Supply Chain Risk Management: Don’t Bolt On, Build In

Aug. 31, 2011
The best companies build SCRM into their culture, allowing it to inform all business decisions.

The pharmaceutical business has always been a risky one. Events—from disappointing clinical trials, to changes in medical practice or the emergence of new competitors—constantly threaten to jeopardize investments in new product development and damage consumer confidence. Problems in the supply chain are one particularly important source of risks for companies in this sector. McKinsey recently analyzed more than 60 significant negative events—that is, those which result in a drop in share prices of 10 percent or more—over the past ten years in the medical device industry; we found that supply chain issues, including product recalls and disruptions to supply, were at the root cause of a third of these events.

Supply chain risks are rising, too. Regulators are becoming much stricter about quality issues, increasing the size and frequency of mandatory product recalls. The number of drug recalls by the FDA increased by more than 28 percent in 2009 to 2010, for example. The rapid growth in sourcing and manufacturing in low-cost countries has also stretched supply chains, increasing the opportunities for disruption and making tight control more challenging.

For pharmaceutical industry leaders, this environment raises some pressing questions: How can companies understand where the most important risks in their supply chains are? How much risk should they tolerate? How can they reduce their exposure to unacceptable risks today, and prevent their occurrence in the future?

As with many supply chain issues, the drug industry is fortunate in that others have trodden the same path before. Leading pharmaceutical companies are now adopting and adapting Supply Chain Risk Management (SCRM) techniques developed in the automotive, aerospace and hi-tech sectors. These techniques provide an end-to-end view of supply chain risks, helping manufacturers to make balanced decisions about appropriate mitigation strategies.

Building an effective SCRM infrastructure involves three basic steps:
1) Understand the risks and their potential impact;
2) Decide on the organization’s “risk appetite”—the amount of risk it is willing to carry as the price of participation in a particular market or product sector;
3) Make appropriate risk mitigation decisions based on 1) and 2).

Importantly, both the risks and a company’s appetite for them will vary significantly across different markets and product groups, so a segmented approach is necessary.

SCRM is not a one-off process. Risks change over time, as does a company’s willingness to carry them. The best companies go on to build SCRM processes into their culture, informing all business decisions with an understanding of their implications for supply chain risk.

Identify, Understand, Prioritize

All parts of the pharmaceutical supply chain are exposed to risks. Suppliers can raise prices, or deliver inadequate or insufficient product. In-house manufacturing capabilities can fail to produce in sufficient quantities to meet demand. Regulators can delay manufacturing or stop delivery. Supply chain risk management begins with cross-functional effort to list all the most important risks, and understand their potential impact on the organization’s objectives. The fullest picture of risks will come from a combination of sources, including the knowledge of executives in different functions, past experience (of the company, and its competitors) and insights into external trends (rising commodity prices, or regional political instability, for example).

For each risk they identify, manufacturers can estimate its potential impact on the business. Impact is determined by the size and likely duration of the risk, and by the company’s preparedness for it. The failure of a commodity-packaging supplier might disrupt production for several weeks or months while an alternative is found, for example. If the company has six months of finished goods in its warehouses, then such a disruption is unlikely to affect customer supply. The same problem at a single-source supplier of critical APIs, by contrast, might threaten supply for several months, creating the real potential for lost sales. For example, delays in the qualification and approvals process for a new API supplier caused an 18-month shortage in the supply outside North America of one important drug for a major neurological condition. FDA action to fix quality problems at a U.S. plant also led to year-long shortages of important drugs for two different genetic disorders. 

The third element companies must understand is the likelihood of occurrence of particular sources of risk. The probability that a risk event will occur in a given year can be estimated from a statistical analysis of a number of internal and external data sources.

Analysis of impact, preparedness and likelihood allows companies to quantify their risk exposure and prioritize their supply chain risks, typically trimming initial lists of several hundred into a few dozen top-priority risks that require early attention.

This ability to assess the impact and exposure from sources of risk made a big difference to the fortunes of Nokia and Ericsson, which were leading cell phone vendors in 2000. In March 2000, a fire broke out at their common supplier Phillips NV’s semiconductor plant in New Mexico, forcing the plant to remain shut down for several months. The difference in outcomes between the two companies was dramatic—Nokia came out of the disruption stronger and gained market share, while a substantially weakened Ericsson lost more than €400 million that year and ultimately exited the cell phone market in 2001 [1]. 

This difference was primarily due to Nokia’s comprehensive supply chain risk management program, which helped the company immediately—and accurately—estimate the impact of the shutdown on its business, and then react accordingly. Nokia switched orders to other Phillips plants and to Japanese and American suppliers, and redesigned chips to reduce its reliance on Phillips products. By comparison, Ericsson was unable to assess the potential impact of the fire on its business and could not respond quickly to the incident.

Quantifying Risk Appetite

To make rational decisions about its response to supply chain risks, a company must understand whether particular risks are an acceptable price of doing business, or whether it should make investments to reduce or eliminate them. The acceptability of risk will vary across products and markets. Disruption in the supply of a relatively minor product with many competitors in the market, for example, will have little effect on the welfare of customers or on the profits or reputation of the company. The same problem in the supply of a market-leading blockbuster drug, by contrast, could have serious public health effects, as well as long-term damage to a brand’s reputation and investor confidence. For this reason, companies should segment their products in order to focus risk mitigation activities where they matter most.

At one large pharma manufacturers, products were divided into three different segments according their potential impact on public health, brand reputation and corporate finances. The company then defined its “appetite” for risks in each segment with specific exposure thresholds. The result was a risk dashboard showing exactly which products were exposed to unacceptable risks. 

Making Risk-informed Decisions

Where risks exceed a company’s appetite for them, action is required. Risk mitigation activities can take a range of forms, according to the exact nature of risks. Sometimes, simply ensuring the right monitors are in place is enough. Monitoring a supplier’s financial results—and looking for potentially significant events such as requests for shorter payment terms—may allow alternative suppliers to be identified before supply is disrupted. In other cases, it may make sense to adopt a dual sourcing strategy to ensure that production capacity exists elsewhere in the event of problems at one supplier. Other mitigation actions include adjustments to levels of raw material, work-in-process and finished goods inventory, and the development of alternate or back-up manufacturing sites.

Risk needs to be brought into other business decisions, too. The best companies require all staff to include explicit risk-evaluation criteria in all their product development, production and sourcing decisions. Like most apparel companies, Zara faces significant challenges that can substantially increase supply chain risks. Lead times between concept design and product delivery are typically long in the industry—up to a year or more. Customer behavior is extremely difficult to predict, resulting in either substantial excess inventory (and subsequent discounts) on slow movers or stockouts on fast movers.

To address these risks, Zara designed a manufacturing network that prioritized preparedness and flexibility over mere costs. As a result Zara has become a perennial leader in the fashion industry, with concept-to-delivery lead times as low as six weeks (compared to industry average of 52 weeks). Zara’s net profit margin is about three times higher than the industry average, and shareholder performance of 1.7 times the industry average over the past few years.

Embedding RM Into Business Processes

Effective SCRM is an on-going process, not a project. The risk environment is constantly changing, and it is always more effective to build in risk-mitigation strategies as supply chains are set up, rather than bolting them on when risks are identified after the fact.

Once they have identified their main supply chain risks, manufacturers can continue to update and monitor their risk dashboards. Has the changing economic environment increased the risk of a supplier failure? Is rising demand in a different product sector likely to increase prices or reduce availability of a key commodity? On-going monitoring should be supported by a periodic review of risks, to ensure that emerging or increasingly significant risks are added to the dashboard.

Implementing a holistic and comprehensive supply chain risk management program can deliver a wide range of benefits, enabling companies to: a) understand the likelihood of certain risks; b) proactively and cost efficiently mitigate those risks; and c) obtain incremental value by making risk-informed strategic supply chain decisions. The effort is worth it: Hewlett-Packard reports having obtained more than $500 million in incremental value from its supply chain risk management program through lower material costs and inventory, increased upside revenue opportunities and more predictable commodity costs [2].
About the Authors

Katy George is a Director in McKinsey’s New Jersey office, Venu Nagali is a Risk Expert in the New York office, and Lou Rassey is a partner in the Chicago office.

1. Mukherjee, A. The Spider's Strategy: Creating Networks to Avert Crisis, Create Change, and Really Get Ahead.” Financial Times Press, 2008.
2. Procurement Risk Management at HP, INFORMS Interfaces Journal. Vol. 38, Number 1, Jan 2008.

About the Author

Katy George | Venu Nagali and Lou Rassey