We Are DIA

Career Column

Selecting a Risk-Based Monitoring Vendor: Ensure Compliance


Risk-based monitoring (RBM) has received significant endorsement, not only through major industry consortia such as TransCelerate BioPharma, but through key guidances issued by the ICH, FDA, and EMA.

The November 2016 ICH E6 R2 GCP guideline gave significant weight to RBM and the responsibilities of sponsors, and also requires investigators to take a greater role in study design and risk management and monitoring, while the FDA guidance describes RBM as “focused on the risks to the most critical data elements and processes necessary to achieve the study objectives.”

Thus, while industry is still in the process of determining its return on investment (ROI) in RBM, there is a somewhat rapid desire in industry to adopt RBM methodology, even from previous naysayers. Pharmaceutical companies often lack core RBM expertise and are therefore frequently partnering with vendors to drive their RBM strategy. Because RBM methodology is fundamentally data-driven, it’s crucial for chosen vendors to have a clear understanding of regulations impacting these data.

Which Vendor? The Tyranny of Choice

Because RBM hinges on the complex interplay of clinical expertise and data management, vendor selection can be tricky and seems to raise challenges at each decision point, for example:

  • Scalability versus flexibility
  • One-stop shop or multiple niche players
  • Global versus regional player with a better cultural fit and awareness of local regulations
  • Specific therapeutic expertise versus greater general RBM experience.

Other aspects to evaluate when choosing a technology vendor include the vendor’s data integration and transformation expertise, the ability of its technology platform to accept data from diverse databases and third-party systems, and the core team’s RBM-related subject matter expertise. The vendor’s technology team must be internally supported by people with deep RBM domain expertise who truly add value.

Moving Target of Dynamic Risks

Key risk indicators (KRIs), such as unreported adverse events and timeliness of data entry, can help identify study sites that present the greatest risk for protocol deviation. It is important that the vendor’s platform supports a flexible data model and allows for adjustments to KRIs or threshold triggers in response to protocol amendments. Likewise, appropriate knowledge management systems are essential to leverage key insights from multiple studies to redefine these KRIs and thresholds. User-friendly, navigable visualization tools with customizable views, automated systems to monitor key performance indicators (KPIs), and integrated online document review and version control systems are all valuable assets. Therefore, vendors with access to KRI libraries and the ability to harness artificial intelligence (including natural language processing and predictive analytics) are more desirable.

Crucial Considerations for RBM Vendors

Vendors, too, must take into account certain important considerations:


  • ICH E6 requires that sponsors have “written procedures to assure that changes or corrections in CRFs made by sponsor’s designated representatives are documented, are necessary, and are endorsed by the investigator. The investigator should retain records of the changes and corrections.”
  • There has been a call for a Quality Management (QM) approach which addresses risk at both the system and clinical trial levels. This call also stresses the importance of documenting all QM activities, establishing the right SOPs, and highlighting in the clinical study report any deviations from quality tolerance limits.
  • Sponsors have oversight responsibility of CRO activities.
  • Regulatory guidelines emphasize the importance of validating the electronic trial data systems used for risk assessment and establishing SOPs for setting up, installing, and using these data systems.
  • In RBM, data is often migrated from diverse databases and assimilated into a single repository, creating the need to ensure data privacy, security, audit trails, back-ups, and blinding. Furthermore, it’s crucial to maintain the integrity of both the data and the metadata describing the context, content, and structure of the data. This is particularly important after software upgrades or data migration.
  • There is a clear requirement to specify in the monitoring plan the different types of monitoring that will be used, the critical data and processes that will be reviewed along with the supporting rationale, and to create monitoring reports not only for on-site visits but for centralized monitoring.

Regulations and Other Requirements

Vendors must also comply with various regulations, such as the EU GDPR (General Data Protection Regulation), which will become effective in May 2018 and requires compliance with 21 CFR part 11 (Electronic Records and Electronic Signatures). The EU GDPR regulates the portability of EU data outside the EU, ensures that EU citizens’ data are kept private, and requires that data breaches be reported within 72 hours of the breach. It also establishes specific new data monitoring roles such as Data Protection Officers (DPOs), data controllers, and data processors.

The 2013 FDA Guidance, Oversight of Clinical Investigations — A Risk-Based Approach to Monitoring, discusses using eConsent tools and using internet portals to review informed consent forms. This Guidance also moves away from 100% source data verification (SDV) and refers to investing in SDV of only those source records likely to provide the most meaningful information about a patient’s participation and the trial conduct. It also specifies that the monitoring plan should define the specific risks that the monitoring must address.

Since all quality management processes are dynamic, the 2013 EMA Reflection Paper on Risk-Based Quality Management (RBQM) in clinical trials recommends that risks be monitored continuously. It further recommends establishing risk-based approaches at the program level first, followed by determining approaches at the protocol level, with sponsors and regulators regularly discussing the steps taken to manage risk.

While many other regulations and guidelines directly and/or indirectly impact RBM, it is very important to choose a vendor who has not only the relevant expertise and capabilities, but also the requisite knowledge of RBM guidelines and regulations.

References available upon request.

About the Authors

Dr. Nimita Limaye is CEO of Nymro Clinical Consulting Services. She has worked with pharma, contract research organizations, and information technology-enabled service companies, leading global risk-based monitoring (RBM) and clinical data management businesses, for more than 20 years. In 2010, she became the first non-North American chairperson of the Society for Clinical Data Management (SCDM). Nimita Limaye is on the DIA India Steering Committee, has chaired various conferences (including two DIA meetings on RBM), and is a featured interview in the book How India Found Its Feet: The Story of India Business Leadership & Value Creation 1991-2010.

Ranjeet Gutte is a post-graduate pharmacy student and has worked for more than twelve years with multinational pharmaceutical companies and the world’s largest contract research organizations. As General Manager of Global Clinical Development at Wockhardt, Ranjeet Gutte is responsible for global vendor management, site operations, and business operations for the company’s global clinical programs. He has implemented risk-based monitoring for phase 2 and 3 clinical studies in India and globally.