Data Governance For Outsourced Facilities Management Services


Outsourcing of facilities management has been progressing for some time and much has been written and experienced in this journey. This maturity in outsourcing has culminated in the common terminology of “Integrated Facilities Management” (IFM). This integrated movement is the consolidation of the fragmented facilities management services under one provider, further reducing complexity in the eyes of the pharma operating company.

Maintaining your company’s strong compliance position and assurance of future market access is no easy task. Often, compliance strategies are in competition with top-line initiatives to grow revenue and bottom-line initiatives to save operating costs. Outsourced services, and particularly outsourced facility management, have been gaining popularity as a way to cut operating costs. Facilities management, which can consume 10-25% of total indirect spending, is an attractive target for cost savings initiatives.1

Amidst the fervor of promising savings, early approaches to outsourced facility management focused too much on the delivery of the service itself, and not on the less tangible but essential element of data integrity. Legal contracts and quality agreements must work in concert to set GxP compliance and the relationship up for success.

Why is data integrity essential to outsourcing of services? There are two key reasons. The first reason is that many outsourced services generate GMP raw data as part of completing the service. This raw data supports key service deliverables such as a calibration or maintenance certificate or completion of facility cleaning or a pest control report. While the data may be generated by the service provider, it is the responsibility of the company procuring the service to ensure the necessary controls are in place to assure the integrity of all GMP data produced while performing that service. This leads us to the second reason, which is that data integrity is essential to give trusted evidence as to the level of service quality and compliance, so in essence, data integrity is an essential part of establishing the quality of the service being provided.

Data integrity is essential to achieving the power of the “AND”: cost efficiency AND compliance, which is achieved via a governance model that leverages good data and a strong partnership. Great facilities management services are verified with great data. Trust, accountability and compliance are achieved through transparent and effective data governance.

Data integrity is a growing and mainstream concern within our industry. Publications of regulatory guidance such as the FDA Guidance: Data Integrity and Compliance with Drug CGMP – Questions and Answers,2 MHRA Guidance: ‘GXP’ Data Integrity Guidance and Definitions,3 and the PIC/S Guidance: Good Practices For Data Management and Integrity in Regulated GMP/GDP Environments4 are indicators of the increased levels of understanding, expectation and scrutiny around data integrity.

In addition to these, consider that between 2015 and 2020 there has been an approximate 400% increase in FDA pharmaceutical warning letters (Figure 1).5 When warning letters were analyzed by Redica Systems using advanced unstructured text algorithms, Redica found that data integrity themes are global and on average are featured in over half of the warning letters trended (Figure 2).6

Figure 1. Warning Letter Issues

Figure 2. Countries with 7 or More Drug GMP Warning Letters

The effects of the global pandemic have only temporarily slowed in-person inspections, and the issuance rates are already rebounding.7

In addition to the FDA, the MHRA is developing a more mature view of data integrity that includes increased focus on behaviors, such as pressure and rationalization.8

The U.S. House of Representatives recently passed the “COMPETES Act”, which includes fines ($1M per violation, capped at $10M) against “the alteration, falsification, fabrication, destruction, omission or removal of the whole or any part” of certain records or information.9

Lachman Consultants has identified clear trends that data integrity related enforcement actions are moving to all parts of the pharmaceutical value chain with particular emphasis on all GxP data in manufacturing and the related areas of utilities and facilities management.

Data integrity has shifted far beyond the time when it was perceived as just a computer system topic to a much more impactful and holistic concept of overall data governance. While the changes are large, the benefits to quality and public health are too, and industry and regulators alike must work together to successfully navigate into the new paradigm.

Outsourcing of facilities management is a fast-growing business segment and needs to be calibrated against the regulatory appetite. Since product quality is an inherent risk to pharma operating companies and reliance on third parties is often identified in SEC filings, this topic should be managed as a strategic quality risk utilizing principles in ICH Q9.10 Much research exists on the growth of IFM; however, nothing more than COVID-19 has made facilities management a common term and visible risk.

Company cultures engrained with scientific principles and analysis can often be challenged in areas of service management. The interface between clients and IFM service providers requires good governance and oversight design.

The relationship must be rooted in data that is believed. It is widely accepted that key performance indicators (KPIs) are the focal point to determine contractual compliance, but the next move must be to assure the integrity of the KPIs to reflect the actual state of compliance of the service. Additionally, due to the lack of visibility of many IFM services, good data drives good detection and confidence in oversight.

Companies would be well advised to understand the FDA Quality Metrics program.11 The intent of this program is that “metrics can also be useful to FDA: to help develop compliance and inspection policies and practices, such as risk-based inspection scheduling of drug manufacturers; to improve the Agency’s ability to predict, and therefore, possibly mitigate, future drug shortages; and to encourage the pharmaceutical industry to implement state-of-the-art, innovative quality management systems for pharmaceutical manufacturing.”12 Section 6 below outlines a simplified method to identify minimal steps to design confidence of decision making in an IFM model by utilizing data governance.

Before KPIs can be determined, a framework must be agreed. This can occur by mapping data governance elements to typical IFM elements. Once complete, then principles of Quality Risk Management can be applied. As stated in the FDA Guidance: Q9 Quality Risk Management, “Quality risk management activities are usually, but not always, undertaken by interdisciplinary teams.”13 This guidance should help the team emphasize that this is not a procurement activity but owned by the functional owners to ensure quality is designed into the service (Figure 3). 

Figure 3. Data Governance Framework


Data collection starts with people. Employment costs can be 70% of the cost of service. By inference, people are the greatest asset and largest potential source of errors. Data governance needs to consider the negative and positive influence of staff behaviors. Indicators such as overtime, backlog and turnover are good indicators that can be reviewed at governance meetings to foresee pressures that may cause unfortunate behavior. Training of staff needs to include a thorough understanding of what the data they generate will be used for. Leaders must emphasize the importance of the data generated as well as the fact that the only evidence of service is the data left for future decision making.


Consistency of the service should produce a standard and stable output. This consistency is usually dictated by written procedures. Early in the framework design, care should be taken to establish whose procedures the service partner will follow (i.e., operating company’s or service partner’s SOPs). Risk increases when the roles defined are generic. The decisions required by the procedures should be clear and well understood. Key procedures to identify include, but are not limited to, data reviews, audit trail reviews, deviations & investigations, data retention schedules, training programs, auditing and employee feedback mechanisms. Conflicting SOPs can put undue pressure on employees and create complexity, especially when the service partner utilizes the operating company’s IT systems and equipment. Ownership of the data must be defined unambiguously. The service partner should be encouraged to speak up without retribution.


Agreements should be in place to clearly identify what systems are used and for what service. Many service partners want to leverage value by introducing novel tools and systems to add value, but the official system of GxP record must be established. Additionally, quality oversight should be established for routine oversight and not modeled as if the service partner is an off-site entity. Additional controls for systems may need special attention in an outsourced on-site relationship, including:

  • Data: Ownership of the data needs to be established. Will data generated from the service be handed over to the operating company or only a summary, report or certification? This may be different from the system or service owner. Archiving and data disposition must be addressed in the event of termination of the contract.

  • Computer system validation: If the supplier owns the system, is data generated on site and transferred to a different off-site repository? Data mapping for the application would be valuable, as would consideration of whether the system URS and PQ have challenged the overall data flow into, through and out of the system, including the operating environment and geographical location of the data capture.

  • Change control: Changes need to be assessed for impacts to the processes and integrity of data and the division of responsibilities.

  • Shared repositories: Data that is housed in a supplier’s repository must have appropriate controls to assure integrity of the data and protect not only intellectual property, but also financial reports that may be captured in systems such as a CMMS, which may have specific commercial agreements or specialized manufacturing equipment information.

Application of risk management thinking can be effective in identifying emerging issues. The strategic partnership should include incentives for mutual risk recognition and collective mitigation. Risk management should not just be a “process” to follow for “process” sake, but a valued method of critical thinking. A series of Key Risk Indicators (KRIs) should be established to enhance not only contractual governance, but also data governance, all with the goal of minimizing data integrity risks.

Good data gives confidence in GMP decision making. The relationship should be carefully designed and executed, making great data governance a competitive advantage for both the service partner and the operations company (client). The regulatory environment is quickly moving toward the requirement for Quality Metrics. This trend, coupled with the ever-growing perceived risk of outsourcing, makes this integration of Data Governance with your third-party IFM provider no longer a luxury, but a fundamental expectation. The FDA Draft Guidance: Submission of Quality Metrics Data notes that “a self-selection bias may increase the risk of signaling an outlier where none exists”; this risk can be mitigated by utilizing experienced consultants in IFM to design and deploy a mature data governance program.12 In outsourced facilities management, data integrity is a risk to be managed with priority, and data governance is the key to managing that risk.


1. McKinsey & Company, Hoffman, Steve; Lietke, Britta. (2019, November 15). Six emerging trends in facilities management sourcing. Retrieved from

2. Food and Drug Administration. (2018, December). Data Integrity and Compliance with Drug CGMP, Questions and Answers, Guidance for Industry. Retrieved from

3. Medicines & Healthcare products Regulatory Agency. (2018, March). ‘GXP’ Data Integrity Guidance and Definitions. Retrieved from

4. PIC/S, Pharmaceutical Inspection Convention / Co-Operation Scheme. (2021, July 1). Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments. Retrieved from

5. Food and Drug Administration. (2021, August). Report on the State of Pharmaceutical Quality: Fiscal Year 2020. Retrieved from

6. Stauffer, Rebecca. (2021, August 31). What Can Regulatory Data Tell Us About Data Integrity Trends? Redica Systems. Retrieved from

7. Food and Drug Administration. (2022, February 4). FDA Roundup: February 4, 2022. Retrieved from

8. Churchward, David. (2017, March 10). Too much pressure: a behavioural approach to Data Integrity (Part 1). MHRA Inspectorate Blog. Retrieved from

9. Cox, Bowman. (2022, March 2). Penalties For Poor Data Integrity. Pink Sheet. Retrieved from

10. International Conference on Harmonization of Technical Requirements for Registration of Pharmaceuticals for Human Use. (2005, November 9). ICH Harmonised Tripartite Guideline, Quality Risk Management Q9. Retrieved from

11. Food and Drug Administration. (2022, April 5). Quality Metrics for Drug Manufacturing. Retrieved from

12. Food and Drug Administration. (2016, November 25). Submission of Quality Metrics Data; Draft Guidance for Industry. Retrieved from

13. Food and Drug Administration. (2006, June). Guidance for Industry, Q9 Quality Risk Management. Retrieved from

Scott Deckebach is a director in the compliance practice at Lachman Consultants with more than 25 years of experience in the life sciences, including APIs, pharmaceuticals (Rx and OTC), biopharmaceuticals, aseptics and medical devices.

Patrick Day is a principal consultant in the compliance practice at Lachman Consultants and an established pharmaceutical executive and practitioner with proven leadership in proactive risk identification, deployment of strategies to enhance compliance controls and implementation of detection systems to eliminate blind spots.