The Right Approach to Risk

NGP speaks with Christopher Carey, Director of Business Risk Management at Bristol-Myers Squibb, about the increasing number and complexity of risks faced by pharmaceutical companies that are pushing the need for adoption of enterprise risk management strategies.

Risk has always been an inherent and vital part of the pharmaceutical industry, as new product launches and clinical trials fundamentally involve risk. But as risks have steadily increased in recent years in both complexity and number, today pharma faces an unprecedented array of risks as a result of a myriad of pressures and changes, including increasing regulatory requirements, globalization and operational efficiency.

Compliance has consistently put increasing pressure on pharma as regulations increase each year, putting more strain on organizations in relation to the rising number of regulations that need to be monitored. “The number of laws, guidelines, and regulations increase year after year,” says Christopher Carey, Director of Business Risk Management at Bristol-Myers Squibb. “National governments, state legislators, regulatory bodies, as well as company specific internal standards, all continue to react to external events, the need for process improvement and stakeholder needs by issuing additional standards and guidance. Ultimately, there are many more regulations to comply with and proactively monitor.”

Reducing costs
Operational efficiency also factors into the need for better risk management. Subject to similar pressures faced by other industries, pharma is also under pressure to reduce costs. “The need for operational excellence can also drive increased risk exposure,” Carey notes. “For example, pharmaceutical companies execute business process outsourcing (BPO) with third parties as a way to reduce costs or to gain access to expertise.”

BPO is just one outsourcing process that has seen an uptick in the industry. Such third party arrangements – ranging from clinical data management to manufacturing to knowledge process outsourcing – have become strongly prevalent in the industry, with the largest pharmaceutical companies retaining multiple third-party relationships for a variety of processes.

While some erroneously view a third party as an altogether separate entity responsible for its own risks, a third party should rather be viewed simply as an arm of the organization, subject to the same scrutiny of compliance checks. “Although the potentially non-core function or process was outsourced, it still needs to remain fully visible in terms of operational excellence and risk management,” Carey acknowledges. “The third party is now viewed as an extension of your organization and is required to maintain levels of quality and compliance consistent with company standards.”

Global risks
While globalization is another trend familiar to pharma, new pressures have exerted greater challenges on organizations. Carey cites today’s new challenge as being able to operate globally and act locally with an ability to quickly react to external changes in the environment. “Individual market requirements, local market competition, broad scale roll out of company wide initiatives, along with working through many third parties requires a greater sense of urgency.” In addition, growing global risks such as counterfeiting, data privacy, and intellectual property issues have held pharmaceutical companies to a greater level of accountability.

Altogether, the prevalence and magnitude of risks have consequentially caused risk to bleed into strategic decision-making at the upper management level. Nearly every opportunity presents risk, and in turn, risk can’t be separated from strategy. Thus risk needs to be accounted for beginning at the top level of decision-making in order for it to be integrated effectively throughout the entire organization.

Carey reinforces why including risk considerations in senior management decisions is imperative. “Setting the strategic direction of a company must include considering the uncertainties and risks of the future direction. When senior management has consensus around the company’s strategy and the risks associated with executing that strategy, this information is naturally factored into decision-making as the strategy and tactics are executed.”

Intertwining risk with strategy is the critical confluence necessary to achieve the core, underlying objective of an ERM strategy. “Ultimately, ERM is about managing risks to objectives across the enterprise in a strategic setting,” Carey states. “If you’re managing risks within the strategy process, you’re also including this information as input into decision making.”

ERM begins with realignment
As industry pressures have multiplied risks and moved them higher up the value chain into the strategic level of decision-making, the traditional silo approach no longer satisfies the new attention and requirements needed for risk management. A coordinated risk management effort is necessary to connect risk management practices across the organization for optimal resource allocation and to ensure an evenly distributed focus.

Implementing an effective ERM strategy begins with proper resource and organizational realignment, which includes shifting from a vertical focus to a horizontal one that enables a coordinated effort. “An optimal scenario of enterprise risk management requires that risks be managed horizontally while being communicated vertically,” Carey explains. “Some pharmaceutical companies organize into structures that put them in the best position to manage risks and meet objectives.”

Carey elaborates on the two most popular organizational structures, with the first structure involving the creation of focused teams with a horizontal view of risks. “Enterprise risk management, product launch teams and partnership alliance teams are examples of these focused teams. Leaders of these teams have a view of and are accountable for the management of all risks that surface horizontally across silos. Based on the objectives, both enterprise risks management teams and product launch teams will break out of the silos to focus on mitigating risks.”

The second type of organizational alignment is a matrix structure with centralized and decentralized personnel. “A matrix structure establishes resources globally and allows for various solid and dotted line reporting and accountability options,” Carey explains. “This structure provides the knowledge, resources and coordination needed to prepare for and manage local, regional and global risks.”

Along with employing organizational realignment structures, technology can also play a role in setting an ERM strategy through risk identification and analysis tools to prioritize risks and make sure resources are being used effectively. Technology can then be further used for analyzing risk in more detail. “Once risks across the company have been identified technology can assist in assessing the risk further in preparation for mitigation,” Carey says. “Technology tools can be used to facilitate root cause analysis with risk management teams. Furthermore, risks that are now documented in a technology tool such as a database can be aggregated and reviewed for signals. Information from individual risks can be aggregated by ERM professionals to highlight broader risks impacting the company that might not have been visible otherwise.”

Creating a risk culture
One of the positive implications of adopting an ERM strategy is that it has the power to influence the way individuals think about and identify risk. Carey: “ERM provides the education and training needed to embed a risk management mindset into the culture of the organization. The end result is that managers think through risk and identify impacts inside and outside their area of responsibility and proactively coordinate with other teams.”

Incorporating enterprise-wide risk management mentalities into a culture should be approached like all major broad organizational changes – in a holistic manner to reach and influence everyone appropriately through all possible avenues. “You’re transitioning the culture from the current state where managing risk is someone else’s job to where risk management is everyone’s job,” Carey expresses. “Changing the way management and all company employees think about risk can be accomplished through training, awareness, tools, and attaching risk management to a sustainable process. Risk management mindsets can also be changed by taking risk management beyond the minimum requirements to focus on opportunity.”  

Carey also emphasizes the importance of tying risk to a sustainable process. “The risk management mind set remains front and center when attached to a sustainable process. Linking risk management formally to the strategic planning process, personal objectives, and/or employee behaviors are all ways to reinforce the importance and accountability of risk management to all employees.”

Going above and beyond the minimal requirements within ERM initiatives can also provide a competitive advantage and ensure the process will stick. “Teams implementing initiatives or requirements such as SOX 404, Six Sigma, and ERM beyond the minimum requirements leverage the opportunity to change culture,” Carey explains. “For example, companies that document processes in search of risk and control breakdowns also look for process improvements. ERM teams identify risks and then leverage the risks as a way to get multiple teams to align objectives, resources and decisions to manage the risks and execute strategy. The teams that leverage the initiative, find additional value in the process and turn it into a competitive advantage will continue to utilize the process.”

Lastly, another way the proper shift in culture can happen is by a simple life lesson that applies to everything: you learn from your mistakes. “People, teams, and organizations all learn from past events. If you’ve ever been burned by the stove as a child, you’ll immediately never want to have that feeling again. As a result you’ll do things to ensure it does not happen again. The same can be said for teams and organizations. Whether it’s reacting to a crisis or ensuring you organization is proactively meeting its requirements, these events can change your current state into a future state and ultimately your culture.”    

True adoption and successful implementation of an ERM strategy is evident in the turn of the mindset. While culture change is a valid indicator of a well-integrated process, the last and most important aspect is coordinated execution. “Ultimately, the culture of the organization can be in the right place, business changes underway and still not be fully coordinated. From growing your business globally to rationalizing your manufacturing network and outsourcing a business process, coordination and resource allocation is critical. Coordinated execution, of which risk management is a part of, needs to be done together.”

As Director of Business Risk Management at Bristol-Myers Squibb, Christopher Carey has responsibility for implementing and managing a corporate wide business risk management capability and process. He is accountable for leading risk management activities across multiple business units and regions, corporate monitoring and reporting, and process integration.