enterprise risk management in a pharmaceutical company

Enterprise Risk Management in a Pharmaceutical Company
Author(s): Andrey Y. Rogachev
Source: Risk Management, Vol. 10, No. 1 (Feb., 2008), pp. 76-84
Published by: Palgrave Macmillan Journals
Stable URL: http://www.jstor.org/stable/27669990
Accessed: 26/02/2014 12:45

Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at http://www.jstor.org/page/info/about/policies/terms.jsp. JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide range of content in a trusted digital archive. We use information technology and tools to increase productivity and facilitate new forms of scholarship. For more information about JSTOR, please contact [email protected].

Palgrave Macmillan Journals is collaborating with JSTOR to digitize, preserve and extend access to Risk Management. http://www.jstor.org

This content downloaded from 111.68.97.118 on Wed, 26 Feb 2014 12:45:26 PM. All use subject to JSTOR Terms and Conditions.


Review article

ENTERPRISE RISK MANAGEMENT IN A PHARMACEUTICAL COMPANY

Andrey Y. Rogachev
F. Hoffmann-La Roche Ltd, Group Risk Management CSR, Basel, Switzerland

Correspondence: Andrey Y. Rogachev, F. Hoffmann-La Roche Ltd, Group Risk Management CSR, Bldg. 654/431, CH-6070 Basel, Switzerland.

E-mail: [email protected]

Abstract

Risks are everywhere and in any activity. Many pharmaceutical companies are currently looking to better understand, anticipate, and be able to mitigate business risk in order to deliver the rewards of risk taking, and to minimize the frequency and impact of risk on the downside. Some of them use the Enterprise Risk Management concept (ERM, developed by COSO) to establish an effective corporate management system. In the present paper, we analyze the integrated approach that is used by the company as the foundation of risk management within a company. The reader is offered a case of constructing an ERM system in practice.

Keywords: business risk; COSO model; corporate management system; enterprise risk management; internal control; risk manager responsibility

Risk Management (2008) 10, 76-84.

doi:10.1057/palgrave.rm.8250037

© 2008 Palgrave Macmillan Ltd 1460-3799/08 $30.00

www.palgrave-journals.com/rm

Introduction

Nowadays, it is impossible to do business without taking risks. Risks are everywhere and in any activity.1 However, the words "risk" and "danger" are often used as equivalents, without drawing any clear distinction between them. Undoubtedly, risky decisions are those involving an element of danger. In other words, risk is the danger of future losses, which the entrepreneur may suffer under certain unfavorable business conditions. It is worth emphasizing that risk is a complex concept and can generally be regarded as the probability of causing uncertainty, property damage or other losses or the impossibility of obtaining the expected results of implementing the set goal.

The strategic goals of a company as well as its policy are determined by the expectations one has about that company. The company shareholders expect the managers to ensure that the business brings the expected profits. The company management relies on the efficiency and reliability of the organizational systems in accomplishing the set strategic goals. The company employees expect the guarantees of keeping their jobs and progress in the company development. The term "risk" implies any event or action that can interfere with the company's achieving its strategic goals on any of its organizational-technical levels. Therefore, risk management is a structured and coherent approach to identifying, analyzing and managing risks that affect the strategy, processes, people and technologies.

Many pharmaceutical companies, which have focused so much on innovation in science, are now looking for progressive ways to manage and mitigate their business risk not only to gain competitive advantage but, in some cases, to survive. Management are currently looking to better understand, anticipate and be able to mitigate business risk in order to deliver the rewards of risk taking, and to minimize the frequency and impact of risk on the downside. In the present paper, we discuss the topic of introducing Enterprise Risk Management (ERM) at the Roche Holding. The reader is offered a case of constructing an ERM system in practice. We analyze the integrated approach that is used by the company as the foundation of risk management within a company.

Headquartered in Basel, Switzerland, Roche is one of the world's leading research-focused healthcare groups in the fields of pharmaceuticals and diagnostics. As the world's biggest biotech company and an innovator of products and services for the early detection, prevention, diagnosis and treatment of diseases, the Group contributes on a broad range of fronts to improving people's health and quality of life. Roche is the world leader in in vitro diagnostics and drugs for cancer and transplantation, a market leader in virology and active in other major therapeutic areas such as autoimmune diseases, inflammation, metabolism and central nervous system. In 2006, sales by the Pharmaceuticals Division totaled 33.3 billion Swiss francs, and the Diagnostics Division posted sales of 8.7 billion Swiss francs. Roche employs roughly 75,000 people worldwide and has R&D agreements and strategic alliances with numerous partners, including majority ownership interests in Genentech and Chugai.


Figure 1 ERM vs internal control. [Figure not reproduced; panel labels: COSO Internal Control framework, COSO ERM framework.]

Why risk management?

When speaking about risk management, it is necessary to first raise a question about the practicability of the very idea of managing risks. Risks in modern business are a dynamic and continuously developing process. And the winner in this race is the one who is capable of effective control and management of risks in a continuously changing business environment. On the other hand, the growing global competition, the increase in the freedom of trade and investment on the global scale as well as in the number of mergers raise the issues for the company management of improving the quality of information on the risk position of the company as well as on its production, financial and administrative activity.

One of a company's important competitive advantages is its quick reaction to any change whether it concerns competitors' actions or legal regulations of state authorities. The factors of risk change, and become more complex, revealing their so-far unknown aspects and features. Risks become a multifactorial and interdisciplinary phenomenon, and acquire a number of complex internal dependencies. New computer technologies and the Internet, complex financial instruments (mainly financial derivatives), changes and shifts in regional climatic maps also result in ever more companies creating specialized risk management services in their organizational structures.

In recent years, the requirements of corporate management systems have also risen. For many enterprises, the need for a risk management system has become evident. To design possible future scenarios and determine the boundaries of dangerousness are the major tasks assigned to present-day qualified risk management services by the directors and top managers of the company.

The reduction of government interventions into major industries on the one hand, and the increase in the external demands from the society on effective management on the other, have led to a shift in social consciousness from constructing internal control and risk audit systems to introducing an integrated approach to developing complex ERM systems (see Figure 1). In 2001, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) together with PricewaterhouseCoopers initiated the project entitled Enterprise Risk Management - Integrated Framework (ERM) to achieve maximum effectiveness in risk management. According to the COSO standards, ERM consists of eight interrelated components. These are derived from the way the management runs an enterprise and are integrated into the management process. "These components are:

1. Internal environment

Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the basis for how risk and control are viewed and addressed by an entity's people. The core of any business is its people - their individual attributes, including integrity, ethical values and competence - and the environment in which they operate.

2. Objective setting

Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.

3. Event identification

Potential events that might have an impact on the entity must be identified. Event identification involves identifying potential events from internal or external sources affecting achievement of objectives. It includes distinguishing between events that represent risks, those representing opportunities and those that may be both. Opportunities are channeled back to management's strategy or objective-setting processes.

4. Risk assessment

Identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with objectives that may be affected. Risks are assessed both on an inherent and a residual basis, with the assessment considering both risk likelihood and impact.

5. Risk response

Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing and sharing risk. Management selects a set of actions to align risks with the entity's risk tolerances and risk appetite.

6. Control activities

Policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out.

7. Information and communication

Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information is needed at all levels of an entity for identifying, assessing and responding to risk. Effective communication also occurs in a broader sense, flowing down, across and up the entity. Personnel receive clear communications regarding their role and responsibilities.

8. Monitoring

The entirety of enterprise risk management is monitored, and modifications made as necessary. In this way, it can react dynamically, changing as conditions warrant. Monitoring is accomplished through ongoing management activities, separate evaluations of enterprise risk management or a combination of the two."2

Thus, centralizing and coordinating the risk management of the whole enterprise is a key issue today. It is a professional risk manager rather than an internal audit or financial control department who can properly implement risk management procedures and integrate them into the enterprise management system. When risk management processes are scattered across various units, it is only separate company units that take actions to prevent negative aftereffects, and the identification of new risks is intolerably slow. These organizations are characterized by a lack of complex risk management integrated into the general enterprise management system. Risk management is already becoming a core element in company strategic management. It is a process by which the company conducts the system risk analysis of every activity to reduce or avoid losses.

Recent practices have shown that ineffective risk management might be very costly for a company. A number of failures as a result of faulty risk management may lead not only to considerable financial losses but also to the reduction of share value, to the deterioration of the company's reputation, to the discharge of top management and even bankruptcy.

One should not ignore globalization as one more factor that calls for introducing ERM systems. It is noteworthy that changes in organizational structure by means of reductions, re-engineering and mergers may have significant impact on risk management development. Globalization generates new threats for a company and adds risk and uncertainty to the company's development process. Sustainable economic growth and business development are becoming necessary conditions for the successful operation of big transnational companies.

Risk management in practice

Also in the Roche Holding, risk management is a core part of enterprise strategic management. In essence, it is a process by means of which the company systematically analyzes risks related to every activity in order to maximize effectiveness at any stage of company management (see Figure 2). Risk management should be a continuous and developing process that analyzes the company in action, namely, the present, past and future of the company. Effectiveness of risk management largely depends on methods and techniques of control. Continuous and proper monitoring of the company risk management policy makes it possible to analyze the effectiveness of the actions taken to reduce risks, provide necessary information, accumulate necessary knowledge and experience for further steps in the decision-making process of risk analysis and assessment, and develop methods and techniques for effective management in the future.

Figure 2 ERM process development.

Following the COSO model, the Corporate Executive Committee considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives and developing mechanisms to manage related risks. ERM provides the rigor to identify and select among alternative risk responses - risk avoidance, reduction, sharing and acceptance. So, entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses. By considering a full range of potential events, management is also positioned to identify and proactively realize opportunities. Thus, obtaining robust risk and opportunity information allows management to effectively assess overall capital needs and enhance capital allocation.

The core element of risk management culture is making all the employees participating in the decision-making process at all the organizational levels aware of the company's general attitude towards risk and related corporate values. Today, risk management should be integrated into the general culture of the organization, accepted and approved of by the directors and conveyed to every employee in terms of a general company development program with locally formulated specific tasks. Risk management as a unified system should incorporate a program of control over the execution of the set tasks, efficiency assessment of the activities and a system of incentives at all the organization levels. Effective risk management requires in turn the accurate selection and skillful combination of methods to reduce potential risks.

Further development of risk management

Providing for the insurance against risks and for the assurance of tomorrow, ERM forms the company's risk management policy and accomplishes its active and extensive implementation. In spite of the already gained experience and wide practice, ERM application at a modern industrial enterprise is in the state of constant development. The evolution of risk management proceeds at all organizational levels of the company (from the primary business units up to the supervisory board) and in all directions exerting direct influence on the ERM system and on the concept of risk management, its activities and results.

There occurs a smooth change in the system of company risk management from procedures, processes and methodology to a single concept. The ideas of the role played by risk management also undergo changes from setting operational and tactical aims to working out a strategy and determining general corporate values. Actions carried out to manage risks are no longer of a random, selective or episodical character, and represent a coordinated and continuous process. From isolated projects aimed at managing separate kinds of risks, the company moves to a complex and multi-purpose aggregation of results.

Risk management is carried out according to a logical chain from theory to practical application based on a widely branching analysis and on possible applications of the methods and techniques of risk management (see Figure 2). Risk management in a company analyzes the company's past to answer the question "What is already available and done in the company as a whole or in any of its subdivisions from the viewpoint of managing risks?", and tries to see into the future ("What is possible and applicable in general?"), keeping itself, in so doing, within the bounds of what is necessary and admissible for the company. Then, risk management passes from the set aims and tasks to direct development of specific projects and programs meant to effectively manage the company's risks.

Conclusion

In conclusion, it should be noted that for many companies the creation of risk management services is frequently a forced action, which is only due to the demands of governmental and other regulating authorities. Ignoring the regulatory pressure and guidance related to the management of risk and desire for transparency, company management need to get a much better view of and control over risk if they are to build trust and keep performance volatility in control. Enterprises review their current risk management capabilities and investigate how an ERM system could improve their results. Nevertheless, sometimes the management of a company itself fails to attach the proper significance to the originating of services themselves and then fails to see the real benefit and advantage of risk management. Another problem in the sphere of risk management today is the substitution of the idea of a risk manager by the official powers of an already existing financial analyst.

Undoubtedly, a risk manager does conduct financial analysis, but the analysis itself occurs at a somewhat different level. So it is necessary to distinctly differentiate which functions are within the competence of a risk manager, and which are the direct duties of a financial analyst. The risk manager is first of all to evaluate the risks, which the company takes upon itself, and is responsible for insurance, hedging, reservation and limiting. In other words, he reduces the risks using modern financial techniques and tools. A person in this position detects possible weak points while studying business processes, and, what is most important, he or she estimates the costs of operational risks, informing the company management about the presence of uncovered risks as well as about their costs. Moreover, another duty of no small importance performed by a manager engaged in calculating risks is to check the presence and performance of procedures aimed at reducing operational risks, which is one of the main tasks facing not only the risk manager, but also the company as a whole.

To sum it up, the main responsibilities of enterprise risk managers at this stage are to:

develop, implement and maintain risk management or control policies, with appropriate organization, risk methodologies and processes that encourage accountability and reliability in business;

report regularly and/or on demand about the risk inventory and exposures, as well as about the assessment of the effectiveness and efficiency of the risk management and control system;

facilitate informed, factual, diligent, pro-active, entrepreneurial decision making and appropriate action on all material risks of a company;

support best practice sharing within an organization;

develop an overall Risk Management governance function.

The prospects of risk management development are linked to the globalization of the economy, with the dynamically changing and competitive business environment. The variation and complication of risk factors are becoming interdisciplinary, multidisciplinary and surrounded by internal interdependencies.

Unfortunately, the management of some enterprises believe that if a risk, revealed beforehand, is nevertheless realized, it will be regarded as an error (i.e. kill the messenger of the risk). It is psychologically explicable that the personnel of the enterprises, too, have formed a negative attitude towards risk - it is better to avoid it. Thus, mistakenly, separately working officials are frequently reluctant to manage risks. The problem is that managers are not always aware of a risk, which is beyond the bounds of their immediate duties: they have no idea of a risk at the level of the whole enterprise. At the same time, it is effective risk management that makes it possible to demonstrate how much the potential consequences of a risk for the whole enterprise have been reduced with the help of preventive measures.

Despite the fact that at enterprises there are many problems connected with effective risk management and risk management introduction, today it is impossible to do without a well-grounded consideration and estimation of risk in taking managerial decisions. The whole weight of responsibility for a decision taken falls on the heads of business subunits and on the top management of a company. They are frequently forced to work under new conditions and in an unknown situation characterized by high risks, contradictions, constant and unexpected changes. Therefore, it is essential to "arm" officials who take decisions with the risk estimation technique, which is maximally approximated to the real economy. Good understanding of how the risk would work will make it possible to carry out a more complete analysis of expenses and results, to minimize unpleasant unexpectedness and to maximally make use of available possibilities and facilitate the solution of the problems faced by the company. Even now it is possible to say with certainty that risk management at many enterprises is becoming as typical an activity as, say, accounting.

Notes

1 All statements made in this paper express the personal view of the author on Enterprise Risk Management, and do not relate to companies for which the author is working now or has worked before. Nevertheless, some thoughts and ideas presented here might be implemented in the establishment of Risk Management process at these companies.

2 For more details on that we refer to Enterprise Risk Management - Integrated Framework, COSO, September 2004, http://www.coso.org/.
