Resource constraints, global complexities, and changing business demands are challenging the traditional approach to supplier auditing. Are companies auditing too frequently? Not frequently enough? Are they sending the right experts to evaluate specific suppliers?
We sat down with David Festa, Director of Corporate Quality at Thermo Fisher Scientific, to answer these critical questions. With extensive experience in global supplier quality management across a massive organization with thousands of suppliers, David shares insights on balancing quality, compliance, and business needs through smarter audit strategies.
Need support planning, resourcing, executing, and managing your supplier audits this year? We’re currently supporting 50+ multi-site supplier audit programs for drug and device companies across the industry. Get in touch with us to start the conversation.
Apple Podcasts | Spotify | YouTube | Web + Others
Summary, Key Points, and Practical Takeaways
This interview has been edited for clarity and length.
Nick Capman: Why is the question "Are we auditing too much?" coming up in the pharmaceutical and medical device landscape?
David Festa: When we're putting together audit schedules and evaluating how we're monitoring our suppliers, discussions often default to "we need to do an audit." But with growing business constraints, we need to question whether it makes sense to always visit suppliers that are producing good product on time and not presenting much risk. We need to balance understanding the products they're providing against resource deployment. Are we sending the right people? That's really a key conversation we have constantly.
You mentioned "exception-based." How does exception-based and risk-based connect?
When looking at suppliers, we want to examine two different aspects: the supplier profile (their organization and quality management system) and the product they provide. How do those two work together to create a good supplier-customer relationship?
For risk-based assessment, we understand where the supplier is located, what their system is, and what percentage of their revenue we represent. Then we look at the material risk and the product risk of what they're providing to us. That's a very key part to that.
When you overlap that with performance, we want to understand the full picture. Yes, they're an important supplier or a risky supplier we need to keep an eye on, or the material is very important to our end product and customer or patient. But when looking at exceptions, we ask: Are they performing well? Are they meeting requirements, regulations, and standards? Sometimes that's a no, and that's what will get you in trouble down the road.
Is this approach an evolution of how we need to look at these things, or is there a better way of doing it?
Honestly, Nick, I think it's a combination of both. Looking at the evolution, when ISO and QSR came into being, it really was "we need to audit suppliers and go on a very regular basis to ensure supplier quality." Over time, we've understood there are many other constraints on quality when evaluating suppliers. You can't just go to every single supplier.
You need to choose who to visit, but it has come down to how well you're monitoring those suppliers. Do you have the right metrics and KPIs in place to understand their performance? In the big picture, how strong is your supply base? Understanding where to focus your limited resources on the right suppliers is key.
I go back to: if they're performing well, giving you good product on time, they're stable, they haven't changed their manufacturing location or process or anything significant – is there a need to go?
Let's say there isn't a need to go this year because of their performance and consistency. Can you completely write them off, or do you have to put them on a schedule for every so many years? What would you recommend?
That gets you into trouble sometimes. You might say, "We're going to visit every two years or every three years." But there might not actually be a need, yet your SOPs and requirements say you need to. Then you're out of compliance. When the inspector comes in and says, "Show me your schedule. Oh, you didn't go?" – there's a non-conformance.
You need to understand what key indicators should prompt a discussion about whether you should go. Or is it heightened inspections on inbound materials? Rather than just reviewing their CofC or CofA, are you actually doing some product testing in certain cases? There are other ways to ensure they're still meeting compliance on an ongoing basis.
There's a difference between quality and compliance. From my perspective, you're looking at this from a quality standpoint. But as you mentioned, there's the compliance aspect. Even if somebody is not high risk, is there a minimum that you need to at least go out and see them to stay compliant?
When we look at the Supplier Lifecycle Management, there's the onboarding (supplier selection, evaluation, and initial onboarding) and then the sustaining model. We look at those very differently.
For initial onboarding, I 100% absolutely agree you should go visit, because of the skill set of the supplier that we can get into in a bit. But in the sustaining model, any one of your suppliers can shut down your manufacturing line – whether it's missing screws or the wrong screws that are part of your assembly, or a PC board that doesn't work.
When we're looking at our supply base holistically and on an exception basis, we focus on: who is the supplier that is really affecting your inbound product, outbound product, customers, and ultimately your revenue?
I'm going to push back on you, David. What is the minimum?
That's a great question, Nick, but it really comes down to your company's tolerance. At what point do you say, "Because of the poor yields of this supplier, we're going to add inventory just to cover those gaps and issues"? It really comes down to individual cases with companies and your risk tolerance.
Let me insert my opinion. I think you have to visit your supplier at least once every three years. Do you agree or disagree?
I disagree. It comes down to how robust your monitoring system is, how well you know those suppliers, and how well you've built in those service level agreements or KPIs that you agree with. It depends on the supplier and where they fall in the different tiers – you're going to manage them differently. Unless there are key items that change, which might prompt the discussion to go.
Two questions: What do you think about remote or desk audits to address the compliance aspect? And let's say the FDA comes in and you have not visited this client site in five years. How do you respond to that?
For remote or document audits, I understand the need. Remote audits involve having a conversation about their system where they can display it, versus a document audit where I ask them to email me their 17 SOPs to review.
I tend to prefer the remote option because of the conversation and feeling you get when talking with a supplier. When you go on-site to audit, part of the skill set we're talking about is understanding what level of control a supplier has over their manufacturing process. That's not something you can get through reading SOPs, and it's very difficult to do remotely.
When you're physically with someone, you can read body language, see if they're struggling to get records or provide answers in a controlled manner. Of the options, on-site makes the most sense – you see their housekeeping, etc.
I love that your perspective is truly quality-focused, not just checking boxes. But there is the necessary evil of compliance. How would you respond when the FDA comes in and asks about a supplier you haven't visited in five years?
It goes back to how strong your supplier selection and evaluation process is upfront. The more work you do upfront, the better. Obviously, if you're just checking boxes and onboarding via a supplier questionnaire, there will be gaps in understanding.
The supplier selection process isn't done in a vacuum – it's done with other functions in the organization (procurement, ESG, sustainability, finance, legal). All those different folks need to make sure they have an understanding or a say. Then in the sustaining phase, you focus on monitoring and understanding the KPIs.
When the FDA inspector asks if you've been to a supplier, if your procedures say "every three years," well, you better show you've been there every three years. But if our procedures don't specify that for this situation, and we can show all the data we have on them – all the monitoring, change notifications (or lack of changes) – and demonstrate they still match when we onboarded them and are meeting KPIs and requirements, then tell me why we would need to go.
One of the things we're going to talk about, which you mentioned earlier, is: Are we picking the right people? Is this question coming from a place of evolution or improvement?
When I started my career auditing 25+ years ago, it was "here's a checklist, go to the supplier and make sure you answer every question, and we should be good." Now, we try to understand the profile of our auditor versus the profile of our supplier.
When looking at auditors, we assess how strong they are in different standards and regulations (13485, 9001, GMP, FDA) and their category expertise (plastics, biochemicals, chemicals, etc.). At Thermo Fisher, we look at the profile of the supplier (their standard, category, and region) and match that with auditors who have corresponding strengths.
For instance, if you send an auditor who is strong in plastics and understands the manufacturing process for plastics, they're going to give you a better audit than somebody who doesn't know plastics at all. So we hire specific auditors to handle categories they're well-versed in. You wouldn't send a chemist to audit machining or milling – you'd send them to lab suppliers.
This topic must be very important to you in particular, because I've seen the Thermo Fisher catalog. Do you have hundreds or thousands of suppliers?
We have tens of thousands of suppliers across the globe, and we sell over a million different SKUs.
Let's talk about pre-pandemic versus post-pandemic. How have things changed?
Pre-pandemic, across the board, the focus was always to travel to suppliers and make sure we're getting in our X amount of audits every year. It was very important to complete the checklist and finish those audits.
During the pandemic, we still needed evaluations in place, which turned to remote auditing, and we had to get good at that. Coming out of the pandemic, we're focusing on auditing smarter – auditing the right people with that exception-based, combined with risk-based approach.
We look at our global auditor base and consider the logistics. If a supplier is in Europe, does an auditor need to fly from the US when we could find someone in the US to perform that audit? We've driven to a more harmonized approach in our auditor criteria and qualifications.
Previously at Thermo Fisher, if I wanted someone else to perform an audit, they had to train to my system and use my templates, even though we're all Thermo Fisher but from different businesses. There was a lot of red tape. We're breaking down those barriers to help share suppliers and have more collaborative efforts between businesses.
Are there any risks associated with breaking down those barriers?
Absolutely. It comes down to product awareness. Auditors need to know what product the supplier is providing and understand the criticality of that material going into our end product.
Some risk comes from not knowing the changes at the supplier and how that can impact the finished product. If you're a "guest auditor," do you understand the impact on the final product of your sister site halfway around the world? Sometimes you lose some of that visibility.
It sounds like part of the risk mitigation is ensuring you have the correct people making those decisions. Are there any systems in place to further mitigate that risk?
When I started with Thermo Fisher about six years ago, there was no actual communication between different sites. One of the key things we did was build a centralized audit portal, just to understand who's going where and what auditors we have within our organization. Before that, we never knew.
We had folks who were quality engineers or quality managers where a portion of their job was supplier quality, so we needed to understand who was even an auditor within Thermo Fisher.
I want to transition into socioeconomic and geopolitical factors. Can you discuss that and comment on that?
Supplier quality works very closely with our global procurement organization. The global business and manufacturing dynamics have changed significantly from pre-pandemic, during pandemic, and now coming out of it.
When looking at suppliers, our global procurement does an amazing job looking at supplier risk in terms of where they are located – are they in war zones, political hot spots, or areas prone to natural disasters? As this happens, we may need to reroute or find alternate suppliers, which puts a huge burden on supplier quality.
We might have everything in place with a single source or sole source supplier, and suddenly we need to find another supplier as a backup or tertiary option. We need to evaluate them in the same way.
With different administrations and tariffs, our global procurement is looking to understand how to strengthen our supply base to get products on time and at a good cost. That's another pressure they put on us – getting the best price for a SKU, delivered on time and quickly, with flexibility. In the medical device and pharmaceutical world, you can't change suppliers that quickly.
They say price, quality, speed – pick two.
Exactly. One thing I did at a previous company was look at a supplier pricing index – their quality level on the product they're giving us. If they provide product that isn't good, we have to put money into mitigating and remediating poor quality.
If we're spending $1 on the component, but we're spending an extra 10 cents per component because of their poor quality, the pricing index is really 1.1. What are we really spending on total cost versus just the piece price from global procurement? Having those conversations with procurement can be eye-opening.
Is the pricing index an external or internal thing?
It was something I had done at a previous location that we're looking to implement within Thermo Fisher at different sites. It was a great tool to use with manufacturing engineers, R&D folks, global procurement, and quality. It gave us a good KPI of that supplier.
It sounds like you're able to encapsulate the true value by doing it that way. Can you comment on concerns regarding increasing requirements from various standards and regulations and how those are impacting manufacturers?
After you've set up and onboarded a supplier and understand their requirements, that's a key area for me. You'll see some companies simply say, "We're ISO 13485, so our suppliers shall be ISO 13485," but that's not reality.
When you look at the scope of 13485, it's medical device manufacturing or distribution. A supplier might just be giving you a component or sub-assembly that doesn't require 13485, because you as the legal manufacturer of the device are 13485 certified.
I see some companies get lazy and just say suppliers need to be 13485 certified. What happened in the supplier landscape is that many wanted to become competitive, so they said, "If we become 13485 certified, we'll attract more business. And we'll also be 9001 certified." These are two separate systems.
But isn't it in the eye of the beholder? Not everybody agrees with your perspective.
Agreed. From the supplier's perspective, they want a competitive advantage and to say they have a system that will help you. Sometimes it's adding belts and suspenders – it might be a little too much.
Do they have the basic, foundational principle requirements needed to produce this product for us? It goes back to the skill set of the auditor – do these folks have their processes, manufacturing, and supporting systems under control?
I agree with you 100% – that's a very educated point of view. I must confess that we're doing something similar to what you described. We're creating AI software that doesn't need to be Part 11 compliant, but we're making it compliant for that reason. We might be spending more money, but it's designed not for you but for people who might not have that level of understanding, giving them peace of mind.
As the landscape changes with supplier evaluations, what are some new skill sets and competencies people need to look for in their auditors?
Previously, auditing was a very niche skill set. Now, one of the key things we're looking for in supplier auditors is the ability to understand more of the business – our interactions between functions within our company and how that translates to a supplier.
When we looked to hire auditors 15-20 years ago, it was: Do you know the standards? Have you done an audit? Can you talk with different folks and summarize under pressure within a given time period?
Now it's much more about how well the interactions of all the different functions within our company affect the supplier company, where those touch points are, and being able to assess that subjectively and quantifiably.
Your approach is above average, based on my experience helping companies with their audit programs. You described a standard mindset as pre-pandemic, and now you've moved into a very educated, well-thought-out approach. Are there any positive results you can point to with this different approach?
We're slicing the pie a little differently. In some sections of our business, we've looked at what percentage of our supply base is poor-performing, which is a strong KPI. We've seen a solid decrease in the number of poor-performing suppliers, which indicates the strength of your supply base.
Additionally, assigning the right auditor to the right supplier has reaped benefits. We've found a correlation between sending the right person and understanding the true picture of that supplier. It became almost a predictive model – "We know this supplier is struggling here; maybe it's time we start talking with procurement about looking for another supplier or backup supplier." We've had instances where supplier quality raised concerns, and we've seen strong benefits from that approach.
What are some potential consequences of manufacturers pushing down unnecessary standards to suppliers, and how does that affect suppliers' operational and financial burdens?
You have to remember that 99% of the time, you're not a supplier's only customer. They have many other customers to manage. If each different customer requires them to do things differently, does that make sense?
You're imposing costs because they need to add resources and systems. When you introduce burden, you introduce non-compliance, because they might not follow what you say. Look at the base, principal requirements that you need to transfer to a supplier – not just product specifications but also supporting requirements that can adversely affect suppliers and introduce a high level of inefficiency.
One thing that doesn't get enough attention is the soft results of this approach. When you have a manufacturer with a well-thought-out relationship with a supplier, there are intangible benefits that strengthen your ability to do your job. When a supplier gets an email or call from Thermo Fisher, they'll respond quicker and pay more attention versus dealing with a company pushing down unnecessary requirements.
ISO certifications are valuable but only address part of the company-supplier relationship. How can companies ensure their suppliers consistently meet contractual requirements and deliver quality products on time?
I've been struggling with this throughout my career – understanding the value of ISO certificates. They represent one snapshot in time, looking at the QMS structure but not specifically at my product.
They examine if a supplier has their QMS in place, the structure in place, and management responsibility in place. That's great, but how does that work for me? Can you make the product we're asking you to make?
While ISO certification is a good foundation in my opinion, adding the material or product component is key. ISO doesn't focus on the different requirements or systems a supplier might need to use, or all the different customers they might have.
It's a good foundation, but not the end-all-be-all. You can't just check the box and say, "You have an ISO certificate, so that's good enough." You need to look at the relationship in total.
This has been a truly good podcast. Before we close, what would you like to leave the audience with?
As we begin to look at how companies are growing or shrinking, we need to be smart about how we do our jobs. How are we interacting with other functions within our organization? Are we making the best decision for Thermo Fisher in this case?
When you're looking at it not just from a people or process perspective, but holistically, anything we can bring in that's quantifiable to remove some subjectivity, while understanding subjectivity will be there, is key.
Putting the right people in the right place to succeed is applicable for any organization or function, but it's especially key for supplier quality. We're often that bridge to the supplier and into the business – a checkpoint that things need to go through. You understand the importance of our job as supplier quality and how it supports the overall mission and objective of Thermo Fisher.
David’s key takeaways:
Balance risk and performance in audit planning. Rather than rigidly auditing all suppliers on a fixed schedule, use an exception-based approach combined with risk assessment to determine where to focus limited auditing resources.
Differentiate between onboarding and sustaining. Initial supplier onboarding almost always warrants an on-site audit, but the sustaining phase requires different, more nuanced monitoring approaches based on supplier performance and risk.
Send the right auditor for the job. Match auditor expertise with supplier characteristics. An auditor with specific knowledge of the supplier's manufacturing processes and technologies will provide much more valuable insights than one who only knows general standards.
Look beyond ISO certification. While ISO and other certifications provide a good foundation, they represent only a snapshot in time and don't necessarily reflect a supplier's ability to meet your specific product needs. Dig deeper to understand actual manufacturing controls.
Implement quantifiable measures of supplier quality. Tools like the supplier pricing index help quantify the true cost of poor quality, providing valuable data for cross-functional conversations with procurement, manufacturing, and R&D teams.
Consider the total impact of imposed requirements. Before pushing standards down to suppliers, evaluate whether those requirements truly add value or just create unnecessary burden that could lead to inefficiency and non-compliance.
Build centralized communication systems. Develop tools like centralized audit portals to track auditing activities across complex organizations, ensuring better coordination and resource utilization.
Develop auditors with business acumen. Modern supplier quality auditors need to understand business operations beyond just technical standards—they must comprehend how different functions interact and how supplier relationships impact the broader organization.
Create collaborative supplier relationships. Approach supplier quality as a partnership rather than merely a compliance exercise, focusing on building relationships that encourage transparency and responsiveness.
Take a holistic view of supplier management. Integrate supplier quality with procurement, sustainability, and other business functions to create a more comprehensive approach that balances quality, cost, and business needs.
David Festa is the Director of Corporate Quality at Thermo Fisher Scientific, where he focuses primarily on global supplier quality management across the organization. With over 25 years of experience in quality management and auditing, David has developed innovative approaches to supplier evaluation, quality management, and risk-based auditing strategies.
At Thermo Fisher Scientific, one of the world's leading medical companies with over $42.9 billion in revenue, David oversees quality systems that support the company's massive portfolio of over one million SKUs and tens of thousands of suppliers worldwide. Since joining Thermo Fisher in 2019, he has implemented forward-thinking supplier quality management strategies that balance quality, compliance, and business needs.
David previously served as Director of Supplier Quality at CooperSurgical, where he worked for nearly eight years in progressively responsible roles, including Supplier Quality Manager and Associate Director of Global Supplier Quality. His experience encompasses GMP, SOP, and comprehensive supplier lifecycle management.
Throughout his career, David has pioneered innovative approaches to supplier quality, including:
Developing exception-based auditing models that focus resources where they provide the greatest value.
Creating supplier pricing index methodologies that quantify the true cost of poor quality.
Implementing centralized audit portals to coordinate quality efforts across large organizations.
Matching auditor expertise with supplier characteristics to maximize audit effectiveness.
Building cross-functional relationships between quality, procurement, and other business functions.
He holds a degree in Manufacturing Engineering from Boston University (1989-1993) and has maintained a consulting practice through Docro for over 13 years, specializing in GMP and 21 CFR compliance. David is also an experienced coach, having spent 14 years with Sheehan Hockey.
David has spoken at industry conferences, including BOSCON 2024, where he shared his expertise on supplier quality management and auditing practices. He brings a pragmatic, business-oriented perspective to quality management that balances regulatory compliance with operational efficiency.
Connect with him on LinkedIn here.
The FDA Group helps life science organizations rapidly access the industry's best consultants, contractors, and candidates.
Is your organization auditing too much or too little? Are you sending the right people to evaluate your suppliers? Traditional supplier audit approaches may consume valuable resources without delivering optimal quality outcomes.
The FDA Group specializes in providing supplier quality expertise to life science organizations, helping you transition from checkbox compliance to strategic quality management. Our services are designed to optimize your supplier relationships while ensuring regulatory compliance.
Risk-Based Audit Program Development: Create customized audit schedules that focus resources where they provide the greatest value and risk mitigation.
Auditor Expertise Matching: Access specialized auditors with deep category knowledge in plastics, chemicals, electronics, machining, and other critical areas.
Remote & On-Site Audit Execution: Conduct efficient, focused audits that deliver actionable insights beyond basic compliance verification.
Supplier Lifecycle Management: Establish comprehensive programs that differentiate between initial qualification and ongoing monitoring.
Our flexible engagement models, including consulting, staff augmentation, and full-time employee recruitment, allow us to provide the right expertise to meet your specific requirements. Whether you need a comprehensive audit program overhaul or targeted support for critical supplier evaluations, we connect you with experienced quality professionals who understand how to balance quality, compliance, and business need
Our service areas:
Quality Assurance | Regulatory Affairs | Clinical Operations | Commissioning, Qualification, and Validation | Chemistry, Manufacturing, and Controls (CMC) | Pharmacovigilance | Expert Witness
Our engagement models:
Consulting Projects | Staff Augmentation | FTE Recruitment
Our podcast:
Apple | Spotify | YouTube | Web + Others
Share this post