
Carpe Diem: A Holistic Strategy for Assessing Supply Chain Compliance Risk in a COVID-19 World

The current COVID-19 pandemic presents important supply chain issues for many life science companies. Product shortages in Personal Protective Equipment (“PPE”), the acceleration in manufacturing of potential therapeutic treatments and preventative vaccines, and new demands for using a remote workforce to support these efforts, all raise challenges for life sciences companies and emphasize the importance of a thoughtful approach and careful strategy for supply chain management and risk mitigation. Now more than ever, companies should assess their supply strategies, including refreshing compliance risk assessments, to ensure a holistic strategy for regulatory compliance in the COVID-19 world.

In addition to the unique challenges of the current global pandemic, companies have been confronted with a barrage of guidance—sometimes preliminary and occasionally reversed—from the U.S. Food and Drug Administration (“FDA”) and other regulators on managing manufacturing activities during a pandemic. FDA guidance has addressed the need for risk assessments related to product quality,[1] ramping up production in the wake of pandemic-related slowdowns or shutdowns in manufacturing,[2] and managing expectations regarding on-site regulatory inspections.[3] Although these guidance documents provide some—at times shifting—guidance from the FDA on COVID-19 concerns, they do not fundamentally alter the underlying supply chain risks that many companies face.

As if the pressures of a pandemic were not enough, supply chain strategies have been further complicated by the geopolitical environment, with uncertainty regarding import tariffs and the trade tensions between the U.S. and China, for example, and an Executive Order from the Trump administration seeking to bring drug manufacturing back to the U.S.[4] These efforts, still in their initial stages, build upon concerns raised previously about U.S. dependence on Asia for the production of Active Pharmaceutical Ingredients (“APIs”) and finished drug products as drug and device manufacturing has increasingly shifted to China and other countries in Asia as companies look to take advantage of lower production costs. This shift is under growing scrutiny from policy makers and others—further fueled by the current pandemic—in the wake of concerns about product quality[5] and supply chain stability.[6]

Of course, even without this public focus, many life sciences companies have experienced the reality that the actual cost of operating in foreign markets often proves higher than anticipated in light of regulatory and compliance challenges as the FDA and other regulators increasingly focus inspection and enforcement resources on foreign sites to account for the shift of manufacturing to these locations. As examples, the FDA has issued Warning Letters to scores of manufacturing sites in India and China focused on data integrity concerns, often entailing significant expense by manufacturers to analyze and implement appropriate corrective actions and controls. Moreover, regulatory risks are not limited to Good Manufacturing Practice (“GMP”) issues, and recent guidance and enforcement activity has not been limited to the FDA. By going global with manufacturing, companies open themselves to a host of additional risk areas such as corruption, trade / sanctions, data privacy and security, and human rights and sustainability, as they engage in the various activities involved in manufacturing, including: inspections, permitting, and licensure; import of materials and export of product; monitoring employment practices; and managing the community impact of manufacturing and waste disposal. For example, in two instances, U.S. Customs and Border Protection (“CBP”) issued Withhold Release Orders and seized medical gloves manufactured in Malaysia because of concerns they were created with forced labor. Although CBP revoked one Withhold Release Order at the height of the pandemic, CBP issued another over the summer against subsidiaries of a large PPE manufacturer.[7]

All of these activities come against the backdrop of continued enforcement focus and activity by the corruption enforcement arms of both the Department of Justice (“DOJ”) and Securities and Exchange Commission (“SEC”),[8] highlighting the need for companies to remain vigilant in combatting corruption—not just in commercial activities, but across global activities, including supply chain.[9] Echoing a similar framework put forward by the U.S. Department of Commerce on the trade / sanctions front,[10] the DOJ in its most recent compliance program guidance expressly emphasized the need to avoid fixed-time risk assessments and one-time third-party reviews, noting that companies must engage in ongoing risk assessment and continuous oversight of third-party relationships throughout their duration.[11]

The current geopolitical environment and global pandemic combine with the chorus of enforcement authorities and regulator guidance across risk areas and statutory regimes to send a clear warning: whether in the U.S. or around the world, manufacturers must have a holistic, dynamic strategy for identifying and mitigating the full risk profile presented by their supply chain. All too often, regulatory and compliance efforts are cabined by risk area and siloed within various internal departments and/or with a team of external resources focused on one particular risk area. This structure drives both inefficiency and business frustration as similar activities are assessed and overseen by multiple groups for differing purposes. Without anyone to look holistically at risk, these efforts often result in misallocation of resources and compliance efforts—or worse, leave a company vulnerable to unidentified risk. Consider instead an approach integrating all the relevant internal stakeholders—likely to include operations, quality, supply chain, legal, and compliance—supported by external resources as needed to identify and assess the full panoply of risk presented by the specific supply chain strategy. While these assessments, like all compliance efforts, must be tailored to the company’s particular supply-chain strategy for maximum efficacy, some considerations for success include:

  • Refreshing plans for redundant sourcing of key raw materials or intermediates and manufacturing of finished product;
  • Reviewing third-party manufacturing relationships, including:
    • Ensuring initial due diligence and contracting address the full slate of risks presented (e.g., quality, corruption, trade / sanctions, Environmental, Social, and Governance (“ESG”), money laundering);
    • Ensuring monitoring and oversight strategies are tailored to the particular relationships, cover each attendant risk area, and are accompanied by metrics and information providing visibility into the relationship and transparency into key or emerging risks;
    • Identifying and assessing holistic site activities (e.g., sourcing, licensure / permitting, labor, import / export) and related policies, procedures, guidance, training, and monitoring at both the corporate and site-specific levels;
    • Benchmarking and identifying best practices across the industry, the company, and the company’s third-party manufacturing partners as to how to address identified risks, particularly in the context of the current pandemic and, where appropriate, updating processes (and related guidance and training) to reflect these practices, as waiting until the pandemic passes may result in lost opportunities as other priorities arise;
    • Reviewing processes for escalating quality and compliance issues (e.g., Are reporting mechanisms available, functioning, and understood across sites? Are issues routed correctly, reaching the appropriate Subject Matter Experts (“SMEs”) and management levels in a timely manner? Are issues—regardless of subject matter area—consistently tracked, appropriately followed up on, and addressed? Are issues considered at a macro level to ensure appropriate root-cause assessment and related program and control enhancement?);
    • Assessing compliance culture and understanding, including training and the implementation of the company’s compliance and quality management systems—recognizing that many significant supply chain issues can be identified and mitigated where front-line employees understand the risks and expectations and where the culture encourages them to speak up;
    • Ensuring testing and assessment of key supply chain controls, including integrating assessments—not just of risks, but of the compliance program and controls—in key internal efforts, such as compliance reviews and internal audits, and in reviews by external resources to ensure a fresh perspective and analysis against industry best practices and regulator expectations; and
    • Evaluating the integration and interactions between relevant areas within the company (e.g., operations, quality, legal, compliance, and audit) to ensure open and meaningful exchange among those charged with supply chain responsibilities on key topics including risk assessment, issue escalation, remediation, and the development and execution of holistic strategies for continued evolution of compliance efforts.

The current geopolitical environment and global pandemic raise significant challenges for companies across the life sciences sector as they look for strategies to secure and optimize their supply chains. In considering COVID-19 supply chain strategies, companies should undertake holistic compliance risk assessments to ensure their supply chains are not vulnerable to undetected risk or disjointed compliance strategies.


1   FDA Guidance for Industry: Good Manufacturing Practice Considerations for Responding to COVID-19 Infection in Employees in Drug and Biological Products Manufacturing (June 2020).

2  FDA Guidance for Industry: Resuming Normal Drug and Biologics Manufacturing Operations During the COVID-19 Public Health Emergency (September 2020).

3  FDA Guidance for Industry: Manufacturing, Supply Chain, and Drug and Biological Product Inspections During COVID-19 Public Health Emergency Questions and Answers (August 2020).

4   Executive Order, Executive Order on Ensuring Essential Medicines, Medical Countermeasures, and Critical Inputs Are Made in the United States (Aug. 6, 2020).

5   See, e.g., FDA Guidance for Industry: Control of Nitrosamine Impurities in Human Drugs (September 2020).

6   See, e.g., Coronavirus Aid, Relief, and Economic Security Act (CARES Act), § 3101, P.L. 116-136, 134 Stat. 360 (requiring the Secretary of Health and Human Services to enter into an agreement with the National Academies of Sciences, Engineering, and Medicine to assess and evaluate the dependence of the United States, including the private commercial sector, States, and the Federal Government, on critical drugs and devices that are sourced or manufactured outside of the United States); Securing the U.S. Drug Supply Chain: Oversight of FDA’s Foreign Inspection Program, Testimony of Janet Woodcock, M.D., Director, FDA CDER, before the U.S. House Energy and Commerce Committee, Subcommittee on Oversight and Investigations (Dec. 10, 2019).

7   See U.S. Customs and Border Protection, Withhold Release Orders and Findings, https://www.cbp.gov/trade/programs-administration/forced-labor/withhold-release-orders-and-findings.

8   See, e.g., Andrew Ceresney, Dir., Div. of Enforcement, U.S. Sec. & Exch. Comm’n, Remarks at CBI’s Pharmaceutical Compliance Congress in Washington D.C. (Mar. 3, 2015), available at https://www.sec.gov/news/speech/2015-spch030315ajc.html (“[C]ompanies should perform risk assessments that take into account a host of factors . . . and then place controls in these risk areas. The pharmaceutical industry operates in virtually every country, including many high risk countries prone to corruption. The industry also comes into contact with customs officials and may need perishable medicines and other goods cleared through customs quickly. They may also come into contact with officials involved in licensing and inspections. These are just a few examples of risk factors that a risk assessment should be focused on in this particular sector.” Going on to warn that “the pharma industry is one on which [the SEC has] been particularly focused.”).

9   See, e.g., Criminal Div., U.S. Dep’t of Justice & Div. of Enforcement, U.S. Sec. & Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act (2d ed. 2020), https://www.justice.gov/criminal-fraud/file/1292051/download (“Effective compliance programs are tailored to the company’s specific business and to the risks associated with that business. They are dynamic and evolve as the business and the markets change. . . . One-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low-risk markets and transactions to the detriment of high-risk areas.”).

10   See Bureau of Industry & Security, U.S. Dep’t of Commerce, Export Compliance Guidelines: The Elements of an Effective Compliance Program (Jan. 2017), https://www.bis.doc.gov/index.php/documents/pdfs/1641-ecp/file.

11  See Criminal Div., U.S. Dep’t of Justice, Evaluation of Corporate Compliance Programs (June 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download. The DOJ guidance notes that in evaluating a company’s risk assessment process, prosecutors should ask the following questions: “Is the risk assessment current and subject to periodic review? Is the periodic review limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?” Id. at 3. In evaluating third party management, prosecutors consider whether the company “engage[s] in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process” and “should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.” Id. at 7–8. For a full analysis of the updated DOJ Guidance, see Paul Hastings Investigations & White Collar Defense Practice Group, “‘Lessons Learned’ by DOJ Provide Further Guidance on Developing a Dynamic Compliance Program” (June 4, 2020), https://www.paulhastings.com/publications-items/details/?id=4841756f-2334-6428-811c-ff00004cbded.

