Medco Health Solutions—now part of Express Scripts—had an escalating, but mysterious problem. Some customers of the mail-order prescription service were returning their shipments, fearing that the package holding the medication had been tampered with. The cost of replacing such orders for customers was more than $500,000 annually. Senior executives turned to security to fix the problem, improve the customer experience, and save money. The security team turned to Six Sigma.
The security team had previously been trained on Six Sigma, a process improvement method developed in the 1980s that continues to be used by Fortune 500 companies. It provides a method for improving any process, including making it quicker or more productive, while increasing quality and cutting costs.
Six Sigma offers a focused approach to process improvement through a method known as DMAIC. This stands for Define, Measure, Analyze, Improve, and Control. In each phase of the DMAIC process, specific tools are used to advance the process improvement. Following is a discussion of each of these tools and how they were used to solve Medco’s product tampering issue.
The first step in the DMAIC process is to accurately define the problem. Here, the project team identifies the customers served by the process, determines customer requirements, and plans how to complete the project. This usually requires some research and initial data collection. The team then prepares problem and goal statements for the project and records this information in a project charter document.
In defining Medco’s problem, the security team understood that customers requested replacement orders for a variety of reasons. The package might have been damaged when received. Items could be missing from the order. The package could appear as if tampering had occurred. An order could get lost and never arrive at the patient’s address. Any of these reasons could result in a replacement order, costing the company significant funds in employee time, postage, packaging, and the replacement medication.
The security team investigated the reasons behind the replacement requests and found that suspected tampering was an overwhelming reason given by customers. A goal was set to reduce shipment replacements due to suspected tampering.
The next step in the process is to measure the problem by collecting data to determine the current volume of defects and errors. These results will serve as a baseline or starting point by which future improvements may be measured. The team should agree on the measurement process and collect an appropriate sample size.
At Medco, the project team collected and measured data related to replacement shipments for suspected tampering. Security was able to collect specific examples marked with “suspected tampering” as the reason for the return. From this data, security measured the number of defects (replacement orders) per million opportunities (total shipments), or DPMO. This DPMO value would serve as security’s baseline and illustrate the team’s progress in reducing future replacement shipments.
As part of the measure phase, security wanted to verify that the data collected was being accurately reported. Security consulted the inbound call center representatives who speak directly to customers. To validate that the reason code for a replacement shipment was being properly assigned, a decision tree job aid was developed that guided the representative to the correct reason code based on the patients’ responses.
Continuing the DMAIC process, managers must analyze the data collected for possible trends. The team uses the collected data to detect differences that may suggest theories as to root causes. Oftentimes, statistical tools are used to review the data. Then the team completes a cause-and-effect diagram to further identify and prioritize possible causes.
In the Medco example, charts and graphical summaries began to provide clues to possible root causes. The security team began to ask what the customer or patient considered tampering. Were there certain medications or types of packaging that were being reported as suspicious more often than others? Did suspected tampering include a shortage in the prescription quantity? If this was truly suspected tampering, were the complaints geographically related?
In furthering the analysis, security needed to view actual shipment packaging and contents from patients who suspected tampering. The security team requested that several shipped orders be returned by the patients so the evidence of tampering could be verified. Security found a common element in the majority of these replacement requests. The suspected tampering involved orders where two or more prescriptions were being combined into a single shipment package. This was called a “marriage order” and it combined items such as a prescription bottle with a prepackaged prescription item, like a nasal spray. These types of packages were open when the customer received them.
The next step is to improve the process being investigated. This is where ideas for solutions are generated. The team can use various brainstorming techniques to produce a list of the best possible solutions to the root causes identified.
To improve upon a process requires a full understanding of the current process. At Medco, the security team knew that patients were complaining that an interior shipping bag on a marriage order was often found torn along a perforation. This gave the appearance that the contents of the inner bag, typically a vial of prescription medication, may have been breached during shipping.
What the security team found when it observed the packing process within the Medco pharmacy was that packers were tearing this internal packaging as a part of the packing process. When questioned, the packers indicated that prescription vials were filled through an automated process. These prescription vials would be placed into a shipping bag and sealed, often trapping air and producing a balloon-like package. When such a prescription vial needed to be joined with other medication for the same patient, these multiple items would be routed and combined in another shipping bag as part of a marriage order. But, because of the trapped air, the prescription packages would not fit into the marriage order packages. Employees were tearing some of the inner packaging along the bag perforation to expel air, allowing for easier combining into a single marriage order shipping bag.
Several improvement ideas were offered as a way to mitigate this problem in the marriage order process. Adjustments could be made in the automated packing process for prescription vials to reduce the amount of air being pushed into the shipping bag. A prescription tamper seal could be used for all prescription vials to provide additional confidence that medication is pristine. However, the best idea was the use of a simple hole-punch device at the packing stations. The device placed a small hole in the inner bag that allowed for air to be expelled without suggesting any breach attempt of the package contents.
The final step in the DMAIC process is to maintain control of the implemented improvements. A major part of this step involves monitoring the process performance with control charts to assure stability. A process is said to be in control when the results are stable, predictable, and meet the customer requirements. Once established, the team will document the improvement.
At Medco, the volume of replacement prescription requests due to suspected tampering fell by more than 50 percent as a result of the improvement process. This produced a savings of more than $250,000 annually for the company. To monitor this improvement, security used a control chart to track the DPMO for replacement orders due to suspected tampering.
A control plan was also put in place providing specific steps to take should the DPMO exceed control limits. The plan included ongoing data collection of prescription replacement volumes over the next 12 months. This data would be used to calculate the DPMO and recorded into a control chart. If the DPMO went beyond the upper control limit in the control chart, an indication of a significant increase in prescription replacements due to suspected tampering, then additional actions or response would be required by the control plan. In this case, that would mean that the packing station for marriage orders would need to be reviewed and audited for proper packing technique and the use of the hole-punch device. Based on that finding, additional coaching or training may be necessary. In the case of this project, replacement prescriptions due to suspected tampering remained in control and required no further actions.
Solving a specific problem is only part of the Six Sigma process. Other critical aspects include choosing projects carefully, using metrics consistently, and embracing a culture of continuous improvement.
Project selection. Choosing which security improvement project to work on first can be difficult. This is particularly true when there are ample opportunities to choose from. However, there are a few strategies security managers can use in selecting appropriate projects.
Depending on the nature of the company’s business, regulatory requirements might be a regular part of the work environment. Any work performed or product produced that fails to comply with regulatory requirements may be subject to penalty. Thus, process improvements that address regulatory requirements should be considered first in the project prioritization process.
Identifying and managing risk is a primary responsibility for the security professional. Six Sigma offers a tool for that process. Failure Mode and Effects Analysis (FMEA) is a systematic technique for failure analysis. It includes documenting potential failure points in a process and then assigns a risk priority number (RPN) for each failure mode. This is similar to a security risk analysis, whereby security risks or failure points can be prioritized by level of importance or risk to the company.
Another strategy for selecting security improvement projects is based on return on investment, or ROI. This business approach is used often and is a preferred method for many companies. If a company invests $10,000 for security improvement and it returns $40,000 in cost savings as a result, the positive ROI is sufficient to recommend the project. Multiple projects can then be compared based on their projected ROI and prioritized.
Metrics. For many security professionals, collecting and measuring security performance and processes can be challenging. There are some security metrics that are easy to identify because they are tangible, such as the volume of alarm signals received in a month or the number of security incidents reported in a year. Other performance metrics may be unknown and require research, such as the perception of how safe employees feel while at work. Such qualitative data can also be collected through the use of surveys. A properly written survey can capture the perceived level of safety or security by the customer and result in a quantitative score. This score can then be used as a baseline for measuring future improvement efforts.
Culture. To see change throughout the organization, a company must embrace a continuous improvement culture. Such a culture means that there is an ongoing effort to improve quality, services, and processes. A key component is to communicate the benefits of a Six Sigma approach to problem solving and educate the security team on that process. By including all security staff, trust and support of Six Sigma projects will build. That’s not to say every staff member should be included in every project, but a rotation of security participants will provide unique insights and allow everyone an opportunity to engage in the Six Sigma process.
It is important to share progress and results on Six Sigma projects with team members. Doing so confirms the value of Six Sigma as a process improvement methodology. It will also encourage future project participation and innovative solutions.
Six Sigma can help a security manager make improvements to a variety of security programs. For example, it can be used to identify and improve the effectiveness of an access control system, or reduce the turnover rate of security guard staffing, or increase the recovery of assets through investigations. By using a Six Sigma approach to improve a security process, the CSO can rely on data to support the changes and obtain funding from the C-suite.
James Yothment, CPP, is a process consultant for RightSource Process Engineering, a pharmaceutical division of Humana. He specializes in Six Sigma methods for process improvement. He formerly served as the director of global security for Medco.