Guest Column | June 25, 2015

How To Strengthen Risk Management Practices In The Pharmaceuticals Supply Chain


By Peter Murray, quality and GMP compliance expert, former quality director, GlaxoSmithKline, and Sid Deshpande, manager of customer advocacy, MetricStream

Pharmaceutical manufacturers increasingly rely on a complex chain of suppliers to manage various aspects of their product production cycle. Supplier A might process the pharmaceutical ingredients, while Supplier B assembles the dose forms. Supplier C provides some specialized test services, Supplier D packages and delivers the products, and so on. This creates multiple supplier interfaces, each interface representing a potential risk to product safety and compliance. Good Manufacturing Practices (GMPs) require effective and consistent management of these potential risks.

The end customers — i.e. the patients — are largely uninterested in the complexities of the pharmaceutical supply chain or the challenges involved in managing multiple suppliers. What’s important to customers is that they get their medicine delivered on time, in the correct dosage, and at an affordable price. If something goes wrong — for instance, a product delivery is delayed, or a medicine has been incorrectly labeled — the responsibility and consequences are inevitably borne by the pharmaceutical manufacturer listed on the product pack, even though the issue may have occurred somewhere in their supply chain.

In addition to requiring the reliable supply of essential medicines, regulators have additional demands: they want to see evidence of compliance with Good Manufacturing Practices (GMPs), combined with effective risk management systems and controls throughout the pharmaceutical supply chain. If an incident of non-compliance arises, it’s again the pharmaceutical manufacturer who is held accountable.

Management of these risks in order to ensure supply continuity is a significant challenge. Here are a few key best practices:

1) Establish thorough procedures for initial supplier assessments and approval audits

Before you choose a supplier, define exactly what you’re looking for. What facilities or specialized capabilities do you need? What are the constraints in terms of location, capacity, timing, investments, and licenses? What is the expected duration of the supplier engagement – fixed or long term?

Once you’ve thought through these questions, identify a supplier who can possibly meet those needs. Evaluate their track record. Send out questionnaires to assess their potential risks and issues. Then, estimate the costs, resources, and time needed to manage those risks.

After the initial due diligence is completed, perform a formal approval audit. Determine if your suppliers have systems to appropriately manage risks around product safety, quality, and efficacy. Do their facilities have sufficient capacity, and have they been built to appropriate standards? Is there enough staff with the right amount of experience and training?

Answering these questions will help you identify any issues and, should there be issues, recommend the changes or improvements that the supplier needs to make before they can be approved.

2) Make quality and risk management a key element of supplier contracts

While negotiating contracts, don’t leave out the quality assurance and technical functions. Their inputs are essential in ensuring that no serious quality or compliance issues arise later in the supplier engagement.

Define how your company will manage supplier risks in order to meet ethical and legal obligations. Then, explicitly describe all the arrangements required by the supplier to minimize issues around quality, safety, or compliance. Finally, establish clear rights to terminate the contract for critical or sustained quality failures.

Ultimately, contracts might not guarantee effective risk management or GMP compliance, but they do serve as an important reference document for suppliers — especially in the longer term for those who weren’t involved in the initial discussions.

3) Ensure that supplier risk management is an ongoing activity, not a one-time effort

For many companies, supplier risk management takes a back seat once the initial assessments and due diligence are completed. Yet, supplier risks change all the time and need to be monitored regularly.

Start by identifying and ranking all supplier risks, and then implement risk mitigation measures routinely. Define metrics to monitor supplier risk, quality, and performance. Finally, review the contract at regular intervals to determine if risk management and quality elements need to be updated, or if the contract itself needs to be renewed.

Also, remember that supplier risk management isn’t just the responsibility of one group. The best organizations set up a cross-functional team consisting of experts from procurement and logistics, quality, compliance, and legal and financial functions. This way, supplier risk can be assessed from multiple perspectives to provide a holistic picture of how it affects the company.

4) Enhance communication across the supply chain

Communication with suppliers can often be hindered by differences in language, culture, and geography. Recognize and find ways to manage these differences, so that the timeliness and effectiveness of communication isn’t compromised.

To measure supplier compliance and quality, ensure that suppliers provide prompt and sufficient details around batch disposition data; changes to, or deviations from, agreed facilities, processes, and standards; trends suggestive of a product or process problem; periodic product or process reviews and performance metrics; and regulatory inspection outcomes.

Timely communication with suppliers is particularly critical when a safety or quality incident arises — such as an Adverse Drug Event (ADE), recall, or customer complaint. Effective management of these incidents relies on a common understanding of responsibilities – who is responsible for the product in the market, who makes the decisions, and who communicates with regulators, customers, and if applicable, the media.

This division of responsibilities is important in cases of multiple IP ownerships where one third party has the license to sell in certain markets, while another party has the license for other markets. If there isn’t a seamless chain of communication across these organizations when an incident arises, there could be significant risks to patient safety and business continuity.

5) Maintain comprehensive systems, metrics, and records

Regulators expect organizations to have a well-defined system specifying GMPs and compliance responsibilities for each supplier. They simply won’t accept verbal assurances that all the issues are being appropriately managed.

Some of the key supply chain areas regulators will typically investigate include: Is there a clear, contractual definition of quality and compliance responsibilities? Is there evidence of the management team reviewing quality, compliance, and risk in a timely and consistent manner? Are changes and deviations being identified, risk assessed, and managed in a timely manner by the right people? Are appropriate risk assessments and decisions being taken to effectively manage incidents such as ADEs and recalls? Are various stakeholders being proactively informed about regulatory commitments and compliance information? Does the company have systems to effectively manage supplier risks?

Organizations should have comprehensive systems and records that spell out clearly how supplier risks are being managed. Appropriate metrics help demonstrate that ongoing performance is as expected.

6) Leverage technology to support supplier risk management

As pharmaceutical companies continue to source, manufacture, and sell across the globe, the complexity of their supply chains is rapidly increasing. Robust software systems or applications can help by simplifying and improving the efficiency of data analysis and communication critical to various supply chain governance processes.

An example of the effective use of software would be the process of supplier contracts management. Many companies have adopted a centralized system to manage the entire lifecycle of creating, reviewing, and approving contracts, running periodic compliance surveys, managing contract risks, tracking contract expiry, and resolving contract issues. At the click of a button, users get complete and real-time visibility into all contract information across the supply chain.

Some systems have the ability to automatically integrate updates, alerts, and feeds from various regulatory intelligence sources – be it the FDA, Complinet, or D&B’s supplier validation database. This regular flow of information helps organizations proactively implement tasks to anticipate changes necessary to ensure continuing regulatory compliance.

Other systems automatically populate supplier compliance scorecards with data, while also monitoring supplier metrics against pre-defined KRIs and KPIs, and raising alerts if a threshold is breached. Since these processes are automated and work towards a pre-defined set of rules, companies save considerable time and effort in achieving a consistency of evaluation often not possible with manual systems.

Supplier risk management is complicated since there are so many potential risks and controls involved. Many companies have implemented systems that map risks to the associated suppliers, regulations, product lines, business units, supplier locations, controls, performance goals, and testing processes within one cohesive framework. Thus, users get a centralized view of supplier risk and compliance, aligned with business objectives, which in turn, helps them proactively identify and address areas of opportunity or improvement.

Some systems seek to integrate the entire supplier risk management process for optimal efficiency – right from risk identification and scoping, to risk assessments, ranking, what-if analysis, and mitigation. Often, these systems can be extended to manage the complete supplier audit lifecycle, as well as recalls, customer complaints management, and issue management processes. Enabling a systematic and closed-loop approach to these processes helps improve efficiency and minimizes redundant activity.

Many companies opt for a centralized system that consolidates all non-conformance data in one place. This helps users understand the relationships between various non-conformances, so that root causes can be identified and addressed in a timely manner.

Visual presentation of key data in such formats as dashboards, risk heat maps, and reports is a key tool to provide a readily understandable picture of supplier performance and risks. Compared to the traditional process of thumbing through the numeric and word-based data of multiple spreadsheets and word documents, software can visually provide users with the information necessary for decisions in one common view. This software also grants the ability to drill down to study the raw data where the visual presentation indicates a need for more detailed evaluation.

Conclusion

Faced with increasing patient demands and increasingly complex products, pharmaceutical companies are only likely to continue working with more suppliers and sub-suppliers in the supply chain in order to support their growing business. As a result, the risks associated with supplying a product that is safe, effective, and compliant are only likely to increase, and regulations addressing the risks of complex supply chains are likely to become more prescriptive.

The key to dealing with these challenges is to be prepared — to plan ahead and to develop a robust risk management strategy, enabled and supported by technology. Ensure that, as the supply chain grows more complex, appropriate, effective controls and procedures are in place to proactively manage and mitigate the potential risks to patient safety and compliance caused by increased complexity in supply chains.