3 Key Steps for Supplier Risk Assessment in MedTech

January 16, 2025


Supplier management is one of the fundamental processes in MedTech. Not only is it a regulatory requirement in both the US and the EU, but your ability to manage your suppliers, and to actually obtain the goods and services you’ve contracted for, is paramount to producing safe and effective medical devices.

However, not all suppliers are created equal. Some will supply you with more critical products and services than others, and some suppliers may require more monitoring than others. The upshot of this is that MedTech companies need to take a risk-based approach to their supplier management. And the cornerstone of that risk-based approach is your supplier risk assessment.

BONUS CONTENT: Use this Supplier and contract manufacturer checklist to help you choose the right suppliers for your business!

What is supplier risk assessment?

A supplier risk assessment is the process by which a company identifies, evaluates, and controls potential risks associated with each of the company’s suppliers. These potential risks include a variety of factors, including the supplier’s ability to deliver the goods or services as agreed upon, their financial stability, and their compliance with various regulations and standards.

Why supplier risk assessment matters in MedTech

A risk-based approach to supplier management depends on a comprehensive assessment of the risks involved with each of your suppliers. Different suppliers will have different risks associated with the products or services they provide, and you have to take those differences into account when you are qualifying new suppliers and deciding on monitoring and contingency plans. 

Without a good understanding of the potential impact to your product that each supplier carries, you may end up blindsided by supplier issues that could have been controlled (or at least foreseen) with a proper risk assessment. 

Remember, your medical device is only as good as its parts. If the products or services you receive from suppliers are low-quality, your device will be low-quality—and that puts patients at risk.

How do you assess risk when evaluating suppliers?

Your supplier risk assessment is part of your general supplier qualification process, and should occur before you sign formal agreements with your suppliers. That’s because your formal agreement will include things like an audit schedule and other supplier monitoring activities. The particulars of those activities should stem from the level of risk associated with each supplier.

1. Determine whether the supplier is critical or non-critical

While this is not the only way to begin determining the level of risk each supplier poses, it is a useful starting point that many MedTech companies use. 

Each new supplier will go into one of two categories:

  • Non-critical suppliers have no direct or indirect relationship with the product or manufacturing processes, such as a business that supplies your stationery or caters meals for you. These are still suppliers, but they don’t have to go on your Approved Supplier List (ASL) and you won’t need to assess the risk associated with them.

  • Critical suppliers have a direct or indirect relationship with the product or process and they must be qualified and placed on your ASL if you want to order anything from them. Any supplier that is deemed a critical supplier will move onto the next step in the risk assessment process. 

2. Organize critical suppliers by potential risk

Every critical supplier should be categorized based on its potential impact on product safety. Many companies use a three-tiered risk system, though you can add more tiers to yours if you feel it’s necessary to delineate more carefully. 

  • Tier 1 - Highest Risk: Includes any integral component of the device that impacts safety. Also includes contract manufacturers assembling the device. This would also include services like sterilization that impact the safety of the device.

  • Tier 2 - Medium Risk: Includes custom, device-specific components that don’t directly impact device safety. This tier also includes services like pest control and your logistics and shipping provider.

  • Tier 3 - Lowest Risk: Standard, “off-the-shelf” items such as office and cleaning supplies. Any consultants you use that provide a service related to the product or processes would likely fall under this tier.

Keep in mind that business risk matters here as well as patient-safety risk. For example, let’s say you have a single supplier on your ASL that supplies you with a complex component of one of your devices. If that supplier were to go out of business or otherwise stop providing you with that component, how long would it take you to qualify another supplier? Are there any other suppliers who could make that component?

In other words, even if a specific part doesn’t carry an enormous risk to patient safety, the supplier could still be deemed “high risk” if you don’t have other options. That might require you to manage the relationship more carefully and put a contingency plan in place. 

3. Choose your monitoring activities based on risk

Knowing the risks involved with each of your suppliers is one thing; using that knowledge constructively is another. Your supplier risk assessment should inform how you monitor your suppliers throughout your relationship, which means you need to answer questions like:

  • Will we be auditing this supplier? If so, how often will we audit them?

  • How often will we fill out a supplier scorecard for this supplier? Every month? Every quarter?

  • Will we check every batch of product they send us? Or will we accept their certificates of analysis?

For instance, you’ll need to audit all of your Tier 1 suppliers before adding them to your ASL. After that, you would generally audit them every one to two years to ensure they are still able to supply products that meet your specifications—and do so in a manner that is compliant with regulations. Higher risk means you’ll also want to fill out a supplier scorecard more frequently than you would for Tier 2 or Tier 3 suppliers. You might also perform spot checks on incoming product, or even choose to inspect 100% of the first few shipments.

Tier 2 suppliers will also likely need an onboarding audit, but you may decide on less frequent on-site audits. You may also decide to fill out their supplier scorecard on a less frequent basis. And for Tier 3 suppliers, you may not need to audit them at all unless you have cause, such as a poor supplier scorecard or a high number of complaints.

Keep in mind that risk-mitigation strategies are often dependent on context and individual circumstance. For instance, you might decide to reduce the monitoring of a well-performing supplier who has been providing consistently good product and service—maybe auditing them once every two years instead of every year. 

On the other hand, a low-performing supplier may require you to work with them to improve their performance. That may mean a heavier audit schedule or submitting Supplier Corrective Action Requests (SCARs).
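As an added example (not Greenlight Guru’s code or a feature of its product), here is a small Python model of the three steps above: gate on criticality, assign a tier by impact on product safety, escalate sole-source suppliers to high-risk handling, and derive monitoring activities from the result. The tier rules follow the article; the Supplier attributes, the cadences in months, and the thresholds for relaxing or tightening monitoring are illustrative assumptions that a real quality system would set in its own procedures.

```python
"""Hypothetical supplier risk model following the three steps in the article.

Added example, not Greenlight Guru code. Tier rules follow the article; the
numeric cadences and thresholds below are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    TIER1 = 1  # highest risk: safety-impacting parts, contract manufacturers, sterilization
    TIER2 = 2  # medium risk: custom device-specific parts, pest control, logistics
    TIER3 = 3  # lowest risk: off-the-shelf supplies, product-related consultants


@dataclass(frozen=True)
class Supplier:
    name: str
    touches_product_or_process: bool      # step 1: any direct or indirect relationship?
    impacts_safety: bool = False          # integral safety component, assembly, sterilization
    custom_component: bool = False        # device-specific but not safety-impacting
    single_source: bool = False           # no qualified alternative supplier exists
    consecutive_good_scorecards: int = 0  # performance history (assumed input)
    open_complaints: int = 0              # complaints attributed to this supplier


@dataclass
class MonitoringPlan:
    on_asl: bool
    assessed_tier: Optional[Tier]
    managed_as: Optional[Tier]            # tier after business-risk escalation
    contingency_plan_required: bool
    onboarding_audit: bool
    audit_interval_months: Optional[int]  # None = for-cause audits only
    scorecard_interval_months: Optional[int]
    incoming_inspection: str
    issue_scar: bool


# Illustrative baseline per tier: (onboarding audit, audit months, scorecard months, inspection).
_BASELINE = {
    Tier.TIER1: (True, 12, 1, "inspect 100% of first shipments, then spot checks"),
    Tier.TIER2: (True, 24, 3, "accept certificate of analysis with periodic spot checks"),
    Tier.TIER3: (False, None, 12, "accept certificate of analysis"),
}

# Illustrative thresholds for adjusting the plan on performance (assumptions).
GOOD_HISTORY_SCORECARDS = 12   # this many clean scorecards earns reduced monitoring
COMPLAINT_SCAR_THRESHOLD = 3   # this many open complaints triggers a SCAR


def assess_tier(s: Supplier) -> Optional[Tier]:
    """Steps 1 and 2: gate on criticality, then tier by impact on product safety."""
    if not s.touches_product_or_process:
        return None                      # non-critical: not on the ASL, no risk tier
    if s.impacts_safety:
        return Tier.TIER1
    if s.custom_component:
        return Tier.TIER2
    return Tier.TIER3


def plan_monitoring(s: Supplier) -> MonitoringPlan:
    """Step 3: derive monitoring activities from tier, business risk and performance."""
    tier = assess_tier(s)
    if tier is None:
        return MonitoringPlan(False, None, None, False, False, None, None, "none", False)

    # Business risk: a sole-source part is managed as high risk even when its
    # patient-safety impact is low, and it needs a contingency plan.
    managed_as = Tier.TIER1 if s.single_source else tier
    onboarding, audit_m, scorecard_m, inspection = _BASELINE[managed_as]

    issue_scar = s.open_complaints >= COMPLAINT_SCAR_THRESHOLD
    if issue_scar:
        # Poor performer: tighten the audit schedule (for-cause audit for Tier 3).
        audit_m = 6 if audit_m is None else max(6, audit_m // 2)
    elif audit_m is not None and s.consecutive_good_scorecards >= GOOD_HISTORY_SCORECARDS:
        # Consistently good performer: relax, e.g. yearly -> every two years.
        audit_m = audit_m * 2

    return MonitoringPlan(True, tier, managed_as, s.single_source, onboarding,
                          audit_m, scorecard_m, inspection, issue_scar)


if __name__ == "__main__":
    # Constructed sample suppliers, not real companies.
    for sup in (Supplier("Caterer", touches_product_or_process=False),
                Supplier("EO sterilizer", True, impacts_safety=True),
                Supplier("Custom bracket", True, custom_component=True, single_source=True),
                Supplier("Cleaning supplies", True, open_complaints=3)):
        print(sup.name, plan_monitoring(sup))
```

The point of keeping the assessed tier and the managed-as tier as separate fields is auditability: an assessor can see that a Tier 2 part is being monitored on a Tier 1 schedule because it is sole-sourced, rather than wondering why the tier rule was bent.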


Greenlight Guru makes it simple to manage all your supplier relationships, all in one place

MedTech companies with a single device can easily need dozens of suppliers—larger businesses may have hundreds of them. Managing all of those relationships, especially when you’re taking an individualized, risk-based approach, can be a headache for even the most organized company. 

But with the right supplier management solution, you can bring all your suppliers into a single system and navigate all your relationships with ease. With Greenlight Guru Quality, you’ll have a dedicated Supplier Management workspace that’s connected to the rest of your QMS software. You’ll be able to see all your suppliers in a single view, search by name or ID number, filter by criticality or status, and quickly find what you’re looking for.

You’ll also be able to attach supporting documents to individual suppliers, add contact information, and set reminders for upcoming events like audits, scorecards, or renewals. And you can do it all in the same QMS software you use for risk management, product development, and all your other related QMS processes. 

If you’re ready to see how a connected supplier management solution can take the hassle out of your supplier relationships, then get your free demo of Greenlight Guru today!

Etienne Nichols is the Head of Industry Insights & Education at Greenlight Guru. As a Mechanical Engineer and Medical Device Guru, he specializes in simplifying complex ideas, teaching system integration, and connecting industry leaders. While hosting the Global Medical Device Podcast, Etienne has led over 200...
