The worldwide impact of the Coronavirus disease (COVID-19) pandemic has been unparalleled, and organizations are forced to navigate a maze of risks. As the search for a vaccine or a series of vaccines continues, supply chains will come under significant pressure to develop, manufacture, store and distribute the vaccines to a global population. And, all this could happen in the next 6 months. This acute timing pressure will add to the challenges of preparation for distribution, and pharmaceutical companies will need to ensure they have effective, robust and secure supply chains.
Third-party relationships have become routine and are a cornerstone of most companies’ day-to-day operations, and this will only increase with the logistical requirements involved in the delivery of vaccines. Third parties in a vaccine supply chain are diverse. They include manufacturers, distributors, transportation companies, agents, advisors and consultants. Any external partner, whether it is a company or individual, that a firm works with is a third party, and therefore a potential risk. The objective of third-party due diligence is to discover any potential “red flags” or risks associated with the potential partner. Ultimately, an effective due diligence screening program allows a firm to make an informed decision about whether it is safe to proceed with a proposed business partnership.
The engagement of third parties usually starts with an onboarding questionnaire to obtain basic but complete company information including ownership details, company principals and licensing information. That information is then searched in a database which runs companies and individuals against a wide range of sanctions registers, global watchlists and politically exposed person lists to uncover any adverse results. Effective due diligence also should include searches of online media and other internet sources to identify potentially adverse information or red flags. Depending upon the third party’s jurisdiction, foreign language checks may also be required to ensure a wide-enough net is cast. For third parties deemed more critical, additional checks may be warranted, such as investigating local and national civil and criminal litigation, bankruptcy, or insolvency records and general, consumer and industry-specific regulatory records. If relevant, due diligence should also seek to verify an individual’s education and license claims. In extreme cases, such as for third parties that are deemed most likely to expose a firm to risk, discrete local source inquiries can be made using on-the-ground agents. These types of inquiries evaluate the third-party’s reputation and validate potential adverse information identified using online searches.
This approach is usually sufficient for most businesses, but in the case of vaccine supply chain due diligence, the process should be more thorough and not restricted to a typical compliance exercise. Extensive practical information will be required regarding security, capacity and resilience. Supply chain partners will need to provide assurance that their part of the chain is secure. The ultimate success of a vaccine program, although mostly due to the protection from infection the vaccine provides, will also be impacted by the public’s trust and confidence, and effective due diligence and comprehensive security measures support public confidence.
Vaccine supply chain security programs should be comprehensively reviewed (or developed if not already in place), to ensure companies reduce their vulnerability to supply chain disruptions by identifying, assessing, mitigating and monitoring security risks throughout the chain’s many component parts. There are typically numerous entities involved in the flow of goods from the point of manufacture to the final destination. For supply chain integrity to be preserved, each link and transfer point needs to be examined, understood and protected. Time pressures and capacity around manufacturing, storage and distribution should form an important element of a thorough vaccine supply chain due diligence process. Information will need to be assessed regarding organization’s ability to meet the demands and pressures that are likely to occur, as was evidenced in the manufacture and distribution of personal protective equipment.
Organizations need to understand if third parties are dependent on their own partners/third parties, as this will determine who is actually providing the service within the supply chain. It is vital to understand how many pieces there are to the chain, and if each piece has a plan. Is that plan acceptable? Are they delivering the service in accordance with the plan? Companies and individuals in the chain must acknowledge what their roles and responsibilities are, and that they have identified risks and taken the necessary steps to mitigate them.
The security risks associated with vaccine supply chain security vary significantly. Some of these are the opportunity for an accident or some carelessness to occur, others are where threat actors with specific motivations arise. The chain can be very short with only a few links or points of transfer, or it can be lengthy, far reaching and complex with dozens of links and points of transfer or delivery. A failure, theft, pilferage, adulteration or penetration may arise due to a security breach. This may not be immediately noticed, and detection of the event may itself be missed. A complete security plan should reflect all the vulnerabilities and include the security functions provided by third parties who may be located globally. Businesses involved in vaccine supply may need to improve the security of their sites. A layered approach to security is advisable, so if one layer is circumvented, another layer would identify any potential infiltration. The complete security plan should also include the protection of intellectual property (IP) as the goal of business should be to protect its own IP, as well as the IP of those it deals with. Organizations within the supply chain should also have procedures in place to mitigate the threats associated with a potential cyber-attack, which should include tight policies and control frameworks, strict access control to networks and email platforms, and have an incident response plan to act quickly to a data breach.
Understanding the supply chain process, analyzing the process and then allocating resources to validate the process are key to effective supply chain risk management. It is crucial the vaccine supply chain be secure and there be comprehensive confidence that risks have been identified, assessed and detailed mitigation plans put in place.