Enterprise Risk Management in a Pharmaceutical Company
Author(s): Andrey Y. Rogachev
Source: Risk Management, Vol. 10, No. 1 (Feb., 2008), pp. 76-84
Published by: Palgrave Macmillan Journals
Stable URL: http://www.jstor.org/stable/27669990
This content downloaded from 111.68.97.118 on Wed, 26 Feb 2014 12:45:26 PMAll use subject to JSTOR Terms and Conditions
Review article
ENTERPRISE RISK MANAGEMENT IN A PHARMACEUTICAL COMPANY
Andrey Y. Rogachev
F. Hoffmann-La Roche Ltd, Group Risk Management CSR, Basel, Switzerland
Correspondence: Andrey Y. Rogachev, F. Hoffmann-La Roche Ltd, Group Risk Management CSR, Bldg. 654/431, CH-6070 Basel, Switzerland.
E-mail: [email protected]
Abstract
Risks are everywhere and in any activity. Many pharmaceutical companies are currently looking to better understand, anticipate, and be able to mitigate business risk in order to deliver the rewards of risk taking, and to minimize the frequency and impact of risk on the downside. Some of them use the Enterprise Risk Management concept (ERM, developed by COSO) to establish an effective corporate management system. In the present paper, we analyze the integrated approach that is used by the company as the foundation of risk management within a company. The reader is offered a case of constructing an ERM system in practice.
Keywords business risk; COSO model; corporate management system; enterprise risk
management; internal control; risk manager responsibility
Risk Management (2008) 10, 76-84. © 2008 Palgrave Macmillan Ltd 1460-3799/08 $30.00
doi:10.1057/palgrave.rm.8250037
www.palgrave-journals.com/rm
Introduction
Nowadays, it is impossible to do business without taking risks. Risks are everywhere and in any activity.1 However, the words "risk" and "danger" are often used as equivalents, without drawing any clear distinction between them. Undoubtedly, risky decisions are those involving an element of danger. In other words, risk is the danger of future losses, which the entrepreneur may suffer under certain unfavorable business conditions. It is worth emphasizing that risk is a complex concept and can generally be regarded as the probability of causing uncertainty, property damage or other losses or the impossibility of obtaining the expected results of implementing the set goal.
The strategic goals of a company as well as its policy are determined by the expectations one has about that company. The company shareholders expect the managers to ensure that the business brings the expected profits. The company management relies on the efficiency and reliability of the organizational systems in accomplishing the set strategic goals. The company employees expect the guarantees of keeping their jobs and progress in the company development. The term "risk" implies any event or action that can interfere with the company's achieving its strategic goals on any of its organizational-technical levels. Therefore, risk management is a structured and coherent approach to identifying, analyzing and managing risks that affect the strategy, processes, people and technologies.
Many pharmaceutical companies, which have focused so much on innovation in science, are now looking for progressive ways to manage and mitigate their business risk not only to gain competitive advantage but, in some cases, to survive. Management are currently looking to better understand, anticipate and be able to mitigate business risk in order to deliver the rewards of risk taking, and to minimize the frequency and impact of risk on the downside. In the present paper, we discuss the topic of introducing Enterprise Risk Management (ERM) at the Roche Holding. The reader is offered a case of constructing an ERM system in practice. We analyze the integrated approach that is used by the company as the foundation of risk management within a company.
Headquartered in Basel, Switzerland, Roche is one of the world's leading research-focused healthcare groups in the fields of pharmaceuticals and diagnostics. As the world's biggest biotech company and an innovator of products and services for the early detection, prevention, diagnosis and treatment of diseases, the Group contributes on a broad range of fronts to improving people's health and quality of life. Roche is the world leader in in vitro diagnostics and drugs for cancer and transplantation, a market leader in virology and active in other major therapeutic areas such as autoimmune diseases, inflammation, metabolism and central nervous system. In 2006, sales by the Pharmaceuticals Division totaled 33.3 billion Swiss francs, and the Diagnostics Division posted sales of 8.7 billion Swiss francs. Roche employs roughly 75,000 people worldwide and has R&D agreements and strategic alliances with numerous partners, including majority ownership interests in Genentech and Chugai.
Figure 1 ERM vs internal control. (Panels: COSO Internal Control framework; COSO ERM framework.)
Why risk management?
When speaking about risk management, it is necessary to first raise a question about the practicability of the very idea of managing risks. Risks in modern business are a dynamic and continuously developing process. And the winner in this race is the one who is capable of effective control and management of risks in a continuously changing business environment. On the other hand, the growing global competition, the increase in the freedom of trade and investment on the global scale as well as in the number of mergers raise the issues for the company management of improving the quality of information on the risk position of the company as well as on its production, financial and administrative activity.
One of a company's important competitive advantages is its quick reaction to any change whether it concerns competitors' actions or legal regulations of state authorities. The factors of risk change, and become more complex, revealing their so-far unknown aspects and features. Risks become a multifactorial and interdisciplinary phenomenon, acquire a number of complex internal dependencies. New computer technologies and the Internet, complex financial instruments (mainly financial derivatives), changes and shifts in regional climatic maps also result in ever more companies creating specialized risk management services in their organizational structures.
In recent years, the requirements of corporate management systems have also risen. For many enterprises, the need for a risk management system has become evident. To design possible future scenarios and determine the boundaries of dangerousness are the major tasks assigned to present-day qualified risk management services by the directors and top managers of the company. The reduction of government interventions into major industries on the one hand, and the increase in the external demands from the society on effective management on the other, have led to a shift in social consciousness from constructing internal control and risk audit systems to introducing an integrated approach to developing complex ERM systems (see Figure 1). In 2001, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) together with PricewaterhouseCoopers initiated the project entitled Enterprise Risk Management - Integrated Framework (ERM) to achieve maximum effectiveness in risk management. According to the COSO standards, ERM consists of eight interrelated components. These are derived from the way the management runs an enterprise and are integrated into the management process. "These components are:
1. Internal environment
Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the basis for how risk and control are viewed and addressed by an entity's people. The core of any business is its people - their individual attributes, including integrity, ethical values and competence - and the environment in which they operate.
2. Objective setting
Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
3. Event identification
Potential events that might have an impact on the entity must be identified. Event identification involves identifying potential events from internal or external sources affecting achievement of objectives. It includes distinguishing between events that represent risks, those representing opportunities and those that may be both. Opportunities are channeled back to management's strategy or objective-setting processes.
4. Risk assessment
Identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with objectives that may be affected. Risks are assessed both on an inherent and a residual basis, with the assessment considering both risk likelihood and impact.
5. Risk response
Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing and sharing risk. Management selects a set of actions to align risks with the entity's risk tolerances and risk appetite.
6. Control activities
Policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out.
7. Information and communication
Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information is needed at all levels of an entity for identifying, assessing and responding to risk. Effective communication also occurs in a broader sense, flowing down, across and up the entity. Personnel receive clear communications regarding their role and responsibilities.
8. Monitoring
The entirety of enterprise risk management is monitored, and modifications made as necessary. In this way, it can react dynamically, changing as conditions warrant. Monitoring is accomplished through ongoing management activities, separate evaluations of enterprise risk management or a combination of the two."2
Thus, centralizing and coordinating the risk management of the whole enterprise is a key issue today. It is a professional risk manager rather than an internal audit or financial control department who can properly implement risk management procedures and integrate them into the enterprise management system. When risk management processes are scattered across various units, it is only separate company units that take actions to prevent negative aftereffects, and the new risk identification is intolerably slow. These organizations are characterized by a lack of complex risk management integrated into the general enterprise management system. Risk management is already becoming a core element in company strategic management. It is a process by which the company conducts the system risk analysis of every activity to reduce or avoid losses.
Recent practices have shown that ineffective risk management might be very costly for a company. A number of failures as a result of faulty risk management may lead not only to considerable financial losses but also to the reduction of share value, to the deterioration of the company's reputation, to the discharge of top management and even bankruptcy.
One should not ignore globalization as one more factor that calls for introducing ERM systems. It is noteworthy that changes in organizational structure by means of reductions, re-engineering and mergers may have significant impact on risk management development. Globalization generates new threats for a company and adds risk and uncertainty to the company's development process. Sustainable economic growth and business development are becoming necessary conditions for the successful operation of big transnational companies.
Risk management in practice
In the Roche Holding as well, risk management is a core part of enterprise strategic management. In essence, it is a process by means of which the company systematically analyzes risks related to every activity in order to maximize effectiveness at any stage of company management (see Figure 2).
Figure 2 ERM process development.
Risk management should be a continuous and developing process that analyzes the company in action, namely, the present, past and future of the company. Effectiveness of risk management largely depends on methods and techniques of control. Continuous and proper monitoring of the company risk management policy makes it possible to analyze the effectiveness of the actions taken to reduce risks, provide necessary information, accumulate necessary knowledge and experience for further steps in the decision-making process of risk analysis and assessment, and develop methods and techniques for effective management in the future.
Following the COSO model, the Corporate Executive Committee considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives and developing mechanisms to manage related risks. ERM provides the rigor to identify and select among alternative risk responses - risk avoidance, reduction, sharing and acceptance. So, entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses. By considering a full range of potential events, management is also positioned to identify and proactively realize opportunities. Thus, obtaining robust risk and opportunity information allows management to effectively assess overall capital needs and enhance capital allocation.
The core element of risk management culture is making all the employees participating in the decision-making process at all the organizational levels aware of the company's general attitude towards risk and related corporate values. Today, risk management should be integrated into the general culture of the organization, accepted and approved of by the directors and conveyed to every employee in terms of a general company development program with locally formulated specific tasks. Risk management as a unified system should incorporate a program of control over the execution of the set tasks, efficiency assessment of the activities and a system of incentives at all the organization levels. Effective risk management requires in turn the accurate selection and skillful combination of methods to reduce potential risks.
Further development of risk management
Providing for the insurance against risks and for the assurance of tomorrow, ERM forms the company's risk management policy and accomplishes its active and extensive implementation. In spite of the already gained experience and wide practice, ERM application at a modern industrial enterprise is in the state of constant development. The evolution of risk management proceeds at all organizational levels of the company (from the primary business units up to the supervisory board) and in all directions exerting direct influence on the ERM system and on the concept of risk management, its activities and results.
There occurs a smooth change in the system of company risk management from procedures, processes and methodology to a single concept. The ideas of the role played by risk management also undergo changes from setting operational and tactical aims to working out a strategy and determining general corporate values. Actions carried out to manage risks are no longer of a random, selective or episodical character, and represent a coordinated and continuous process. From isolated projects aimed at managing separate kinds of risks, the company moves to a complex and multi-purpose aggregation of results.
Risk management is carried out according to a logical chain from theory to practical application based on a widely branching analysis and on possible applications of the methods and techniques of risk management (see Figure 2). Risk management in a company analyzes the company's past to answer the question "What is already available and done in the company as a whole or in any of its subdivisions from the viewpoint of managing risks?", and tries to see into the future ("What is possible and applicable in general?"), keeping itself, in so doing, within the bounds of what is necessary and admissible for the company. Then, risk management passes from the set aims and tasks to direct development of specific projects and programs meant to effectively manage the company's risks.
Conclusion
In conclusion, it should be noted that for many companies the creation of risk management services is frequently a forced action, which is only due to the demands of governmental and other regulating authorities. Ignoring the regulatory pressure and guidance related to the management of risk and desire of transparency, company management need to get a much better view of and control over risk if they are to build trust and keep performance volatility in control. Enterprises review their current risk management capabilities and investigate how an ERM system could improve their results. Nevertheless, sometimes the management of a company itself fails to attach the proper significance to the originating of services themselves and then fails to see the real benefit and advantage of risk management. Another problem in the sphere of risk management today is the substitution of the idea of a risk manager with the official powers of an already existing financial analyst.
Undoubtedly, a risk manager does conduct financial analysis, but the analysis itself occurs at a somewhat different level. So it is necessary to distinctly differentiate which functions are within the competence of a risk manager, and which are the direct duties of a financial analyst. The risk manager is first of all to evaluate the risks, which the company takes upon itself, and is responsible for insurance, hedging, reservation and limiting. In other words, he reduces the risks using modern financial techniques and tools. A person in this position detects possible weak points while studying business processes, and, what is most important, he or she estimates the costs of operational risks, informing the company management about the presence of uncovered risks as well as about their costs. Moreover, another duty of no small importance performed by a manager engaged in calculating risks is to check the presence and performance of procedures aimed at reducing operational risks which is one of the main tasks facing not only the risk manager, but also the company as a whole.
To sum it up, the main responsibilities of enterprise risk managers at this stage are to:
develop, implement and maintain risk management or control policies, with appropriate organization, risk methodologies and processes that encourage accountability and reliability in business;
report regularly and/or on demand about the risk inventory and exposures, as well as about the assessment of the effectiveness and efficiency of the risk management and control system;
facilitate informed, factual, diligent, pro-active, entrepreneurial decision making and appropriate action on all material risks of a company;
support best practice sharing within an organization;
develop an overall Risk Management governance function.
The prospects of risk management development are linked to the globalization of economy, with the dynamically changing and competitive business environment. The variation and complication of risk factors are becoming interdisciplinary, multidisciplinary and surrounded by internal interdependencies.
Unfortunately, the management of some enterprises believe that if a risk, revealed beforehand, is nevertheless realized, it will be regarded as an error (i.e. kill the messenger of the risk). It is psychologically explicable that the personnel of the enterprises, too, have formed a negative attitude towards risk - it is better to avoid it. Thus, mistakenly, separately working officials are frequently reluctant to manage risks. The problem is that managers are not always aware of a risk, which is beyond the bounds of their immediate duties: they have no idea of a risk at the level of the whole enterprise. At the same time, it is effective risk management that makes it possible to demonstrate how much the potential consequences of a risk for the whole enterprise have been reduced with the help of preventive measures.
Despite the fact that at enterprises there are many problems connected with effective risk management and risk management introduction, today it is impossible to do without a well-grounded consideration and estimation of risk in taking managerial decisions. The whole weight of responsibility for a decision taken falls on the heads of business subunits and on the top management of a company. They are frequently forced to work under new conditions and in an unknown situation characterized by high risks, contradictions, constant and unexpected changes. Therefore, it is essential to "arm" officials who take decisions with the risk estimation technique, which is maximally approximated to the real economy. Good understanding of how the risk would work will make it possible to carry out a more complete analysis of expenses and results, to minimize unpleasant unexpectedness and to maximally make use of available possibilities and facilitate the solution of the problems faced by the company. Even now it is possible to say with certainty that risk management at many enterprises is becoming as typical an activity as, say, accounting.
Notes
1 All statements made in this paper express the personal view of the author on Enterprise Risk Management, and do not relate to companies for which the author is working now or has worked before. Nevertheless, some thoughts and ideas presented here might be implemented in the establishment of Risk Management process at these companies.
2 For more details on that we refer to Enterprise Risk Management - Integrated Framework, COSO, September 2004, http://www.coso.org/.