Back to resources

Risk assessment in CRO relationships

October 30, 2024
4 min read
Risk assessment in CRO relationships

This article outlines an initiative I led for a global biopharmaceutical company to modernize and streamline the risk assessment process for alliances and partnerships.

The biopharmaceutical company lacked an effective system to identify, categorize, monitor, and review risks, resulting in inefficiencies, missed opportunities, and potential vulnerabilities in managing strategic partnerships.

To address this situation, I led the development of a comprehensive tool designed to assess the risk profile of our company’s partnerships with Contract Research Organizations (CROs).

Criteria in the risk assessment

The model evaluates multiple facets of performance and impact, focusing on the critical aspects that could potentially affect an organization. The tool considers the following criteria:

  1. Information Sharing: The type of information shared between partners: non-public data poses higher risk, while public information is lower risk, highlighting data sensitivity and potential vulnerabilities.
  2. Information Confidentiality: Confidentiality clauses are key in assessing risk. High risk arises when no agreements exist or data lacks safeguards, while low risk is linked to protected confidential information.
  3. Operational Reliance and ease of Replacement: These criteria assess alliance dependency and service replaceability. High risk arises if disruption critically impacts operations, medium risk if moderately affected, and low risk if services are easily replaced or internalized.
  4. Reputation and Financial Impact: Assessing reputational and financial impact from alliance failure. High risk indicates significant negative effects on reputation or substantial financial losses for the institution.
  5. Regulatory Exposure: This factor assesses regulatory compliance. Alliances with greater regulatory demands pose higher risks, as non-compliance can result in severe legal consequences.
  6. Expenditure Amount: Capital expenditure influences risk, with higher annual spending indicating greater financial risk than lower-cost alliances.

Applying weights and nuances in the scoring

In this matrix, each category is assigned a score from 1 (least/no risk) to 3 (highest/greatest risk) based on risk severity, with a cumulative total determining the level of due diligence required.

There are some key nuances to consider:

  • Weighting of Criteria: Though each criterion has an equal score, different weights can be assigned based on risk appetite. For instance, if data confidentiality is critical, it may be weighted more heavily than operational replacement.
  • Management Adjustments: Management can adjust the overall risk level up or down, allowing practical judgment when quantitative methods miss nuances like past performance or subjective concerns.
  • Segment-Specific Scorecards: Current scoring is uniform, but different segments could have tailored scorecards, e.g., technology for cybersecurity, financial for regulatory compliance.

Applying the risk scoring tool

Here is an example of how this risk scoring system could be applied in practice.  Consider a Contract Research Organization (CRO) that delivers essential technologies and data management services to a biopharmaceutical company, focusing on the secure handling and analysis of patient information to ensure regulatory compliance and enhance clinical trial outcomes.

Below is how their risk assessment might be evaluated:

  • Information Sharing: The CRO has access to non-public, sensitive data during their support operations, resulting in a high-risk score of 3.
  • Information Confidentiality: The CRO has a confidentiality clause in their contract, giving them a medium-risk score of 2.
  • Operational Reliance: If CRO's services are disrupted, it could significantly hinder the institution’s IT operations, leading to a high-risk score of 3.
  • Operational Replacement: Their services could be replaced with another CRO but would require considerable time and transition cost, resulting in a medium-risk score of 2.
  • Financial Institution Reputation: The impact on reputation is moderate if there is a data breach involving CRO, giving them a medium-risk score of 2.
  • Financial Impact: Any disruption would have a moderate financial impact, resulting in a medium-risk score of 2.
  • Regulatory Exposure: CRO is subject to significant data protection regulations, which results in a high-risk score of 3.
  • Expenditure Amount: The annual expenditure is below $50,000, resulting in a low-risk score of 1.

Total Score: 18 points. This score suggests that CRO falls into the category requiring ongoing annual due diligence. This ensures evolving risks are continuously assessed, and measures are in place to mitigate them.

An updated risk score would be categorized as high (above 8), moderate (6 to 8), or low (at or below 5), offering a more accurate reflection of the CRO’s comprehensive risk profile. It considers potential challenges and vulnerabilities across critical areas, including previous performances, operations, business risk, regulatory compliance history, and information technology and infrastructure risk to data impact. This enhanced classification better aligns with the broader risk landscape, allowing for a more informed and strategic assessment of the CRO’s overall reliability and potential risk exposure.

Benefits of this approach

Our global cross-functional team—comprising IT, R&D, procurement, quality and regulatory —transitioned to a digital approach. This initiative not only enhanced CRO evaluations and improved collaboration but also enabled proactive risk management strategies. It allowed our biopharmaceutical company to systematically assess risks, aligning each alliance with the institution's risk tolerance and strategic objectives. This approach effectively reduced costs, eliminated redundancies, and significantly enhanced quality.

This article was written by Johanna Hoyos, Independent Consultant, Insights Consulting Alliance

About the alliance leadership spotlight series

The alliance leadership spotlight series is a joint initiative of The Association of Strategic Alliance Professionals (ASAP) and allianceboard.  It aims to showcase Alliance Management professionals taking the lead in addressing challenges and driving alliance success - to share experiences in the alliance management community.

Visit our websites to read more stories of alliance leadership or let us know if you have a story to contribute by contacting us.

ASAP and allianceboard are long-standing strategic partners combining state-of-the-art resources, best practices, and software to support ever-evolving collaboration models.

Alliance Leadership Spotlight: Risk assessment in CRO relationships.pdf
Share this post
Best Practice
Partnering Strategy