A Framework for Continuous Risk Management Improvement

A Framework
for Continuous Enterprise Wide
Risk Management Improvement
ERM Roundtable – North Carolina State University
Raleigh, NC
Laurie Smaldone, M.D.
Vice President, Strategy & Business Risk Management
December 1, 2006

Mission: To extend and enhance human life by
providing the highest-quality pharmaceutical
and related health care products
2

Agenda
• BMS background
• Key objectives of ERM
• Key components for ERM maintenance
– Governance
– Process
– Leaders
– Culture
• Continuous improvement
• Integration with business process
• Monitoring
• Barriers
• Success factors
* This presentation does not necessarily represent the views of Bristol-Myers Squibb Company
3

• Global Operations, Headquarters: NYC
• Businesses: Pharmaceuticals, Mead Johnson
Nutritionals, ConvaTec (Ostomy Care and
Wound Therapeutics), Medical Imaging
• Key product areas: Oncology, CV, Virology,
Metabolics, Neuroscience
• Employees: 43,000
4

ERM Development
• ERM system in progress since 2003
• Linked at outset to strategy and planning
• Initiated with pilot programs
• Gradual expansion to businesses and functions
• Case studies
• Communication
5

Burning Platform
• Serious business risks can be missed or may not
be given appropriate focus
• Absence of formalized process, leaves risk
appreciation to inconsistent methods and surprise
• Little opportunity to reapply best practices, hence
reinvention of policies and procedures, and
inefficient operations
6

ERM Objectives
• To have a sustainable process to proactively
identify, analyze and manage risk
• To get ahead of risks before they become costly,
negatively impactful and disruptive
• Enable innovation and opportunity to drive
business growth
7

What is Business Risk?
• Any uncertainty to achieving an expected
outcome that has a significant impact on:
– Strategic goals
– Financial results
– Reputation
– Customers
– Shareholders
• Internal or external
• Anticipated or unanticipated
• Business unit, functional level or corporate-wide
8

Risk
Identification
Signal
Detection
Current
Issues
Risk Lifecycle
Crisis
Continuous
Risk Profile
Assessment
Inherent Business
Policies &
Risks
Best
Procedures
Practice
Action
Planning
Lessons
Learned
9

Key Components for ERM Maintenance
Governance
Culture
Process Leaders
10

Governance
• Core business review and corporate review
committees
• Engagement of the Board
• Supporting processes
• Develops transparency and facilitates decision
making
11

Process
• Importance of a stable risk identification and risk
management process
• Align risk process with decision making
processes
• Endorse prioritization and risk assessments at
oversight committees
• Understand the intersection with related
functions – simplify and leverage existing
processes (the control network)
12

Process: Language of Risk
• Critical to process adoption
• Standards are needed to set the system in place
and set expectations
• Brings clarity to often complex topics – what is
the risk, risk to what, impact of risk, time horizon,
management of risk
• Develop impact criteria
13

Risk Management Process
Communicate and Integrate
Establish the Context
• Internal /External Context
• Develop Criteria
• Define the Structure
• Define the Framework
Identify Risks
• What can happen?
• When and where?
• How and why?
Prioritize Risks Against
Standard Criteria
Determine Determine
Impact Probability
Determine Existing
Management Effectiveness
Determine Risk Management
Gap and Risk Priority
Response Plan Risk?
Yes
Analyze Risks
• Determine root cause
Develop Response Plan
• Select risk management strategy
• Perform capabilities gap analysis
• Develop metrics
• Prepare and implement treatment
activities
No
Monitor and Report
14

Risk
Risk Lenses
Media
Business
Partners
Shareholders
Financial
Regulators
Customers
Employees
15

Leaders
Multiple levels of leadership
• Risk owners
• Risk executive sponsors
• Risk process drivers
• Risk process integrators
16

Culture
• Evaluate risk readiness
• ERM is change management
• Find triggers that are meaningful to company
culture
• Communication efforts need alignment with
change plan
• Training and educating key employees
17

Multilevel communication
Company wide
Divisional
Local
18

Creating a Continuous Improvement Culture
Risk identification updates: What’s new, what’s
changed, new laws, changes in business
operations, anticipated business process or
infrastructure changes
Action plan updates: Are risk management
activities on target, metrics review, are goals
achieved, have accountable personnel changed,
is residual risk acceptable
19

Continuous Improvement Elements
• Keeping risk fresh – assess tolerance and
control capability changes
• Ability to effectively monitor environmental
changes (internal, external)
• Evaluation of action plan effectiveness
• Management commitment to drive open
discussion
20

Key Issues
• Organizational acceptance of proactive investment of
time, dollars and effort
• Demonstrating value often takes time – months to years
– to achieve risk management desired outcomes
• Dynamic process is challenging – need to overcome
risk “modeling” mentality
• Resources and expertise need to be readily accessible
• Continuous education – what went well, what didn’t
21

BUSINESS
OPERATIONS
Drive Integration Locally
RISK MANAGEMENT PLANS
BU Operating Committee
Agenda
FINANCIALS ISSUES HR
22

Monitoring Goals
• Transparency and awareness of issues and
needs to address risk
• Actionable vs. non-actionable risks
• Residual risk tolerance
• Links to strategic decision making
• Keep risk awareness alive
23

Risk Management Monitoring Tools
• Dashboard with metrics
• Performance objectives
• External information: e.g. audits
• Routine updates
• Risk self-assessment updates
24

Barriers
• Conflicting priorities and focus
• Overcoming skepticism
• Training of teams
• Turnover
• Unable to embed in sustainable process
• Limited subject matter expert support
• Language not standardized
• Another corporate initiative
25

Critical Success Factors
• Keep it simple
• Leadership support
• Customize approach when applicable
• Train all participants
• Leverage existing governance and processes
• Integrate with decision making bodies
• Prepare, prepare, prepare
• Professional ERM team
• Don’t expect to get it right the first time
26