Tools and Frameworks for Vendor Risk Management – Part 2

Published: 2023/10/04 Last updated: 2023/10/31 By: Tom Lazenby

Welcome to Part 2 of our three-part blog series, “Tools and Frameworks for Vendor Risk Management.” [Part 1] explored fundamental risk management methodologies, including flowcharts, check sheets, process mapping, cause and effect diagrams, and Failure Mode Effects Analysis (FMEA).

In Part 2, you will learn about some more advanced risk management techniques, introducing:

  • Failure Mode, Effects, and Criticality Analysis (FMECA)
  • Fault Tree Analysis (FTA), and
  • Hazard Analysis and Critical Control Points (HACCP).

We will detail what these methodologies are, why and when to use them, and how to effectively employ them in vendor risk management for clinical trials.

Failure Mode, Effects, and Criticality Analysis (FMECA)


FMECA extends the FMEA methodology by incorporating an additional step: evaluating the ‘criticality’ of each potential failure mode. This involves a detailed analysis of the consequences and impacts of each failure mode, helping teams prioritize risks more effectively.


FMECA enables your team to focus on the most critical risks that could have severe consequences on your clinical trial processes and outcomes.


Like FMEA, FMECA is most beneficial during the vendor selection process, assisting in assessing potential vendors’ risk profiles, and throughout the vendor’s engagement for ongoing risk management.


After identifying potential failure modes, their causes, and effects using the FMEA approach, the FMECA methodology further scores each failure mode based on its criticality. The Risk Priority Number (RPN) is then calculated considering the severity, occurrence, detectability, and criticality, thereby providing a more granular prioritization of risks.

When selecting a central laboratory services vendor, the team uses FMECA to assess each potential vendor’s risk profile.
The team might identify “improper sample handling” as a potential failure mode. The criticality of this failure mode would be high because it could significantly impact the integrity of the trial data and patient safety.
Based on the criticality analysis, the team might choose to implement robust audit procedures and regular performance monitoring for the selected vendor to mitigate this risk.

Fault Tree Analysis (FTA)


FTA is a top-down, deductive analytical method used to explore the causes of undesirable outcomes or ‘faults’ in a system. In vendor risk management, FTA can help you understand the chain of events that could lead to vendor-related failures.


FTA helps to trace back the root causes of potential failures and provides a visual representation of the interrelationships between failures and their causes.


FTA is particularly useful in the risk identification stage of the vendor risk management process.


To conduct an FTA, start by identifying the undesirable event or ‘top event.’ Then, using deductive logic, identify potential causes or ‘events’ that could lead to the top event, and link these using logical gates. Continue this process to drill down to the root causes.

Suppose a clinical trial team is concerned about the risk of data breaches from a data management vendor. They use FTA to visualize the chain of events that could lead to a data breach, such as inadequate security measures, human error, or malicious activity. By identifying these potential causes, the team can implement appropriate risk mitigation measures, such as additional security controls, training, or monitoring activities.
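The data-breach fault tree above can be written down and reduced to its minimal cut sets, the smallest combinations of root causes that trigger the top event. The following is an added example, not part of the original post: the top event and its three causes come from the text, while the gates and the basic events beneath them are assumptions made for illustration.

```python
from itertools import product

TOP = "data breach at data management vendor"

# Constructed fault tree. The top event and its three causes come from the
# post; the gates and the basic events below them are assumptions.
TREE = {
    TOP: ("OR", ["inadequate security measures", "human error",
                 "malicious activity"]),
    "inadequate security measures": ("OR", ["unencrypted exports",
                                            "shared accounts"]),
    # A misaddressed transfer only exposes data if the export is readable.
    "human error": ("AND", ["misaddressed data transfer",
                            "unencrypted exports"]),
    "malicious activity": ("AND", ["stolen credentials",
                                   "no multi-factor authentication"]),
}


def cut_sets(event, tree):
    """All combinations of basic events that cause `event`."""
    if event not in tree:                      # leaf: a basic (root) event
        return {frozenset([event])}
    gate, children = tree[event]
    child_sets = [cut_sets(child, tree) for child in children]
    if gate == "OR":                           # any one child is enough
        return set().union(*child_sets)
    if gate == "AND":                          # one cut set from every child
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {gate!r} on {event!r}")


def minimal_cut_sets(event, tree):
    """Drop any cut set that strictly contains a smaller one."""
    sets = cut_sets(event, tree)
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def single_points_of_failure(event, tree):
    """Basic events that cause the top event on their own."""
    return [next(iter(s)) for s in minimal_cut_sets(event, tree) if len(s) == 1]


if __name__ == "__main__":
    for cs in minimal_cut_sets(TOP, TREE):
        print(" AND ".join(sorted(cs)))
```

The human-error combination is absorbed because unencrypted exports alone already reach the top event, so one control addresses both branches. Cut sets of size one are the mitigation priorities.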

Hazard Analysis and Critical Control Points (HACCP)


HACCP is a systematic preventive approach to food safety and pharmaceutical safety that addresses physical, chemical, and biological hazards as a means of prevention rather than finished product inspection.


HACCP can be adapted to manage and mitigate risks associated with vendors in clinical trials. It helps to identify and control potential hazards before they pose a threat to the quality, safety, and integrity of your clinical trials.


HACCP can be used throughout the vendor management process but is particularly valuable in the planning and initiation stages of a clinical trial.


The HACCP process includes seven steps: conducting a hazard analysis, identifying critical control points, establishing critical limits for each control point, monitoring critical control points, establishing corrective actions, verification procedures, and record-keeping and documentation.

Consider a clinical trial team working with a drug manufacturing vendor. They could use HACCP to identify hazards like potential cross-contamination or inaccurate labelling during the manufacturing process.
By establishing critical control points and limits, such as stringent cleaning procedures and rigorous label checks, the team can mitigate these risks and ensure the quality and safety of the trial drug.

Integrated Use of FMECA, FTA, and HACCP in Clinical Trial Vendor Management

The trial team is partnering with a Contract Research Organization (CRO) to conduct a multi-centre clinical trial. They need to ensure the CRO maintains compliance with the protocol, regulatory standards, and quality measures across all sites while ensuring patient safety and data integrity.

The team decides to use FMECA, FTA, and HACCP in an integrated approach to manage the risks.


  • The team identifies potential failure modes associated with the CRO’s responsibilities. One failure mode is “inconsistent implementation of trial protocol across sites.”
  • The team assesses the effects of this failure mode, including compromised data integrity and potential patient safety issues.
  • They evaluate the criticality of this failure: it could lead to significant delays, costly rework, or even trial failure.
  • This high level of criticality prompts the team to prioritise stringent monitoring of protocol adherence across all trial sites.


  • The team then uses FTA to map out the causes that could lead to “inconsistent implementation of trial protocol across sites.”
  • They identify inadequate site training, communication breakdowns, and varying interpretation of protocol procedures.
  • Understanding the potential root causes, the team devises preventive strategies including:
    • comprehensive training
    • establishing communication channels
    • clarifying ambiguous elements in the protocol


  • Finally, they apply the HACCP framework to identify potential hazards, establish critical control points, set critical limits, and monitor these control points.
  • In this case, they identify “protocol deviation” as a hazard.
  • The critical control points include regular site visits and audits, and the critical limits are the acceptable number of minor or major protocol deviations.
  • If the deviations exceed this limit, the team has corrective actions in place, such as providing additional training or escalating the issue to senior management.
  • This mitigates the risk of further major deviations.

By using FMECA, FTA, and HACCP in an integrated manner, the clinical trial team can effectively identify, assess, and manage the risks associated with partnering with a CRO, ultimately safeguarding the trial’s success.


Expanding on the basic risk management methods explored in Part 1, these advanced techniques offer further ways to identify, assess, and manage vendor-related risks in your clinical trials.

By adopting FMECA, FTA, and HACCP methodologies, you can ensure a more thorough and nuanced approach to vendor risk management, safeguarding the success of your clinical trials.

In “Risk Management Frameworks for Vendor Risk Management Part 3,” you will learn about:

  • Hazard Operability Analysis (HAZOP)
  • Preliminary Hazard Analysis (PHA), and
  • risk ranking and filtering methodologies

These approaches allow for a more in-depth analysis of potential hazards and risk factors, enabling you to make informed decisions about your vendor risk management processes.

Tom Lazenby

Tom is the Founder and CEO of Mayet. Using his experience in streamlining operations and driving innovation in clinical research, Tom is dedicated to enhancing the efficiency, cost-effectiveness, and risk mitigation strategies for vendor management and oversight.
