A Framework for Continuous Risk Management Improvement
A Framework for Continuous Enterprise Wide Risk Management Improvement
ERM Roundtable – North Carolina State University
Raleigh, NC
Laurie Smaldone, M.D.
Vice President, Strategy & Business Risk Management
December 1, 2006

Mission: To extend and enhance human life by providing the highest-quality pharmaceutical and related health care products

Agenda
• BMS background
• Key objectives of ERM
• Key components for ERM maintenance
  – Governance
  – Process
  – Leaders
  – Culture
• Continuous improvement
• Integration with business process
• Monitoring
• Barriers
• Success factors
* This presentation does not necessarily represent the views of Bristol-Myers Squibb Company

• Global Operations, Headquarters: NYC
• Businesses: Pharmaceuticals, Mead Johnson Nutritionals, ConvaTec (Ostomy Care and Wound Therapeutics), Medical Imaging
• Key product areas: Oncology, CV, Virology, Metabolics, Neuroscience
• Employees: 43,000

ERM Development
• ERM system in progress since 2003
• Linked at outset to strategy and planning
• Initiated with pilot programs
• Gradual expansion to businesses and functions
• Case studies
• Communication

Burning Platform
• Serious business risks can be missed or may not be given appropriate focus
• Absence of a formalized process leaves risk appreciation to inconsistent methods and surprise
• Little opportunity to reapply best practices, hence reinvention of policies and procedures, and inefficient operations

ERM Objectives
• To have a sustainable process to proactively identify, analyze and manage risk
• To get ahead of risks before they become costly, negatively impactful and disruptive
• Enable innovation and opportunity to drive business growth

What is Business Risk?
• Any uncertainty to achieving an expected outcome that has a significant impact on:
  – Strategic goals
  – Financial results
  – Reputation
  – Customers
  – Shareholders
• Internal or external
• Anticipated or unanticipated
• Business unit, functional level or corporate-wide

Risk Lifecycle
[Diagram labels: Risk Identification; Signal Detection; Current Issues; Crisis; Continuous Risk Profile Assessment; Inherent Business Risks; Policies & Procedures; Best Practice; Action Planning; Lessons Learned]

Key Components for ERM Maintenance
[Diagram labels: Governance; Culture; Process; Leaders]

Governance
• Core business review and corporate review committees
• Engagement of the Board
• Supporting processes
• Develops transparency and facilitates decision making

Process
• Importance of a stable risk identification and risk management process
• Align risk process with decision making processes
• Endorse prioritization and risk assessments at oversight committees
• Understand the intersection with related functions – simplify and leverage existing processes (the control network)

Process: Language of Risk
• Critical to process adoption
• Standards are needed to set the system in place and set expectations
• Brings clarity to often complex topics – what is the risk, risk to what, impact of risk, time horizon, management of risk
• Develop impact criteria

Risk Management Process
[Flowchart]
Communicate and Integrate
Establish the Context
• Internal/External Context
• Develop Criteria
• Define the Structure
• Define the Framework
Identify Risks
• What can happen?
• When and where?
• How and why?
Prioritize Risks Against Standard Criteria
Determine Impact
Determine Probability
Determine Existing Management Effectiveness
Determine Risk Management Gap and Risk Priority
Response Plan Risk? (Yes / No)
Yes:
Analyze Risks
• Determine root cause
Develop Response Plan
• Select risk management strategy
• Perform capabilities gap analysis
• Develop metrics
• Prepare and implement treatment activities
No:
Monitor and Report

Risk Lenses
[Diagram: Risk viewed through the lenses Media; Business Partners; Shareholders; Financial; Regulators; Customers; Employees]

Leaders
Multiple levels of leadership
• Risk owners
• Risk executive sponsors
• Risk process drivers
• Risk process integrators

Culture
• Evaluate risk readiness
• ERM is change management
• Find triggers that are meaningful to company culture
• Communication efforts need alignment with change plan
• Training and educating key employees

Multilevel communication
• Company wide
• Divisional
• Local

Creating a Continuous Improvement Culture
Risk identification updates: What’s new, what’s changed, new laws, changes in business operations, anticipated business process or infrastructure changes
Action plan updates: Are risk management activities on target, metrics review, are goals achieved, have accountable personnel changed, is residual risk acceptable

Continuous Improvement Elements
• Keeping risk fresh – assess tolerance and control capability changes
• Ability to effectively monitor environmental changes (internal, external)
• Evaluation of action plan effectiveness
• Management commitment to drive open discussion

Key Issues
• Organizational acceptance of proactive investment of time, dollars and effort
• Demonstrating value often takes time – months to years – to achieve risk management desired outcomes
• Dynamic process is challenging – need to overcome risk “modeling” mentality
• Resources and expertise need to be readily accessible
• Continuous education – what went well, what didn’t

Drive Integration Locally
[Diagram labels: BU Operating Committee Agenda; Business Operations; Risk Management Plans; Financials; Issues; HR]

Monitoring Goals
• Transparency and awareness of issues and needs to address risk
• Actionable vs. non-actionable risks
• Residual risk tolerance
• Links to strategic decision making
• Keep risk awareness alive

Risk Management Monitoring Tools
• Dashboard with metrics
• Performance objectives
• External information: e.g. audits
• Routine updates
• Risk self-assessment updates

Barriers
• Conflicting priorities and focus
• Overcoming skepticism
• Training of teams
• Turnover
• Unable to embed in sustainable process
• Limited subject matter expert support
• Language not standardized
• Another corporate initiative

Critical Success Factors
• Keep it simple
• Leadership support
• Customize approach when applicable
• Train all participants
• Leverage existing governance and processes
• Integrate with decision making bodies
• Prepare, prepare, prepare
• Professional ERM team
• Don’t expect to get it right the first time