Enterprise Risk Management in a Pharmaceutical Company

Author(s): Andrey Y. Rogachev


Source: Risk Management, Vol. 10, No. 1 (Feb., 2008), pp. 76-84
Published by: Palgrave Macmillan Journals
Stable URL: http://www.jstor.org/stable/27669990 .
Accessed: 26/02/2014 12:45
This content downloaded from 111.68.97.118 on Wed, 26 Feb 2014 12:45:26 PM
All use subject to JSTOR Terms and Conditions
Review article

ENTERPRISE RISK MANAGEMENT IN A PHARMACEUTICAL COMPANY

Andrey Y. Rogachev
F. Hoffmann-La Roche Ltd, Group Risk Management CSR, Basel, Switzerland

Correspondence: Andrey Y. Rogachev, F. Hoffmann-La Roche Ltd, Group Risk Management CSR, Bldg. 654/431, CH-6070 Basel, Switzerland.
E-mail: andrey.rogachev@roche.com
Abstract

Risks are everywhere and in any activity. Many pharmaceutical companies are currently looking to better understand, anticipate, and be able to mitigate business risk in order to deliver the rewards of risk taking, and to minimize the frequency and impact of risk on the downside. Some of them use the Enterprise Risk Management concept (ERM, developed by COSO) to establish an effective corporate management system. In the present paper, we analyze the integrated approach that is used by the company as the foundation of risk management within a company. The reader is offered a case of constructing an ERM system in practice.

Keywords

business risk; COSO model; corporate management system; enterprise risk management; internal control; risk manager responsibility
Risk Management (2008) 10, 76-84. doi:10.1057/palgrave.rm.8250037
© 2008 Palgrave Macmillan Ltd 1460-3799/08 $30.00
www.palgrave-journals.com/rm

Introduction

Nowadays, it is impossible to do business without taking risks. Risks are everywhere and in any activity.¹ However, the words "risk" and "danger" are often used as equivalents, without drawing any clear distinction between them. Undoubtedly, risky decisions are those involving an element of danger. In other words, risk is the danger of future losses, which the entrepreneur may suffer under certain unfavorable business conditions. It is worth emphasizing that risk is a complex concept and can generally be regarded as the probability of causing uncertainty, property damage or other losses or the impossibility of obtaining the expected results of implementing the set goal.
The strategic goals of a company as well as its policy are determined by the expectations one has about that company. The company shareholders expect the managers to ensure that the business brings the expected profits. The company management relies on the efficiency and reliability of the organizational systems in accomplishing the set strategic goals. The company employees expect the guarantees of keeping their jobs and progress in the company development.

The term "risk" implies any event or action that can interfere with the company's achieving its strategic goals on any of its organizational-technical levels. Therefore, risk management is a structured and coherent approach to identifying, analyzing and managing risks that affect the strategy, processes, people and technologies.

Many pharmaceutical companies, which have focused so much on innovation in science, are now looking for progressive ways to manage and mitigate their business risk not only to gain competitive advantage but, in some cases, to survive. Management are currently looking to better understand, anticipate and be able to mitigate business risk in order to deliver the rewards of risk taking, and to minimize the frequency and impact of risk on the downside. In the present paper, we discuss the topic of introducing Enterprise Risk Management (ERM) at the Roche Holding. The reader is offered a case of constructing an ERM system in practice. We analyze the integrated approach that is used by the company as the foundation of risk management within a company.
Headquartered in Basel, Switzerland, Roche is one of the world's leading research-focused healthcare groups in the fields of pharmaceuticals and diagnostics. As the world's biggest biotech company and an innovator of products and services for the early detection, prevention, diagnosis and treatment of diseases, the Group contributes on a broad range of fronts to improving people's health and quality of life. Roche is the world leader in in vitro diagnostics and drugs for cancer and transplantation, a market leader in virology and active in other major therapeutic areas such as autoimmune diseases, inflammation, metabolism and central nervous system. In 2006, sales by the Pharmaceuticals Division totaled 33.3 billion Swiss francs, and the Diagnostics Division posted sales of 8.7 billion Swiss francs. Roche employs roughly 75,000 people worldwide and has R&D agreements and strategic alliances with numerous partners, including majority ownership interests in Genentech and Chugai.
Figure 1 ERM vs internal control. [Panels: COSO Internal Control framework; COSO ERM framework]

Why risk management?
When speaking about risk management, it is necessary to first raise a question about the practicability of the very idea of managing risks. Risks in modern business are a dynamic and continuously developing process. And the winner in this race is the one who is capable of effective control and management of risks in a continuously changing business environment. On the other hand, the growing global competition, the increase in the freedom of trade and investment on the global scale as well as in the number of mergers raise the issues for the company management of improving the quality of information on the risk position of the company as well as on its production, financial and administrative activity.

One of a company's important competitive advantages is its quick reaction to any change whether it concerns competitors' actions or legal regulations of state authorities. The factors of risk change, and become more complex, revealing their so-far unknown aspects and features. Risks become a multifactorial and interdisciplinary phenomenon, and acquire a number of complex internal dependencies. New computer technologies and the Internet, complex financial instruments (mainly financial derivatives), changes and shifts in regional climatic maps also result in ever more companies creating specialized risk management services in their organizational structures.

In recent years, the requirements of corporate management systems have also risen. For many enterprises, the need for a risk management system has become evident. To design possible future scenarios and determine the boundaries of dangerousness are the major tasks assigned to present-day qualified risk management services by the directors and top managers of the company.

The reduction of government interventions into major industries on the one hand, and the increase in the external demands from the society on effective management on the other, have led to a shift in social consciousness from constructing internal control and risk audit systems to introducing an integrated approach to developing complex ERM systems (see Figure 1).
In 2001, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) together with PricewaterhouseCoopers initiated the project entitled Enterprise Risk Management - Integrated Framework (ERM) to achieve maximum effectiveness in risk management. According to the COSO standards, ERM consists of eight interrelated components. These are derived from the way the management runs an enterprise and are integrated into the management process. "These components are:
1. Internal environment
Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the basis for how risk and control are viewed and addressed by an entity's people. The core of any business is its people - their individual attributes, including integrity, ethical values and competence - and the environment in which they operate.

2. Objective setting
Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.

3. Event identification
Potential events that might have an impact on the entity must be identified. Event identification involves identifying potential events from internal or external sources affecting achievement of objectives. It includes distinguishing between events that represent risks, those representing opportunities and those that may be both. Opportunities are channeled back to management's strategy or objective-setting processes.

4. Risk assessment
Identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with objectives that may be affected. Risks are assessed both on an inherent and a residual basis, with the assessment considering both risk likelihood and impact.

5. Risk response
Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing and sharing risk. Management selects a set of actions to align risks with the entity's risk tolerances and risk appetite.

6. Control activities
Policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out.
7. Information and communication
Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information is needed at all levels of an entity for identifying, assessing and responding to risk. Effective communication also occurs in a broader sense, flowing down, across and up the entity. Personnel receive clear communications regarding their role and responsibilities.

8. Monitoring
The entirety of enterprise risk management is monitored, and modifications made as necessary. In this way, it can react dynamically, changing as conditions warrant. Monitoring is accomplished through ongoing management activities, separate evaluations of enterprise risk management or a combination of the two."²
Thus, centralizing and coordinating the risk management of the whole enterprise is a key issue today. It is the professional risk manager rather than an internal audit or financial control department who can properly implement risk management procedures and integrate them into the enterprise management system.

When risk management processes are scattered across various units, it is only separate company units that take actions to prevent negative aftereffects, and the new risk identification is intolerably slow. These organizations are characterized by a lack of complex risk management integrated into the general enterprise management system.

Risk management is already becoming a core element in company strategic management. It is a process by which the company conducts the system risk analysis of every activity to reduce or avoid losses. Recent practices have shown that ineffective risk management might be very costly for a company. A number of failures as a result of faulty risk management may lead not only to considerable financial losses but also to the reduction of share value, to the deterioration of the company's reputation, to the discharge of top management and even bankruptcy.

One should not ignore globalization as one more factor that calls for introducing ERM systems. It is noteworthy that changes in organizational structure by means of reductions, re-engineering and mergers may have significant impact on risk management development. Globalization generates new threats for a company and adds risk and uncertainty to the company's development process. Sustainable economic growth and business development are becoming necessary conditions for the successful operation of big transnational companies.
Risk management in practice

Also in the Roche Holding, risk management is a core part of enterprise strategic management. In essence, it is a process by means of which the company systematically analyzes risks related to every activity in order to maximize effectiveness at any stage of company management (see Figure 2). Risk management should be a continuous and developing process that analyzes the company in action, namely, the present, past and future of the company. Effectiveness of risk management largely depends on methods and techniques of control. Continuous and proper monitoring of the company risk management policy makes it possible to analyze the effectiveness of the actions taken to reduce risks, provide necessary information, accumulate necessary knowledge and experience for further steps in the decision-making process of risk analysis and assessment, and develop methods and techniques for effective management in the future.

Figure 2 ERM process development.
Following the COSO model, the Corporate Executive Committee considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives and developing mechanisms to manage related risks. ERM provides the rigor to identify and select among alternative risk responses - risk avoidance, reduction, sharing and acceptance. So, entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses. By considering a full range of potential events, management is also positioned to identify and proactively realize opportunities. Thus, obtaining robust risk and opportunity information allows management to effectively assess overall capital needs and enhance capital allocation.

The core element of risk management culture is making all the employees participating in the decision-making process at all the organizational levels aware of the company's general attitude towards risk and related corporate values. Today, risk management should be integrated into the general culture of the organization, accepted and approved of by the directors and conveyed to every employee in terms of a general company development program with locally formulated specific tasks. Risk management as a unified system should incorporate a program of control over the execution of the set tasks, efficiency assessment of the activities and a system of incentives at all the organization levels. Effective risk management requires in turn the accurate selection and skillful combination of methods to reduce potential risks.
Further development of risk management

Providing for the insurance against risks and for the assurance of tomorrow, ERM forms the company's risk management policy and accomplishes its active and extensive implementation. In spite of the already gained experience and wide practice, ERM application at a modern industrial enterprise is in the state of constant development.
The evolution of risk management proceeds at all organizational levels of the company (from the primary business units up to the supervisory board) and in all directions exerting direct influence on the ERM system and on the concept of risk management, its activities and results. There occurs a smooth change in the system of company risk management from procedures, processes and methodology to a single concept. The ideas of the role played by risk management also undergo changes from setting operational and tactical aims to working out a strategy and determining general corporate values. Actions carried out to manage risks are no longer of a random, selective or episodical character, and represent a coordinated and continuous process. From isolated projects aimed at managing separate kinds of risks, the company moves to a complex and multi-purpose aggregation of results. Risk management is carried out according to a logical chain from theory to practical application based on a widely branching analysis and on possible applications of the methods and techniques of risk management (see Figure 2).

Risk management in a company analyzes the company's past to answer the question "What is already available and done in the company as a whole or in any of its subdivisions from the viewpoint of managing risks?", and tries to see into the future ("What is possible and applicable in general?"), keeping itself, in so doing, within the bounds of what is necessary and admissible for the company. Then, risk management passes from the set aims and tasks to direct development of specific projects and programs meant to effectively manage the company's risks.
Conclusion
In conclusion, it should be noted that for many companies the creation of risk management services is frequently a forced action, which is only due to the demands of governmental and other regulating authorities. Ignoring the regulatory pressure and guidance related to the management of risk and desire of transparency, company management need to get a much better view of and control over risk if they are to build trust and keep performance volatility in control. Enterprises review their current risk management capabilities and investigate how an ERM system could improve their results. Nevertheless, sometimes the management of a company itself fails to attach the proper significance to the originating of services themselves and then fails to see the real benefit and advantage of risk management.
Another problem in the sphere of risk management today is the substitution of the idea of a risk manager, to the official powers of an already existing financial analyst. Undoubtedly, a risk manager does conduct financial analysis, but the analysis itself occurs at a somewhat different level. So it is necessary to distinctly differentiate which functions are within the competence of a risk manager, and which are the direct duties of a financial analyst.

The risk manager is first of all to evaluate the risks, which the company takes upon itself, and is responsible for insurance, hedging, reservation and limiting. In other words, he reduces the risks using modern financial techniques and tools. A person in this position detects possible weak points while studying business processes, and, what is most important, he or she estimates the costs of operational risks, informing the company management about the presence of uncovered risks as well as about their costs. Moreover, another duty of no small importance performed by a manager engaged in calculating risks is to check the presence and performance of procedures aimed at reducing operational risks which is one of the main tasks facing not only the risk manager, but also the company as a whole.
To sum it up, the main responsibilities of enterprise risk managers at this stage are to:
- develop, implement and maintain risk management or -control policies, with appropriate organization, risk methodologies and processes encourages accountability and reliability in business;
- report regularly and/or on demand about the risk inventory and -exposures, as well as about the assessment of the effectiveness and efficiency of the risk management- and control system;
- facilitate informed, factual, diligent, pro-active, entrepreneurial decision making and appropriate action on all material risks of a company;
- support best practice sharing within an organization;
- develop an overall Risk Management governance function.
The prospects of risk management development are linked to the globalization of economy, with the dynamically changing and competitive business environment. The variation and complication of risk factors are becoming interdisciplinary, multidisciplinary and surrounded by internal interdependencies.

Unfortunately, the management of some enterprises believe that if a risk, revealed beforehand, is nevertheless realized, it will be regarded as an error (i.e. Kill the messenger of the risk). It is psychologically explicable that the personnel of the enterprises, too, have formed a negative attitude towards risk - it is better to avoid it. Thus, mistakenly, separately working officials are frequently reluctant to manage risks. The problem is that managers are not always aware of a risk, which is beyond the bounds of their immediate duties: they have no idea of a risk at the level of the whole enterprise. At the same time, it is effective risk management that makes it possible to demonstrate how much the potential consequences of a risk for the whole enterprise have been reduced with the help of preventive measures.

Despite the fact that at enterprises there are many problems connected with effective risk management and risk management introduction, today it is impossible to do without a well-grounded consideration and estimation of risk in taking managerial decisions. The whole weight of responsibility for a decision taken falls on the heads of business subunits and on the top management of a company. They are frequently forced to work under new conditions and in an unknown situation characterized by high risks, contradictions, constant and unexpected changes. Therefore, it is essential to "arm" officials who take decisions with the risk estimation technique, which is maximally approximated to the real economy. Good understanding of how the risk would work will make it possible to carry out a more complete analysis of expenses and results, to minimize unpleasant unexpectedness and to maximally make use of available possibilities and facilitate the solution of the problems faced by the company. Even now it is possible to say with certainty that risk management at many enterprises is becoming as typical an activity as, say, accounting.
Notes
1 All statements made in this paper express the personal view of the author on Enterprise Risk Management, and do not relate to companies for which the author is working now or has worked before. Nevertheless, some thoughts and ideas presented here might be implemented in the establishment of Risk Management process at these companies.
2 For more details on that we refer to Enterprise Risk Management - Integrated Framework, COSO, September 2004, http://www.coso.org/.