Don't Get Stranded: Derisk the Supply Chain

Identify the top risks and uncertainties, and then optimize manufacturing and supply networks.

By Martin Lösch and Venu Nagali, McKinsey & Company

To increase the agility of their end-to-end supply chains, pharmacos can apply a systematic approach to identify the top risks and uncertainties, and then optimize manufacturing and supply networks. This helps them ensure the availability of supply, achieve greater cost savings and encounter fewer quality and compliance issues. Coordinating risk management activities among functions is critical to success.

Supply chains have become increasingly fragile for pharmacos, which has taken a toll on the availability of certain drugs. For example, recent reports indicate that there is a shortage of some cancer drugs, especially certain low-margin generics, forcing doctors to delay treatment. The Food and Drug Administration (FDA) lists a range of supply chain risk issues that are currently causing drug shortages, including greater-than-expected demand, manufacturing delays, commodity shortages and supply issues.

Drug shortages stemming from demand-and-supply issues are only part of the story. Manufacturers have also experienced a surge in quality problems that have resulted in recalls, regulatory settlements, lost revenues and diminished brand equity. A reliance on single sourcing has exacerbated these quality issues for some manufacturers. For example, a large diversified health care company in the United States has been losing about a billion dollars of revenue annually as a consequence of quality issues for certain over-the-counter medicines produced at manufacturing plants that rely on single sources.

Despite the apparent and growing cost associated with fragile supply chains, most pharmacos still do not have a systematic approach for assessing and managing the risks arising from supply chain shortcomings.

To help pharmacos address this critical issue, we have developed and implemented a comprehensive approach to improving supply chain agility and risk management. The approach addresses the following questions:

  • Which sources of supply chain risk and uncertainty at the enterprise, sector and product levels are the most important to address? How can the company identify its more important products that require a robust supply chain?
  • How can the company determine the optimal manufacturing, sourcing and inventory strategies for each product, and mitigate its top-priority risks efficiently? What are the optimal levels of single versus dual sourcing and risk inventory for the different product segments?
  • What governance structure is best suited to embedding risk management throughout the organization?

By delving into the issues raised by these questions and taking the necessary actions in response, companies can significantly increase the sophistication of their efforts to manage supply chain risks.

All parts of the healthcare supply chain are exposed to risks: suppliers can raise prices or deliver products that are inadequate or insufficient, in-house manufacturing capabilities can fail to produce sufficient quantities to meet demand, and regulators can delay manufacturing or stop delivery.

Managing risks in the supply chain entails a cross-functional effort to comprehensively identify the most important risks, understand their potential impact on the organization’s objectives and mitigate them as necessary. The fullest picture of risks will come from a combination of sources, including the knowledge of executives in different functions, the company’s past experience, the lessons learned from competitors’ experiences and insights into external trends (such as rising commodity prices or regional political instability).

This cross-functional effort to manage supply chain risk has three major steps:

STEP 1: Create product groupings based on risk. The company should start by identifying all of the top risks (those with the highest expected impact) that could impair its ability to supply a product to the end customer, result in higher production costs, or cause regulatory issues with respect to quality or compliance. Some risks may affect a combination of supply, cost and regulatory objectives. To efficiently identify the top risks across the enterprise, we recommend a three-part approach focusing on products and functions: First, a company should identify and assess the risks individually for a select set of its most important products; then, it should identify and assess the risks for individual functions such as procurement, manufacturing and distribution; and, finally, it should combine the findings of the two assessments.

To identify its most important products for purposes of this analysis, a company needs to consider its risk appetite — that is, the extent to which it will accept a particular risk rather than actively mitigating it. The appetite for risk will vary dramatically from one company to another and even from one product to another within a company’s offerings. A company may have a substantially lower risk appetite for products that can adversely impact public health. That said, given the complexity of many companies’ portfolios, management should specify risk appetite not by individual products but by product groupings. These groupings can be based on products’ importance to one or more enterprise objectives, such as financials, public health, reputation and brand name.

For example, a major health care company recently categorized its entire product portfolio into three groups with regard to risk appetite. It based these groupings on a product’s financial, public-health and brand characteristics, as illustrated in Exhibit 1. The company also categorized its production facilities into risk segments based on the type of products they manufactured. The site segmentation enabled the company to prioritize investments, properly allocate management attention among multiple facilities, more accurately determine the frequency and duration of quality audits, and better assess its overall business continuity preparedness.

STEP 2: Set exposure thresholds. Next, each company should define its risk appetite by setting exposure thresholds for each product grouping. These exposure thresholds can be pegged, by product grouping, to supply chain metrics such as meeting demand (fill rate or service level), cost-saving targets or quality and compliance levels (Exhibit 1 illustrates an example of a process that concludes with setting exposure thresholds). Defining risk appetite will enable managers throughout the organization to make quantitative and consistent decisions when faced with trade-offs between risk levels and investment.

Companies must estimate each identified risk’s potential impact on supply, cost and regulatory objectives. They can determine this impact on the basis of the risk’s size and likely duration and the company’s preparedness for it. For example, a commodity-packaging supplier’s failure to deliver its materials might disrupt production for several weeks or months while an alternative is found. If the company has six months of finished goods in its warehouses, then such a disruption is unlikely to affect customer supply. The same failure by a single-source supplier of critical APIs, by contrast, might threaten supply for several months, creating the real potential for lost sales.

For example, delays in the qualification and approvals process for a new API supplier caused an 18-month shortage in the supply outside North America of one important drug for a common neurological condition. FDA action to fix quality problems at a United States plant also led to yearlong shortages of important drugs for two different genetic disorders.

Companies should also estimate the probability that a particular risk event will occur in a given year. This estimate can be based on a statistical analysis of internal data sources (such as historical deviations and rejection rates, to assess quality risks in manufacturing and sourcing), and external data sources (such as credit scores from Dun & Bradstreet and Standard & Poor’s, to assess a supplier’s financial strength).

STEP 3: Quantify exposure. By analyzing impact, preparedness and likelihood with respect to a risk, companies can quantify their risk exposure and prioritize their supply chain risks. This typically allows them to reduce an initial list of several hundred risks to a few dozen top-priority risks that require immediate attention. A standard evaluation approach will enable management to make an apples-to-apples comparison of risks across products, functions and sites in order to identify the most immediate potential disruptions facing the company.

To conduct the assessment comprehensively and efficiently, companies can identify risks individually from each of the functions in the end-to-end supply chain: new-product introduction, plan, source, make and deliver (see Exhibit 2 for an illustrative set of risks from each of the functions). The range of risks assessed should include event-driven risks, which are low-likelihood but high-impact risks that may or may not have occurred at any point in time (such as regulatory and compliance incidents or earthquakes), as well as continuous risks, which materialize as a range of values at any point in time (such as uncertainty in demand, supply and cost).

After the company has identified all the risks, it can categorize them as either strategic or operational based on the level of investment required to mitigate them:
The top strategic risks typically arise from high levels of single sourcing; significant investment is required to mitigate these risks, through dual sourcing maintaining higher inventory levels, or both.

Typical operational risks can stem from several factors: insufficient manufacturing capacity in cases where the company would benefit from more capacity to address greater uncertainty; an insufficiently robust production process, resulting in significant yield issues; or inadequate quality and compliance practices. These operational risks can be mitigated by small, targeted investments (see Exhibit 3 for a representative list of the operational risks at a pharmaco).


Companies can employ a range of measures to mitigate specific risks. Some measures (such as process and component standardization and upgrading of production machinery) decrease the likelihood that a risk will occur. Other measures (maintaining higher inventories of components, works in process and finished goods, for example) increase preparedness. And others (such as dual sourcing) reduce the impact if risks do occur.

Small, targeted investments (for example, upgrading or repairing production machinery) can address specific sources of risks. Measures such as dual sourcing and maintaining additional inventory can systematically address several sources of risk at once. Because these measures can be expensive, it is critical to determine the optimal levels with respect to top products. Further, companies may be able to more efficiently mitigate a source of risk within a particular function by taking steps within another function. For example, they can manage a potential raw-material shortage by increasing the inventory of the finished product.

As opposed to safety stock, which companies use to manage day-to-day uncertainty in demand, “risk inventory” is used to manage low-likelihood, but potentially high-impact disruptions in the supply of raw materials or production. Companies can determine the optimal combination of risk inventory and dual sourcing for each top product through a careful calculation that accounts for the incremental cost of these measures, the current inventory level and its shelf life, and the required risk protection level. A higher level of risk inventory may be needed in cases where the cost of dual sourcing is prohibitive, such as for production of biologic-drug substances and certain APIs. In other cases, such as for finished-product production and packaging, dual sourcing may be cheaper and more effective than maintaining risk inventory (see Exhibit 4). In addition to mitigating downside risks, optimal levels of dual sourcing and risk inventory will also address upside opportunities.

To determine the optimal manufacturing and supply network across all of its top products, a company should make this calculation for each major production step for each product, and then combine the individual product-specific strategies.

We recommend using similar risk-informed approaches to make other supply chain decisions. These include network optimization, manufacturing footprint, supplier contracts, inventory policies, level of outsourcing and offshoring, and level of flexibility for a manufacturing plant. This broad application increases the complexity of making such decisions, because it introduces additional factors that are difficult to quantify. Yet we find that the additional effort yields useful results. Companies can reach vastly different outcomes by going beyond traditional practices to explicitly account for risk in certain supply chain decisions — such as the level of risk inventory and dual sourcing and the size of backup manufacturing facilities. This is particularly true in the health care sector, where rigorous supply chain risk management programs are still relatively rare. Only by adopting a risk-informed approach will management be able to make more robust decisions that can withstand the future’s inherent uncertainties.

Finally, while companies most commonly seek to reduce their exposure to risk by determining the optimal set of mitigating actions, this is not always the right response.
In some cases, a company may find itself able to tolerate greater exposure for certain products, processes and facilities. In this way, a rigorous risk-based approach can not only mitigate threats but also unlock incremental value, by freeing time and attention that had been devoted to keeping certain risks unnecessarily low.

Although most companies in the pharmaceutical sector have risk management programs in place, those programs are typically confined to particular organization units or functions. For example, companies may have business continuity management (BCM) programs for individual manufacturing sites that focus on recovering from disruptive events, measures within the procurement organization to mitigate sourcing risks from suppliers, or compliance and audit management initiatives in the quality organization. Yet there is little, if any, coordination of these efforts. Furthermore, most BCM plans typically specify similar time-to-recover goals for each manufacturing site without explicitly considering the relative importance of the products being produced or the likelihood of bad events. They also often fail to include proactive steps to mitigate the risks from such events.

Companies should recognize that risk management is inherently a cross-functional activity, because different functions within the supply chain can identify and manage the sources of risks only within their own domain. This interconnectedness makes establishing a cross-functional risk management process critical to success.
The process must explicitly define roles and responsibilities of the different supply chain functions, with clear lines of demarcation. A dedicated supply chain risk management team may be needed to facilitate this cross-functional process.

Its responsibilities should include the following:

  • Developing standard taxonomy, analytics and tools that all functions will use to measure and manage risks
  • Working with senior management to define the risk appetite, and translating it into operational metrics
  • Providing independent oversight of the risk management strategies implemented by the different functions
  • Consulting, as needed, with the operational teams to make risk-informed strategic supply chain decisions
  • Facilitating cross-divisional risk management strategies
  • Aggregating risk exposure across functions and divisions and reporting on it to different management levels.
  • In addition, the company must periodically reassess risks to ensure that its mitigation strategies remain appropriate for the market’s changing dynamics.

Given the scope and complexity of most companies in the sector, managing the sheer volume of information from this process is a challenge. A set of customized risk reports and dashboards can help. One major health care company is implementing a series of dashboards that can be customized to specific levels within the management structure. For example, the company compiles all of the top risks for a particular product and displays them on a single dashboard for the product’s manager. It displays information for multiple products, functions and sites on a division level dashboard for risk officers and other senior leaders. Furthermore, the BCM plans for an individual manufacturing site should be explicitly tied to the specific set of top risks affecting that site. These risks should be determined through a detailed assessment and aligned with the established risk appetite associated with the products manufactured there.

Finally, developing the right culture is a key element of managing risk in any organization. Management should foster an open environment in which individuals feel empowered to discuss risks and potential disruptions and even to challenge line managers on specific decisions where appropriate. Individuals should be as candid in discussing bad news as they are when sharing good news. And workers within the different supply chain functions should share actions and best practices across functional boundaries. For example, an employee in manufacturing should be aware of and able to leverage a mitigation action that has worked well in procurement. Establishing this culture requires a high degree of communication, in which management establishes the right set of incentives for individuals to respect rules and procedures and to work for the organization’s greater good.

Pharmacos’ senior executives can start the process of improving risk management by asking the supply chain organization to identify the greatest sources of risk to the enterprise. This information can be provided through specific deliverables, such as a “heat map” that describes where the top sources of risk are concentrated across various supply chain functions. It could also include an analysis of strategic investments that includes both conventional metrics, such as expected net present value (NPV) and return on invested capital (ROIC), along with risk-adjusted measures like standard deviation or worst-case NPV and ROIC.

This information will help catalyze a set of initial activities that ideally constitute the first two components of the framework we have described. Companies should categorize all products into a few types and then define the risk appetite for each type. This should lead to an assessment of supply chain risks for the top products that determines the greatest sources of risk and the specific mitigation actions for each. With this as a foundation, risk organizations can become progressively more sophisticated in implementing risk management across the supply chain.

By implementing a comprehensive supply chain risk management program, companies can capture a wide range of benefits.

They will be well positioned to understand the likelihood of certain risks, proactively and cost-efficiently mitigate those risks, and obtain incremental value by making risk-informed strategic supply chain decisions. However, management must understand that risk management is not a one-time activity. To capture the wide range of benefits, companies must embed risk management within their operations.

Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.


No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments