Introducing layers of risk management to build a true risk program

Eric Elbel, Senior Manager, Supply Chain Logistics, AVROBIO

Below is an insight into what can be expected from Eric’s session at Third Party & Supply Chain Risk USA 2023.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

How can introducing a layered risk management program enable organizations to build a true risk program? What benefits will this bring in comparison to a one-size-fits-all approach?

It is vital that all layers of an organization are brought into the conversation regarding risk mitigation. Training on the quality of materials and methods, safety of materials and people, and general efficiency training to mitigate waste are all part of this process and can provide great benefits in these areas. Additionally, companies benefit from a proper risk-averse mindset in that it builds a quality-first culture, which can help to streamline regulatory activities, shorten audit timelines, and raise expectations and standards for service providers and suppliers.

The introduction of a proper layered risk management program should be done as soon as possible in a company’s lifecycle, as early introduction allows for the reduction of future events and simplification of any ongoing event resolution. As with any quality-related program within an organization, it is important to build documentation that proceduralizes all risk management activities and can also be used to train all personnel involved in the process. Training can be completed using many methods, but it is best to employ hands-on training as opposed to read-and-understand training whenever possible. This will benefit the organization in that operators will have a full capability to understand the risk within their remit, and they will also be able to train others that enter their sphere on proper risk mitigation as well.

What can be learned from the way financial services conduct supply chain oversight? How does this differ from current industry approaches from pharmaceuticals?

Much can be learned from financial services regarding cost savings, but it is important to keep the end goal in mind for different industries. The pharmaceutical industry should have the perspective that patient care and safety are the ultimate goals and drivers of success. Once a patient-centric culture has been established, many gains follow, including financial.

That said, it is important to recognize that there are long-term risks that must be navigated in the pharmaceutical industry and continual testing, management of documents and reporting, and diligence with patient follow-up must be maintained in order to ensure long-term financial success. Lessons from the financial industry that can be applied to the pharmaceutical industry include material safety, security against counterfeiting, speed and efficiency of logistical operations, and safety and security of personnel. In both industries, there is a significant risk of theft, which must be made apparent to all personnel involved in supply chain and logistics operations.

What would a successful third party risk management infrastructure look like?

A successful third party risk management system would operate seamlessly from a company’s internal departments and systems. There should be strong communication between all parties, training will be robust, expertise will be openly shared, and accountability will be managed in such a way that quality improvements are commonplace.

It is difficult to implement a proper quality and risk management system with third-party suppliers, mainly due to the lack of direct control and oversight that a company can maintain. Documented controls such as contracts, supplier quality agreements, and regular audits can be beneficial. Additionally, there must be an understanding with third parties that any subcontractors are to maintain the same standards that are expected of their parent organizations. Strong communication, such as regular monthly, quarterly, and annual business review meetings, is vital to maintaining a strong and cohesive vendor relationship.

Typically, third party risks are tiered as high, medium, and low. How else can organizations quantify such risks and move beyond just conducting risk assessments?

There are several other metrics that can be used in addition to risk. Potential frequency, impact resolution time, productivity loss potential, regulatory intervention needs, and other aspects should be considered in order to build a properly robust risk management system. Again, all of these potentialities must be documented and taught to personnel in order to ensure that they are apparent should they arise during regular processes. Operators also must be taught risk mitigation practices, and a proper quality system must be introduced such that any adverse events or even potential adverse events (near misses) are available as learning opportunities.

The best trainers within an organization are often those who regularly take part in the activity determined to include risk. Regular workday activities do not take the place of proper training; all personnel should be put onto a training calendar so that assurance of updated training can be gained.