Securing every link in the chain during COVID-19
The unknown risks businesses face
The Harvard Business Review recently made a stark statement with regard to global supply chains: The vast majority of global companies have no idea of what their risk exposure is; that's because few, if any, have complete knowledge of all the companies that provide services or parts to their direct suppliers.
The unfolding coronavirus pandemic has thrown into sharp relief just how complex and interdependent today's international supply chains are – and how little visibility companies can have over those interdependencies. Organisations are being forced to adapt and plan for dramatic impacts up and down their supply chains, with some deploying all-new tools and solutions in order to facilitate last-minute remote working – often with very little understanding of how those new solutions might affect their own security and risk levels.
These issues go far beyond third parties alone. The chain of security and risk responsibility goes much further; a substantial proportion of supply chain disruption is due to problems with fourth parties. Fourth parties are the suppliers of your third parties, over whom, more often than not, you do not have clear visibility and assurance.
Effective visibility over today’s global and fast-moving supply chains needs to strike a careful balance. Members of that supply chain need to be properly scrutinised – certain processes, tools and technologies need to be confirmed. Yet this scrutiny needs to be done in an efficient and agile way, without requiring organisations who may be several links away in the chain to undertake really onerous processes.
What’s the solution?
The answer, then, is a lightweight assessment question set focused on the most important aspects of managing business operations through adversity. This assessment must be able to be pushed out to any organisation in your supply chain – whether they are third parties, qualified fourth parties or beyond – to rapidly gain a clear picture of their response to security and risk in the current climate. To provide additional business context, users of the application should be able to add their own questions to the assessment.
Organisations deploying such a solution need to combine documentation of their own key assets and processes with assessment of their critical suppliers’ management of security and risk. And all this intelligence needs to be reported in a clear and intuitive way, through flexible dashboards which can be tailored to the needs of different stakeholders within the organisation. SureCloud’s free solution for supply chain risk does all of the above and more.
The questions you need to ask
Supply chain assurance needs to take in a broad spectrum of information. It's not just about the obvious – what cybersecurity tools do they have in place, who is responsible for which process, what the contingency plans are – but also 'softer' information like where their offices are based and who their customers are. Supply chain audit solutions need to be able to collect all this data as efficiently as possible, which means that cloud-based solutions are often most appropriate. Third and fourth parties and beyond can respond to digital questionnaires with the information collated and aggregated automatically. The result is a snapshot view of the health – or risk – of the supply chain at any time.
This approach gives businesses a time advantage as questionnaires can be sent directly to crucial suppliers in a matter of days or even hours, enabling a quicker understanding of affected products and/or services. This, in turn, helps measure the potential impacts posed by supplier risks and determine wider impacts on the supply chain.
Global insights: giving back to the community
There are broader impacts with a cloud-based solution too. With multiple organisations using the same tool, they can collectively build valuable global insight into the current state of the supply chain, which then supports other organisations with their resilience strategy.
If the results of such supply chain audits are anonymised and aggregated, suppliers can use them to measure and report on global trends relating to the impact and readiness of supply chains. In turn, such analysis can be used to develop new guidance and create a dialogue to further improve supply chain management. It’s about building an international, dynamic knowledge base.
Effective supply chain management is particularly important in this time of global crisis. The effects of the coronavirus pandemic have transformed the way suppliers are managed and relied upon and created uncertainty for third party risk programmes. As with so many other areas of response to COVID-19, by working together, organisations can make a really powerful difference.
Medical device companies: how to prepare for Brexit
Over the last decade, medical device businesses have been no strangers to regulatory changes and new compliance requirements. Companies with devices in the EU market have been working hard to achieve conformity with the requirements of the EU Medical Device Regulation 2017/745 (MDR) and In Vitro Diagnostic Regulation 2017/746 (IVDR), but the UK’s exit from the EU, effective as of 1st January 2021, demands yet another change: to comply with the new UK regulatory regime.
The Medicines and Medical Devices Act, passed into law on 11 February 2021, does just that; it enables the UK to build its own regulatory system, although when this new framework will be fully in place is not yet known.
The transition to the UK’s new regulatory regime officially began on the 1st of January 2021, and with it a series of deadlines and phases that medical device manufacturers exporting to GB and Northern Ireland would do well to take close notice of. During the transition period, the UK Medical Devices Regulations (UK MDR) 2002, not to be confused with the EU MDR, will continue to apply in England, Scotland and Wales, whilst CE marked medical devices will still be accepted up to 30th June 2023.
The conformity assessment processes defined in the UK MDR 2002 (as amended) will require that medical devices carry the UKCA mark for entry in the GB market or the UKNI mark for entry in Northern Ireland (where the devices are not CE marked for the EU). In Northern Ireland, where the rules for placing a device on the market differ, the EU MDR and IVDR will apply in 2021 and 2022 respectively, in line with the EU’s implementation timeline.
This easing-in period of transition is valuable time that should be used productively by manufacturers to ensure that they get up to speed, keep up with relevant updates and prepare strategies and product portfolios for the next phase. To do this, businesses should make sure they consider the following areas as they assess their strategy for UK market access:
Potential Overlap with EU MDR and IVDR
Medical device manufacturers have been working to implement measures to ensure they comply with EU MDR and IVDR for quite some time. The experience, processes and objective evidence that they have gathered in these efforts are certain to be of use when applying for UKCA marking.
Product portfolios and new product pipelines should be evaluated against both overall compliance risk and commercial and strategic value. By identifying the regulatory compliance status for each product for the UK market and the efforts required to maintain that compliance, manufacturers can plan to use the grace period up to June 2023 to complete their activities. These plans should also be evaluated in consideration of the commercial importance of the individual products to help prioritise the workload. This may well result in the decision to discontinue certain products in the UK or to introduce new products on the UK market ahead of other markets.
Engage with Approved Bodies
This activity cannot take place too soon; as of the 1st of January 2021, UK organisations that were acting as EU Notified Bodies have become Approved Bodies in the UK, while EU Notified Bodies are no longer able to provide conformity assessments under the UK regulations. As there are currently only three UK Approved Bodies offering this service, there is a very real risk that latecomers will struggle to find a UK Approved Body to carry out the conformity assessment required to attain their UKCA mark in time.
Just as EU Notified Bodies are no longer relevant to pursuing UK certifications, UK-based Authorised Representatives are no longer valid when CE marking against the MDR or IVDR. Manufacturers using UK-based EU Authorised Representatives must switch to an EU-based Authorised Representative.
For the UK market, the role of the EU Authorised Representative is also no longer applicable. Non-UK manufacturers must have a UK-based Responsible Person (UKRP), which is equivalent to the EU Authorised Representative in terms of roles and responsibilities. Only one UKRP may be appointed, unlike EU Authorised Representatives, and they must have a registered place of business in the UK in order to register with the MHRA. Approved Bodies may be able to provide details of organisations acting as UKRPs, and once this role has been assigned it will be critical for manufacturers to determine exact procedures for managing documentation and to establish clear communication channels.
Labelling and Import/Export
New UK regulations require that medical devices bear a UKCA mark in addition to the name and address of the UKRP for non-UK based manufacturers. Manufacturers who use the same products/packs for the EU and UK markets will need to consider the impact of adding more content to their labels in terms of usability for the supply chain and end-users.
While CE marking and certificates will continue to be recognised by the UK until June 2023, import/export administration is likely to change and become more burdensome. Manufacturers using separate products for GB (UKCA) and the EU and Northern Ireland (CE marked) will need to plan for how to ensure that the CE marked product is not shipped to GB post June 2023. Ensuring that processes and resources are in place to deal with developing situations will help manufacturers hit the ground running.
Many businesses will find that clinical investigations are carried out across multiple sites, some of which are outside the UK. In these instances, manufacturers will do well to have a plan for implementation and management of investigations, in compliance with local requirements. It is likely that the MHRA will also continue to update their requirements for clinical trials in the UK.
Data Protection and Standards
New tensions are emerging between the EU and the UK concerning UK data protection rules and the EU’s General Data Protection Regulation (GDPR), suggesting that maintaining ‘equivalency’ may involve a number of different phases.
Compliance with applicable standards also requires close attention; the list of designated standards for medical devices issued by the UK’s Department for Health and Social Care is based on the list of harmonised standards published in the Official Journal of the EU, which in turn are harmonised to the MDD, AIMDD and IVDD. More recently published standards, however, have not been harmonised to the latter European directives and are thus not in the UK’s designated list, despite being considered state of the art. It would be prudent for manufacturers to monitor the state-of-the-art standards and apply where applicable, rather than rely on superseded and outdated standards.
As the UK moves into a new regulatory regime, medical device manufacturers who have already invested time and resources to comply with EU MDR and IVDR can use this to attain their UKCA mark. However, a dynamic compliance environment combined with the new onus relating to export policies means that close attention needs to be paid on numerous fronts. Keeping pace with this changing environment will ensure that manufacturers face the future with confidence and do not lose important space in their markets.