Procurement Risk Management

Our Supplier Risk Process

Identify, Analyze, Treat, Review, Repeat

The Roche Risk Management methodology provides the foundation for supplier risk management. Foundational concepts in our approach to risk management include:

  • risk identification,

  • analysis and evaluation of risks,

  • the appropriate response, and

  • tracking and reporting of risks to provide assurance regarding the achievement of objectives.

The Supplier Risk Management Cycle

We assess and actively manage supplier risk as follows:

  • Risk is assessed before we enter into a business relationship through an automated due diligence tool. The tool receives information about the supplier and the nature of their expected product or service and generates customized risk management guidance, including needed additional risk screening. Examples of recommended actions include risk-specific contractual requirements and inclusion of the supplier in a specialized supplier audit program for sites with high risk associated with safety, health and the environment (SHE).

  • Based on the supplier’s inherent and assessed risk, they can be included in a number of specialized risk management programs for ongoing assessment and mitigation. These include, but are not limited to, the following:

    • Regular risk assessment and mitigation planning using our customized online Supplier Resilience Platform. The platform provides risk scores for standardized risk categories and provides corresponding, guided risk mitigation.

    • Formal teams dedicated to monitoring and actively managing specific risks to material flows (e.g. critical suppliers, constrained materials).

  • Events such as storms, geopolitical unrest, fires, and explosions are managed through a program that includes customized and automated alerts from a third party service provider, established stakeholder networks to ensure rapid response, and continuously improving playbooks to guide both response and follow-up.

  • Our supplier risk management programs have systems in place to ensure that risk is reassessed if there are substantive changes to the nature of the product or service provided or if the nature of the relationship with Roche changes. Examples are described below.

    • Changes in supplier location

    • Changes in supplier product or service portfolio

    • Changes in or amendments to contractual terms and conditions

    If changes such as these occur and they impact or could impact the supplier’s risk profile, the supplier is reassessed. Significant incidents, such as regulatory investigations, penalties or negative media attention can also trigger reassessment. A third party risk monitoring service assists us in identifying incidents associated with Roche suppliers.

Supplier Sustainability Assurance Visit Program

Compliance with the Roche Supplier Code of Conduct is assessed through Roche’s Supplier Sustainability Assurance Visit (SSAV) program. The Roche Supplier Code of Conduct includes the Pharmaceutical Supply Chain Initiative (PSCI) Principles and uses the PSCI audit program and tools as the foundation for the Roche SSAV program. Key aspects of the PSCI Principles are depicted below.

The SSAV Process

Roche partners with a third party service provider to perform audits of supplier compliance with our Roche Supplier Code of Conduct. The process is depicted below and involves close coordination between Roche, the supplier, and our third party audit service provider.

Roles and Responsibilities

Supplier Sustainability Assurance Visits are collaborative. Auditors are SA8000 certified and corrective action plans are mutually agreed upon. Roche wants to ensure that suppliers meet our sustainability performance expectations and will assist them in planning to meet those expectations.

In 2022 we conducted 51 Supplier Sustainability Assurance Visits and 40 Safety, Health and Environment (SHE) audits of contract manufacturers worldwide.

In 2022, 75 supplier audit reports and self-assessment questionnaires were shared under the Pharmaceutical Supply Chain Initiative (PSCI) program, of which Roche is a long-time member.

2022 Roche Supplier Audits

In addition to SSAV and SHE, Roche conducts other audits to ensure that our suppliers are best positioned to help us deliver what patients need next. These include, but are not limited to, quality and information technology (IT) audits to ensure effective cybersecurity.

  • Total Supplier Audits: 779

  • Quality Supplier Audits: 226

  • Safety, Health and Environment audit of contract manufacturers: 40

  • Supplier Sustainability Assurance Visits: 51

  • IT Security/Privacy audits: 462

Our suppliers’ expertise and capabilities enable us to deliver medical solutions to address the needs of our patients and benefit society. Their work is an extension of our own.

Roche’s procurement risk management program assesses supplier risk on a routine basis to ensure continuity of supply. The program identifies and actively manages risk throughout the lifecycle of the supplier relationship while ensuring that suppliers continue to meet Roche’s performance requirements and standards as described in our Roche Supplier Code of Conduct.
