Guest Column | July 5, 2016

On The Selection Of CMOs And Strategic Suppliers Evaluating Compliance, Consistency And Resilience In Operations

On The Selection Of CMOs And Strategic Suppliers Evaluating Compliance, Consistency And Resilience In Operations

By Dr. Friedhelm Lotz, Global Risk Experts AG, Switzerland

As part of the selection process of CMOs and strategic suppliers, three issues related to operations deserve particular attention: Compliance, Consistency, and Resilience.

After auditing compliance at the document level, a more difficult task follows: verification that written statements of requirements are followed in practice. No gaps means consistency and shows that management walks the talk, hence it generates trust, a fundamental pre-requisite for any business relationship. High level operational resilience (if diagnosed using a sound risk management approach) adds confidence to all stakeholders regarding continuity of supply.

Possibly the most gap-prone areas to look at in industry are EHS (environmental health and safety) management systems, including related issues such as business continuity management (BCM) and security.

EHS management system audit processes should thus be adapted to:

a) Verify the compliance status in EHS towards external and internal regulations, as baseline requirement

b) Reveal the general walk-the-talk status (consistency) of a company (not just in EHS)

c) Evaluate the company’s operational resilience by identifying most hazards and loss scenarios that may cause disruption and assessing the risk mitigation and emergency strategies in place.

Conventional EHS auditing may be barely equipped for task. A more shop-floor focused and risk management-based EHS auditing approach such as reverse auditing, hybrid auditing, or team-based assessments as described in the this paper, is better prepared for the challenge.

Sound risk-management practices are key in the planning of long-term outsourcing agreements with CMOs and purchasing contracts for APIs and/or finished formulations. This is more important when facing unfamiliar companies that are embedded in foreign cultures, and — last but not least— if quotations are “too good to be ignored.”

Compliance/Performance Gaps In EHS, BCM, Emergency Response (ER) And Security As ’Walk-The-Talk Indicators’ In Operations

After clearing the primary aspects regarding commercial aspects, legal terms and conditions, liabilities, delivery and quality systems, etc., EHS management systems are among those issues to be audited at a rather advanced stage in most evaluation processes. Usually, the main focus here is on legal compliance and specific certifications (e.g. those from the ISO series). According to experience though, mere compliance-centered EHS system audits tend to miss important disruption risks along the operational supply chain. This applies equally to auditing of Business Continuity Management (BCM), Emergency Response (ER) and Security systems.

Having all of the required written policies and certifications at hand is certainly a baseline requirement; more important though is that these documents are thoroughly understood and embraced by all employees down the line. The magnitude of gaps between the levels of EHS compliance on paper and at the shop floor are good “walk-the-talk“ or “performance” indicators, as they tell if a company’s management leads with single or double standards. It is widely recognized in the industry, that considerable and sustained management effort is required to close these gaps. This is illustrated for example in the wording of the mission statement for the Roche Group EHS Policy (2012): “Safety, security, health and environmental matters are handled with the same sense of responsibility, and just as methodically, as issues concerning quality, productivity and cost-efficiency“. (See

In fact, this sentence suggests that issues concerning quality (Q), productivity (P) and cost-efficiency (CE) tend to be handled methodically and with a sense of responsibility ’by default’, while EHS issues require additional, focused efforts to be raised sustainably to a comparable level of importance.

The reason is that P and CE directly impact the bottom line, while Q has a direct influence on the product itself, which is a reason why Q system compliance is so tightly inspected and enforced in pharma by government-linked agencies like the FDA. By contrast, matters such as EHS, BCM, and ER are, roughly speaking, cost factors. Despite being widely governed by regulatory frameworks, regulations are neither homogeneous nor equally enforced around the globe (with the exception of companies with global controlling systems in place for the issues mentioned). In addition, the quality of EHS performance depends very much on barely measurable factors such as housekeeping, maintenance, human behavior, etc., which also may exceed typical audit scopes and hence tend to be neglected.

Not surprisingly, investments and operating costs in EHS tend to be kept at a basic level, just enough to keep processes in place and also because the return on investments for prevention efforts that go beyond that basic level are difficult to estimate. Instead of following a risk-management rationale, important EHS expenditures are usually triggered by a high probability of receiving fines or penalties and by wake-up calls related to serious near-miss incidents in-house or at similar premises in the neighborhood.

Imposed or copied policies are often perceived as nuisance, hence not embraced with conviction if the rationales are not understood. This can generate bizarre distortions, one of which is that compliance efforts tend to go only as far as the inspecting agents are expected to look. It requires tremendous management effort to convincingly sell such policies to employees with the result of generating true awareness.

Does The Conventional EHS Audit Process Need To Be Redefined To Identify Gaps And Obtain Realistic Risk Insights?

Auditing processes typically start on-site with a kick-off meeting, introductions, site presentations, etc. followed by verification of compliance on paper, to evaluate if external and internal regulations are met from a documentation point of view. Being mandatory, this scrutiny at desktop level tend to be very time consuming though, creating time shortage for proper walk-troughs and field-interviews to verify if written policies are reflected in the field, in maintenance operations, housekeeping and in the behavior of employees and management. Gaps may then be overlooked because of lack of time and/or improper setting of priorities. In addition, as hazards with serious disruption potential typically are to be found in operational and in ancillary/support areas, incomplete shop floor evaluations mean that most disruption risks remain un-assessed resulting in incomplete or flawed reports.

Table 1. Levels of insights in EHS auditing – Some Examples

It is cautiously stated, that many conventional, ’generic’ audit schemes mostly focus on paper compliance (up to level II in Table 1), being only barely prepared to go into the next level of detail that is required for proper hazard identification and risk assessment.

Double Standards In EHS And Q

As stated above, Q system compliance is an aspect that by ’default’ gets special attention because it has direct influence on the product itself and is tightly inspected and enforced. Q system failures in Pharma can have severe business consequences that may even lead to bankruptcy. Hence, from an enterprise risk management point of view, Q system non-compliance may easily lead the list of hazards with business disruption potential. Important gaps between compliance on paper and at the shop floor in EHS suggest a general double standard mindset that sooner or later may affect quality system compliance as well. Q-evaluations will therefore certainly benefit from thorough EHS audits.

Alternative EHS Audit Approaches For Better Risk Assessment

Depending on the size/complexity of the site and strategic importance of the products to be produced or supplied, some of the approaches may be combined.

Reverse Auditing (Fig. 1)

  • Inverts the audit process: shop floor scrutiny precedes paper inspection. This approach requires auditors with a high level of field experience; it ensures that most hazards with disruption potential for operations are discovered. High priority is given to physical inspection of ancillary/support areas, e.g.: workshops, ‘remote‘ areas, e.g. ’low salary’ areas, waste collection yards, waste solvent shelters, hazardous waste stores, hazardous materials storage, incinerators, emergency utilities, power generation and distribution, other critical utilities, fire pump houses, waste water treatment plants, perimeter fencing, critical neighborhood, alarm and emergency response systems, etc., workshops, ‘remote ‘areas, e.g. ’low salary’ areas, waste collection yards, waste solvent shelters, hazardous waste stores, hazardous materials storage, incinerators, emergency utilities, power generation and distribution, other critical utilities, fire pump houses, waste water treatment plants, perimeter fencing, critical neighborhood, alarm and emergency response systems, etc. Good performance, behavior, awareness and housekeeping in these areas almost guarantees good performance and compliance in the areas of ’direct’ interest, where products are generated.

Splitting of the audit process

It may be advisable on occasion to split the process into two parts:

1) Compliance on paper and

2) Operational risk assessment.

Hybrid Auditing

  • Maximizes the use of online and videoconferencing tools for most meetings and paper-compliance issues, which frees up time for walk-throughs at a later stage.
  • Cost optimization and time flexibility are additional benefits.

Identification of focal areas for in-depth inspection at a later stage

  • First identifying and later in-depth scrutiny of particular installations, design, maintenance and other specific issues, e.g. power supply resiliency, fire suppression systems, storage of dangerous goods, emergency response, electrical distribution/arc flash safety, environmental issues, etc.

Team-based assessments

  • Combines auditing with training.
  • Effective in helping already pre-selected companies to close their gaps.
  • Leverages the experience and site knowledge of employees for more effective risk assessments, while providing valuable know-how and awareness training.
  • Can be applied for general and focused audit issues, e.g. occupational health, process safety and for those areas requiring specialized chemical or engineering knowledge, e.g. electric safety, natural hazards, waste water treatment, data systems, building safety, emergency systems, etc.
  • There is a much higher likelihood that issues will be seriously addressed since they are freely discussed in a team, which generates better understanding and commitment by all stakeholders in the process.


Trust is a key decision driver in the selection process of strategic partners like CMOs. Important trust-building virtues like compliance, management consistency and operational resiliency can be effectively evaluated using special EHS audit approaches. These are based on sound risk management, include BCM elements and prioritize shop floor over paper scrutiny.