Risk Management Outside Your Four Walls: Implementing

Risk Management outside Your FourWalls: Implementing Risk Strategiesfor the Supply-ChainTim Lozier, EtQ, Inc.CONFIDENTIAL: This document contains information that is confidential and proprietary to EtQ, Inc. Disclosure, copying,www.etq.com 1.800.354.4476distributionor use withoutthe express permission of EtQ is prohibited. Copyright 2016 EtQ, Inc. All rights reserved.ISO 27001Certified

Agenda Looking at the challenges surrounding the Supply‐ChainUnderstand the risks associated with Supply‐Chain ComplianceWhat is the Supplier Network and how does it impact operations?Identify the Gaps and Fillers the Supplier Network can controlUnderstanding the Risk Management dynamic in the Supply ChainTools for assessing risk in the Supply‐Chainwww.etq.com 1.800.354.4476

Increasing Rate of Changewww.etq.com 1.800.354.4476

There is an Increasing Rate of Change We are more complex Global Scale of Production, Design, Sourcing More Mergers, Acquisitions Growing Supply‐Chain There is more competition Competition leads to shorter product lifecycles Increases in product complexity More variety of goods in more areas Companies need to maintaincompliance AND keep up with thepace of business!www.etq.com 1.800.354.4476

Challenges in the Supply Chain Outsourcing On the Rise17% of companies have true end‐to‐end visibility into supplieroperationsJust 25% of a typical company’s end‐to‐end supplychain is being assessed in any way for risk.53.5% of companies are planning toinvest in additional IT to improve supplychain visibility by 2018.www.etq.com 1.800.354.4476

Challenges in the Supply Chain Factors driving these trendsTime to MarketReduce CostsTransfer riskFocus on brand owner core competenciesLeverage new technology fasterSpecialized knowledge and skills in SuppliersGreater flexibility in the Supply Chain Challenge: increased outsourcing creates new risks!www.etq.com 1.800.354.4476

Challenges in the Supply Chain: Trends The Internet of Things (IoT) Digitization of Data Shift to Big (but Usable) Data SCM Organizations Will Begin to AdoptApplication Convergence Strategy Risk Management Comes to the Forefront Operations Planning and Inventory OptimizationGo Under the Microscopewww.etq.com 1.800.354.4476

Challenges in the Supply Chain Risks Associated with the Supply ChainDependenceon SuppliersDifferentVisionsLoss ofOperationalControlLoss of IP &CounterfeitingLoss of CriticalSkillswww.etq.com werVisibility inPerformanceand Quality

Challenges in the Supply Chain How can we mitigate Risk?Dependenceon SuppliersDifferentVisionsLoss ofoperationalControlLoss of IP &CounterfeitingLoss of CriticalSkillswww.etq.com werVisibility inperformance/quality

Challenges in the Supply ChainHow can we mitigate Risk?Disaster recovery plan for supplychain interruptions, Contingenciesin the Supply Chain DependenceDifferentVisionson SuppliersDifferencesPromote industry groupsLoss of andoperationalstandards adoption,Invest inControlTrack‐and‐Trace technologies,Integrate business systemsLoss of IP &Risk Managementplan to protectCounterfeitingIPLoss of CriticalWhat skillsshould we retain?SkillsWhat are the core activities?www.etq.com 1.800.354.4476Supplier selection based on morethan specs and cost, Move fromSupplyChain to Supplier lement an automatedSupplierperformanceQuality Network/quality

Challenges in the Supply Chain Top risk mitigating strategiesSource: Aberdeen Groupwww.etq.com 1.800.354.4476

How your QMS Supports the Supply ChainExtendQuality tothe SupplyChainQMSComplianceManagementin the SupplyChainImplementRiskManagementto ImproveCompliancewww.etq.com 1.800.354.4476 Change controlSupplier performanceOut‐of‐specification managementComplaints handlingCAPA programSpecification management Culture?Processes?Quality system?Sub‐contractors? Define acceptable level Real time monitoring

Current Gaps: Supplier OnboardingAuditSupplierwww.etq.com 1.800.354.4476ApprovedSupplierSpecificationManual or Offlineprocess

Filling the Gap: Automating Supplier Approval1.2. 3.Access provided to relevant modulesDashboard assigned to the SupplierAllow the supplier administrator to build their profileFilters applied to the User’s profile to showonly the relevant datawww.etq.com 1.800.354.44764.

Current Gaps: Existing Supplier CollaborationManual or OfflineprocessApprovedSupplierwww.etq.com 1.800.354.4476Specification

Filling the Gap: Automate Specification ApprovalInternal cation& ProfileA copy of specification is createdalong with the information neededfor the supplier to approve the specwww.etq.com 1.800.354.4476Internal SystemsThe Supplier signs off on the Specification.If the Supplier cannot deliver to thespecification, it is sent back and forth tilla version is agreed uponSpecificationApproved

Current Gaps: Annual Supplier AuditsAuditManual or OfflineprocessSelf AssessmentAudit PerformedSCAR Issuedwww.etq.com 1.800.354.4476Supplier

Filling the Gap: Automate the Supplier AuditInternal SystemsAuditSupplierNetworkSolutionAuditA Planned Supplier Audit is scheduled.It is sent to the supplier to provideSelf‐Assessment informationwww.etq.com 1.800.354.4476Internal SystemsSelf AssessmentThe supplier does a self assessmentand sends the results back

Supplier Audit (cont.)Internal SystemsAudit ResultsSupplierNetworkSolutionAudit ResultsThe Results of the Audit are reviewedwith the supplier. The Supplier has anopportunity to provide additional feedbackor agree to Nonconformitieswww.etq.com 1.800.354.4476Internal SystemsCompleted AuditThe Supplier signs off on the agreedAudit results and SCARs/Actions areIssued as necessarySCAR

Current Gaps: Receiving ShipmentsManual or Rwww.etq.com 1.800.354.4476Execute theDisposition

Filling the Gaps: Resolving nal SystemsInternal SystemsNonconformanceA nonconformance with batch/lotinformation is sent to Supplier alongwith the nonconformance informationSCARwww.etq.com 1.800.354.4476Execute theDispositionThe Supplier investigates the issueand recommends a disposition. ThisInformation is then sent to the InternalRep for Review

Current Gaps: Supplier Corrective ActionsSCARSCAR Verified& Completedwww.etq.com 1.800.354.4476SupplierSCAR ImplementedManual or Offlineprocess

Filling the Gap: SCARInternal SystemsSupplierNetworkSolutionInternal SystemsSCARSCARA SCAR is sent to the Supplier.This record is assigned to a Suppliercontact, and is assigned a due datewww.etq.com 1.800.354.4476The Supplier performs Root Causeanalysis, determines corrective action,and due dates and sends it back

SCAR (cont.)Internal SystemsSCARApprovedSupplierNetworkSolutionSCARThe SCAR is approved and sent backto the Supplier. It is assigned to theSupplier contact with respective due datewww.etq.com 1.800.354.4476Internal SystemsSCAR Verified& CompletedThe Supplier Implements the SCAR,provides evidence of completion andsends it back

Filling the Gap: Supplier Deviations/WaiversSupplierNetworkSolutionThe Supplier sends a Waiver requestto deviate from the Approved specification.www.etq.com 1.800.354.4476Internal SystemsSupplierNetworkSolutionThe Deviation is reviewed and approvedInternally and upon receiving internalApprovals, is sent back

Risk Management Process Risk Management is a broad standard (ISO 31000)Risk IdentificationRisk EvaluationDevelopment and evaluation ofrisk assessment methodsRisk management decisionsImplemented solutionwww.etq.com 1.800.354.4476Identify all relevant risks (e.g., hazardanalysis)Quantify the risk (e.g., probability andseverity)Implement a processUse objective and proven toolsAccept (worth it), reduce (mitigate),compensate (insure), transfer (partner),avoid (stop)Change management to introduce orimprove controls

Common Tools for Risk Management Treatment(a sample) Decision Tree Risk Matrix Failure Modes andEffects Analysis (FMEA) Bowtie Risk Registerwww.etq.com 1.800.354.4476

Decision Tree AnalysisEasy to integrate with everyday processeswww.etq.com 1.800.354.4476

Risk MatrixQuick, easy, colorfulwww.etq.com 1.800.354.4476Quantifies the risk level usingtested assumptions

Failure Modes and Effect AnalysisFor design of products and processeswww.etq.com 1.800.354.4476

FMEA Processwww.etq.com 1.800.354.4476

Sample FMEA Formwww.etq.com 1.800.354.4476

Bowtie ModelFor low-occurrence events that are catastrophicwww.etq.com 1.800.354.4476

Bowtie ExampleFor low-occurrence events that are catastrophicwww.etq.com 1.800.354.4476

Risk Register Monitors risk levels over time Library of hazards (typically known for each industry) Collects risk assessment data from many processes Provides visibility into critical events and data for trend reportingPDCA Cyclewww.etq.com 1.800.354.4476

Summary Supply Chain is Becoming More Complex Many risks associated with growing supply chain Mitigating risks is primarily a strategic initiative Supplier Quality Network Cornerstone of Compliance Comprehensive, standardized QMS extends to Supply Chain through the This network Key quality processes encompass supplier operations Risk management is critical to maintaining compliance Apply Risk Management to the supply‐chain Use a objective and repeatable risk management tools Integrate risk assessment into the compliance processes Risk Management is also a Strategic Initiativewww.etq.com 1.800.354.4476

Thank you! Questions?Designed for smallworkgroups in Quality, EHSand Compliance looking totrack events, issue actionitems and launch correctiveactions.Designed especially for SMBcompanies that are lookingfor full functionality in anaffordable SaaS solution.Designed for global, multi‐site deployments, with theneed to integrate complianceacross the enterprise.Free DownloadTake a Free TrialRequest a q.comwww.etq.com 1.800.354.4476

Risk Management Process Risk Management is a broad standard (ISO 31000) Risk Identification Risk Evaluation Development and evaluation of risk assessment methods Risk management decisions Implemented solution Identify all relevant risks (e.