Microsoft word - pharmaceutical2.docCREATING A BUSINESS CASE FOR SECURITY
IN THE PHARMACEUTICAL SECTOR
Report prepared by: JOHN GLOVER CONSULTING, INC.
Copyright 2006 Council on Competitiveness
CREATING A BUSINESS CASE FOR SECURITY
IN THE PHARMACEUTICAL SECTOR
TABLE OF CONTENTS
Pharmaceutical Industry Background
Industry Trends and their Impact on Security
Pharmaceutical Industry Risks and Threats
A Business-Oriented Approach to Security
VII. Program Management Approach to Valuing
VIII. Business Case for Security
Highlights of Interviews Conducted
Best Practices/Gap Analysis
Summary of Key Findings
Copyright 2006 Council on Competitiveness
The U.S. health care system has been identified by Homeland Security as a key resource
and prescription medicines are a primary component of this system. A prosperous
pharmaceutical and biopharmaceutical industry is critical to a strong U.S. economy and global competitiveness. Two strategic concerns of the pharmaceutical industry, patient safety and public confidence, are inextricably linked to security. The most serious threats are theft of intellectual property and counterfeit and adulterated medicines. Supply chain security is at the very heart of ensuring that the medicines are safe and effective. The supply chain is increasingly vulnerable to attack, notwithstanding increased spending and cooperation among stake-holders in industry and government. As spending on security increases, primarily on track and trace and authentication technologies, companies are seeking ways to rationalize the costs. Companies are beginning to grasp the potential negative consequences of a biochemical terrorist attack on their strategic concerns. Improvements in technology, combined with threats to intellectual property and electronic data, vulnerability of the pharmaceutical supply chain to counterfeiters, diverters and terrorists, outsourcing and license agreements, among other threats, have heightened the need to focus on security. DHS and local government's responses to hurricanes Katrina, Rita and Wilma serve as a warning of their inability to react quickly and effectively to a bioterrorist attack or pandemic. Significant improvement in funding and coordination at all levels of government and with the pharmaceutical industry are needed. This study provides insights with respect to the role of security in the business model of pharmaceutical companies and the pharmaceutical industry as a whole. A business case for security must be made. If pharmaceutical companies fail to grasp the need to better integrate security into strategic business plans, they increase the risk of encountering crisis after crisis and resulting damage to their reputation and loss of public trust.
II. PHARMACEUTICAL INDUSTRY BACKGROUND
The U.S. is responsible for more than 40 percent of new drug introduction in the world,
and it dominates the world in terms of research dollars expended on biotechnology. The
Food and Drug Administration (FDA) provides the necessary oversight, by requiring
approval for each new drug as safe and effective before marketing. The FDA oversees the production of drugs whether manufactured in the U.S. facility or imported from abroad.
Good Manufacturing Practice (GMP) is an international set of regulations, codes and
guidelines by which prescription drugs, medical devices, diagnostic products and active
pharmaceutical ingredients are manufactured.
The purpose of GMP is to ensure quality product. An essential part of GMPs is documenting every aspect of the process, activities, and operations. If the documentation is not correct and in order, showing how the product was made and tested, that allows for traceability, and recall from the market in the event of future problems, then the product is Copyright 2006 Council on Competitiveness
considered adulterated. U.S. GMP is a higher standard than any international GMP.
Every aspect of the manufacturing process is closely monitored, including sterility,
electronic documentation, visual surveillance and numerous other requirements for tablets,
capsules, liquids and packaging. While some vulnerabilities exist, this process is less likely to be compromised. Most interviewees agreed that the greatest vulnerability in the supply chain exists after finished product leaves the manufacturer. The Centers for Disease Control and Prevention (CDC) has two primary roles to protect lives and improve health. Its overarching goals are to prepare for terrorist health threats and protect the health and quality of life of all Americans.
III. INDUSTRY TRENDS AND THEIR IMPACT ON SECURITY
Many current trends in the pharmaceutical industry involve competitiveness and security
issues. An aging U.S. population and increased spending on prescription drugs have resulted in downward pressures on drug prices and a desire for lower cost drugs. Many foreign sourced medicines are unregulated and pose safety and efficacy concerns. This search for low cost medicines has resulted in the purchase of medicines from Mexico, Canada, via the Internet and from other questionable sources. Some of these drugs have proven to be counterfeit, diverted from other markets, adulterated, and non-efficacious. To reduce costs, U.S. manufacturers have partnered with foreign chemical and R&D companies, packagers, and suppliers. These developments have improved U.S. competitiveness, but have heightened the risks of intellectual property loss and supply chain disruption. The U.S. pharmaceutical industry's vulnerability to cyber crime increases as pharmaceutical companies store and transmit more critical data electronically. In fact, a 2004 survey disclosed that fewer pharmaceutical executives (in comparison with their colleagues in other industries) are "very confident" (12 % vs. 22 %) in their IT security practices even though they spend more (12.8 % vs. 11.2 %) on their IT budgets. How many pharmaceutical companies assess the cost of the security investment against the expected return? Only 14 % of the respondents reported changing the role of security "from roadblock to enabler". Only 9 % of the executives think their firm is running security as a business.
Department of Homeland Security
The Department of Homeland Security (DHS) is the most comprehensive reorganization
of the federal government in a half-century, unifying federal functions into a single agency to protect Americans from terrorism. The national strategy embodied into Homeland Security focuses on six key areas: intelligence and warning; border and transportation security; domestic terrorism; protecting critical infrastructures; defending against catastrophic threats; and emergency preparedness and response against anthrax. Copyright 2006 Council on Competitiveness
Project Bio Shield was established to develop vaccines and other medical responses to biological, chemical, nuclear and radiological weapons. A Bio Watch program was created to monitor major cities for biological releases, procure sufficient smallpox vaccines for citizens and increase stocks of antibiotics. The Visa issuance process has been tightened to better screen foreign visitors.
U.S. Customs Service
U.S. Customs regulates importation of goods and products into the U.S., including
containerized products. Thousands and thousands of containers from throughout the world come into America's seaports every day of the year. While this is good news for the U.S. consumer, it represents a security risk. Since 9/11, concern has increased that terrorists could smuggle weapons of mass destruction in the seven million ocean-going containers that arrive annually at U.S. ports. In response to this concern, two programs were instituted by the U.S. Customs Service. They are the Container Security Initiative (CSI) and the Customs-Trade Partnership Against Terrorism (C-TPAT). The CSI was implemented to screen for high-risk containers at overseas ports, while C-TPAT was designed to improve global supply chain security in the private sector in return for the reduced likelihood that their containers will be inspected for weapons of mass destruction. These programs, while intended to combat the terrorist threat, have commercial benefit as well. However, the business benefits to participating companies have not been realized. Their containers are processed at U.S. ports along with nonparticipating companies. To move the containers out of port more swiftly, the government must resolve the privacy issues with other countries. The very information required to fast track containers is not available to U.S. companies. FDA inspectors are required to confirm that imported drugs meet the necessary requirements. If there is a question whether the drug can be legally imported, FDA can detain the product and allow the importer several days to demonstrate the drug's acceptability. If the importer is known, the drug is usually returned to its foreign source. If
the importer is unknown, the drug is destroyed.
Supply Chain Management / Vulnerability
Most raw materials are sourced outside the U.S. Sourcing companies are thoroughly
vetted, inspected, and audited by the U.S. manufacturer, to the extent allowed by local
laws. Consequently, it is highly unlikely for this system to be compromised. If it is, the problem is easily detected. Active ingredients are usually company controlled and subject to vigorous Quality Control, Copyright 2006 Council on Competitiveness
and inspections. Distribution System The U.S. market is currently considered the largest pharmaceutical market in the world. In 2002, U.S. manufacturers produced and distributed $172 billion of finished product to the U.S. market. The federal government and state agencies are responsible for ensuring the safety and efficacy of medicines in the U.S. While federal laws regulate the production and distribution of pharmaceuticals, state governments are responsible for regulating the practice of medicine and for licensing and policing pharmacies and drug wholesalers. The drug distribution system for legal prescription drugs in the U.S. is a "closed" system of laws, regulation and enforcement activities at the federal and state level. This closed system provides the American public with layers of protection against receiving unsafe and ineffective drugs. While the U.S. supply chain distribution is among the safest in the world, vulnerabilities exist. These vulnerabilities include counterfeit, diversion, adulteration, incomplete pedigrees, inadequate or no authentication, repacking and illegal importation. Legalizing the importation of drugs provides an opening in this system that
will result in increased risks.
A reliable pedigree that documents the chain of custody from the manufacturer to the point of dispensing is critical to ensure the integrity of prescription drugs. Pedigree is a statement of origin that traces the drug from the point of manufacture and contains information about all transactions that the product undergoes until it reaches the end user. Under federal law, not all wholesalers are required to provide pedigrees. When they are required, products with incomplete pedigrees are difficult to track and trace to establish their authenticity. Paper pedigrees are subject to forgery and inaccuracies and can provide
a false sense of authentication of product.
Counterfeit Prescription Drugs
Counterfeit drugs are fake medicines. In many countries, these fake drugs are common,
but in the U.S. they are rare because of the closed distribution. In recent years, there have
been efforts by increasingly organized counterfeiters, using sophisticated technologies and
criminal and terrorist organizations, to compromise this system.
Diversion occurs when products, intended for one market, are distributed and sold in other markets, usually at a higher price. Diverted drugs can originate in foreign markets and can facilitate the introduction of counterfeit drugs into the U.S. distribution system. Individuals who sell diverted drugs are less able to verify the integrity of the drugs because they are traded outside the normal distribution chain. This makes these products more vulnerable to compromise.
Repackaging is a legally approved activity when done by manufacturer's approved
repackagers. While being legitimate, it may destroy anti-counterfeit and antiterrorist measures used to prevent or detect these criminal acts. Repackaging may also provide a point of entry for the counterfeit, adulterated or diverted medicines into the distribution system since these appear to be legitimate product, and can easily be commingled with Copyright 2006 Council on Competitiveness
legitimate products during the repackaging process.
There are many track and trace and authentication technologies that have the potential to
improve efficiency of the supply chain while improving security. Some examples include holograms, color shifting inks and watermarks. Track and trace technologies, such as RFID (Radiofrequency Identification) and other EPCs (electronic product codes) and sophisticated bar coding, can provide effective monitoring of a drug's movement from the manufacturer, through the U.S. distribution chain. FDA believes that the use of RFID technology is critical to ensuring the long-term safety and integrity of the U.S. drug supply. However, FDA has not issued any regulation or requirements for the implementation of RFID studies. It is relying on private sector momentum. Some wholesalers and retailers have expressed concern that it is too costly to implement RFID, leaving the supply chain vulnerable. The FDA allows for an alternative approach to be used if it satisfies the requirements of the applicable statutes and regulations.
IV. PHARMACEUTICAL INDUSTRY RISKS AND THREATS
The U.S. pharmaceutical industry is poised for change as the pressures on its current
overall business scenario becomes increasingly unsustainable. The industry is presently immersed in a succession of technological innovations to help accelerate drug discovery and development. Some of these changes will also improve security. Additionally, strategic collaborations with external research organizations and regulatory agencies are a significant component of this business plan and will involve the security department of the company.
However, selecting the most beneficial systems requires a substantial commitment of a
company's R&D focus, pipeline commitment and analysis of risks and competition. It also
involves the FDA due to the high-risk stakes of substantial company investment with the
uncertainty that FDA will accept the results of the innovation and allow for continued
In 2004, the FDA made a pointed statement that it was restructuring its organization in order to be more responsive to the rapidly changing technological, business risk and terrorist environment. The FDA strengthened the security of the nation's food supply against terrorist attacks. However, there are continuing risks brought about by changes in global market forces, increased competitiveness and improved technological development. FDA is developing a versatile applied science toolkit containing scientific and technical methods such as animal and computer-based predictive models, biomarkers for safety and effectiveness and new clinical evaluation techniques. The goal is to predict product failure early during clinical trials and reduce development uncertainties and cost. FDA is also overhauling pharmaceutical cGMPs, (current Good Manufacturing Process), encouraging manufacturers to modernize their methods, equipment and facilities. These Copyright 2006 Council on Competitiveness
improvements will not only help eliminate production inefficiencies, but undue risks for consumers and also reduce the cost of security. While FDA is taking an introspective look at itself in order to create a stronger, more unified agency, standardizing its processes, enhancing its infrastructure and improving planning, these strategic moves do not include meaningful security input. FDA could also set the standard for the pharmaceutical industry by expanding the role of its own security organization beyond criminal investigations, and involving it in its strategic planning process at an early stage. For example, FDA inspectors need greater discretion to destroy drugs that are being improperly imported into the U.S. rather than returning them. FDA's constrained resources result in only a limited number of inspectors being available to staff the 14 international mail facilities in the U.S. The inspectors have noted an increase in the number of personal drug shipments coming into mail and courier facilities, overwhelming the staff. FDA would need a meaningful investment in new information technology and personnel to ensure adequate inspection of commercial quantities of medicines, if importation were legalized. Further, FDA is proposing to set up a new Drug Watch Web page for emerging data and risk information. This electronic evolution is intended to bring information directly to the consumer and increase the transparency of the agency's decision making process.
In recent years the CDC has taken substantial steps in public health in its approach to such
threats as terrorism and the Avian influenza. The changes add greater flexibility and
accountability, and include a wide range of business service improvements. Collaborating agency-wide CDC has launched Community Guide Information program to ensure that information quickly reaches a broad range of public and private sector audiences and encourages sound health action. While acknowledging the noteworthy improvements in the recent past, more improvements are necessary to cope with the continual and evolving terrorists and health threats.
Department of Homeland Security Secretary, Michael Chertoff, addressing the U.S.
Chamber of Commerce on May 2, 2005, advised that the private sector controls 85-90
percent of the assets in the country. Private security must work in partnership with the government to protect these assets. Chertoff's goal is to create a security environment that works with commerce and leverages the great American ingenuity. In this regard, DHS has developed ways to better protect critical infrastructure and to minimize vulnerabilities by establishing Information Sharing and Analysis Centers (ISACs). These centers have been established to facilitate regular and timely exchange of information between the private sector and DHS to help better protect the economy. To date, these centers do not include the FBI, CIA and other federal intelligence gathering and law enforcement agencies. There is no representative from the pharmaceutical Copyright 2006 Council on Competitiveness
industry participating in these centers and no one from the pharmaceutical industry in a leadership role within DHS. Another issue of concern is that ISACs have been established in agriculture, food, water, energy and transportation, among other sectors, but not for the pharmaceutical industry.
The possibility of a manmade threat against the U.S. has gained much public attention since 9/11. Various studies have shown that America's prescription drug supply is a potential target for terrorists. This conclusion resulted from the following known facts: Terrorists use profits from counterfeit drugs to finance their operations. For example, the efforts by the Lebanese militant group Hezbollah in smuggling an ingredient used in making methamphetamine from Canada into the U.S. Hezbollah has joined forces with al Qaeda to provide logistics and training. Tainted products could be shipped into the U.S. drug supply through one of thousands of small wholesalers that trade in prescription drugs. The Internet could be used by terrorists, who would lure buyers with promises of lower prices, then ship them tainted drugs. According to the CDC, large-scale, manmade threats are extremely difficult to carry out and threatening agents extremely difficult to manufacture. There are a small number of biological agents that are viable as terrorist weapons, though most cannot survive outside narrow temperature ranges and are rare and difficult to grow. Anthrax, smallpox, plague, botulism and ricin are the biological agents most likely to be used as a terrorist weapon, but are rare and difficult to cultivate. They pose potential bioweapons threats because they are extremely potent and require prolonged intensive care in affected persons. Copyright 2006 Council on Competitiveness
The DHS chart below identifies where medicines are missing in four key areas: While the actual damaging effect of biological weapons may be limited to a few affected persons, the fear factor caused by these acts of terrorism would be far greater than the actual damage. To create fear, terrorists need only to issue a public warning that a certain biological agent has been released or that a certain pharmaceutical drug has been contaminated. To deal with these threats, the FDA plans on finalizing implementation of new security regulations and expand their capabilities through new mobile laboratories, inspections and closer inter-agency collaboration. Further, FDA advised that it will continue to work closely with public and private sector partners to accelerate the development and availability of safe, medical countermeasures against biological agents. The U.S. Congress is considering actions to provide incentives and liability protection for vaccines and antibiotics to U.S. manufacturers. Vaccines and bioterrorist drugs are particularly susceptible to law suits because they may be administered quickly in an emergency to millions of Americans. Further, drugs that treat diseases such as anthrax cannot be fully tested in humans because it would be highly unethical to poison people with the disease to test the drug. The emerging consensus is that private drug makers have to be encouraged to produce more medicines protecting public health. Copyright 2006 Council on Competitiveness
V. A BUSINESS-ORIENTED APPROACH TO SECURITY
Three regimes for security that can be used to characterize security programs have been
identified. They are as follows:
1. Security as a cost of doing business 2. Security as a functional strategy 3. Security as a business opportunity Security as a cost of
Security as a functional
Security as a business
-"Guards, Guns and Gates" -Increase productivity -Formalize processes and -Integrate security throughout the firm as a -Key drivers for investment: strategic business partner -Business case revolves around cost savings and -Establish a risk -Insurance guidelines preventing losses management approach -Safety and liability -Invest in innovative measures with both business and security benefits -Enhance business case through new revenue streams Source: M.C. Wilhelm Associates, 2005
Security as a cost of doing business
At U.S. pharmaceutical manufacturers, security is viewed by some executives as a cost.
Security is not integrated into business decisions, but is an "add-on." Security-related
questions were directed to the CSO.
Security as a functional strategy
Companies in this category rationalize security across all business units. More business
decisions are based on risk assessments and the realization of the business benefits of
proactive security measures. Most pharmaceutical companies function, in some fashion,
but not entirely, in this category. Copyright 2006 Council on Competitiveness
Security as a cost of doing business
This view of security represents a leap from the current way of thinking. Security is
embedded more deeply into operations, and companies actually look for synergies with
core business units that enhance the business case for security. Furthermore, companies
look externally to search for ways that security can be used as an advantage. Security in the pharmaceutical industry does not yet approach this category. Security in smaller, administrative offices and at regional sites was more closely aligned to the business units than at corporate headquarters. See overall results below: First Stage:
Security as a cost of Security as a strategy doing business (1-5) Pharmaceutical
Each firm was asked to place their organization along the continuum, indicating the strength with which security is viewed as fundamental to the institution's business strategy. A score of 1 indicates that security is viewed solely as a cost of doing business. On the high end, a score of 15 reflects a progressive approach where security is viewed as a strategic opportunity. Source: Council on Competitiveness, 2005
VI. SECURITY METRICS
Throughout any company, there are a number of measurements for performance. One of
the most successful metrics is the profit and loss statement (P&L). This financial document provides viewers with key measurement criteria such as revenue, expenses and profits. This statement allows one to quickly gauge the health of a company. Unfortunately, there are currently no generally accepted metrics for measuring security effectiveness. Until metrics are developed to value security performance, security will always be seen as a cost. More importantly, because 85 percent of the critical infrastructure is owned by the private sector, if industry does not develop metrics, the government will. The following metrics can help gauge the quality of a security program: • quantify and calculate the asset's value or the incident's cost • quantify the critical nature of the threat • quantify the severity of the vulnerability. Copyright 2006 Council on Competitiveness
Ultimately, with knowledge gained through metrics, CSOs are in a better position to answer questions from senior company executives such as: • Are we more secure now than we were previously? • Are we secure enough? Even while more quantitative approaches to measuring security effectiveness are being developed, a program management and evaluation methodology is being advocated and will address more of the organizational concerns in this study than will metrics.
VII. PROGRAM MANAGEMENT APPROACH TO VALUING SECURITY
The primary purpose of a program management/evaluation approach to security would be
to maximize achieving the security mission or delivering security services. The essence of the program is to provide feedback leading to a successful outcome defined in practical terms. Its steps are: 1) Objectives need to be clearly stated in measurable or observable terms. 2) Determine how objectives will be accomplished through various strategies and 3) Determine whether the objectives were, in fact, accomplished. Select and develop metrics to evaluate attainment of each objective. Program management will address several gaps identified in this study, i.e., no common definition of security, security not fully integrated into the company and no common agreement on security effectiveness. This approach is a process that engages the entire company, both directly and indirectly. But most importantly, key company executives and others must collectively agree to the mission, goals and objectives of the program. This process reduced ambiguity and brings about a common collective company understanding of these elements. Second, on an enterprise-wide basis, the company must agree on the measures for accomplishing the goals and objectives. Each organizational component must assign someone to manage the program within their unit. Third, this approach includes establishing objective measurements wherever possible. Effective working relationships would be formalized to a degree where each unit will create a dialogue with the CSO to determine at what organizational level responsibility for unit security would reside. Communication would be ongoing and relevant. An individual within each organization will be accountable for ensuring the adequacy of program performance. The CSO will be responsible for achieving overall security program objectives, and furnish regular feedback to appropriate executives. Copyright 2006 Council on Competitiveness
VIII. THE BUSINESS CASE FOR SECURITY
First, the marketplace itself creates a very strong incentive to enhance security. It is in a
company's self-interest to ensure that its assets are secure. In today's threat / risk
environment, effective security measures are critical to businesses themselves. This is as true in the pharmaceutical industry as it is in any other important business sector. In recent years, the risk environment for U.S. pharmaceutical manufacturers has heightened in many ways. New technologies have created new security requirements on pharmaceutical companies. The risk of another terrorist attack since 9/11 and the resulting disruption of the supply chain, the theft of intellectual property and increased counterfeiting have all added to this risk. As an immediate consequence of 9/11, commerce in the U.S. came to a stop and remained shut down for several days. Appropriate threat assessment and mitigation procedures were not in place to limit negative impact of the terrorist attack on U.S. commerce. This scenario needs to change. U.S. business must develop security and competitiveness strategies that ensure continuation of business operations in the face of natural and
manmade disasters and with minimum interruptions.
As pharmaceutical companies continue their growth in high-risk markets such as China, India and Russia, the importance of security in establishing local, business arrangements and monitoring the practices of local partners, cannot be overstated. Without a constructive security role, the company stands not only to lose intellectual property, but to unwittingly contribute to its loss. Perhaps the best way to look at making the business case for security is to consider that security is responsible for handling many of the critical incidents facing pharmaceutical companies that have the potential to shape or reshape the future of the company. Further, a business case for security can be made by security addressing many of the risks of theft and counterfeiting endemic to developing countries, and beginning to thrive in industrial nations. Companies can benefit positively when their security operations provide input which facilitates continuing business operations in a crisis or hostile environment as other companies vacate the market. Sometimes one of the best business cases that can be made for security is not only in the value of the companies well earned reputation, but in trust that consumers place in its products. A company's business reputation is inextricably linked to security. Security's role is to protect the positive value of the company's name and its brands. A business case for security can be made in the expanding collaboration among pharmaceutical companies and regulatory agencies. Historically, pharmaceutical companies have collaborated with competing companies on a limited basis. This approach to security and competitiveness could foster more needed collaboration among companies. Copyright 2006 Council on Competitiveness
A strong business case can be made for investments in technology. While standards are
needed to reduce uncertainty and cost, RFID and electronic product codes (EPC) hold
some promise. When fully developed, in addition to the obvious security benefits, these
technologies can provide greater flexibility and more accurate tracking of product than paper pedigree manual tracking, reducing the number of lost products. These technologies can lower the cost of inventory levels and overall cost due to automation. RFID and other EPC technologies can also provide real-time data regarding products in the supply chain, which can further reduce the size and cost of inventories and help ensure that medicines are available when customers need them by creating a more effective delivery system. Numerous other business benefits can be derived from EPCs such as improved return management, improved expiration date management and recall management. In 2003, FDA announced a mass recall of the largest selling prescription drug in the world, Lipitor ($12 billion sales annually), a cholesterol lowering medicine. The recall was triggered by the discovery of counterfeit product, effecting more than 130,000 tablets and costing the manufacturer tens of millions of dollars. This recall could have been managed more effectively or eliminated altogether had appropriate EPCs been in use. Moreover, with the introduction of EPCs, there is less need for supply chain stake-holders to check, audit or verify product quality pedigree. With certain technological innovations, business and security effectiveness become inseparable. These will bring reduction in theft and shrinkage, counterfeiting, diversion and reduce the risk of bio-terrorists attacks. FDA is betting that RFID technology will be effective in authenticating products and has mandated its use by 2007. If this technology is effective and widespread, pharmacies and consumers may not want to purchase products whose pedigree has not been authenticated through this technology much in the same way that many consumers will not purchase OTC products lacking tamper-evident packaging.
IX. HIGHLIGHTS OF INTERVIEWS CONDUCTED
Industry Primary Association Group
PhRMA (Pharmaceutical Research and Manufacturing Association)
The U.S. pharmaceutical industry is one of the most highly regulated industries in the U.S.
PhRMA is an association which represents America's leading pharmaceutical research and
biotechnology companies. Its mission is to conduct effective advocacy for public policies that encourage discovery of important new medicines for patients by pharmaceutical companies. PhRMA has accepted the challenge to educate and inform U.S. citizens regarding the "good and effective" that underlies its work, concerning costs, risks, benefits and safety of pharmaceutical products. PhRMA acknowledges that it must embrace a mission to communicate to the American public that the pharmaceutical industry is about saving lives and battling disease and is committed to ensuring that the health system works to bring affordable medicines to all Americans. Copyright 2006 Council on Competitiveness
PhRMA has no perspective on companies or industry security leadership organizational structure or policy. The association has no security arm. When security matters arise, they are passed along to outside security consulting companies to be addressed. Domestically, there is a lack of accountability in the distribution market where non-U.S. approved drugs are imported. Although PhRMA supports RFID technology, its position is that this technology would be more effective if it resides with final dispensers of
medicines, I.e., retailers and pharmacies.
Background of the Chief Security Officer (CSO)
As with security in most industries, security in the pharmaceutical industry began as a physical security concern, starting at corporate headquarters and expanding to key manufacturing locations and regional offices. The Corporate Security Director, as the position was known at the time, was typically a retired police official in the city where corporate headquarters was located. He obtained the position through his relationship with senior company officials. His responsibilities were limited to controlling access to company space, reacting to theft/loss of products, and maintaining a relationship with his former agency. Over time, as the corporate security profession became more professional, organizations such as the American Society for Industrial Security International (ASIS), emerged, and began to identify security best practices. At the same time, pharmaceutical companies and companies in other industries became more proactive in their security operations by designing and implementing security programs to prevent losses. As U.S. companies became more global, and security problems became more international in scope, different skills were seen as necessary for the security director to function effectively in the global work place. Accordingly, beginning in the early 1960s, two pharmaceutical companies hired two former FBI agents as their security directors. Both brought with them investigative skills and the ability to communicate effectively with the CEO and other company leaders. However, the companies were not yet ready to publicize the presence of a security director in the company. A principal reason for the early success of the security chief was the conducting of so called security surveys. This vehicle allowed them to visit company sites, review procedures and make recommendations in areas needing improvement without drawing too much attention to themselves. With the above model for Security Directors as a prototype, companies began hiring former or retired senior, federal law enforcement officials or intelligence agents as chief of security. Although companies upgraded their top security position with former federal agents, the selections were nonetheless reactive, often responding to a major security incident or issue that existed at the time. Copyright 2006 Council on Competitiveness
Consequently, the CSO (Chief Security Officer), as it is now called, is not viewed as a strategic partner with other business executives, but only as an expert in security matters. Unfortunately, information security is not an area where the CSO is perceived to have expertise. It is also clear that the CSO is not on par with other company leaders such as the Chief Financial Officer (CFO) or senior Human Resources (HR) executive. Ideally, security should be involved in business projects as early in the planning stages as possible to ensure that risk and associated security measures are thoroughly analyzed and
employed at the earliest opportunity and in the most cost-effective manner.
Convergence of the CSO and CISO Positions
There is a convergence in the CSO and CISO (Chief Information Security Officer)
positions taking place in some companies. This convergence is defined as the integration
of information, physical security, personal security, disaster recovery, business continuity and safety risk management. When this takes place, there is clearly better alignment of security with the business operations since more and more of the vital company functions are electronic, and IT security is more strategically aligned with the business than traditional security functions. The title of CSO could be changed to incorporate a more inclusive term. One such term is Chief Asset Protection Officer. This term denotes that the position is responsible for the protection of all company assets in the same way that the CFO is responsible for all finances. Another term that bears some consideration is Chief Risk Officer. This term also suggest that the position has responsibility for company risks. While the issue of an appropriate title will not be solved with this study, we want to acknowledge that serious consideration needs to be given since the current term limits and frames how the CSO is viewed in the company. By establishing the CSO as the single point of contact for all security matters, there will be one security organization rather than two. It also allows for increased information sharing and cross training of personnel and more efficient problem solving and cost savings. But there are obstacles to this convergence. The CSO Magazine 2005 annual survey on the State of the CSO, reports that respondents are mixed on whether convergence of security functions is a good idea. Twenty-four percent of the respondents said that convergence is always a good idea, 31 percent said that yes it is a good idea in my industry; 38 percent said not in my industry; and 6 percent stated that it is never a good idea. Although there may be obstacles to convergence of the CSO and CISO positions, expanded use of technology is generating cost savings at the intersection of physical and information security. These cost savings can be readily seen in an IT-based security management system for both offices and headquarters that encompasses closed-circuit TV, door controls, access card sensors, alarm monitoring and panic buttons. This system has eliminated the need for local security guards, instead implementing a centralized location that uses electronic surveillance. Since the business world is different from law enforcement, with different demands, the CSO must have general leadership and management skills that transcend law enforcement. He/she must also be someone who is capable of understanding the language of business. Copyright 2006 Council on Competitiveness
One has only to look at key parts of a typical CSOs job description to understand the nature of the difficulty in expecting the CSO to become a more strategic business partner. The CSO's job description typically includes the following: Identifying protection goals and objectives consistent with the company's strategic plan; Managing the development and implementation of global security policies, guidelines, and procedures to ensure an acceptable level of security; Overseeing a network of proprietary security officers and vendors who safeguard the company's assets, including employees, products, facilities and information; Conducting and overseeing investigations of security breaches, theft and losses; Maintaining relationships with local, state, federal and international law enforcement agencies and other related government officials. The preliminary findings from a survey in the June 2005 CSO Magazine showed that 50 percent of the respondents believe senior management views the role of CSO as a strategic and permanent position, compared with 17 percent the previous year. Forty-eight percent of respondents also believed security is viewed as essential to business as opposed to an overhead cost. This is up from 25 percent in 2004. While it is apparent that more effective proactive security strategies and operational tactics are replacing reactive practices, these do not necessarily seem to be fully integrated into pharmaceutical companies overall strategic planning. Moreover, overlapping and redundant physical protection models are being replaced by a data-driven, risk-threat management model, where companies are willing to accept a certain amount of risk. The traditional model is proving to be too costly in the current
Varying Definitions of Security
Pharmaceutical companies have no common definition of security. The following are how
various companies in this study defined security:
1. Security is worldwide compliance with regulations and making sure employees 2. Security is physical security – plus the protection of people and facilities, but not products and intellectual property. 3. Security means securing products and protecting people and company facilities. 4. Security covers all assets protection, including employees, products, facilities and intellectual property. Copyright 2006 Council on Competitiveness
5. Security is not corporate security, but company security; physical, voice and data, and product security.
Security budgets are generally linked to the goals of the company, not as part of strategic
planning, but in the normal budget process. Security budgets have grown over the years
with pharmaceutical companies and in response to security issues that evolve with growth. Many budgets have also grown through benchmarking against "good security practices" of other pharmaceutical companies and companies in other industries. Since 9/11 overall security spending is up. Most of the increase has been in IT security, which is often separate from the security budget. There is no system to capture security spending across the entire company. However, IT security spending is tracked and monitored more effectively than other security areas. Security Risk Management
Risk assessment involves the integration of threat, vulnerability and consequence
information. Risk management involves deciding which protective measures to take based
upon risk reduction strategy. Many models/processes are deployed by pharmaceutical companies by which threats, vulnerabilities and risks are integrated and then used to inform the cost–effective location of resources to reduce the risks. In one company, the risk management process is enterprise-wide and managed by a risk management group, of which security is a part. All departments have input in the process and meet periodically to discuss the threats and possible mitigation. However, the focus of the group tends to be narrow rather than broad. Another company has a formal business risk assessment group, chaired by the CSO. They use a Sandia Labs business / risk model for identifying and mitigating risk. Their formal process requires affected departments to come together to identify potential threats and devise strategies for addressing them. The risk management group reports to Corporate Audit. Still another company has a risk management process and a risk management officer where relevant departments participate. The Board of Directors drives the process and manages the top five risks. Other risks are managed by a steering committee. In one company, risk management is limited to strictly to insurance-related issues. For its part, PhRMA has introduced a risk-based approach to accelerate approval of medicines and processes. Security Metrics
There is a continuing need for the CSO to develop metrics to measure security performance. CSOs need to develop benchmarks and determine best practices in a manner that is more quantitative and acceptable than the current practices. Copyright 2006 Council on Competitiveness
In order to foster a more inclusive role for security among corporate executives, the CSOs need to be able to demonstrate to senior executives how spending on a particular project is cost effective and how this will help them to solve business problems. This cannot be achieved unless the CSO understands the business plan and recognizes his role in enabling business success.
In recent years, security associations have also taken giant steps to professionalize the corporate security profession. Through membership in associations, attainment of certifications, attending meetings, publishing of security best practices, establishing of guidelines and more, these organizations are improving the quality of corporate security and aligning it more with the business structure. Recognizing the need for baseline security standards, some CSOs have had their departments certified through the International Organization of Standards, or (ISO). The ISO is an international organization recognized for setting generic security standards.
Security Training and Awareness
Many CSOs have collaborated through professional associations. ASIS has partnered with
the Wharton School at the University of Pennsylvania to develop an educational program
for its membership. The program is a two-week program, taught by the same faculty that teaches Wharton's MBA program, and is designed to enable the security professional to become a more effective business partner with key executives in his / her company. The International Security Managers Association (ISMA) has coordinated with the Kellogg School of Management at Northwestern University to develop a senior executive seminar. This is a one- week broad based leadership program that focuses on key areas of managerial effectiveness. ISMA also collaborates with Georgetown University to provide a three-staged management program for security professionals. Further, certain security management companies that provide training to security professionals, such as the Guardsmark Security Company, have added the topic "The Business Case for Security"to their training programs. The survey results revealed that effective communications skills are crucial to CSO success. Additionally, the survey disclosed that one in five CSOs have their MBAs and 48 percent have professional certification such as Certified Protection Professional (CPP) and Certified Informational Systems Security Professional (CISSP). An important role for the CSO is to educate company executives regarding the threats the company faces and the likelihood and consequences of those threats, and about the costs and effectiveness of managing the risk at an acceptable level. The CSO can also use the organizational tool of process management to reinforce the position that security is more than a one-department responsibility. Linking security to a business context suggests to others that they are accountable for security as well. As many different functions should be involved in security as possible. The notion that security is every employee's responsibility requires ongoing and progressive employee training programs. Copyright 2006 Council on Competitiveness
Industry / Government Partnership
Security professionals are doing more benchmarking and networking since 9/11. In this
regard, security professionals join several security associations where ideas, strategies and
best practices are exchanged. Although the guidance provided by these associations is
helpful, they are not industry specific. Legislation is needed to fight importation; government and the pharmaceutical industry need to work more closely together to make this happen. Unfortunately, the legislation is going in the opposite direction. FDA is coordinating a series of meetings where new technologies, such as RFID, are being considered. FDA has also created a workshop that led to numerous improvements in the industry. These collaborations could serve as models for future partnerships and cooperation in the pharmaceutical industry. DHS has not created an Information Sharing and Analysis Center (ISAC) for the pharmaceutical sector, nor does the pharmaceutical sector participate in any existing ISAC.
X. BEST PRACTICES / GAP ANALYSIS
The government could provide greater economic incentives for U.S. pharmaceutical companies to invest in certain biochemical solutions to counteract a biochemical attack against the U.S. There could be funding of research, tax breaks, subsidies and litigation relief flowing from an emerging consensus to develop vaccines and antibiotics to combat biochemical threats. Legislation is currently being introduced to address these concerns. The effort to protect Americans against biological weapons is a loose arrangement of shared responsibilities between DHS, HHS, Defense and other government agencies. Even within HHS, there is shared responsibility between the National Institutes of Health and a separate emergency planning division which administers contracts under the Bio Shield program. Better coordination is needed to form an effective bioterrorist response. Better coordination is also needed between the Securities Exchange Commission (SEC), where financial reporting is required under Sarbanes / Oxley, and the FDA, which requires manufacturers to make certain regulatory filings. Harmonizing regulations, as well as local privacy laws, will reduce costs to pharmaceutical manufacturers.
All pharmaceutical companies perform well at the physical security level. Many have
implemented security standards that measure performance. However, these standards may vary from company to company where industry best practices have not been established and where there is no uniformity. The pharmaceutical industry could improve security and save cost by establishing a set of standard security principles. When security is fragmented in various departments, with different individuals responsible for physical security, IT security, business continuity, and crisis management/contingency Copyright 2006 Council on Competitiveness
planning, no one has responsibility for total security in the company. In fact, in a crisis situation, each function may come up with a different solution. This could cost the company time, money and effort. If no one sees security across the enterprise, different responses should be expected. A single point of contact for security issues simplifies the process and makes it more effective. The CSO could be responsible for all of the company's critical assets as follows: Developing a global security policy; Hardening infrastructure targets; Curbing employee theft; Crisis management/contingency planning; Business continuity planning; Employee security awareness training; Role in risk management. While CSOs meet with their counterparts in professional associations and in an anti- counterfeiting body, there is no industry security group where pharmaceutical security best practices are discussed and vetted, and where benchmarking takes place. Such an organization is needed to improve efficiency and reduce cost.
Supply Chain Management
It is acknowledged by all stakeholders that the pharmaceutical supply chain is vulnerable to compromise and the introduction of harmful products. While there is consensus about the threat, there is no general agreement on a potential fix. FDA is promoting RFID technology along the manufacturers and large retailers. However, large wholesalers say implementation of the technology is too expensive. PhRMA is promoting the technology only at the dispensing level. Notwithstanding these varying opinions, the technology is moving forward even though there is no national or international standard or infrastructure in place. Although that it will take some time to implement electronic product code technology to track and trace pharmaceutical products throughout the distribution system, a paper
tracking requirement has not been implemented.
A risk management approach is central to making the business case for security. A
company simply cannot protect itself from all potential threats. A risk-based approach
allows a company to look at the possible consequences, vulnerabilities and threats as a template for corporate decision-making. This approach obviously benefits both business and security. With this process a company becomes more efficient, and by integrating security at the earliest stage in the process, more cost effective. Because there is no industry group that functions strategically, industry-wide risk management does not appear to be a function of the pharmaceutical industry as a whole. Either, PhRMA's role should be expanded or a new strategic group of CEOs formed Copyright 2006 Council on Competitiveness
While FDA and the pharmaceutical industry are developing RFID technology, Los
Alamos National Laboratory has demonstrated that RFID technology can be easily and
counterfeited. In addition, incorporating technology into packaging and products will, no doubt, increase the cost of medicines. To be practical, taggants or tags need to be inexpensive, difficult and/or expensive to counterfeit and easy for non-technical people to verify. Such taggants, in practical terms do not exist. Los Alamos concludes that they may not even be possible, especially since all anti-counterfeiting technologies can be defeated. As far as clandestine taggants are concerned, Los Alamos concluded that such measures as secret inks and surreptitious packaging marks appear to be "particularly impractical," especially for use by consumers. Besides, the trace contaminants in pharmaceuticals already serve as a unique, hard to counterfeit, "fingerprint" that can be analyzed in a laboratory, though at great cost. The industry's challenge is to develop covert technology which can be used to field-test product and not require costly laboratory testing. This improves both security and efficiency.
XI. SUMMARY OF KEY FINDINGS
A better case for security needs to be made in the pharmaceutical industry.
• The U.S. medicine supply chain is becoming increasingly vulnerable to attacks on its safety with the significant inflow of un-approved pharmaceuticals. • Unregulated prescription drugs routinely enter the U.S. via mail and courier • Electronic track and trace technology holds promise and could significantly assist in maintaining the integrity of the U.S. medicine supply and improve security, but this technology is years away from implementation. • Anti-counterfeiting technologies, while increasing costs, will also produce some benefits. These include improved inventory management and control; reduced labor costs due to automation; cost savings through fewer and more targeted recalls; and protection of medicines from tampering and acts of terrorism. • Federal laws governing pedigree requirements that trace pharmaceutical products back to manufacturers to guard against counterfeiting or adulteration would significantly contribute to the integrity of the U.S. medicine supply, but have not been implemented. Copyright 2006 Council on Competitiveness
Industry Association Groups
• The pharmaceutical/biopharmaceutical industry association is an advocacy group which is not strategic or pro-active, but rather reactive and responsive to directions set by member companies. Therefore, there is no strategic approach to risk identification or risk mitigation at the industry association level and no strategic model to address risks and threats. • There is an industry level security group (the Pharmaceutical Security Institute), which is membership-based, that addresses public health issues primarily through dismantling criminal groups involved in counterfeit medicines. No direct linkage exists between the industry association and this security group. Also, until recently, there was no reporting of counterfeiting cases by member companies to the PSI. A policy of voluntary reporting is now in effect. • Unlike many other industry associations, the pharmaceutical industry advocacy group does not have a security arm to address industry unique problems. Security matters that warrant professional security responses are contracted out to various firms. No single security firm is used by the association and, therefore, no cumulative knowledge or institutional learning takes place regarding industry security issues. Security industry association groups have collaborated with universities to develop business case for security training programs for executives. These programs, while in their infancy, provide a framework for industry leaders and security professionals to come together and build consensus around these issues. The transition from security as a cost to security as a strategic opportunity will be led jointly by CSOs and CEOs, since pharmaceutical companies are CEO driven and security programs are CSO driven.
• There is an increasing trend toward cooperation among regulators, industry advocacy groups and companies concerning anti-counterfeiting issues, importation and technology. This collaboration could lead to greater efficiencies and improved • Industry regulators have implemented provisions establishing guidelines for the conduct of studies on RFID technologies, and have urged adoption of this technology by 2007, but have not established standards for the technology. • The FDA has not implemented legislation that would set national pedigree requirements. (Pedigree requirements mandate that a record of all transactions involving shipments of pharmaceuticals be kept.) Currently, pedigree requirements are implemented at the state level with varying degrees of rigor. • The limited FDA resources available to investigate import activities into the U.S. are considered to be overwhelmed by the volume of imports. Copyright 2006 Council on Competitiveness
• Pharmaceutical and biopharmaceutical companies and their suppliers use two U.S. Customs programs that address the threat of terrorists smuggling bio-terrorists products in containers into the U.S. While both programs reduce the probability of a terrorist attack, the business benefits have not been realized. • Stronger penalties against pharmaceutical crimes need to be implemented as a • Reporting requirements under the SEC and Sarbanes / Oxley need to be
y Pharmaceutical companies are CEO driven. Therefore, successful business/ security integration will require the active involvement of the CEO. • All pharmaceutical/biopharmaceutical companies have CSOs, and most of these individuals have federal law enforcement or federal protective service background. However, these experiences are not deemed critical. What is critical is to have some business acumen and the ability to communicate effectively in a business environment. • The background of the CSO in pharmaceutical and biopharmaceutical companies is predicated upon a specific security need or needs that existed at the time the CSO was hired and not because of strategic considerations. This creates substantial obstacles for the CSO when he/she attempts to expand their security portfolio into more strategic areas. • Companies vary in what duties the CSO performs. In almost all instances, security is a cost of doing business, and to a lesser degree, a strategy. Security has not yet reached the level of being seen as a strategic opportunity. In some cases the CSO is involved in certain risk management functions, due diligence inquiries, and business development issues. But for the most part, these assignments come late in the process. • The success of the CSO in accomplishing his goals is not necessarily dependent upon which organizational department he is in or who he reports to. What is critical is that the CSO is placed at a high enough level in the company to have influence across the enterprise. • While access to the CEO is crucial to the success of the CSO, unless there are structural and process changes within the company, the CSO will have minimal impact upon the business operations of the company. • Security is not fully integrated across business units in any of the companies, and the departments do not function as a strategic whole. However, in some instances, security is involved in due diligence inquiries, business risk assessments and other business-related activities. Copyright 2006 Council on Competitiveness
• A key obstacle for the CSO's ability to impact business decisions is the emergence of the CISO and a lack of convergence in the two roles. • Pharmaceutical companies fully support the security function at the cost level, and security is rather comprehensive and in-depth from this point of view. The highly regulated nature of the industry with very sophisticated security policies and practices in place essentially mandates this acceptance. • CSOs welcome this study as an opportunity to improve their status in their companies. Many appear to be unappreciated and underutilized in terms of the skills they possess. • While most pharmaceutical companies have a risk management process and use some form of risk mitigation matrix, others do not. In one company, risk management is limited to insurance considerations. If the security department is brought into the process at all, it is brought in toward the end, and has minimal influence. As a result, there are serious weaknesses in the risk management process in pharmaceutical companies. • Security best practices, if embraced by companies and appropriately marketed, could be a "differentiator," much in the same way as was done with the introduction of tamper-evident packaging in certain OTC products. • With companies having more responsibility for protecting their own assets and being the first line of defense against a terrorist attack, greater emphasis needs to be placed upon employee training; not only personal safety and security awareness training, but as the eyes and ears of the company.
y The government needs to work closely with the pharmaceutical industry to ensure that adequate amounts of vaccines and other medical countermeasures are available in the event of a bioterrorism attack. In this regard, government funding is needed to manufacture certain countermeasures in advance and stockpile, and distribute them when necessary. y Government leaders and pharmaceutical executives can use the experiences gleaned from the existing collaborations in developing track and trace technology and improving the manufacturing process to guide the direction of future y A program management and evaluation approach to measuring security effectiveness will successfully address many of the security issues identified in this study. Copyright 2006 Council on Competitiveness
y The Office of Criminal Investigation (OCI) within the FDA could be more effective if it had a more strategic role in addressing security and competitiveness issues at the national level rather than only addressing some anti- counterfeiting matters. y Given the national importance of competitiveness and security to the U.S. pharmaceutical industry, PhRMA needs to have a security arm to provide input with respect to its strategic initiatives. y Pharmaceutical CSOs need to form a security association to address industry-wide security matters that are unique to the industry. • Many physical security functions have been reduced to standards that are implicated through checklists. These and other basic standards should be more fully developed by association groups and promoted throughout the security profession. y Universities have a role in making the business case for security by bringing the intellectual capacity of government leaders and industry executives together to generate ideas and solutions that are realistic and achievable. Copyright 2006 Council on Competitiveness
O caráter normativo dos princípiosjurídicos Emílio Peluso Neder Meyer 1 – Introdução. 2 – A teoria dos sistemas de Niklas Luhmann. 2.1 – O direito como sistema em Luhmann. 2.2 – Fechamento operacional eacoplamento estrutural dos sistemas. 2.3 – O Poder Judiciário e sua posição no sistema jurí- dico. 3 – O direito entre faticidade e validade:uma crítica à opção metodológica pela juris-
IBU CUP BIATHLON 8 10. – 14.03.09 Ridnaun / ITA IBU CUP BIATHLON 8 - 09. – 14.03.2009 WELCOME IN RIDNAUN After successfull and great Europaen Cup Final 2006-2007 come this year we organize the IBU CUP BIATHLON 8. The organizers will do their best again to offer the worlds biathlon family a successful event into the season 2008/2009. We would like to extend a very warm welcome to all