Guest Column | September 21, 2021

Best Practices for Risk Assessment of GxP Vendors and Inspection Readiness

By Kamila Novak, KAN Consulting


In my last article, I examined what risk-based oversight of GxP vendors is and is not in clinical trials. In this article, I'll delve into the best practices for risk assessment of those vendors and inspection readiness.

General requirements for risk management in clinical trials are outlined in GCP (R2) sections 5.0.1 through 5.0.7 and provide you, as the sponsor, with the main steps for risk management in your studies. The implementation will vary from vendor to vendor depending on their delegated duties and functions. In addition to that, there are three other important considerations.

First, you should identify risks pertaining to the vendor’s company. Although this is typically done as part of the vendor qualification, you should periodically monitor and review these risks during the collaboration time frame. The risk sources may include geography, the company’s size and financial stability, the vendor’s reputation and experience, its history of inspection and audit findings, previous collaboration experience with the vendor, its use of subcontractors, operating model, staffing and turnover rates, how widely the vendor’s product is used in the industry (specific to technology providers), etc.

Second, you should evaluate the criticality of each GxP vendor’s deliverables for the study outcomes. Would errors in the vendor’s performance put participants’ safety and well-being at risk? Would errors compromise data quality and reliability? Would errors undermine the trial integrity? Would errors result in non-compliance with regulations or laws? Would errors cause trial delays and, hence, increase the cost? As for technology providers, how critical is it if their product is nonfunctional for a certain time? How much downtime matters: an hour, or a day?

The outcome of the first two assessments will help you group vendors into high-risk, medium-risk, and low-risk categories and focus on the high-risk ones.

Third, you should follow the steps of a general risk management life cycle (Figure 2).

It is important to decide on a fitting granularity of scales for impact, probability, and detectability, and to define what each number means to ensure consistency of assessments. A practical approach is to use scales of 1 – 5 for impact and probability and a scale of 1 – 4 for detection, where 1 means reliable detection with sufficient time to take action and 4 means no detection exists.

The initial assessment may reveal high-risk areas, where you should optimize conditions to reduce risks to acceptable levels. This optimization includes actions to decrease probability, improve detection, decrease impact, or a combination of these.

Apart from the risks themselves, you should identify risk triggers that help you watch for potential risk occurrences, as well as project constraints.

Components Of A Risk-based GxP Vendor Oversight Plan

A comprehensive risk-based GxP vendor oversight plan (RBVOP) should include the components presented in Table 1 [1]. The RBVOP can be developed per GxP vendor or as one document outlining the general approach with vendor-specific details in each vendor’s profile.

Table 1. Sample VOP Contents

What Do Auditors And Inspectors Expect?

Inspectors and auditors expect you, the sponsor, to demonstrate compliance with the oversight requirements by having:

  1. A quality management system that includes oversight procedures of delegated duties.
  2. Standard operating procedures (SOPs) on vendor management, handling quality-related findings, auditing, risk management, etc.
  3. Processes and procedures to plan and execute oversight of each vendor based on risk assessment.
  4. Adequately qualified personnel assigned to oversee the vendors.
  5. Documentation of oversight activities.
  6. Periodic assessment of processes and procedures to verify the oversight is effective.
  7. Lessons learned and oversight procedure improvements.

This follows the well-known Plan (steps 1, 2, 3) – Do (steps 4, 5) – Check (step 6) – Act (step 7) process, or PDCA cycle.

Minimum Documentation To Demonstrate Risk-based Oversight

If your company is audited, the auditor will likely request the following documents to assess your vendor oversight compliance:

  1. Relevant SOPs, CVs, and training records.
  2. The list of approved vendors and subcontractors working on your study, including their qualification status and date of (re)qualification.
  3. The RBVOP and documented evidence that you follow the plan.
  4. Periodic assessments of vendors’ performance.
  5. Risk assessment documentation.
  6. Issue log and CAPA plans, including CAPA status.
  7. The assessment of your oversight processes, their outcomes, and improvements.

The list above is based on the WCG presentation, Day 1, Clinical Trial Risk and Performance Management Summit [2], and the author’s experience.

Audit And Inspection Readiness Tips

  • Develop a project organizational chart that includes all vendors and their subcontractors.
  • Note vendors’ and subcontractors’ approval dates and set calendar alerts for requalifications.
  • Maintain an updated RBVOP and documented evidence of oversight activities, including the assessment of your oversight effectiveness and actions for improvements.


In today’s complex clinical trials, holistic vendor management is a challenging mandatory activity. A thorough process review and continuing improvements are key to achieving the planned quality and staying inspection-ready.


  1. Clinical Risk Management for Small Companies including a toolkit (DIA Focus team). TIRS (Therapeutic Innovation & Regulatory Science) publication, 2020.
  2. WCG presentation, Day 1, Clinical Trial Risk and Performance Management Summit, September 4-5, 2019, Philadelphia, PA, USA.

About The Author:

Kamila Novak, MSc, got her degree in molecular genetics. Since 1995, she has been involved in clinical research in various positions in pharma and CROs. Since 2010, she has been working as an independent consultant focusing on QA and QC, as a certified auditor for several ISO standards, risk management, medical writing, and training. She is a member of the Society of Quality Assurance (SQA), the World Medical Device Organisation (WMDO), the European Medical Writers’ Association (EMWA), the Drug Information Association (DIA), the Continuing Professional Development (CPD) UK, and other professional societies.