By RL Expert Dr Robert B. Pojasek

Evolution of Enterprise Risk Management
A quick scan of the literature reveals a plethora of articles written about risk and the damage that can impact a pharmaceutical company’s reputation when bad things happen. The pharmaceutical industry is highly regulated. This regulation has been infused throughout its value chain. As a result, pharmaceutical and other life sciences companies focus on processes and controls in place to manage risk. This is not risk management!

Emphasis on risk management began to shift with the advent of enterprise risk management (ERM) as specified in regulations similar to the Sarbanes-Oxley Section 404 requirements for financial reporting. This enterprise approach to risk management elevated the responsibility for risk management to the Board of Directors, the Chief Executive Officer and the Chief Financial Officer.
The ERM enables the corporate governance to consider the potential impact of all types of risks on all processes, activities, decisions, products and services throughout the value chain. This should result in enhanced compliance, assurance and strategic decision-making.

The definition of risk used in the context of the ERM examines the possibility that an event will occur and adversely affect the achievement of objectives.

The ERM process is designed to identify potential events that may affect the corporation, to manage risk to be within its risk appetite, and to provide reasonable assurance regarding the achievement of corporate objectives. All efforts are made to ensure that risk management and internal controls are fully integrated in the operating management system.

Evolution of Our Understanding of Risk
From its roots in the early 1990s, an Australian and New Zealand risk management standard (AS/NZS 4360) became the catalyst for an international risk management standard – ISO 31000:2009. Risk is defined as “the effect of uncertainty on objectives.”
This definition clearly places risk in the context of what a corporation seeks to achieve: its objectives. Risk arises because the corporation and its value chain operate in an uncertain world. Objectives are set in the corporation’s mission statement, but to achieve them the governance must contend with the internal and external context of every element in the value chain that it may not control and which generates uncertainty and risk.
In the past, risk has been regarded solely as identifying the negative effects (threats) of uncertainty and seeking to avoid them or sharing the risk with others (e.g. insurance).
In the international risk management standard, it is recognized that risk is indeed a fact of life that cannot be avoided or denied. With this understanding of risk and how it is caused and influenced, it is possible to manage it so that the objectives can be achieved. With this knowledge, corporations might even operate more effectively and efficiently with improved results.
Risk is implicit in all decisions that are made. How these decisions are made will affect how successful the corporation can be in achieving its objectives.

In ISO 31000, a risk management framework becomes a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization. This is different than what is currently done in an ERM.

Benchmarking to ISO 31000
To manage reputation, a corporation needs to have a continuous process that supports internal changes and decisions and allows it to respond well to external changes – especially those emerging stakeholder concerns that can affect its reputation. For this to take place effectively, the corporations must embed risk management in their normal business practices and translate that throughout the value chain. Here’s how this can be accomplished:
First, all of the risk management initiatives can be benchmarked to the ISO 31000 risk management guidance. From this benchmarking process, the corporation will be able to design a risk management framework to suit its business processes, structure, risk profile and risk appetite. 
Second, the corporation can benchmark all of its operating management systems (including the ERM) to the ISO Consolidated Annex SL format. This is the document that all ISO management systems are required to use as part of the revision process.
Three standards have already been released in this format: business continuity, information security and asset management. In 2015, the new quality and environmental management systems will be released in the Annex SL format. If all of the corporation's operating systems are placed on the same platform, it is possible to embed the risk management framework in all of these programs.
Third, the corporation can benchmark how operating management systems are used throughout the value chain. It is essential to have a risk management framework for the entire enterprise that describes the broad strategies to be pursued to manage reputation.
Conducting these benchmarks can lead to a continuous process that supports the development and implementation of the strategy of the corporation and builds on what is already in place.
A successful enterprise risk management program that spans the entire value chain will mean the pharmaceutical industry can be tough-minded about how it can build and maintain the strong reputation that it deserves. We are reminded of the character of Dorothy in the “Wizard of Oz.” She always had the means of achieving her objective (going home). She only needed to effect the strategy to make it happen.
This article was written by Dr. Bob Pojasek, RL Expert Sustainability and Risk Management and was published in the July 2014 Pharmaceutical issue of RepRisk Insight, an ESG Risk publication co-founded by RL Expert and its partner RepRisk AG for the financial markets and their investee multinational corporations.
