A Roadmap to Pharma Resilience

COVID-19 brought in enormous attention to Pharma resilience as the world faced a global pandemic and prepared for an unprecedented vaccine rollout across the world. But the importance of this topic is not limited to the pandemic. Climate changes, geopolitical tensions/wars, cyber-attacks, reputational damages, financial risks, currency risks, natural disasters, solar flares, and many unforeseen issues can cause massive supply chain network disruptions and impact the availability of life-saving drugs and critical therapies. Many similar disparate incidents caused disruptions in the global pharmaceutical supply chain. In addition to this constant challenge of counterfeiting, regulatory changes, etc., are challenges that a pharma organization needs to plan for. A study by Cytiva highlights that global pharma resilience has weakened since 2021.¹

The potential consequences of not investing in resilience and recovery are not just severe but can be catastrophic, including loss of brand reputation, compromised consumer safety, and financial instability. Hence, in this modern age, it has become more critical for any pharma organization to have a robust strategy for any disasters to protect its brands and ensure its consumers' safety. Pharmaceutical organizations bear a crucial responsibility for patient safety and ensuring the uninterrupted production of drug substances for the final product is not just a business imperative but an ethical obligation.

This article will focus mainly on the business continuity and recovery of Information Technology (IT) systems, but other aspects of resilience are equally important. One stark example of the impact of IT on global pharmaceutical operations is the cyberattack that Merck reported in 2017, which caused revenue impacts of $260 million in 2017 and $150 million in 2018.²

It is crucial to be prepared for supply-chain disruptions caused by malicious activities such as cyberattacks and accidental issues such as the recent CrowdStrike, which caused major disruptions worldwide. Such issues can lead to significant data loss for businesses, with 96% of victims experiencing more than a day of downtime, which impacts production.

There are crucial steps for pharma organizations to practice resiliency. The first step for a pharma organization is to assess its vulnerabilities and strengths. The second step is prioritizing initiatives to address the gaps, reinforce strengths, and monitor critical external events. The final step is to implement, monitor, and adapt the initiatives and learnings to the resilience and recovery plans, making this an ongoing process. Preparedness, response, and recovery strategies must be meticulously laid out to face any eventuality and to reduce the impact, with patient safety at the forefront of these efforts. Overall, these steps can be encapsulated in a robust Information Security Management System (ISMS). A pharma organization should do the following to establish ISMS:

• Establish policies with clear roles and responsibilities.
• Identify and assess information security risks.
• Implement controls and safeguards to mitigate identified risks and protect information assets.
• Develop procedures for detecting and responding/recovering from information security incidents.
• Monitor the effectiveness of information security controls through regular reviews and audits.
• Ensure compliance with relevant legal, regulatory, and contractual requirements related to information security.

Now, pharma executives must dive into other common risks and how they can be managed and mitigated.

Low inventory risks

Pharmaceutical companies typically maintain high inventory levels to minimize supply chain vulnerabilities, but these are not immune to risks. Diversifying material sources, localizing supply chains, and using scenario planning and digital twin simulation to gauge the impact of production slowdowns/ shutdowns help mitigate these risks.

Drug shortage risks

Capacity buffers and considering geopolitical developments are also crucial for minimizing drug shortages. Pharmaceutical manufacturers are subject to strict regulations regarding traceability and batch serialization. Any downtime during a batch run would likely result in the entire batch being discarded, disrupting the continuity of the batch data. This waste has significant cost implications regarding materials, time, and profit. Additionally, backlogs at shipping ports can lead to short-term disruptions, while global events, trade wars, and geopolitical risks pose long-term threats to capacity and capability. Businesses in heavily regulated sectors such as healthcare and personal finance face severe fines and penalties for data breaches due to the critical nature of the data they handle. Implementing a robust disaster recovery strategy can help reduce response and recovery times after an unplanned incident, which is particularly critical in sectors like pharmaceuticals, where the financial penalty often depends on the duration of the breach.

Regulatory risks

These risks encompass the potential for new drugs not being approved by regulatory agencies, alterations in regulations, and heightened scrutiny of drug pricing. Companies can mitigate these risks by staying informed about regulatory changes and ensuring compliance with current regulations. Investing in research and development can help companies ensure that their products meet the required safety and efficacy standards.

Legal risks

Legal risk may arise from product liability, intellectual property, and antitrust issues, potentially leading to lawsuits. Companies can reduce these risks by seeking legal advice and establishing strong compliance programs. These financial risks include declining revenues, heightened competition, and the high costs associated with research and development. To reduce these risks, companies can diversify their product portfolio, implement cost-cutting measures, and invest in new technologies to enhance their operations.

Reputational risks

Reputational risks encompass negative publicity and harm to brand image. To address these risks, companies should prioritize transparency, clear communication, and upholding high ethical standards. In the pharmaceutical industry, managing above risk is of paramount importance. Having disaster resilience and business continuity systems in place is essential to minimizing the impact of these risks. The main goal of BCDR (Business Continuity and Disaster Recovery) is to minimize the impact of outages and disruptions on business operations. Planning documents are crucial for an effective BCDR strategy and aid in resource management. They provide information such as employee contact lists, emergency contacts, vendor lists, test procedures, equipment lists, alternate shipment routes, technical diagrams of redundant systems and networks, etc.

Business continuity (BC) mainly focuses on the organization, while disaster recovery (DR) emphasizes the technology infrastructure. A business continuity plan includes contact information, change management procedures, guidelines for plan usage, step-by-step procedures, and a schedule for reviewing, testing, and updating the plan.

Disaster recovery is a component of business continuity planning that deals explicitly with quickly retrieving data following a disaster. A disaster recovery plan includes crucial action steps during a disaster, contact information, DR team responsibilities, plan usage guidelines, policy statement, geographical risk information, and incident response and recovery steps.

The primary goal of pharmaceutical companies' resilience strategy is to use their risk management functions to enhance patient outcomes. To achieve this, an internal risk committee should be formed, consisting of the company's operational leadership team and risk experts, potentially at different levels of the organization. This helps ensure accountability for assessing and managing risk across the company. The committee should have strong analytic capabilities and access to tools that provide useful data. It's important to establish strong connections with existing governance forums to secure ownership of risk by functional leaders. Leadership teams should map out production sites, distribution centers, and material flows to increase transparency against potential hazards. Regular employee training on Disaster Recovery Plans, roles, and responsibilities is crucial. Conducting mock drills periodically to assess and improve response is recommended. In addition to backing up computer data, keeping an offsite list of insurance policies, banking information, phone numbers, and email addresses of employees, key customers, vendors, suppliers, and other key contacts is essential. There should also be an inventory of business equipment, supplies, and merchandise. By digitizing and centralizing data related to resource allocation and utilization, pharmaceutical companies can optimize resource planning, prevent shortages or overages, and improve operational efficiency.

Pratik Maroo, Head of Healthcare and Life Sciences, Zensar

References

1. 2023 Global Biopharma Resilience Index, by Cytiva. Link: https://cdn.cytivalifesciences.com/api/public/content/dfNVgLAyxEGcOE2XCy8Ydg-original
2. Merck Announces Fourth-Quarter and Full-Year 2018 Financial Results. Link: https://www.merck.com/news/merck-announces-fourth-quarter-and-full-year-2018-financial-results/