with local and international regulations, a pharmaceutical giant needed to reimagine its approach to third-party risk management. While working with thousands of suppliers and third parties around the world and a large base of specialized products, its procurement organization required a scalable model for assessing the working practices of suppliers and third parties.

A partnership with Genpact delivered an advanced operating model for risk assessments that increased operational bandwidth, delivered timely risk reports, and resulted in industry recognition.

Global supply chains and greater scrutiny increase exposure

With organizations’ supply chains stretching well beyond domestic borders, companies must assess if the conduct and working practices of their suppliers and third parties are aligned with their own principles of corporate responsibility to avoid severe repercussions.

Regulators are increasing their scrutiny of third-party risk management with far-reaching regulation, while consumers are taking greater interest in the ethical practices of the companies that they buy from. Few events can tarnish a company’s reputation or financial position more than widely publicized reports of a vendor’s unethical, illegal, or substandard practices. Apologies after the fact do little to soften the impact. Therefore, when selecting suppliers or partners, financial merits must be carefully balanced against risks.

A global pharmaceutical company was keen to manage the third-party risk presented by its vendors, and only work with companies that embraced the same standards of ethical behavior. Legislation such as the Foreign Corrupt Practices Act in the US and the UK’s Bribery Act state that a company does not need to have known about or sanctioned a bribe to be liable, but it can mitigate a charge of failing to prevent bribery if it has adequate procedures in place.

Ensuring a company’s third-party relationships are aligned with its principles of corporate responsibility requires exhaustive one-time and ongoing due diligence of suppliers, sub-suppliers, and third parties, such as wholesalers or retailers. Audits and regular reassessments review and analyze multiple external and internal information sources, such as supplier performance data, regulatory actions, and financial disclosures. With the added complexity of a large global supplier base, specialized products, and local and international regulations, the pharmaceutical firm needed a scalable operating model.

Business challenge

Internally, the company lacked a standard process and guidelines for conducting supplier risk management. With no tools or technology to support the function, it could not provide timely or accurate supplier risk reports and could not address the risks from third parties. And while pressure increased to have greater supplier visibility, the procurement team had limited bandwidth for carrying out risk assessments at the required volume and level of detail.

Embedding an advanced operating model for a sustainable supply chain

Advanced operating models based on technology, process re-engineering, and advanced organizational structures (e.g., shared services, global business services, process outsourcing) can deliver intelligent risk operations that routinely evaluate and respond to a company’s ethical standards and practices. And these models can do so cost effectively and at scale.

The pharmaceutical firm opted to pursue this approach to third-party risk management with Genpact, and fundamentally transformed its third-party risk management strategy.

Process standardization

Genpact’s first task was to define a single process for evaluating supplier risk based on a rigorous end-to-end approach, which included supplier segmentation and prioritization.

Take a copy for yourself

Download PDF

The diagnostic process involves a risk assessment of suppliers and sub-suppliers, due diligence, and audit and reassessment. Existing processes are benchmarked against industry standards, and any process variations, value leakages, or other inferior practices are evaluated and addressed in a robust plan for optimizing procurement.

This methodology was important to the pharmaceutical firm to ensure its suppliers were in line with its standards of excellence, and commitment to risk assurance, while also enhancing the procurement team’s capacity. The vital “how” part of this mission was managed by Genpact through supplier risk assessments, which the pharmaceutical company soon expanded to cover all third-party risk assessments.

A multifaceted assessment

As the company’s business is built on its reputation, its global standard for third-party risk management offers a single set of criteria that all suppliers must subscribe to. The company’s internal procurement organization is responsible for strategically sourcing direct and indirect materials and services for its operations and R&D functions from a global supplier base. Genpact assesses vendors’ performance across the entire supply network to determine if they conform to the client’s ethical standards. Genpact then monitors compliance and provides risk mitigation where necessary. This role is vital to protect the client’s reputation and, more importantly, the health of patients who use its medicines.

The third-party risk management process is facilitated in five languages and includes a comprehensive five-part supplier review process:

  • Risk assessment
  • Due diligence
  • Monitoring and support
  • Reporting
  • Governance and continuous improvement

Smart decoupling of functions, advanced use of metrics, and data-driven process management combined with specialized organizational design and effective IT enable the company to industrialize complex processes and achieve consistent quality at lower costs and superior scale.

If, during the initial assessment, a supplier is identified as posing certain risks, a software solution provides the due diligence process. It asks questions on policies and practices, and the supplier must upload supporting information or evidence to validate its answers. Genpact manages both the tool’s technical support and reporting.

In addition, Genpact conducts its own research on suppliers, accessing financial documents, news reports, and other publicly available information from the web and social media channels. In this work, Genpact evaluates suppliers to ensure appropriate policies are in place for:

  • Anti-bribery and corruption
  • Confidentiality
  • Conflict of interest
  • Data privacy
  • Employment practices
  • Fair trade and competition
  • Governance
  • Product security
  • Product communication
  • Research and development ethics
  • Health, safety, and environmental principles

Once the company is assured that a supplier does not represent undue risk to its reputation, the mutually agreed principles of responsible procurement are documented in the contracts signed with suppliers. In situations where a supplier is deemed not to pose undue risk, but nonetheless requires mitigation of specific risks, these elements are identified and bound within the contract.

Through ongoing monitoring and support, the supplier maintains its contractually mandated standards of ethical performance, which are routinely measured against key performance indicators. When practices that deviate from the contractual obligations are unearthed, corrective actions are prescribed. Finally, scheduled and unscheduled on-site audits, varying in length from one to four days, ensure timely remedial actions are being taken.

Delivering a positive impact on sustainability performance

By working with Genpact to standardize and manage its approach to third-party risk, the pharmaceutical company has seen benefits across the organization, in particular to its sourcing, procurement, and payables teams.

With clear processes, roles, responsibilities, and technology in place, the company has:

  • Dramatically increased its coverage and now assesses close to 100% of its strategic third parties and suppliers over a certain level of spend, and eliminated duplicate assessments
  • Reduced the cycle time for conducting assessments by up to 40%
  • More accurate, timely reports
  • Enhanced supplier relationships
  • Improved third-party master data

In addition, this model has had a strategic impact. While the business is meeting its risk targets, employees also have increased bandwidth to focus on maintaining a world-class supply chain rather than evaluating every supplier decision that could cause problems in the future. View figure 1 to see how the firm has enabled intelligent operations for third-party risk.

As clear evidence of the strategy’s success, the company ranked highly among large pharmaceuticals on the Dow Jones Sustainability Index, which analyzes organizations’ economic, environmental, and social performance by assessing issues such as corporate governance, risk management, supply chain standards, and labor practices. With Genpact’s support, the company is set to continue building on this reputation.

Figure 1: Transforming third-party risk management by creating Intelligent Operations with Data-to-Insight-to-Action

SeeClose detailed view
Continue Reading

Ready to