Supplier Risk Management: Regulations require MedTech companies to take the next step.

Wouter Vandeplassche Posted 03 March 2021

Supplier risk and its impact on corporate risk

One of the main goals of MedTech companies is to minimize business and operational risks while ensuring legal and regulatory compliance. Supplier risk is defined as the probability of a supplier causing an interruption within the supply chain. Although lean, just-in-time, off-shoring, and outsourcing strategies have allowed companies to reduce overall costs, improve efficiencies, and expand more quickly into new markets, they also expose companies to higher supply risks. Shortcuts in quality, capacity issues, and delivery delays are just a few examples of possible issues. The current pandemic has only emphasized the fragile balance between companies and their suppliers. Therefore, a well-considered Supplier Risk Management strategy is of great importance.

The Medical Device regulatory landscape is impacting supplier control.

Regulatory bodies around the globe have increased their control over organizational supply chains, and they have increased the penalties for corporate non-compliance. A short overview of the requirements for purchasing control applicable to manufacturers of medical devices and issued by the different regulatory bodies is provided below.

ISO 13485:2016

  • Evaluate and select suppliers based on their ability to supply product in accordance with the organization’s requirements. Criteria for evaluation and re-evaluation shall be established.
  • Establish and implement the inspection or other activities necessary for ensuring that purchased product meets specified purchase requirements, including specifications, product acceptance, supplier personnel qualifications, and quality system requirements.

EU Medical Device Regulation (MDR)

MDR requires adherence to ISO 13485:2016. However, it adds its own declarations. Article 10.8(d) & 10.12-14 (Supplier Controls and Corrective Action) and Article 88.3(b) (Market Surveillance) call for announced and unannounced inspections of suppliers and subcontractors, and the facilities of professional users.

The Medical Device Single Audit Program (MDSAP)

Like MDR, MDSAP requires adherence to ISO 13485:2016. At a high level, Chapter 7 of MDSAP requires that the purchasing process covers the regulatory needs for supplier management for all the participating countries (USA, Canada, Brazil, Japan, and Australia) and therefore, covers the evaluation, selection, and re-evaluation of suppliers, outsourcers, and service suppliers.

21CFR Part 820 - FDA

Articles regarding evaluation of suppliers:

  • Evaluations must be documented.
  • Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants based on the evaluation results.
  • Maintain records of acceptable suppliers, contractors, and consultants.

Turning regulations into practice: Supplier Risk Assessments & Vendor Rating System

Before contracts are signed, a thorough evaluation of the (future) suppliers is advised. The key areas that need to be evaluated to minimize risk include:

  • Manufacturing capability and capacity: can the supplier produce the volume required?
  • Technical Capability: can a supplier manufacture or deliver the desired specifications?
  • Financial Stability: does the supplier have the financial resources to fulfill long-term commitments?
  • Service Levels: how flexible and responsive is the supplier to the purchasing organization’s needs?
  • Commitment to sustainability: does the supplier have policies and guidelines promoting environmental, social, and economic sustainability? Have the processes been certified?
  • Location: how does the supplier’s location affect risk levels and transportation costs?

Once suitable suppliers have been chosen, regular monitoring of these vendors is crucial to keep the production of your medical devices at the prescribed levels of quality and quantity. Different types of inspection and analysis can be carried out to rate current suppliers, for example vendor rating systems or supplier scorecards. Every MedTech company needs its own tailored approach. However, they are all based on the same procedures:

  • Incoming material inspections
  • Supplier nonconformance or deviations
  • Supplier audits
  • On time delivery of goods


Supply chain risks grow as an organization's suppliers expand geographically and as companies increase offshoring and outsourcing activities. The increasing sophistication of technology and ever-increasing regulatory oversight are important factors leading to increased supply chain risk. The resulting supply chain issues are impacting medical device manufacturers around the globe, costing billions of dollars in market devaluations, recalls, regulatory fines, and settlements. Therefore, supplier risk management is an indispensable tool for mitigating the most important risks while maintaining high levels of business excellence.


At Modis Life Sciences, our experienced supply chain consultants and managers can help you to analyze your specific needs regarding Supply Risk Management and deliver personalized solutions for your problems.

Wouter Vandeplassche, Project Manager Life Sciences
