Carpe Diem: A Holistic Strategy for Assessing Supply Chain Compliance Risk in a COVID-19 World
September 28, 2020
The current COVID-19 pandemic presents important supply chain issues for many life science companies. Product shortages in Personal Protective Equipment (“PPE”), the acceleration in manufacturing of potential therapeutic treatments and preventative vaccines, and new demands for using a remote workforce to support these efforts, all raise challenges for life sciences companies and emphasize the importance of a thoughtful approach and careful strategy for supply chain management and risk mitigation. Now more than ever, companies should assess their supply strategies, including refreshing compliance risk assessments, to ensure a holistic strategy for regulatory compliance in the COVID-19 world.
In addition to the unique challenges of the current global pandemic, companies have been confronted with a barrage of guidance—sometimes preliminary and occasionally reversed—from the U.S. Food and Drug Administration (“FDA”) and other regulators on managing manufacturing activities during a pandemic. FDA guidance has addressed the need for risk assessments related to product quality,
As if the pressures of a pandemic were not enough, supply chain strategies have been further complicated by the geopolitical environment, with uncertainty regarding import tariffs and the trade tensions between the U.S. and China, for example, and an Executive Order from the Trump administration seeking to bring drug manufacturing back to the U.S.
Of course, even without this public focus, many life sciences companies have experienced the reality that the actual cost of operating in foreign markets often proves higher than anticipated in light of regulatory and compliance challenges as the FDA and other regulators increasingly focus inspection and enforcement resources on foreign sites to account for the shift of manufacturing to these locations. As examples, the FDA has issued Warning Letters to scores of manufacturing sites in India and China focused on data integrity concerns, often entailing significant expense by manufacturers to analyze and implement appropriate corrective actions and controls. Moreover, regulatory risks are not limited to Good Manufacturing Practice (“GMP”) issues, and recent guidance and enforcement activity has not been limited to the FDA. By going global with manufacturing, companies open themselves to a host of additional risk areas such as corruption, trade / sanctions, data privacy and security, and human rights and sustainability, as they engage in the various activities involved in manufacturing, including: inspections, permitting, and licensure; import of materials and export of product; monitoring employment practices; and managing the community impact of manufacturing and waste disposal. For example, in two instances, U.S. Customs and Border Protection (“CBP”) issued Withhold Release Orders and seized medical gloves manufactured in Malaysia because of concerns they were created with forced labor. Although CBP revoked one Withhold Release Order at the height of the pandemic, CBP issued another over the summer against subsidiaries of a large PPE manufacturer.
All of these activities come against the backdrop of continued enforcement focus and activity by the corruption enforcement arms of both the Department of Justice (“DOJ”) and Securities and Exchange Commission (“SEC”),
The current geopolitical environment and global pandemic combine with the chorus of enforcement authorities and regulator guidance across risk areas and statutory regimes to send a clear warning: whether in the U.S. or around the world, manufacturers must have a holistic, dynamic strategy for identifying and mitigating the full risk profile presented by their supply chain. All too often, regulatory and compliance efforts are cabined by risk area and siloed within various internal departments and/or with a team of external resources focused on one particular risk area. This structure drives both inefficiency and business frustration as similar activities are assessed and overseen by multiple groups for differing purposes. Without anyone to look holistically at risk, these efforts often result in misallocation of resources and compliance efforts—or worse, leave a company vulnerable to unidentified risk. Consider instead an approach integrating all the relevant internal stakeholders—likely to include operations, quality, supply chain, legal, and compliance—supported by external resources as needed to identify and assess the full panoply of risk presented by the specific supply chain strategy. While these assessments, like all compliance efforts, must be tailored to the company’s particular supply-chain strategy for maximum efficacy, some considerations for success include:
Refreshing plans for redundant sourcing of key raw materials or intermediates and manufacturing of finished product;
Reviewing third-party manufacturing relationships, including:
Ensuring initial due diligence and contracting address the full slate of risks presented (e.g., quality, corruption, trade / sanctions, Environmental, Social, and Governance (“ESG”), money laundering);
Ensuring monitoring and oversight strategies are tailored to the particular relationships, cover each attendant risk area, and are accompanied by metrics and information providing visibility into the relationship and transparency into key or emerging risks;
Identifying and assessing holistic site activities (e.g., sourcing, licensure / permitting, labor, import / export) and related policies, procedures, guidance, training, and monitoring at both the corporate and site-specific levels;
Benchmarking and identifying best practices across the industry, the company, and the company’s third-party manufacturing partners as to how to address identified risks, particularly in the context of the current pandemic and, where appropriate, updating processes (and related guidance and training) to reflect these practices, as waiting until the pandemic passes may result in lost opportunities as other priorities arise;
Reviewing processes for escalating quality and compliance issues (e.g., Are reporting mechanisms available, functioning, and understood across sites? Are issues routed correctly, reaching the appropriate Subject Matter Experts (“SMEs”) and management levels in a timely manner? Are issues—regardless of subject matter area—consistently tracked, appropriately followed up on, and addressed? Are issues considered at a macro level to ensure appropriate root-cause assessment and related program and control enhancement?);
Assessing compliance culture and understanding, including training and the implementation of the company’s compliance and quality management systems—recognizing that many significant supply chain issues can be identified and mitigated where front-line employees understand the risks and expectations and where the culture encourages them to speak up;
Ensuring testing and assessment of key supply chain controls, including integrating assessments—not just of risks, but of the compliance program and controls—in key internal efforts, such as compliance reviews and internal audits, and in reviews by external resources to ensure a fresh perspective and analysis against industry best practices and regulator expectations; and
Evaluating the integration and interactions between relevant areas within the company (e.g., operations, quality, legal, compliance, and audit) to ensure open and meaningful exchange among those charged with supply chain responsibilities on key topics including risk assessment, issue escalation, remediation, and the development and execution of holistic strategies for continued evolution of compliance efforts.
The current geopolitical environment and global pandemic raise significant challenges for companies across the life sciences sector as they look for strategies to secure and optimize their supply chains. In considering COVID-19 supply chain strategies, companies should undertake holistic compliance risk assessments to ensure their supply chains are not vulnerable to undetected risk or disjointed compliance strategies.