Procurement Risk Management

Our suppliers’ expertise and capabilities enable us to deliver medical solutions to address the needs of our patients and benefit society. Their work is an extension of our own.

Roche’s procurement risk management program assesses supplier risk on a routine basis to ensure continuity of supply.

Our Supplier Risk Process

Identify, Analyze, Treat, Review, Repeat

Theprovides the foundation for supplier risk management. Foundational concepts in our approach to risk management include:

  • Risk identification,

  • analysis and evaluation of risks,

  • the appropriate response, and

  • tracking and reporting of risks to provide assurance regarding the achievement of objectives.

The Supplier Risk Management Cycle

We assess and actively manage supplier risk as follows:

  • Risk is assessed before we enter into a business relationship through an automated due diligence tool. The tool receives information about the supplier and the nature of their expected product or service and generates customized risk management guidance, including needed additional risk screening. Examples of recommended actions include risk-specific contractual requirements and inclusion of the supplier in a specialized supplier audit program for sites with high risk associated with safety, health and the environment (SHE).

  • Based on the supplier’s inherent and assessed risk, they can be included in a number of specialized risk management programs for ongoing assessment and mitigation. These include, but are not limited to, the following:

    • Regular risk assessment and mitigation planning using our customized online Supplier Resilience Platform. The platform provides risk scores for standardized risk categories and provides corresponding, guided risk mitigation.

    • Formal teams dedicated to monitoring and actively managing specific risks to material flows (e.g. critical suppliers, constrained materials).

  • Events such as storms, geopolitical unrest, fires, and explosions are managed through a program that includes customized and automated alerts from a third party service provider, established stakeholder networks to ensure rapid response, and continuously improving playbooks to guide both response and follow-up.

  • Our supplier risk management programs have systems in place to ensure that risk is reassessed if there are substantive changes to the nature of the product or service provided or if the nature of the relationship with Roche changes. Examples are described below.

    • Changes in supplier location

    • Changes in supplier product or service portfolio

    • Changes in or amendments to contractual terms and conditions

    If changes such as these occur and they impact or could impact the supplier’s risk profile, the supplier is reassessed. Significant incidents, such as regulatory investigations, penalties or negative media attention can also trigger reassessment. A third party risk monitoring service assists us in identifying incidents associated with Roche suppliers. We ensure relevant procurement colleagues and relationship managers are appropriately trained in our Risk Management program.

Supplier Sustainability Assurance Visit Program

Compliance with the Roche Supplier Code of Conduct is assessed through Roche’s Supplier Sustainability Assurance Visit (SSAV) program. The Roche Supplier Code of Conduct includes the Pharmaceutical Supply Chain Initiative (PSCI) Principles and uses the PSCI audit program and tools as the foundation for the Roche SSAV program. Key aspects of the PSCI Principles are depicted below.

The SSAV Program is a Group-wide program that is applicable to all Roche suppliers (Pharma, Diagnostic and Diabetes Care).

The SSAV program aims to:

  • Strengthen collaboration between Roche and its suppliers, regardless of the level of cooperation and division

  • Minimize the risk of cooperating with suppliers not following legal obligations, or our core principles and values

  • Meet the legal requirements of proper due diligence of our supply chain, in particular regarding sustainability aspects and human rights

The SSAV Program and audit process follow the Plan-Do-Check-Act (PDCA) cycle:

  • Plan: Supplier Audits are triggered based on a risk-based approach considering country-based criteria, business-related characteristics (e.g. business volume, spend category), and other elements supporting prioritization for planning purposes ( need).

  • Do: Independent third party auditors assess a supplier’s compliance with the Roche Supplier Code of Conduct and other rules and regulations (e.g. Responsible Business Initiative, German Supply Chain Act). The audit process comprises six steps and is presented below.

  • Check: In case of findings classified as critical or major, Roche works together with the supplier to achieve a higher standard and arranges a follow-up audit within a year. The program manager and dedicated internal governance body perform monitoring of the SSAV Program, audit results and KPIs.

  • Act: We monitor the quality of external audit service providers on an ongoing basis and communicate the results and KPIs on a quarterly basis. We cooperate with global and local procurement to improve the relationships with the suppliers, realize the Corrective Action Plan (CAP) and close the SSAV findings.

A risk-based approach is used to identify high-risk suppliers among the Roche group significant suppliers*. It consists of two criteria-based steps that assess the suppliers:

  • Human Rights Risk Criteria use risk ratings from respected external social and human rights risk indices such as Children’s Rights at the Workplace - Unicef Index, Global Slavery Index, OECD country classification, and Global Rights Index

  • Other Sustainability Risk Criteria such as country CAHRA index (conflict minerals), Minamata, Basel and Stockholm convention status are considered to assess external sustainability parameters

Internal business-related criteria as well as Audit history are also taken into consideration (industry segmentation, spend etc.)

Final risk assessment scoring decides whether a supplier will be the subject of an SSAV or not.

The SSAVs are performed by a third party service provider that has been included in the list of accepted audit service providers in accordance with the PSCI protocol. The process is depicted below and involves close coordination between Roche, the supplier and our third party audit service provider.

External auditors are SA8000 certified or equivalent, and corrective action plans are mutually agreed upon. Roche wants to ensure that suppliers meet our sustainability performance expectations and will assist them in planning to meet these expectations. We regularly follow up with our suppliers on their progress and close the CAP. If the mutually agreed goals are not met we take appropriate remediation action.

2023 Roche Supplier Audits

In 2023 we conducted 69 sustainability audits (Supplier Sustainability Assurance Visits) and 37 Safety, Health and Environment (SHE) audits of contract manufacturers worldwide. The 2023 Roche SSAV Program KPIs are presented

In addition to SSAV and SHE, Roche conducts other audits to ensure that our suppliers are best positioned to help us deliver what patients need next. These include, but are not limited to, quality and information technology (IT) audits to ensure effective cybersecurity.
