A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,

Medical Device and Allied Industries

Part 2 - Risk Management Toolbox

Under development

Description Page

2.1/2.2 Introduction to the Toolbox

2.3 Risk Identification Tools

2.4 Risk Analysis Tools

2.5 Risk Evaluation Tools

2.6 Risk Reduction Tools

2.7 Risk Acceptance Tools

2.8 Risk Communication Tools

2.9 Risk Review Tools

Page 1 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

2.1/2.2 Introduction to the Toolbox

These tools have been used in a variety of industries successfully and are proven effective
methods. They comprise mainly of simple tools commonly used to gather / organise data,
structure, project manage and facilitate decision making. Some tools in, 6-sigma and right
first time are similar but here are applied in different ways. They are useful in the overall Risk
Management process whether the intention is the application of simple or more advanced
analysis tools.
The drivers for which tool to use when is dependent on:
• Scope
• Experience of the user
• The level of Risk or Hazard identified
• Availability of appropriate data
• Time
Some tools are very effective in all areas of Risk Management and some are better employed
for specific areas. This toolbox provides guidance in use and some examples where
appropriate.

There will be other tools / methodologies not mentioned in this guide which may be
appropriate to use and new techniques will always be developed. Care must be exercised as
some tools appear suitable but are designed for retrospective analysis (Root Cause Analysis),
whilst Risk Management tools are intended to be prospective tools to determine the potential
future consequences.

Page 2 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

2.3 Risk Identification Tools

This section describes some of the tools that are useful for identifying potential risks at the
Risk Identification stage of the Risk Management process.

• Brainstorming
• What If? & SWIFT (Structured what If checklisT)
• Mind Mapping
• Checksheets
• Flowcharting
• Process Mapping
• Value Stream Mapping
• Cause and Effect/Fishbone Diagrams
• HEA ((Human Error Analysis)

Brainstorming
Brainstorming is often referred to as a creative technique and aims to achieve quality through
quantity. The technique is usually utilised where you have a group of people trying to find a
solution to a problem. It provides a means of capturing a wide spectrum of ideas from all
stakeholders in an open and encouraging atmosphere. The method is simple, requires little in
terms of resources but there are a number of simple rules that should be followed to gain the
most value from this technique:
• Appoint a facilitator – it is beneficial to assign one individual as a facilitator to ensure
that all participants’ voices are heard.
• Encourage a focus on quantity – aim to ensure that a large number of ideas are
generated in relation to solving the risk problem - the more potential risks identified
the more comprehensive subsequent analysis and evaluation will be.
• No discouragement / no criticism – all ideas no matter how unusual should get a fair
hearing. It also encourages participation of all stakeholders and prevents areas or
items being overlooked.
• Combine and Improve – as the list of ideas increases, it is prudent to review the ideas
being put forward and group those that are identical or similar under a single heading.
The environment and atmosphere in which brainstorming is conducted can be very important,
and should wherever possible be removed from external distractions. A means of capturing
ideas is important e.g. using a whiteboard or flipcharts or other means. The method for
recording ideas generated during the brainstorming session should be set out for everyone to
understand.
The facilitator should open the session with a clear description of the subject to be
brainstormed e.g., “this session is focused on identifying risks with repacking sodium chloride
before distribution to our customers.”
Often people find it beneficial to make use of colour or symbols or other distinguishing means
to collate ideas into subgroups e.g., all risks identified with machinery in black ink, all risks
associated with raw materials in red ink etc.
The final output of the exercise should be a list of ideas as to what risks can occur. These can
then be subjected to the subsequent steps of the risk management process.

What If?

What if? is a technique commonly used in Engineering to determine hazards associated with
a facility, equipment or a process. It is easily adopted as a risk identification tool. What if? is
similar to brainstorming. The process under review is broken down into sub-processes and a
series of questions is brainstormed by asking what if there is a failure in the sub-process or

Page 3 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

what if there is a failure in the operation of the sub-process? The answers to the questions will
highlight if a potential hazard exists.
For example a process may contain the sub-processes of equipment, people, materials etc.
What if questions for Equipment sub-process would be;
What if the agitator fails? Æ product does not meet specification => hazard
What if the seals leak? Æ product becomes contaminated => hazard
What if the valve is left open? Æ product is lost => hazard

Mind Mapping
Mindmaps are diagrammatic representations of ideas arranged radially around a central idea
or theme. They have been used as study aids, problem solving and decision making tools.
Mindmaps can be constructed manually by hand-drawing or electronically using freely
available software packages. This tool promotes the brainstorming / idea generation sub
processes by way of its structure leading to the capture of large volumes of information in a
concise visual representation.
To construct a mind map a central idea is placed in the centre. Branches are drawn from the
central theme or concept radially. Each branch represents a single sub idea of the main idea.
On each of these branches are drawn sub branches, each one drilling down further into the
idea represented by the main branch. Experts promote the use of colour for different branch
trees as well as graphics to aid the conceptualisation process in the brain. It is also
recommended that the least number of words is used to describe each idea or branch in the
diagram.

Page 4 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

Check-sheets

Check-sheets are tools that allow collection of information from a process in a systematic,
organised way in real time at the location where data is generated. Check-sheets are
commonly used and the data collected on check-sheets is easily used as an input to other
tools. Date can be collected quantitatively e.g. counts or qualitatively e.g. attributes like yes /
no or go / no go type data. There are 4 main types of check-sheets commonly used. These
are:
• Item Check-sheets – used to identify what type of risks are occurring in the process
e.g. the check-sheet will have a list of potential problems and provision to count
occurrences or frequency
• Location Check-sheets – used to identify potential areas or location in the process
where risk occurs. E.g. the check-sheet may be a diagrammatic flowchart of the sale
and distribution of a product that illustrates the main processing steps involved. A
mark is placed on the location where the problem occurs most often giving data on
counts / frequency.
• Defect Check-sheets – used to try and identify causes of risk e.g. may be used to
identify the potential causes associated with mislabelling of products and provides
means of recording data about the operators, labelling machines, batch code printers
etc.
• Checklist Check-sheets – used to identify risk by checking if procedures are followed
e.g. check-sheet will have a list of tasks that need to be performed or risk to be
mitigated.

Page 5 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

Flowcharting

Flowcharting is the process of charting a process / information by representing the individual

steps as boxes and displaying the order of occurrence by connecting each box with an arrow
showing the direction of process / information flow. It is through process understanding that
flowcharts can be used to aid risk identification in identifying potential issues, defects,
bottlenecks, restrictions. Flowcharting of processes is often more commonly known as
process mapping.
Process Mapping
A process map is a diagrammatic representation of a process that utilises geometric shapes
representing actions or stages interconnected by flow-lines. Over the years various
conventions have been adopted by various organisations on the shapes and symbols to be
used for representing steps such as start and end points of the process, individual actions,
decision steps and documentation steps. It is not necessary to adopt any of these
conventions.
Process mapping enables interactions and flow of materials, people and services to be
visualised and is useful tool to map supply chains. It helps prevent oversights and omissions
in considering potential sources of risk.
Diagram x shows a typical process map
Insert Example Diagram
Process maps can help further identify risk when they are stratified into lanes. For example
each lane can be a unit of a business or an organisation’s structure which has defined
responsibilities for the steps / stages of the process falling into that lane. This helps identify
risks associated with cross-functions in organisations e.g. risk associated with communication
between departments, risk associated with inter-dependency of business units. Diagram Y
illustrates a process map showing lanes.
Insert Example Diagram
The final output of the exercise should be full diagrammatic representation of the process that
provides process understanding and a means to identify where risks can occur in that
mechanism. The risks identified can then be subjected to the subsequent steps of the risk
management process.
Value Stream Mapping
This is an allied tool to flowcharting and process mapping which is the process of mapping the
information and raw material flows involved with producing a deliverable for the customer.
The steps to value stream mapping are typically
• Identify the system to be mapped – in terms of identifying risk this will be the focus
subject of the risk management process.
• Map the current state of the process i.e. what is the process now
• Capture and eliminate risks in the current process i.e. identify the risks associated
with the current process and eliminate them from it.
• Draw the future process state – map the desired future process – in applying this
tool to the risk management process this may involve performing the risk analysis
and risk evaluation stages of the process first.
• Implement the desired future process by mitigating or eliminating the identified risks
– in applying this tool to the risk management process this may involve performing
the risk reduction and risk acceptance stages of the process first.
Insert example diagram

Page 6 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

Cause and Effect/Fishbone Diagrams

Fishbone Diagrams (also known as cause and effect diagrams or Ishikawa diagrams) are
primarily used to identify causes associated with an event, but are easily adopted to identify
potential risks associated with an event. Diagram Z illustrates a typical fishbone diagram.
Insert Example Diagram
The diagram is constructed with a box on the right hand side (the head of the fish). This box
contains the subject under examination. The spine of the fish has a number of main bones
coming off it. Each one represents a subject category. These can be tailored to specific
needs but some commonly used categories are the 6M’s, 8P’s or 4S’s
6M’s = Materials, Man (People), Machinery (Equipment), Method (Procedures), Maintenance
(Management), Mother Nature (Environment)
8P’s = Price, Promotion, People, Processes, Place/Plant, Policies, Procedures, Product
4S’s = Surroundings, Suppliers, Systems and Skills
Finer bones come off each category bone to list potential risks associated with for example
materials. Often the more populated the bone is the more influential that category is to overall
risk. This technique is very powerful when used in conjunction other tools such as
brainstorming and Pareto analysis,
The final output of the exercise should be a list of ideas as to what risks can occur. These can
then be subjected to the subsequent steps of the risk management process.

Page 7 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

2.4 – General Risk Analysis & Assessment Tools

These tools require input whether hard data from statistical analysis or soft data from more
subjective analysis
The Tools in this section range from Simple Æ Complex Æ Advanced

2.4.1 Statistical tools

• Control Charts
• Pareto Charts
• Process Capability

Description: Enable effective data assessment and aid in determining the significance of the
data set(s).

Basic Analysis tools

The following two methods are simple methods to analyse risks
Risk Ranking and Filtering Description: Under construction
A method to compare and rank hazards/risks, typically involving evaluation of multiple diverse
quantitative and qualitative factors for each hazard / risk, weighting factors and risk scores.
Example:
Prioritizing sites for audit / assessment or comparing suppliers based on cause and effect.
Useful for situations when the hazards / risks and underlying consequences are diverse and
difficult to compare using a single tool.

Potential Risks Risk Analysis Risk Evaluation

(Risk Identification) Probability Severity Score
Risk 1 Low (1) High (3) Low (3)
Risk 2 Med (2) Low (1) Low (2)
Risk 3 Med (2) Med (2) Med (4)
Risk 4 Med (2) High (3) High (6)
Risk 5 Low (1) Low (1) Low (1)
Risk 6 High (3) High (3) High (9)
Risk 7 Low (1) Low (1) Low (1)

Page 8 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

A Practical example of its use in Supply chain management for a manufacturer is given below
A set of key parameters is determined where the probability of an event based on a history or
event occurs in a quality metric and is measured against the likely severity if a failure or event
occurs. For the purposes of having a simple measure to high- medium and Low, the Medium
Risk defined as between High and Low Risk. Note that lack of adequate measurement
defaults to higher risk. No Measurement or new Supplier defaults to highest risk element.
Risk*
Risk Element High Medium Low Weight Score
cGMP > Significant quantity and/or severity of > Few or no regulatory 3
Compliance regulatory observations observations
History > Adverse Regulatory Status (e.g., FDA > Few Findings
Consent Decree, Severe or multiple > CAPA on target per schedule
Warning Letters, Official Action > Audit closed on time
Indicated)
> An Area of Special Concern
> Several Major Findings
> Past Due CAPA items
Quality System > High number of deviations per batch > Few to no deviations/significant
Processes > Significant deviations deviations
> Multiple events requiring a major > No market related events 2
quality review > Few to no reworks or
> Product recall and/or market actions reprocessing
> Significant reprocessing of
manufacturing step indicating a
Probability of event

requirement to change process step

Complaints > Customer complaints as a result of > Few or no complaints justifiable 2
significant failure of manufacturing based on failure of manufacturing
controls and associated quality systems controls and associated quality
system
Investigations > Not thorough or poorly written, > High quality investigations that 2
> No or greatly inadequate root cause are RFT,
analysis > Root cause analysis clear and
> Not completed in a timely manner effective
> Scope is not adequately defined > Well documented and written
> The number, type & frequency of > Prompt response and timely
deviations suggest systemic cGMP completion
and/or quality issues > Appropriate number of
> CAPA’s are not identified, are not investigations
effective or are well overdue > CAPA’s are identified,
implemented in a timely manner
and are effective
Change > Changes are not communicated > Changes are communicated in 3
Management > Change control documentation is a proactive manner with complete
routinely incomplete and/or inaccurate and accurate documentation
> Changes implemented without X > Changes are implemented in a
approval timely manner after the
> Significant gaps with regulatory appropriate regulatory approval
file/license due to contractor > No gaps with regulatory
file/license

Page 9 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

Risk*
Risk Element High Medium Low Weight Score
Quality/ > Supplier is not willing to accept X > Supplier is in compliance with 2
Technical terms in the quality agreement all the significant requirements of
> Significant deviation(s) from the the quality agreement
Agreement quality agreement
> No Quality Agreement or Quality
Agreement not effective
Technical > Older facility with Poorly operating > Newer facility with 1
Capabilities equipment contemporary technology and
> None or significance Non adherence automation
to maintenance schedule > Highly capable, well-trained
> Lack capable personnel and high staff personnel
turnover > Low staff turnover
> Significant Items for SQRT due to > High volume (non necessarily
technical & supply issues company X brand)
> Infrequent volume - 3 or less batches > Long-term experience with
per year product
> Newer product - Less experience with
product
> Lack of RFT throughout facility > RFT environment 3
operations > Risk assessment is accurate
> Poor Risk Assessment (i.e., Quality (e.g., Science-based compliance
Management is ineffective in assuring decisions)
appropriate decisions) > Quality Management applies
> Lack of continuous improvement appropriate control at the facility
Quality and (e.g., trending, CAPA) > Continuous improvement (e.g.,
Risk Culture > Lack of internal audit and external trending, CAPA)
supplier audit program > Strong internal audit and
> Financially unstable, privately held, external supplier audit program
low investment willingness > Financially stable,
demonstrated willingness to
invest
Supply Chain > Broker in supply chain (Complex) > Supply of API from area of high 5
Security material origin from area of high quality regulatory control
concern > Supply of excipients from area
> supply of API from area of high of high quality regulatory control
concern > non complex supply chain
> Supply of excipients from area of high
concern
Communicatio > Supplier deficient in reacting to and > All issues requiring notification 3
ns notifying X of deviations/changes to X are communicated in a timely
affecting X products manner per the appropriate
with X > Difficult to visit, contact/liaise with. agreement.
> visits are readily accepted and
communication lines smooth
Product > Critical device or injectable/parenteral > Non-registered products 4
Criticality for X > Tablets, capsules and topicals
Consequences of Risk

> Highly potent narrow therapeutic (Non sterile products and API)
range > Not medically critical
> Controlled release pharmaceutical > High Therapeutic Index
> Life-saving product
> Sterile API for use in a non terminally
Sterilized Finished product
Supply Chain > No or very limited product for supply > No issues with supply of 5
continuity > Top value product (may have relative Product to markets
low volume) > Non-critical product or market
> Critical markets

This is plotted onto a Risk Evaluation score matrix of the X – Y plot with Probability the Y axis
and Consequences the X axis.
Some companies may wish to have one total score however this can lead to distortion of the
scoring and the obscuring of a critical risk. Where approach is of value is to use as a metric
on just the probability of an event scoring (single axis) and revisit on a very regular basis.

Page 10 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

Preliminary Hazard Analysis (PHA) Under construction

Description: PHA applies prior experience and knowledge of a hazard or failure to identify
future hazards or failures.
Examples:
Useful when analyzing existing systems where circumstances prevent a more extensive
technique from being used. Useful early in the development of a project when there is little
information, knowledge, design details, or operating procedures. Can be used on product,
process, or facility design

Risk Threshold examples

High – Risk must be reduced
Intermediate – Reduce risk to As Low As Reasonably Possible (ALARP) or otherwise termed
As Low As Reasonably Achievable (ALARA)
Low – Reduce risk according to ALARP principles considering cost vs benefit criteria or
determine if acceptable risk.
Trivial – Generally acceptable level of risk with no action required.
Reference for ALARP/ALARA – International Commission on Radiological Protection (ICRP)
in Publication 26 (ICRP 1977) as quoted in Textbook of Radiopharmacy, Theory and practice
Ed. Charles B Sampson 3rd 1999.

Page 11 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

Moderate to Advanced Risk Management Tools

Hazard Analysis and Critical Control Points (HACCP)
HACCP was developed in early 1970s by NASA protecting food safety for astronauts using
science-based controls to prevent hazards that could cause food-borne illnesses. Well
established as a requirement within the food industry, its application is increasing in other
industries including pharmaceutical.
In preparing for HACCP:

• Assemble team
• Describe product / process
• Identify intended use
• Construct process flow diagram (see earlier in tool box)
• Confirm flow diagram on-site.

HACCP is a seven step process that provide for both Risk Assessment and Risk Control. In
essence it is a detailed process flowchart map from raw materials to finished product and
testing, with each identified critical control point on the flowchart identified. The seven steps
are as follows:

1. Conduct hazard analysis

A hazard is defined as the potential to harm the consumer (safety and for
pharmaceuticals also efficacy) or danger to the product (contamination).
In considering hazard analysis, all hazards should be listed that reasonably may
occur from incoming materials, production, testing, distribution up to point of use.
Hazard analysis identifies which hazards are such that elimination or reduction to
acceptable levels is essential. It is advisable to separately identify quality, safety and
business risks. Note: FMEA (see below) may be an appropriate hazard analysis tool.

2. Determine critical control points (CCP)

A critical control point is defined as a stage in the manufacturing process (including all
raw materials), which, if not controlled correctly, will cause a threat to safety or a
contamination issue. Having identified the hazards on the flowchart, determine if
there are any that have no critical controls – need to install controls at these points.

3. Establish target levels and critical limits

Specify critical limits for each CCP. Typical criteria for measurement could be
temperature, time, etc or subjective criteria. Data should be scientifically based and
more than one limit may be necessary for a CCP.

4. Establish system to monitor critical control points

Monitoring must detect loss of control at a CCP and should be recorded. Real time
monitoring enables timely response to trends and prevents deviation from the limit.

5. Establish corrective actions when critical limit deviation occurs;

6. Establish record keeping system; and
7. Establish procedures to verify HACCP system is working correctly.

HACCP is unlikely to be a single document!

Page 12 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

Example: Common use is to identify and manage physical, chemical and biological (including
microbiological contamination) related risks in a process and assess impact of change. This
has been used in the Food industry to identity the key areas in supply and production chain.
In the supply chain can look at multiple supplier chain from a high end customer down to the
base supplier or as part of the whole process flow of components to final service or product
For further information refer to WHO Technical Report 908 (37th Report of expert Committee
on Specifications for Pharmaceutical preparations, 2003).
Reference Microbiology for the analytical chemist, RK Dart, 1996, RSC p100-102

Hazard Operability Analysis (HAZOP)

Description: HAZOP assumes that risk events are caused by deviations from the design and
operating intentions, and uses a systematic technique to help identify potential deviations
from normal use or design intentions.
Examples: Evaluate manufacturing processes, facilities, and equipment; one of the most
common Risk tools known used to evaluate safety hazards in Environmental Health and
Safety.
For further information refer to IEC 61882 (first edition, 2001)

Failure Mode Effects Analysis (FMEA)

Under construction example to be included
Description: Evaluates potential failure modes for processes, and the likely effect on
outcomes and/or product performance. Once failure modes are known, risk reduction can be
used to eliminate, reduce, or control potential failures. Relies upon product and process
understanding as both product and process FMEA should be performed. Output is a relative
“risk score” for each failure mode.
Examples: Evaluate equipment and facilities; analyze a manufacturing process to identify
high risk steps/critical parameters.

Page 13 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

For more detailed information refer to IEC 60812 (1985)

Failure Mode, Effects and Criticality Analysis (FMECA) Under construction

Description: FMECA extends FMEA to incorporate the degree of severity for consequences
and the respective probability/detect-ability of each consequence. Product and process
specifications should be established to utilize FMECA
Examples: Typically used in failures, and risks associated with manufacturing processes.

Fault Tree Analysis (FTA) Description: FTA is a method to identify all root causes of an
assumed failure or problem. The method evaluates system/sub-system failures one at a time,
but can combine multiple causes of failure by identifying causal chains. FTA relies upon
process understanding to identify causal factors.
Examples: Investigating complaints or deviations.

Page 14 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

2.5 Risk Evaluation and Control

Part of Risk Evaluation is can the Risk Acceptance step be taken.

ALARA & ALARP

Risk management has been widely practised in the field of Nuclear medicine and the nuclear
industry, from which the principles of ALARA (As Low As Reasonably Achievable) were
developed for safety of personnel. It is more commonly referred to a ALARP (As Low As
Reasonably Practical) in the UK from UK Health and safety legislation.
The ALARP principle is that the residual risk shall be as low as reasonably practicable. To
apply the principle it must be possible to show that the cost or practicality would be grossly
disproportionate to the benefit gained. The principle arises from the fact that infinite resources
(time, money, effort) could used to try and reduce a risk but that is not achievable in the real
world. It is not a simple quantitative measure of benefit against detriment. It is interlinked to
the assessment if a risk is tolerable and/or controllable.
In the determining that a risk has been reduced to ALARP, an assessment of the risk to be
avoided is carried out and compared with the actions involved in taking measures to avoid
that risk, otherwise known as a Cost Benefit Analysis.

Carrot Diagram
A carrot diagram is often used to display risks. The high risks (to be reduced) are at the top
and the low risks at the bottom. The middle risks may be described as the tolerable region as
the risks are not insignificant but not practically reduced.

Page 15 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

Brainstorming
This is a key tool to evaluate the risk and identify possible controls. More detail is given in
section 2.3.1

The 4T’s
Risk acceptance is part of risk evaluation and a more details are provided in section 2.7.1.

Page 16 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

2.6 Risk Reduction

Root Cause Analysis

Many of the tools described in 2.3 were initially developed as methods of determining root
cause for events that have already occurred e.g. Fishbone Diagrams, Brainstorming etc.
Risk Management aims to be proactive process in addressing risk before it occurs. However
in terms of risk reduction, root cause can be applied to the determination of potential root
causes for potential risks and then strategies or actions can be taken to address these root
causes. By addressing the root causes identified risk is reduced or potential for a hazard to
constitute a risk. Basic steps to application of root cause analysis irrespective of the tool used
are as follows;

• Define the risk to be reduced = output of Risk Evaluation

• Define potential root causes for this risk to occur
• Define which root causes if removed will prevent or reduce the risk
• Implement risk reduction measures = address the root causes
• Document & observe the effect of implementing the risk reduction measures
• Review and repeat as required

CAPA
CAPA (Corrective and Preventative Action) is a term used in Quality Management Systems
such as ISO in a variety of industries but is often poorly understood. Essentially there are
three elements to CAPA.

• Correction = correction of effect of an event to bring the process, product or service

back into a state of compliance with specification
• Corrective Action = implementation of an action to address root cause of an event to
prevent reoccurrence of that event in the future (reactive)
• Preventative Action = implementation of an action to address the root cause of an
event to prevent that event ever occurring (proactive)

In terms of Risk Reduction CAPA is a process that compliments other techniques such as
Root Cause Analysis. In order to utilise CAPA for Risk Reduction these basic steps are
followed.

• Define the risk to be reduced = output of Risk Evaluation

• Define the appropriate action i.e. correction, corrective action, preventative action
• Document the CAPA to be taken including, responsible person(s) and due date.
• Implement the CAPA
• Document and observe the effect of the CAPA implemented
• Review and repeat as required.

Risk Management aims to be proactive approach. It is likely then that once embedded in an
organisations culture the majority of CAPAs being implemented as risk reduction measures
will be preventative actions rather than corrections or corrective actions.

Risk Avoidance Strategy

Risk avoidance strategy is a risk reduction technique commonly exploited in financial and
business arenas. It involves the elimination of risk by avoiding the process or activity that

Page 17 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

carries the risk e.g. not driving a car so as not to have a traffic accident. It could be argued
that this strategy is the safest option to avoid risk completely. In reality however it is difficult
to take this approach to many activities as this strategy would simply mean no process, no
product or no service. Every risk avoided in this way is a loss in potential gain in terms of
business, profit, end-user benefit and/or customer satisfaction.
Risk avoidance is a practical and sometimes only viable approach to risk reduction. However
it must be applied cautiously to ensure the benefit outweighs any alternatives.

Page 18 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

2.7 Risk Acceptance

Risk Acceptance is a stage that can incorporate information from the tools in risk Evaluation
and control and it is decision are we at a tolerable level and is it controlled When deciding to
accept a risk there is always the no as a possible answer so risk evaluation is interlinked to
acceptance.
An additional tool for ALARA (2.5.1)and carot diagrams (2.5.2) is the 4Ts

Mitigation strategy and actions based on the "4 T’s":

TREAT a risk to prevent it occurring or reduce its potential impact.

• Have processes in place that improve the control effectiveness.

• The amount of effort to control risk should be proportional to the significance of
the risk

TRANSFER the risk to someone else

• Risk financing, insurance, contracting out, etc.

• Some of the impact of the risk is transferred, not the responsibility the business
has for managing the risk.

TERMINATE the risk – i.e. stop doing whatever it is that is exposing the business to the risk.

TOLERATE the risk after deciding that the risk has been reduced to an acceptable level.

Checklist

See 2.3 for general detail but a checklist would assist in determining if all steps have been
completed and a decision can be made.
Check the Pareto example in risk acceptance in original versions

RACI – A RACI matrix will ensure that people and their responsibilities in the process are
clearly defined. [LINK]

Page 19 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

2.8 Risk Communication

The method of communication depends what is being exchanged, audience (external or
internal) and importance regardless if related to risk or other management activity.

Below are common methods used:

1. Contracts: The most formal method is a business contract however this is normally the
method of communicating legal and basic business expectations. A supplementary
technical agreement is a regulatory requirement for pharmaceutical industry to agree,
control and define such matters as: communications, information flow, capabilities,
regulatory requirements and expectations, duties and responsibilities, however the main
sections of these can be torturous to amend quickly.
2. Letter/memo: A formal communication normally reserved for agreeing or approving
actions and expectations. It may contain formal certificates, specifications, processes and
other technical information.
3. E-mail: These may contain electronic copies of draft documents and scanned
agreements, technical information, certificates etc, may be used for agreeing, requesting
or discuss information. This now takes the place of a letter in most matters as well as
being a vehicle for less formal communications.
4. Telephone: Ideas, arrangements, informal agreement and discussion. These may be
added to by use of net meetings and video conferencing if appropriate to the task.
5. Fax: Normally considered as formal as a letter but its use is being replaced by the use of
e-mail.
6. Internet: this is a way of advertising and a source of information however care should
taken to verify information freely adaptable in this way.
7. Face to face meeting to exchange ideas, presentations, carry out audits and come up
with assignments, actions and agreements, Agreements and actions should formally
recorded in minutes or a letter.
8. Minutes are formal records of any type of meeting (or conference) that includes
decisions, agreements and actions. These should be retained as documents in a Quality
management system for audit of a decision or review. An example of this practice is the
retention of meeting minutes for development and design of Medical devices as part of
the device master file.
9. Presentations including graphs, mapping and plans may be shared to show general
proposals and action points but these reflect the author(s) ideas and situation progress.
This is a common way of quickly getting essential points across to explain a situation or
proposal for a wider, possibly less knowledgeable, audience or to get outline
management approval, not normally detailed plans.

Page 20 of 21
 A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries

2.8 Risk Review

6sigma CAPA

KPI, Performance metrics

Key Performance Indicators (KPI) are measures or metrics used to help an organization
define and evaluate how successful has been in meeting targets, typically in terms of making
progress towards its long-term goals.

KPIs can be specified by answering the question, "What is really important to different
stakeholders?". KPIs may be used to assess the present state of the process or business and
to assist in prescribing a course of action. The act of monitoring KPIs in real-time is known as
business activity monitoring (BAM). KPIs are frequently used to "value" difficult to measure
activities such as the benefits of, engagement, service, and satisfaction.

The type and number of KPIs used differ depending on the nature of the organization, the
process/es being monitored, outputs of the organisation and future strategy. They assist in
evaluating progress towards objectives, especially toward difficult to quantify knowledge-
based goals. However care must be exercised in specifying the correct parameters and
criticality. Too many indicators may swamp the critical indicator that some thing is awry with a
supplier.

A KPI is a key part of a measurable objective, and may be used as a tool in a bench marking
process.

Benchmarking (see section on proactive and reactive)

Benchmarking is the process of comparing the performance of a specific process or method

to another that is widely considered to be an industry standard or best practice. Essentially,
benchmarking provides help in understand where you are in relation to a particular
requirement. The result often leads to changes in order to make improvements. Bench
marking has been described as "learning, sharing information and adopting best practices to
bring about step changes in performance”. It has a subset of tools which can be adapted
depending on what is being benchmarked: "Improving ourselves by learning from others".

Bench marking is most used to measure performance using a specific indicator resulting in a
metric of performance that is then compared to others.

This then allows organizations to develop plans on how to make improvements or adopt best
practice, usually with the aim of increasing some aspect of performance

Benchmarking usually involves:

• Regular comparison of functions or processes with best practice examples

• The identification of gaps in performance
• Exploring new ways of improving how things are done
• Introducing and using the improved processes
• Monitoring and reviewing of processes, measuring progress and beneficial outcomes.

Page 21 of 21