The Role of Risk Analysis in Expanding Business Activities

Selecting the right partner is the key factor in every outsourcing relationship. Risk analysis can be the ideal instrument for obtaining preliminary information when evaluating a potential contract service provider and can become an integral part of the sponsor's supply chain. This article describes the main factors in risk analysis when transferring drug-manufacturing activities to a third party.

Initial evaluation

When evaluating a potential partner, the following factors should be taken into account:

• Partner's knowledge, experience, professionalism, and technology

• Cost analysis; verification that requirements are met (e.g., regulatory, qualitative, technological, safety and environment, backup, and disaster recovery)

• Clear definition of the critical steps of the process and allocation of responsibilities (e.g., supply and analysis of raw materials, in-process controls, analytical controls on the finished product and release, preservation and shipment of the finished product)

• Activities planning and intermediate testing

• Formalization of the relationships (e.g., legal supply contract, secrecy agreement, quality agreement)

• Continuous communication

Collaboration between the customer and the partner during risk analysis allows an integrated and shared evaluation of risks and benefits. The key element of this process is to identify and understand risk and to determine how much investment is needed to reduce each existing risk.

Acceptance level and control

The acceptance level of risk and the margin of control must be determined. In addition to risk understanding, the main factors are identification, management, and weight-up.

Identification. Risk analysis is a continuous process that begins with the identification of all risks. During the first phase of analysis, opportunities and threats should be identified (see Figure 1). The probability of each opportunity and threat is determined, as well its their consequences, to assess the effect and benefit of each item.

Figure 1

Management. The results of the identification phase determine the level of risk management (see Figure 1). First, one should plan activities by taking into account the availability of various resources (e.g., economic, number of personnel, experience, knowledge). Risk-management planning must be continuously monitored and documented, and a periodic follow-up of the status should be performed. The management-reviewing step can be a learning process because it provides an opportunity for partners to share knowledge and experiences and exchange analytical data.

The last phase of the continuous review process—understanding—is the most important because it involves shareholders in the activity, uses the analysis performed in the previous phases, and helps set the boundary conditions of subsequent steps in the process (see Figure 1).

Useful instruments in risk analysis. An important instrument in risk analysis is the protocol of the preliminary evaluation. To analyze the risk of the suppliers and contract service providers, it is necessary to resort to a predefined instrument, adaptable to the demands of each partner, in which it is possible to include all the activities in the preliminary evaluation. The protocol document should include the following chapters: technical aspects; qualitative aspects (prerequirements); logistical aspects; organizational aspects and communication; vulnerability; safety; and environment. Elaboration of this protocol document is up to the contract provider. The compilation of various questions to be answered is up to the contract acceptor.

Another important instrument is the inspection audit and the checklist of risk analysis. These documents are prepared by the sponsor, using the evaluation's protocol as a basis. They help the contract service provider verify all the risk elements and their weight.

The final instrument is the evaluation's report, including the risk's weight-up and the action plan. The final report preparation is submitted to the sponsor. The report's basic chapters are the risk assessment, formulated starting from the compilation of the checklist indicated above, and the remediation and action plan that describes the interventions necessary to reduce the risk factors in the exposed analysis areas.

The assessment must differentiate the areas of higher risk (threats) from those that represent chances for improvement (opportunities). The operative tools necessary to identify risk areas are then finally presented to define the value (risk analysis) and to attribute the level of gravity and acceptance for business (risk assessment), the possible need for remedial actions, and the resolution time and responsibilities (action–remediation plan).

Weight-up. Risk weight-up considers the effect and probability of threats and opportunities enumerated in the risk identification phase; these can be weighted using the different levels shown in each quadrant in Figure 2. The levels are defined as follows: very high (VH), high (H), medium (M), low (L), and very low (VL). Because the defined levels are five in the ordinate and five in the abscissa of each quadrant, the worst-case risk is associated with the couple VH–VH (5 × 5 = 25). Similarly, the best-case risk is associated with the couple VL–VL (1 × 1 = 1).

Figure 2

The quadrants are highlighted in colors corresponding to probability and impact-level combination. The yellow areas are where the risk is acceptable for threats and opportunities. The red and pink areas are associated with the unacceptable risk for threats and opportunities.

For example, if you must transfer an industrial process in an emerging country in which partner knowledge (or experience, etc.) may be very low and the cost is very low, then the evaluation of the risk is:

threat: impact VH(5) × probability VH(5) = risk 25

opportunity:impact VL(1) × probability VL(1) = risk 1

Therefore, there is a big threat to transfer the industrial process, with a very low confidence level and a very big economic opportunity. In this case, management must decide whether the economic opportunity is acceptable while considering the risk associated with the partner's inexperience or whether it is better to partner with another more knowledgeable service provider for an acceptable increase of cost. In this alternative case, the threat risk may be considerably less, and the opportunity could be less interesting.

Example of a supplier evaluation questionnaire

Essential elements of a preliminary evaluation protocol

The evaluation of a selected partner may involve several financial and industrial aspects (see sidebar, "Example of a supplier's evaluation questionnaire"). The evaluation should also contain information about the following:

• Identification of the designated contact person

• Date of the company's foundation

• Company turnover during the past three years and turnover percentage connected to exportation(availability of the company's financial statements)

• Number of employees, their turnover and distribution on the basis of the competence areas (e.g., logistics, administration, production, control)

• Organization chart, roles, and responsibilities

• Analysis of the processes and activities performed internally and externally

• Main products and customers and their percentage division

• Proprietary products registrations

• Problems from natural disasters (earthquakes, typhoons) in the contract manufacturing areas and protective actions

• Dimension and layout of the property (covered and open warehouses, production, offices, etc.), including their building standards, age, and possibility of expansion

• Management of main energy resources (electricity, water, etc.)

• Protection of the area against damages and fire

• Protection from intrusions and terrorism

• Protection and backup of critical and reserved information

• Production organization (e.g., number of shifts)

• Costs for developing starting materials into the finished product

• Saturation level of the most important systems (free capacity) and their age

• Activities automation and information-technology levels

• Existence of management procedures for major good manufacturing practice processes (e.g., review and release of the batches, complaints, market's traceability and recall, deviations, changes, staff education, and training)

• Manufacturing management and product control (e.g., written specifications defined for each product and its components, equipment, and critical validated processes; written analytical methods; batch documentation; and functions dedicated to the planning of productive activities and to materials stocks)

• Main customers, their qualification, and reliability

• Materials management and its status (e.g., conditions of preservation, quarantine status approved and rejected, cleanliness of the areas, shipment conditions and related documentation)

• Local authorizations, licenses, and voluntary certifications (ISO, etc.)

• Preventive-maintenance programs

• Calibration and validation scheduling for control devices and critical equipment

• Materials control and approval levels of the various stages of the manufacturing cycle (e.g., raw materials and packaging materials, bulk and finished product).

• Management of company safety, contingency, and emergency plans

• Control of emissions in the atmosphere and of environmental compatibility

• Company politics in human resources (e.g., no discrimination, equal opportunities, rights, and duties).

Main risk areas

The following are examples of major risk areas:

• Absence of a reference person or reduced professional competence. If the sponsor does not have a stable and competent reference person from the service provider tocollect and discuss the troubles, the company cannot obtain the interdisciplinary supplier evaluation that is often needed in this kind of partnership.

• Inadequate equipment (e.g., inappropriate scale-up equipment)

• Old equipment or bad maintenance

• Absence of backup or contingency procedures

• Difficulty establishing the transformation's costs (e.g., supplier ignorance of the goods and industrial formulation costs, resulting in price variance after the contract is signed)

• Lack of structure or procedures (e.g., personnel experience, culture, and structure).

Check audit

The evaluation questionnaire alone is not enough. Several inspective checks should be conducted before considering the risk and defining the action plan. If the sponsor company wants to know in detail the status of the service provider's capability, more than one audit should be conducted, particularly in the main areas considered critical for business continuity. Focused checks in the critical areas help to better define the risk and the subsequent remediation plan.

It is also essential, when the action plan has been defined, that the sponsor company monitor the carrying out of the interventions contemplated in the action plan and that the partner be reliable and transparent when executing the plan.

The corrective actions defined in the remediation plan must be realized in a defined timeframe and as requested. Any problem during the advancement of this action plan could postpone the project start and have a negative, and sometimes disastrous, effect on business.

Maurizio Battistini is general manager of APP Pharmaceutical Partners Switzerland GmbH, Via Cadepiano, 24 CH-6917 Barbengo, Switzerland, MaurizioBattistini@appdrugs.ch.