ws from innovation to litigation neil campell and james bird

Early stage ERM implementation forLife Science and Biotech companies

Foreword

Businesses in the Communication, Technology and

Media sectors experienced rapid growth into the

early-2000s, which at the time seemed unstoppable

so long as the technology behind those businesses

evolved at such an incredible rate. In fact, with

broadband becoming ubiquitous, the growth of data

services exploding, and the plummeting price of

hardware against rising expectations of capability,

the value chain has fragmented rapidly. Services

have been saturated and commoditised, meaning

slower growth and narrower margins.

The breakneck speed of such change has brought

with it a whole host of new risks. Industry’s reliance

on these new technologies, and others’ intent on

criminally exploiting that reliance, have both given

rise to an expanding range of first and third party

exposures. However, unlike physical risks – with

their long and recorded history – or management

risks – typically driven by the slow pace of regulatory

change – the emerging risks of the digital era are

driven by technological development, and the speed

of such progress has been hitherto unknown to the

insurance industry.

Technological development has also driven the very

direction of some businesses. In 15 years a small

company selling books online has emerged not only

as one of the world’s most powerful retailers, but

also as owner of two publishing houses, numerous

web services, one of the world’s largest and most

robust global IT infrastructures, a purveyor of

wireless services, digital books, music and TV-on-

demand and, perhaps most surprisingly, an

emerging giant of B2B cloud computing services.

Was this their plan, or the opportunities that opened

up to them along the road?

Either way, the convergence of these industries, and

the nature of the risks they face, has required us to

evolve, too. In 2004 JLT founded the

Communications, Technology & Media (CTM)

Practice to bring together our global expertise and

experience in these sectors. Today, the CTM

Practice has an unrivalled record of working on

exciting and challenging projects for some of the

most significant players in the global industry,

providing consultancy, risk management and risk

financing services in Europe, North America, Africa

and Asia. As a result, we have developed an

excellent understanding of the regulatory and

commercial issues affecting businesses in these

sectors. In this publication we seek to share some of

our findings with you.

Luke Foord-Kelcey

UK Head of the Communications, Technology &

Media Practice

1

Early stage ERM implementation for Life Science and Biotech companies


But do they?

Have they really looked carefully through the glasses

of "the other side'? Through the eyes of the bankers,

the buyout funds, the investment analysts and the

detail-hungry due diligence teams, who's green light

is so essential when it comes to putting serious

money on the table - the preferred CEO prescription

medication for several good nights sleep.

Maybe not...

Dull as it may appear at first blush, proven risk

management excellence and discipline could well be

the answer to the key questions posed in the title of

this article. "We don't need all that stuff now" I hear

you cry. "Of course we have insurance, my secretary

takes care of that". Yes, insurance, that sure fire,

cocktail-party-room-emptying device. Perhaps it's

not quite as exciting as Tiger's recent love affair with

fire hydrants but having a properly constructed wall

of contingent capital - product liability insurance to

use is more mundane name - can be the difference

between corporate life and death if something goes

wrong. And the likelihood of something bad

happening in the first place can be dramatically

reduced with the early adoption of best practice in

Enterprise Risk Management (ERM).

Just imagine for a moment you're an investor being

asked to finance or buy a company. What would be

running through your mind? Firstly, no doubt trying

to figure out whether the financial projections are

reasonable, robust? Remember, the client’s almost

certainly pressurising you into paying dearly for the

consistent growth and lack of volatility so proudly

displayed in their future revenue and profit projection

PowerPoints. But you would also be thinking more

broadly what could go wrong. Quite a lot as it turns

out...What if that recent trade journal promotion,

which won an award for the ad agency, wandered

way outside of the strict zone allowed by the

packaging label and that dreaded lawyer's first

claim letter landed in the corporate in-tray? Or

perhaps worse, the same shock revelation arose

during an analyst presentation, with the trade

press in full attendance and the CEO was not fully

forewarned or prepared? What if that that seemingly

inconsequential Puerto Rican supplier – but one that

happened to provide a cheap yet critical ingredient

for the company's bestseller – went bust or was

shut down for a regulatory infringement or just

blown away by the next hurricane? What if you

suffered a major IP infringement? What if a

significant environmental threat in one of your

Access to cheap and plentiful finance and achievinga successful exit is typically at the top of the "musthave" list for CEO's of fast growing Life Science andBiotech companies. For sure they and their fellowdirectors and managers continuously strive to doeverything they can to secure these vital ingredientsand have their business priorities in the correct order.

1

2


production facilities, that cost 10% of your profit to

manage, turned out to be not so serious after all and

the cash saved from earlier more considered and

professional analysis could have been used to

finance another sure hit product?

When you raised all these issues with the senior

management of the company - let's call it company

A – and they appeared on the back foot, defensive

all the time, no real answers, a "Don't-worry-it-will-

never-happen" nervous pat on the back from the

CEO in your wrap up meeting, you’d be more than a

little concerned wouldn’t you? You'd probably want

to dig some more and see if there were more bones

lying in the corporate cupboards. After all, you are

being asked to invest a lot of money and you want to

be sure of meeting or exceeding your return targets.

On the other hand, let's consider hypothetical

company B in these same circumstances. What if

each time you probed and dug deeper into the

detail, a confident, well thought through response

came back. And the more you probed, the more it

really did seem as though not only had the company

considered the myriad of things that could go wrong

but also what to do if the proverbial happened.

You'd be reassured, would you not? Comforted that

your investment or refinancing capital was more

secure with Company B than Company A. That the

former had a better chance of achieving its financial

projections and was much less likely to spring any

nasty surprises along the journey to success.

Now, here's the real issue, The difference between the

price you might be prepared to pay for an investment

in Company B might be tens or maybe hundreds of

millions of dollars more than Company A. In fact you

may be put off making any investment at all in

Company A. You may just conclude that it's too risky.

Yet the real but simple difference between

Companies A and B is that Company B decided,

early on, to invest a little time, effort and money in

some professional risk management help and

advice. The initial cost was probably no more than

fifty thousand dollars, maybe even less. But the real

value was huge. It was perhaps hard to see at the

time, but once the professional Enterprise Risk

Management journey had commenced, Company

B never doubted its long-term value for a second.

And yet, in the heat of battle, with the CEO trying

to grow its precious company so it can be noticed

among all the competitive noise, this long-term

core process can so easily be overlooked, with

the modest initial cost and investment buried in

the lower budget reaches or not even making it

on to the critical corporate "to do" list.

So, if you’re interested in how to add multiple

millions of value and gain easier access to cheaper

finance, you'd better sit down, grab a cup of coffee

and read on.

The best 50k you've ever spent: Initial ERM

Implementation for Tier 3 companies

In the context of a commercial organisation,

Enterprise risk management (ERM) prescribes

the methods and processes used to manage risks

and seize opportunities related to the achievement

of business objectives. ERM provides a framework

for risk management, which typically involves

identifying particular events or circumstances

relevant to the organisation's objectives (risks and

rewards), assessing them in terms of likelihood and

magnitude of impact, determining the most effective

method of managing or exploiting risk, and ongoing

management and monitoring. Such a process

creates value for all stakeholders, including

customers, shareholders, employees, and regulators.

ERM can also be described as a risk-based

approach to managing an enterprise, integrating

concepts of internal control, appropriate national

and international regulation, and strategic planning.

ERM is evolving to address the needs of various

stakeholders, who want to understand the broad

spectrum of risks facing complex organizations to

ensure they are appropriately managed..

Effective Enterprise Risk Management is about

identifying, mitigating and ultimately optimising the

various risks that drive a company's success. Risk

cannot be eliminated entirely. Indeed it would be

wrong to do so as measured and managed risk

taking is actually what companies should be doing.

ERM is part of the overall process that transforms

risk to your competitive advantage. Done correctly

and we would strongly recommend, at an early

stage, ERM provides critical intelligence and

processes to manage the gamut of financial,

operational, reputational and natural and other

catastrophic risks that would otherwise keep the

Board awake at night unnecessarily. In addition,

regulators and debt rating agencies have increased

their scrutiny on the risk management processes of

companies, further heightening the potential

economic impact.

To embark on this process, here's a summary of the

key steps that need to be taken with the appropriate

professional advice and guidance.

Long term, a three-phased approach might prove

best suited to the needs of emerging Life Science

and Biotech companies. However, we would

suggest that any Company starts its ERM program

with a streamlined, practical baseline engagement

that will set the ERM foundation and allow The

Company to then progress its ERM program at a

rate appropriate to its requirements. For purposes of

the discussion below, we will refer to this initialization

phase as a Phase 1 engagement.

During the Phase 1 process, The Company would be

professionally guided to develop its ERM structure,

overarching ERM terms and definitions, its perceived

risk profile, and its initial perceived Risk list (via a

review of existing materials, interviews, limited use

of a questionnaire). Importantly, a heavy emphasis

would be placed upon leveraging the information

that The Company has already developed rather

than attempting to “reinvent the wheel”.

Further, we would work through the initial business

area risk workshops with The Company, facilitate

the first so-called Risk Council meeting to review

the workshop findings, and help to develop The

Company’s first validated and prioritized Risk Report

for executive leadership. This work would also assist

The Company to define the structure and processes

that it can use as it later proceeds to the risk

mitigation stage of its program.

3


PHASE 1: ERM Program Development:

Define EBS’s ERM Program &

Vocabulary; Risk Mapping Exercise; Risk

Workshop; Report to Management

Step 1:

ERM Program

Development –

Define EBS’s

ERM Program

& Vocabulary

Step 2:

Risk Mapping

Exercise – Data

Gathering &

Development of

“Perceived Risk Map”

Step 3:

Risk Workshop –

Risk Validation.

Step 4: Risk Council

Review and Report

to Management.

PHASE 1:

The Development of The Company’s ERM

Program and its Initial Risk Mapping Exercise

A Phase 1 engagement would provide The

Company with the foundation for an effective,

sustainable ERM program. Based upon our

dialogue, we would suggest the following steps:

Step 1 – ERM Program Development – Defining

The Company ERM Program and its Vocabulary:

At the start of any process, the Company would be

asked to identify an “ERM Project Leader” as well

as an “ERM Core Working Group”, which ideally will

be cross functional and consist of four (4) to five (5)

persons including the ERM Project Leader. In

addition, the appointment of a Board representative,

usually from the legal or finance disciplines, is highly

recommended. In this role, they will oversee the

project, providing guidance and facilitating

organizational support as well as provide more

intimate feedback to and discussion with the rest

of the Board.

The initial ERM Core Working Group session

typically takes one full business day and is highly

interactive. During this session, the team will decide

upon the Company’s approach to ERM while also

crafting its formal ERM Mission Statement and

developing the Company’s unique ERM vocabulary.

Concepts and processes that are fundamental to

ERM success will also be reviewed. Finally, a

strategy to move the ERM process forward will be

reviewed for endorsement and support, e.g.

development of achievable goals and objectives for

the project; preparation of a draft annual

timeline/schedule that will integrate the new ERM

process into the Company’s annual budget and

strategic planning cycles.

Following the meeting, a Draft ERM Handbook will

be prepared. The Handbook will summarize the

approach and definitions/materials developed by the

Core Working Group. Once approved by the Core

Working Group, a status update can then be shared

with the appointed Board representative, through to

the executive leadership group. With the proposed

path finalised and signed off by the Board, the Core

Working Group proceeds to Step 2.

Step 2 – Data gathering & the Development of The

Company’ Perceived “Risk Map”:

After reviewing and consolidating available

information that has already been developed by

and for The Company, best practice suggests that

approximately five (5) to eight (8) members of the

Senior Management Team be interviewed to identify

‘perceived’ material risks within the Company

(approx. 1 hour/interview). These discussions

would be on an anonymous basis to encourage a

frank and candid dialogue. Some limited use of

questionnaires may also be considered, although

generally, questionnaires are not nearly as effective

as actual interviews.

The risk items developed during this interview/

questionnaire process would be combined with

other risks identified from existing materials for

discussion with the Core Working Group and

compiled into the draft perceived risk list. This set

of risks will form the basis for the risk workshops

discussed in the next step.

Step 3 – “Validation Workshops”:

This process involves cross-functional “Bottom-Up”

risk workshops for each of the main business areas.

These workshops, which usually include 8-12

participants from the relevant business area (and

other related disciplines that interact with and may

4


have important insights) will:

• be provided with a background briefing on the

The Company's ERM process,

• assess those pre-identified ‘perceived’ risks

collected in step 2 as well as any new risks

which may be raised during the workshop,

• identify any low cost items for which risk

mitigation may be considered immediately

• prioritize those risks which may require funding

consideration

• consider the appointment of potential Risk

Owners for specific items proposed for risk

mitigation (based on time constraints of the

day). “Risk Owners” are persons who are

believed to possess appropriate skills and

expertise to lead a Risk Mitigation initiative

following senior management approval.

Ideally, one or two members of the Core Working

Team will participate in each of these sessions.

Workshop participants are normally senior

executives (Director, Senior Director, Vice President)

that have a good understanding of the business, as

well as the issues to be discussed. Validation and

prioritization are achieved via the use of an

anonymous, wireless voting system that has proven

highly popular and effective.

A report of Workshop findings and results is

generated that can be shared internally within The

Company and consolidated into a group level report

as described below.

Step 4 – Risk Workshop - Assessment of Phase 1

Findings:

Once the “Top Down” and “Bottom Up” assessment

of the risks are completed, the Core Working Group

(possibly with additional membership) would

convene to participate in an initial Risk Assessment

workshop (often called the Risk Council).

During this initial Risk Council session, the

group would be asked to assess the direct and

consequential implications, assess current controls,

and vote on the significance to The Company of the

compiled/combined risks gathered and assessed

during the previous steps, using an interactive,

anonymous voting tool. From this feedback, a

risk-prioritized “Heat Map” and summary report

will be developed for presentation to senior

management and for consideration in the Strategic

and Operational Budget process. The Core Working

Group may also identify potential Risk Owners at this

stage, time permitting. Risk Owners will eventually

be assigned to address priority issues approved by

The Company for risk mitigation initiatives.

Significantly, experience to date suggests that the

cost to mitigate many of risks identified through the

ERM process is fairly nominal. To address many

risks, all that is often required is the identification of

the issue, the dedication of focused effort, and the

removal of the internal barriers that has previously

precluded a solution. In instances where some

capital funding is needed, the prioritization

methodologies of an effective ERM process provides

Senior Management with a unique advantage when

deciding where to best allocate limited capital. Just

as importantly, ERM provides Senior Management

and the Board with an effective tool to define and

objectively measure progress against agreed upon

risk mitigation objectives.

After this initialization phase, The Company can then

assess its progress and determine a path forward

that meets with its needs and abilities.

5


PHASE 2 and beyond

Successful and growing organisations are

increasingly outsourcing risk management and other

similar advisory and management functions, much in

the same was as the software industry is moving

from an ownership to rent-as-a-service model. JLT

has wide-ranging, deep experience in working with

the World's largest Life Sciences companies and is

therefore in an excellent position to be able to share

this rich seam of knowledge with emerging and fast

growing Life Science and Biotech companies. grow

it's involvement with its clients to suit their future

advisory and risk financing requirements.

DON'T RUN BEFORE YOU CAN WALK

If you're not convinced yet that this is a "must do",

essential investment for your company and its

stakeholders, just reflect for a moment on some of

the outcomes for companies that ignored it. [list a

few here....]

Just remember that a small but critical investment

early on in developing a professional company-wide

risk management culture will make it easier and

cheaper to finance, more attractive to buy or invest

in and more valuable overall.

You know it makes sense.

6


NEIL CAMPBELL

Head of Life Science & Chemicals, Jardine Lloyd

Thompson Limited

After graduating in 1982 with a Masters in Applied

Biology Neil spent a short period in the Agrochemical

Industry before joining Sedgwick Group (insurance

brokers) in London, and subsequently moved to

Imperial Chemical Industries in London to work in the

company’s risk management department.

In 1993 ICI demerged its bioscience business to

form a separate company, Zeneca Group PLC, and

Neil was appointed global Risk Manager. In 1999

Zeneca merged with Astra AB to form AstraZeneca,

one of the world’s biggest healthcare companies.

Neil was subsequently appointed Director, Risk &

Insurance Services based at AstraZeneca’s

headquarters in London.

Neil joined Jardine Lloyd Thompson Risk Solutions

in November last year to head up JLT’s Life

Sciences Industry Practice.

Neil earned an Honours degree from Cambridge

University in applied Biology, has post-graduate

qualification in agronomy and is an associate of

the UK Chartered Institute of Insurers.

T: + 44 (0)20 7558 3996

E: [email protected]

JAMES BIRD

Partner, Jardine Lloyd Thompson Limited

James obtained a degree in Economics from the

University of Portsmouth and began his insurance

career on Guardian Royal Exchange's graduate

training scheme in 1993. He subsequently became

a Liability underwriter in the London Market. Moving

to Chubb as a Senior Liability Underwriter, he took

responsibility for several of their largest multinational

clients. In 2001 James became Senior Insurance

Manager at AstraZeneca, managing the global

product liability, clinical trials, marine, credit and

travel accident programmes. He moved to JLT in

2004. He is a Fellow of the Chartered Insurance

Institute and an Associate of the Institute of Risk

Management.

James leads JLT's approach to clinical trial

insurance and risk management, an area in which

he looks after some of JLT's largest clients. He is

heavily involved in the development of products

and risk management approaches aimed at better

addressing the risk profiles of life science companies

across the wider risk portfolio including supply

chains and liability exposures. James looks after a

number of clients in respect of their product liability

insurance programmes and is one of a team of JLT

Life Science Liability Insurance Practitioners who

provide technical advice to JLT's clients.

James regularly speaks at industry events on a

broad range of life science related topics including

product liability, clinical trials and supply chain risks.

T: +44 (0)20 7558 3580

E: [email protected]

7


Jardine Lloyd Thompson Limited

6 Crutched Friars

London EC3N 2PH

Tel +44 (0)20 7528 4000

Fax +44 (0)20 7528 4500

Lloyd's Broker. Authorised and Regulated by the Financial Services

Authority. A member of the Jardine Lloyd Thompson Group. Registered Office:

6 Crutched Friars, London EC3N 2PH. Registered in England No. 01536540.

VAT No. 244 2321 96.

www.jltgroup.com. © November 2010 262978

ws from innovation to litigation neil campell and james bird

Health & Medicine