Risk management in life sciences: A work in progress

From intellectual property and trade secret theft, to cyberrisk, or compliance risk related to international regulations, the life sciences industry contends with its fair share of risk.

“What makes for successful risk management initiatives is an organization’s culture and a commitment to managing risk from the top. Really starting at the board level, down through the executive team, there needs to be a cross-functional commitment to risk initiatives and a common understanding of related objectives and level of effort.”

Lisa Walkush, National Life Sciences Sector Leader
Life science companies are in search of the best strategy to approach assessing risk in their organizations. This includes developing an enterprise risk management (ERM) process that is specific to the life sciences industry and is scalable to be appropriate for large, global companies or small emerging companies.

In addition, companies need to consider aligning internal resources vs. hiring outside help, as well as figuring out investments in technology and establishing a culture that understands the importance of managing the highest risks to the business. How can businesses balance needed resources with the restrictions imposed by their size?

Top of mind: Risk diagnosis and prioritization For companies large and small, identifying, assessing and prioritizing risk becomes the big question. How do you align an organizational structure to execute your ERM program and effectively manage high risk areas? Start with a risk register that defines the entire set of risks and conditions that you need to consider in establishing your ERM approach.

“Identifying and/or customizing a risk register that fits your business and industry -- getting a handle on what your risk universe looks like -- is definitely your first step to an end-to-end ERM perspective,” said Vikrant Rai, Grant Thornton Senior Manager, Cyberrisk.

With the risk register in place, what factors should shape the extent and nature of your company’s investment in your ERM policies, processes and tools? While every company’s needs are unique, certain issues drive increased risk concerns:

  • How quickly is your company growing? One medical device company that expected to more than double in size over the next few years chose to invest heavily in scalable risk infrastructure now in order to not only meet their current risk needs, but also to position itself for the foreseeable future.
  • What is your geographic footprint? Are you expanding into new foreign markets? New markets mean new risks. For example expansion into foreign markets means exposure to regulations and laws, such as the Foreign Corrupt Practices Act (FCPA) issues, the UK bribery act and other international bribery and corruption laws. Health care and life science companies face considerable attention on that front.
  • Are you deploying new products or services? What additional risks will those entail?

The size of an organization itself plays a role in determining the extent and nature of its ERM approach, but size alone is not the only consideration. For example, a small pharma company is not necessarily at a lower risk for a data breach than a larger company. While a smaller company might have fewer resources to devote to managing risk, and cyberrisk in particular, its intellectual property (IP) could be just as valuable as that of a larger company, and, hence, worth hacking.

Effective communication across organizational and functional boundaries is also vital to an effective risk approach. Some organizations struggle because their risk assessment process is still anchored in traditional silos, leaving separate functions or business units to assess and manage risks in a vacuum with little or no consideration given to how the numerous risks within the overall organization interact. This not only means that risks that overlap functional areas are not addressed effectively, it also makes the ERM approach inefficient, as the same risk may be addressed by multiple departments.

Identifying risks is just the beginning. Addressing them requires everyone to understand their roles and responsibilities. Establishing a strong risk culture starts at the top, with clear direction and strong support from the board down. However, effective risk management also means keeping hundreds of risk issues from bubbling up to senior leadership or the board. Companies need to have the risk management infrastructure in place at all levels to assess, prioritize and address risks according to both their probability and their potential level of threat to the organization. That way, only the most serious, strategic risks are elevated to the board level.

Achieving that goal means clearly communication risk responsibilities at four levels:

  • At the operational level, where employees should understand the key risks facing the business and their role in managing those risks.
  • At the mid-management level, where managers need to own risks within their area of operation and clearly communicate roles and responsibilities to their people for managing those risks.
  • At the senior leadership level, where leaders must embrace their responsibility for overseeing and managing risks, including compliance.
  • At the executive and board level where enterprise-wide risks must be discussed, prioritized and managed.

Risk management success: What does it look like for companies big and small? While often a company’s size determines its approach to risk management, size limitations can be counterbalanced by leadership. Companies of all sizes benefit when they have a leadership that is committed to having an up-to-date methodology to identify and prioritize risks based on probability and severity.

The approach should be one that works for their company, but should be rooted in a solid foundation and follow a recognized methodology. Often due to various constraints, leadership might be tempted to rush the process of assessing risk and rely on instinct and experience in identifying top risk priorities.

An effective ERM approach is founded on a culture of ethics and compliance. An ethics and compliance program is an enterprise-wide framework designed to prevent, detect and respond to instances of legal and policy violations and ethical misconduct. A program that is designed effectively helps organizations achieve the following outcomes:

  • Achieve strategic objectives
  • Preserve and enhance reputation
  • Maximize compliance resources and drive down compliance-related costs
  • Strengthen competitive advantage
  • Increase employee engagement and morale
  • Decrease business disruption
  • Retain top talent
  • Reduce exposure to fines and penalties

With the right culture in place, an organization then ensures that it involves the right people, processes, technology and documentation to create a framework for a holistic ethics and compliance program, with programmatic elements aligned to the guidelines defined by the Department of Justice, the Office of Inspector General (OIG) and other guidance documents and industry-specific domains. These programmatic elements are:

  • Governance and oversight
  • Risk assessment and due diligence
  • Code policies and procedures
  • Training and communications
  • Employee speaking up
  • Case management and investigations
  • Auditing and monitoring
  • Third-party risk management
  • Continuous improvement

With the implementation of these necessary program elements, then companies can be in a good position to address the surrounding universe of potential risks. For example, a representative list of such risk domains that pertain to life sciences specifically are:

  • Interaction with healthcare professionals
  • Data privacy
  • Drug safety
  • Patient data privacy
  • Product promotion
  • R&D

At the end of the day, the solution that all life science companies need to embrace in order to stay in the competitive global game of the industry is to focus on and allocate resources to building strong support systems from the ground up, while also ensuring clear communication channels through the different levels of the business all the way up to leadership.

At the same time, leadership needs to zoom in and check the pulse of an ever changing risk scenery that includes tried-and-true risks to the industry, but also new and sometimes surprising elements such as the ever-changing cyberrisk.

Learn more

  • To find more on managing cyberrisk, read our paper “Taking AIM at cyber risk.”
  • Read “Risk and sustainability: How to get the most out of your existing ERM framework.”
  • Explore drug traceability challenges and solutions by reading “Is blockchain the right technology for the pharma supply chain?”

Lisa Walkush
National Sector Leader for Life Sciences
T +1 215 814 4000