From The Editor | October 20, 2022

What Is A Risk-Based Approach To CRO Oversight?

Ed Miseta

By Ed Miseta, Chief Editor, Clinical Leader


Ian Wyglendowski has experienced the pharma industry with companies of every size. He started his career at a small biotech (35 employees) and then went to work for Genetics Institute/ Wyeth and BMS. Throughout his career, he also worked with numerous CROs and today is the head of strategic clinical partnering at UCB. For him, CRO oversight always has been top of mind.


Wyglendowski recommends taking a risk-based approach to CRO oversight, and the first step is understanding the risk that exists. If an inspector walked in today and asked how you, the sponsor, could ensure that an activity you have outsourced, like clinical site monitoring, complies with ICH GCP regulations, would you know how to answer that question?

“For us, answering the question begins with the request for information and RFP,” he states. “When deciding on a CRO, perform an audit and conduct your due diligence — understand how the CRO conducts monitoring and what SOPs they have, and determine how sound and robust those processes are. If you are overly confident that their processes are good, you can adjust your oversight based on that assessment.”

He notes that evaluation of the CRO’s SOPs is performed by having SMEs review the procedures and processes from a technical perspective. The review ensures that they meet basic expectations from a functional point of view. Additionally, a representative from a quality group would partner with that operational SME to review the same SOPs and processes from an ICH/GCP perspective, ensuring that they comply with the appropriate regulations.

Oftentimes, sponsors may not have confidence in those processes. If there are gaps, oversight may need to be heavier and more focused. Foundational to that oversight should be the establishment of KPIs, which should be based on the risk assessment.

“When I came to UCB eight years ago, we spent a lot of time discussing oversight of our CROs,” notes Wyglendowski. “There was a general feeling that we were spending too much time on it. Many of our colleagues looked at resource allocations within the company and felt we were putting too many project managers on outsourced studies. For example, should we have one project manager covering two or three outsourced studies instead of one or two per study?”

Wyglendowski knew things had to change. For some studies, UCB was reviewing every site monitoring report, something he did not feel needed to happen. A proper risk assessment would have determined that their preferred CRO had robust and compliant processes in place.

In this case, the risk assessment would have ensured what was on paper matched what happened in practice. A certain percentage of reports could be spot-checked. Provided no issues were identified, the spot-checks could then be reduced over time. That approach is preferred to reviewing 100% of reports, which is not efficient and does not add value.

“The CRO had been through multiple inspections that did not turn up any critical issues with the site-monitoring reports,” he says. “Their infrastructure and processes were likely better than what we had. Based on that information, we determined we could confidently rely on this CRO.”

UCB worked to understand what the company was interested in knowing when it came to the monitoring performed by the CRO. When the company started asking questions, it realized the start of the study was critical. At the onset of trials, it wanted to know what issues were arising (such as sites not correctly adhering to study protocols or inclusion/exclusion criteria) and whether the CRO was filing reports on time. KPIs were developed to focus on those issues. A clear plan was in place that everyone felt confident in because of the due diligence and early alignment.


The focus of CRO oversight will vary based on the size of the company. “In a small company, my oversight would be focused on KPIs around deliverables in that startup process,” he says. “Once you provide your protocol to the CRO, how quickly are they getting it to sites? What are the turnaround times to get it through the review process? Those are some of the KPIs on which I would focus.”

Data are another key area of focus. When an asset finally makes it to the FDA or EMA, issues that arise can relate to vendors and data. Those issues can include how a vendor manages the data received throughout the study from a cleaning, programming, and transfer perspective.

Wyglendowski says small companies should have at least two or three people assigned to overseeing a study. “I always recommend getting to know your project manager, regardless of the size of your company,” he adds. “What demands do they have from their organization? What is their area of focus? What are their objectives? How are they getting measured for their performance, and how do their goals differ from yours? If your company has an audit function, audit the systems of your CRO on a regular basis. That will give you confidence that data is being reviewed and processed appropriately and that medical reviews of adverse events are happening.”


Wyglendowski believes a large part of oversight these days relies on reports. For example, during study startup, expectations can be discussed around cycle times for activities. Then, each month during startup, you can determine whether timelines are being met. “You want to know whether the CRO hit the 30-day cycle time that it agreed to. If it did not, you want to know why and whether there is any way you can help. Proper oversight comes down to a combination of that report as well as the in-person meeting.”

The final piece is team meetings, which inspectors will want to look at. They want meeting minutes, actions, and decisions to be key components of your oversight.


For further clarification, Wyglendowski shares the story of when one of UCB’s preferred CRO partners was not hitting its objectives, and consequently, the companies lacked a strong relationship.

“One step we took to improve the situation was to create an ‘embedded partner liaison’ position,” he says. “We took a senior clinical operations person from our CRO and had them sit in our office for several years. They were not assigned to a project, and they were not an escalation point for any program. They were there to get to know our functional and operational leads and to try to understand how we work. It’s such a simple idea, but the impact it had was night and day. We learned we had differing definitions of things and ways of working, which resulted in a difference in expectations and cycle times. Working with this liaison enabled us to develop a new and more effective oversight model.”

"For us, answering the question begins with the request for information and RFP. When deciding on a CRO, perform an audit and conduct your due diligence."

Ian Wyglendowski, Head Of Strategic Clinical Partnering, UCB


The partnership with the embedded partner liaison entailed hosting a series of workshops. The workshops involved conducting risk assessments from startup to execution and closeout. The company redefined its oversight model, created new KPIs, and put reporting in place. It then conducted training and implementation over a period of 6 to 12 months.

“The new model fundamentally changed how we worked,” adds Wyglendowski. “There were activities we had been conducting that we were able to eliminate, such as reviewing site-monitoring reports. The reviews were replaced with spot-checking, which eventually was eliminated as well. We had the CRO conduct those activities, and we would oversee them, which reduced wasted time. It’s a different internal competency to oversee an activity rather than do it yourself. We came to terms with the fact that we were part of the problem. We had a group of people who wanted to perform day-to-day tasks rather than conduct oversight. They ended up taking different roles or they left the company. We shifted completely in our approach to how we collaborate with partners and made that relationship successful.”