Keeping the lights on

Beware the black swan: That was the warning from GlaxoSmithKline quality assurance and compliance manager Stephen Mitchell at a recent conference in London.

“We’ve got to refocus on areas of potential vulnerability in the supply chain,” he’s reported as saying. “If there’s a massive power failure or your IT goes down, what do you do? You need a plan B and even a plan C, which we don’t see often enough.”

Mitchell’s surely right about the need to look at supply chain weaknesses in the pharmaceuticals industry. Whether a power failure qualifies as a “black swan” is another question, though.

In author Nassim Taleb’s original use the term had in mind “highly improbable” events that have an extreme impact. Power cuts are, as many businesses and homes have recently discovered, all too common – whether as the result of flooding, storms or technical problems.

For the most part, the pharma industry is able to mitigate the impact of such cuts, so that they don’t interrupt the operation.

Power cuts do have the potential to seriously challenge the supply chain, however. First, as Mitchell pointed out, human error can rapidly undo resilience – and, as this tale makes clear, quickly make highly improbable events materialise. There are also a number of more recognisable black swan events, such as EMP attacks or geomagnetic storms, as well as ever-present threats such as terrorism.

For many parts of the world, however, fragile and unreliable power networks are not the results of black swans but business as usual. The challenge for businesses not directly affected is, most obviously, to have robust strategies in place to ensure they know which parts of their supply chain are in vulnerable regions and the strategies those suppliers have in place to ensure resilience.

But there is another element to robust continuity planning, too: looking ahead to potential future problems much closer to home, where we take reliable power for granted. As ever, the best way to keep the lights on is to make sure you’re not in the dark about the potential risks.

Find it, File it, Flog it: further thoughts.

Last week, we briefly mentioned Hedley Rees’s excellent new book Find It, File It, Flog It: Pharma’s Crippling Addiction and How to Cure it (well worth £14 of anyone’s money at Amazon).

The book quotes our own Catherine Geyman saying: “The (lack of) resilience of global pharmaceutical supply chain networks has been laid bare in recent years by the global drug shortage crisis.”

She is included as one of several “expert witnesses” in the book. Another is Professor Andrew Cox, Chairman of the Advisory Board & Vice President at the International Institute for Advanced Purchasing & Supply. He says this: “Unfortunately for the major Pharmaceutical companies that used to be the ‘channel captains’, who controlled the industry and all of its major supply chains through a judicious control internally of critical assets, there has been considerable evidence of very poor practice in outsourcing in recent years.”

This outsourcing has led to a significant decline in the visibility and control of the supply chains and is one of several problems identified in the book. Furthermore, while the focus is on big pharma, it makes clear that the problems with supply chains are not limited to the major companies.

In his introduction, Rees describes a visit to a small drug developer to try to persuade them to consider improving the supply chain: “As we progressed through the meeting, it became clear that he was explaining to me why what I offered was of no interest, because he was aiming to make an exit once proof of concept was achieved. The chance to exit would be almost entirely based on the clinical efficacy data. The supply chain thus created would be someone else’s problem.”

Whether it’s start-ups or the industry leaders, then, the supply chain is far too often seen as someone else’s problem. That leaves a lack of clarity around big questions such as where inventory is, its condition, its transportation, its storage and suppliers’ reliability.

Rees’s book is excellent at making clear many of the problems with the current model, and it is badly needed. Hopefully, though, some of its arguments are increasingly gaining traction. The point that the industry has focussed too much on new product development (the “find it, file it” part) at the expense of the supply chain, for instance, is one we’ve heard before.

There are some encouraging signs of action to address weaknesses, too. A recent survey of the wider healthcare industry in the US, for example, shows increasing numbers tackling risks in the supply chain such as security and compliance. However, in other respects there is still considerable work to do: only 60% of those surveyed, for example, think contingency planning is important – a majority, but not a very big one.

As the report notes: “Unplanned events have impacted healthcare supply chains in the last 3-5 years, but a large percentage of supply chain decision makers still do not consider the subject important.”

Changing such attitudes will take time, but it is vital. Rees’s book is a most welcome contribution to that effort.

Disrupting Big and Mid Pharma: Pharma’s Crippling Addiction and How to Cure it

Challenging Big and Mid Pharma Industry paradigms

A superb new book: Find It, File It, Flog It: Pharma’s Crippling Addiction and How to Cure it, includes expert witness from Catherine Geyman of Intersys.

Hedley Rees issues his challenge to the Drug Industry paradigms and orthodoxies, calling for a wholesale and radical reappraisal of an arguably outdated and inefficient Research and Development Value Chain and Supply Chain model.

This necessarily irreverent, but highly insightful, new book from the highly respected Rees, aims to disrupt and transform a model which has remained essentially unchanged since the 1950s.

Shifting sands

The Paris attacks have been another harsh reminder that the risks the world faces are increasingly global. Being in the West does not make us immune to the threat of ISIS.

Unlike terrorism, however, natural disasters are often assumed to be more predictable; if we don’t know when, we can often make good guesses at what and where they might strike. Risk modelling for the likes of hurricanes, floods and – perhaps most all – earthquakes is predicated on that. Nevertheless, it is vital to regularly review supply chain exposures, and keep in mind the uncertainties that should prompt us to be prepared for the unexpected.

This has been a key lesson from previous catastrophes. The Japanese earthquake of 2011 was a good example: the place was not a surprising, but the magnitude – 9.0 on the Richter scale – was far stronger than anything thought possible at the time. And, of course, the impacts were felt worldwide, with US automotive supply chains, for example, suffering impacts comparable to some in Japan.

The US itself is not immune from the danger of direct shocks either. The risk from the San Andreas fault is so well known it has had its own summer blockbuster. In reality, any quake there is unlikely to live up to Hollywood’s imagination, but the devastation that follows, from fires to floods could be significant. Moreover, once activity starts, it could continue for years.

In fact, San Andreas is not necessarily the biggest geological threat the US faces; near it is the Cascadia subduction zone, much less well known but with the potential to produce a quake and tsunami that could kill nearly thirteen thousand people and displace one million, according to the US Federal Emergency Management Agency (FEMA). The 1980 eruption of St Helens, meanwhile, was a reminder of a volcanic risk where understanding is still developing both in relation to St Helens, and Yellow Stone National Park.

The point is that businesses cannot afford to look to their supply chain resilience purely in the light of historic disasters. Resilience is only possible by assuming the worst could happen, and that you probably haven’t yet thought of what the worst actually is.

Supply chain slavery battle sees a regulatory push

Labour is riding up the supply chain agenda. On October 29 requirements under the Modern Slavery Act came into force obliging companies to make an annual statement on their policies for excluding slavery from their own organization and their supply chains. The government has also published guidance on how to adhere to the new regime.

The requirements only affect those with a turnover of more than £36 million (although that includes worldwide revenues), and those with financial years ending after 30 March 2016. That will give most organisations time to get to grips with the regulations. Many will need it.

In reality, if ensuring labour abuses in the supply chain were simple, legislation would scarcely be necessary. For the vast majority of companies, the reputational risks, if not the moral imperative, should be enough to focus attention on the issue. From the supermarket giants to technology leaders the potential for adverse publicity has been well demonstrated.

In fact, obligations to screen international as well as domestic sources under the Act were in part a result of pressure from big businesses for a level playing field for those already taking responsibilities seriously. As the Parliamentary joint committee examining the proposed law noted: “IKEA told us that ethical supply chains were ‘absolutely’ more profitable, Tesco said that a good reputation ‘more than pays for itself’ in the long run, and Marks & Spencer told us that trust was ‘a key part of [their] competitive advantage’.”

So, why is legislation necessary? Well, we have to admit that there obviously are some unscrupulous businesses, even if they are small minority. Two other reasons are probably more relevant, though.

First, many businesses don’t think it’s a problem for them. Inevitably, much of the attention around modern slavery has focused on retailers and consumer goods companies; they’re among the best known household names, with the biggest reputations at stake.

It’s a misconception that other sectors aren’t at risk, however, and it’s good to see this appreciated by the likes of the PSCI (the Pharmaceutical Supply Chain Initiative). It included a discussion of modern slavery in its agenda for its annual AGM this month.

The other reason legislation is necessary, of course, is that it is complex. The commitment required from companies in terms of time, money and technology to drill down and have confidence and visibility of each layer of the supply chain is significant. The regulation tells us that it is exactly what is expected, however.

As the Home secretary Theresa May writes in the foreword to the government guidance: “It is simply not acceptable for any organisation to say, in the 21st century, that they did not know. It is not acceptable for organisations to ignore the issue because it is difficult or complex.”

There will, in other words, be no more excuses.

SCAIR Secure SAAS (Software As A Service) Cloud Hosting

SCAIR (Supply Chain Analysis of Interruption Risks) is available as a Cloud Hosted  Software As A Service model.

You can expect your Supply Chain Risk Management provider to take data security seriously and we work hard to ensure that sensitive data is treated with care and respect.

We use Tier 1 Enterprise hosting, which complies with stringent security standards, as well as providing excellent service quality SLAs (Service Level Agreements) to ensure great resilience of our service to you.

Our preferred Cloud Services Enterprise hosting:

  • is committed to annual certification against the ISO/IEC 27001:2005, a broad international information security standard.
  • has been audited against the Service Organization Control (SOC) reporting framework for both SOC 1 Type 2 and SOC 2 Type 2.
  • has been audited against the Cloud Controls Matrix (CCM) established by the Cloud Security Alliance (CSA).
  • has been granted a Provisional Authorities to Operate (P-ATO) from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB).
Risk Management Perspectives Part 3: enterprise wide information gathering and supply chain tools

The final installment to a Q&A series, generated following a prominent Risk Management publication’s request for industry expert opinion.

q. “What tools can companies use to manage their supply chains and ensure they have up-to-date information on their whole extended enterprise?”

a.”For a multi-national organisation, the risk management of thousands of suppliers is not practical unless a prioritisation method is applied. This method should not be based purely on volume of spend; a more robust approach to SCRM is needed which should include quantification of financial exposure to all critical supply points (both internal and external, and 1st tier and Xth tier suppliers).

Having built up a detailed picture of critical supply points, and taken steps to reduce key exposures, the final step is to monitor the status of those locations. In a recent KPMG report entitled ‘Enhancing supply chain networks for efficiency and innovation’ only 9% of the respondents said they could assess the impact of disruptions within a matter of hours. The 9% have a competitive advantage by being able to respond quickly to failures in their supply chain. In our data rich world, there are many information feeds ranging from natural hazard alerts to financial monitoring, which can help supply chain managers to stay on top of the status of critical supply points.”

Risk Management Perspectives Part 2: challenges and Risk Management in global supply chains

The second part of a series in which Catherine Geyman, of Intersys Risk, answers questions posed by a prominent Risk Management publication.

q.”What are the challenges to managing the risks a modern, global supply chain presents? Can you give any examples specific to your own experience?”

a.”Two of the biggest challenges for global companies with complex supply chains are i) lack of visibility of the actual manufacturing source (particularly in Tier 2, or 3 suppliers) ii) the ability to prioritise and focus on managing the most critical supply chain exposures based on value at risk; this is a particular challenge for complex multi-nationals with thousands of key suppliers.

Examples:
i) Lack of visibility of the End to End supply chain. When a fatal explosion occurred in a German manufacturing plant in 2012, the automotive industry felt secure that it had alternative sources of nylon-12, but it was unprepared for the loss of a precursor to nylon-12, cyclododecatriene (CDT) made at the same plant. The whole industry was dependent on CDT production from that plant and its impairment caused a shortage of nylon-12 which continued for months.

ii) A large pharmaceutical manufacturer sourced a particular grade of lubricant (used in tablet formulation of a wide range of its key products) from a sole source. As it was an inexpensive material, bought in relatively small quantities, it was not a management priority for Procurement. However, when the value at risk on this supplier was analysed it was realised that a major problem there would result in significant supply interruption across a range of products. In this instance, the solution was straightforward – a relatively small investment in a manageable volume of safety stock would mitigate the majority of the exposure.”

Risk Management Perspectives Part 1: are we learning from recent Supply Chain experiences?

Catherine Geyman, of Intersys Risk, was asked by a prominent Risk Management publication to give her opinion on a number of topical issues. The publication summarised and, for clarity, her full answers are shown below.

q: Have lessons been learned from the issues emanating from the Thai floods and the horsemeat scandal?

a: “Certainly the horsemeat scandal has put a greater emphasis on understanding the true source of a material. A common problem across both the Food and Life Science industries is in pinpointing where a material is actually made when so many are sourced through agents and distributors. A similar provenance problem was experienced by the pharma industry in 2008 when the heparin scandal broke and it became obvious that a number of significant western manufacturers had no idea of the origin of the starting material – pigs intestines harvested in tiny, unregulated workshops across China. That particular issue put pressure on western regulators to increase their presence overseas and since then the US Food & Drug Administration has opened more centres in overseas locations which in turn have resulted in a greater number of inspections of foreign facilities and an increase in regulatory actions preventing non complying drugs and foodstuffs from entering the US.

From an internal controls point of view, the pressure to extend auditing activities further back up the supply chain has increased and the auditor’s skill set has been redesigned in an attempt to better detect fraudulent supply chain activities. There has also been a push in the food sector to simplify the most complex supply chains and to exploit more opportunity to source locally. The Food industry is not alone in reassessing its ability to reverse some of the outsourcing activities of the last decades, the pharma industry too is also seeking more manufacturing opportunities at home, with projects such as REMEDIES co-funded by the UK government and industry partners to redesign the UK pharma supply chain.”

The cyber supply chain risk

In a digital world, cyber risks are an increasing concern for businesses – as our colleagues within the InterSys technical group are well aware. This deals with the findings of the government’s Information Security Breaches Survey 2015, which shows both the prevalence and impact of cyber breaches. There’s a lot more businesses can be doing, they note.

There are obvious implications for the supply chain, too. As research by Standard Chartered (picked up by the FT) highlighted, technology has transformed the global supply chain, bringing massive benefits. Radio-frequency identification (RFID) technology and the Internet of things, for example, have made it much easier to track and monitor orders and shipments through the supply chain. Similarly, technology facilitates much greater coordination between businesses.

“Supplier companies can be completely integrated in managing the supply chain. Instead of an ordering department sending orders to suppliers, everybody can be linked directly to inventory management systems,” the report states.

While the benefits of that are obvious, so too are the risks. Increased connectivity, if not properly handled, brings the potential for increased vulnerabilities. Moreover, the reliance on technology exacerbates the potential problems in cases where a breach does occur (one reason, possibly, why the government survey shows the average cost of security breaches soaring).

The other, and related, point is that a company cannot afford to look just at its own cyber security. As delegates heard at the Infosecurity Europe event where the Security Breaches survey was launched, businesses need to work not just on their own procedures and practices, but also with their suppliers.

Experts are urging businesses to work with suppliers to raise the level of their “cyber hygiene” – encouraging them to follow principals such as those laid out by the government’s the Cyber Essential Scheme. The view is based on a number of cases where attackers have targeted suppliers to circumvent big firms’ security.

“Try to be an intelligent customer,” Jon Townsend, head of cyber intelligence and response at the UK’s Department for Work and Pension (DWP), advised the audience. “And if you think suppliers are not meeting your information security requirements, instead of beating them up with the contract, work with them to put it right.”

That’s good advice. As a first step, though, businesses need to have visibility of the supply chain to identify where the potential vulnerabilities are, and identify who has what information. Fortunately, that’s an area where technology can help as well, with the growing market for supply chain management software.