FUNDAMENTAL #2: DETERMINING OVERSIGHT STRATEGY FOR CONTRACTED ACTIVITIES
Numerous recent 483 observations and deficiencies cited in warning letters have emphasized the current FDA expectation that
outsourced activities must have the appropriate controls in place, with adequate oversight provided by the contract giver.
However, one of the primary benefits of outsourcing work is that it frees internal resources for other purposes. If significant
internal resources must be used to verify and double-check everything that happens at a contract site, much of the benefit
of outsourcing will be negated. Tactical determination of adequate oversight for the outsourced activities becomes vital.
Risk assessment exercises may be used effectively to determine and prioritize appropriate and adequate oversight strategies
for the contracted activities. Levels of oversight should be commensurate with the risk associated with a given activity,
and additional oversight resources should be directed toward activities with higher risk ratings.
When performing a risk assessment for contract operations or services, the process should take into account (or weigh) factors
such as the level of experience with the contract organization, audit, or inspection histories (types of audit findings, status
of audit findings, or occurrence of repeat findings), and personnel turnover rates, in addition to the nature and criticality
of the contracted activities themselves. The customary elements of visibility or detectability of an event or non-conformance
and severity, should be thoughtfully weighted when using risk assessment tools for determining oversight requirements. One
simple example of a risk assessment tool is detailed in Table 1. Although not an exhaustive list of all the possible failure
modes that might be associated with the subject activity, Table 1 illustrates the process. The severity ratings used may be
based on several types of potential impact; regulatory, compliance or quality, patient safety, and development time lines.
The site- or organization-specific considerations mentioned previously are accounted for and weighted within the critical
Table 1. Example of a risk assessment tool for outsourced activities (detectability x severity = overall risk factor)
The example in Table 1 is just one of endless possibilities. Each organization must make its own decisions regarding what
risk factors it will assess, how it will weight risk factors, and the implications associated with a given risk rating or
level. The point is to be able to demonstrate that all risk factors have been taken into consideration when evaluating oversight
requirements. Another important benefit of performing a risk assessment as part of the oversight strategy determination is
that it provides documented rationale supporting the application of more moderate levels of oversight for lower risk activities,
as well as highlighting those activities requiring increased levels. In other words, it guides application of control measures
used to appropriately mitigate and manage the identified risks.