Mitigating Risk to Secure the Drug Supply Chain

Published on: 
Pharmaceutical Technology, Pharmaceutical Technology-12-02-2019, Volume 43, Issue 12
Pages: 16-19

Communications and planning are crucial to recovering from supply, operations, and facility disruptions.

As the pharmaceutical supply chain becomes more complex, potential vulnerabilities are increasing. Adding to the challenge are random and unpredictable supply disruptions caused by acts of violence, fires, floods, or natural disasters. Survival depends on understanding and collaborating with suppliers, customers, and insurance companies to manage risk, and ensuring that effective emergency response plans are in place. 

Without the right approach, the economic losses from inability to operate, product contamination, or loss of income can be devastating, says Frank Russo, founder and principal of Procor Solutions LLC, a risk management and claims consultancy. Manufacturers that have been slow to develop strategies may soon get a push from regulators. FDA has proposed requiring drug companies to conduct periodic risk assessments to identify and mitigate supply chain vulnerabilities (1).

This legislative proposal is in President Trump’s fiscal year 2020 budget, which notes that many companies do not have such plans in place and are thus at risk for lengthy drug supply disruptions, especially after hurricanes or other natural disasters. Based on results of the assessment, some companies would be required to have risk-mitigation plans, such as having redundant manufacturing capacity in place. FDA would use a risk-based approach to determine which companies would have to do this. The agency plans to apply these requirements to drugs that are considered “life-supporting, life-sustaining, or intended for use in the prevention or treatment of a debilitating disease or condition, including any such drug used in emergency medical care or during surgery” (2). They would apply to drugs that have been on the FDA drug shortage list within the past five years, or that meet one or more criteria that FDA has determined will increase the risk of shortage. 

Some smaller companies may not have business continuity or crisis response plans in place. Overall, however, pharmaceutical companies are quite sophisticated about risk management when compared to companies in other industries, says Russo. 

Natural disasters a key threat

Russo sees natural disasters, which have stepped up in frequency and severity over the past 15 years, as the industry’s top business continuity threat today. Other problems are more frequent upstream outages that occur when key suppliers cannot ship APIs or other materials that are required to make the drug. Often, these glitches occur because of quality and compliance problems (e.g., when regulators place a supplier’s facility on import ban) or result from accidents or other problems at supplier plants. “Given pharma’s complex and increasingly efficient just-in-time supply chains, these scenarios can be a recipe for disaster,” says Russo. “A minor calamity at a supplier’s location can have a significant impact, interrupting production and revenues for extended periods upstream, ultimately reaching the retail pharmacy level,” he says. Although the severity of each loss depends on the companies and products involved, each blip can cost in the tens of millions of dollars if it goes on for too long without mitigation options, he says.

Ransomware and IT

Cyberattacks and computer hacks are also a factor. Ransomware can make discussions with insurance companies difficult, says Russo, because these programs are often installed well before they are detected, so it can be hard to pinpoint when the company’s financial loss actually began, he says.

New pharmaceutical products also challenge manufacturers to quantify losses once a supply disruption occurs. “Without a history of revenues from that drug, companies may struggle to demonstrate lost income to insurers,” he says. Therefore, they must document everything, have clear projections of product revenue from the start, and share that information with insurers, Russo suggests. “Companies need to accurately and adequately convey what the loss was, one component at a time,” he says. 

In order to ensure cash flow, Russo recommends that companies maintain steady communication with their insurers. Instead of waiting to have the claim paid in full, it is better to request payment in installments, he says. 

A growing number of websites, applications, and other platforms are available to help companies better respond to crises and to sharpen their resiliency and business continuity efforts. One example that Russo cites is In Case of Crisis, a mobile application that helps team members communicate, share standard operating procedures (SOPs) and checklists, and file incident reports. 

Investing in risk mitigating technology will help speed recovery. Not only can it prevent damage to company assets, it can also reduce insurance costs, says Russo, as a growing number of insurers take a more holistic approach that considers the total cost of risk. Some insurers now offer discounts and other benefits to companies that invest in preventive technologies, for example Internet of Things water sensors that collect real-time data on plant equipment. “This kind of approach is becoming more common,” says Russo. 

In 2017, Hurricane Maria provided the ultimate test of pharmaceutical company emergency response and business continuity programs, as companies with production facilities in Puerto Rico, including Amgen, Johnson & Johnson (J&J), AbbVie, and Eli Lilly faced flooding and loss of power and communication systems. Most of the island was without power for months, with some areas enduring blackout conditions for almost one year; in some cases, companies were not able to locate employees for several weeks. Pharmaceutical manufacturers in Puerto Rico were equipped with diesel power generators but many struggled with communication and network connectivity. 

Speeding data and IT system recovery after a major disaster demands careful planning and documentation well in advance, says IT consultant Orlando Lopez. Not only should all possible failures and risk scenarios be determined and written down, but their impacts should be carefully assessed and staff mobilized, he says. In addition, he says, alternative systems should be made available, and teams should be dedicated to handling corrective actions, troubleshooting, error diagnostics, and preventive actions.

“Procedures to be followed in case of failures and outages should be carefully described and documented, as should the system rebooting process after bugs have been fixed,” says Lopez. The same goes for maintaining data that were first entered using alternative means (e.g., cell phones or paper) and later entered into computerized systems. Lopez notes that the National Institute of Standards and Technology’s (NIST’s) Contingency Planning Guide for Federal Information Systems can be very helpful in these efforts. One lesson that emerged from the hurricane was the importance of testing the procedural controls used to restore computer systems after the storm struck, says Lopez, who notes the need to avoid a single point of failure by having diverse sites for recovering basic IT and communication functionalities.


In the end, companies continued to operate after a devastating storm. What may have enabled productivity was the fact that companies supported their staffers, some of whose homes had been damaged or destroyed or who had lost loved ones. This driving force, which risk-management and business continuity consultant Steve Goldman calls “the duty of care,” may ultimately be the key to business continuity. “At Amgen, one of our priorities is to prepare all our staff so they can manage a crisis event, not only from a business-continuity perspective but from a personal one,” says Arleen Paulino, the company’s senior vice president of manufacturing. “Following Hurricane Maria, we mobilized resources to support our staff with pay continuity, access to food, water, showers,  laundry service, as well as gas and generators. Their safety and well-being were our priority,” she says. 

After Hurricane Maria, Amgen was able to maintain supply of products to patients without any misses or shortages. Paulino attributes this fact to a robust business resilience strategy that leverages investments that the company has made, not only in staff training and support, but in infrastructure, technology, inventory, diversification, and business continuity. Well before the storm hit, Amgen had already upgraded its sites on Puerto Rico so that they could withstand the force of a Category 5 hurricane. In addition, she says, staff had been trained and [crisis response] tools had been continuously tested to ensure that plans would work as expected. 

Inventory strategy was also crucial, Paulino says, and safety stocks helped ensure sufficient product supply, while back-up manufacturing locations relieved pressure, aiding recovery. A mindset of continuous improvement is essential for any business continuity strategy to work, says Paulino. “At Amgen, business continuity plans are tested constantly, across the company,” she says, noting that internal critique sessions are crucial. “They help us better understand potential disaster scenarios in the future, to learn how we can be more effective,” Paulino notes.



Avoiding complacency 

When operations are running normally, it can be easy for companies to become complacent about keeping records updated, even documents as basic as organizational charts. At one customer facility, Goldman found that organizational contact lists included the names of people who had left the company or died. 

Another missing link for some manufacturers is any deep knowledge of their suppliers, and little regular communication with them. The automotive industry is a model for doing this right, says Russo, and proactive companies such as J&J and Amgen have adopted supply chain mapping, a tool first used in other industries, for pharmaceutical manufacturing operations. 

Amgen began to explore the approach in 2011 after the tsunami in Japan, and began mapping its supply chain in 2013, running a small pilot with close suppliers. Efforts have paid off so far, and by 2018, the company reported having visibility into all tier 1 suppliers and a large percentage of tier 2 suppliers. It can even get down to tier 3 suppliers in some cases (3). 

At the highest level, management and customer expectations will drive emergency response plan development, and each must be thoroughly documented, said Aaron Duff, global director of EHS process excellence and standardization at J&J, in a webcast hosted by Pharmaceutical Supply Chain Initiative (PSCI) in June 2019 (4). There must be alignment and agreement between the two if efforts are to succeed, he said. 

On the ground, however, all utilities must be evaluated, including wastewater and fire wastewater operations, as well as electric power outage preparedness. One important detail with floods is determining in which direction the storm water will run, he said.

Both engineering controls (e.g., fire or water-level emergency alarms) and administrative controls (e.g., staffing, and who has specific training) must be examined, Duff said in the webcast. Another crucial step is to communicate and develop a relationship with local emergency response organizations. “They should be involved in drills and training exercises. You don’t want to be meeting them for the first time when an emergency occurs,” he said. 

Identifying high risk operations is then key, and examining any gaps between existing control measures and what will be needed to keep the facility safe. The next step is developing a risk matrix to define the severity and likelihood of the emergency occurring and designating a cross-functional crisis-management team of at least three people. The team will need an incident commander, and training and drills should be scheduled at least once or twice a year, involving site management and staff as well as emergency responders and even government responders. Drills should be challenging, and engage employees to imagine emergency conditions if they are to be effective, says Goldman.

Communications and silo-busting 

A formal written policy must also be established for communicating with the public, says Goldman, in particular, a social media strategy geared to mobile phone users. He suggests that companies dedicate a website, and have several Facebook pages, a Twitter, and a LinkedIn account ready to go and that a dedicated team monitor and respond to comments on social media as the event unfolds, to avoid the propogation of “fake news” and rumors.

Business continuity is becoming more prominent as a field, with a number of companies staffing at the vice-president level, says Goldman. It may build upon emergency response, but can be weakened by a disconnect between enterprise-level risk management and site-level efforts. At some companies, silos may separate business continuity from enterprise risk management (ERM) teams, even though both involve the same stakeholders and both focus on risk.  

Experts note the need for a common language and for synchronizing efforts (5). Ideally, they say, data from business continuity exercises should be used to improve ERM activities, while key risks that have been identified by ERM teams should be used to frame business continuity exercises. Operations and business continuity teams should also work more closely together, says Goldman, but senior management support is essential. “Risk is not a crisis response, it’s a probability of something happening, and once a disaster hits, it’s 100%. In the end, it’s not what got you into the crisis but how you deal with it that counts,” he says.


1. FDA, Fiscal Year 2020, Justification of Estimates for Appropriations Committees,,,
2. FDA, “Drug Shortages: Root Causes and Potential Solutions,”, p. 76,
3. “How Amgen Manages Supply Chain Risk,” Video,, March 15, 2019.
4.   A. Duff, Emergency Preparedness and Response, Webcast, Pharmaceutical Supply Chain Initiative, June 27, 2019.
5. “ Are Your Business Continuity and ERM Teams Collaborating?” Podcast, The Continuity Forecast, April 23, 2019.

Article Details

Pharmaceutical Technology
Vol. 43, No. 12
December 2019
Pages: 16-19


When referring to this article, please cite it as A. Shanley, "Mitigating Risk to Secure the Drug Supply Chain," Pharmceutial Technology 43(12), 2019.