No executive can have witnessed the humbling of global banks and insurers in the recent financial crisis without wondering whether their organisation should be doing a better job of identifying, measuring and managing risk. One clear lesson from the turmoil is that neither a high level of regulation nor long experience in dealing with risk is adequate protection. In order to survive in an increasingly uncertain world, companies have to adjust their risk antennae constantly to detect not just “known unknowns,” to borrow from former US defense secretary Donald Rumsfeld, but also “unknown unknowns” before they become a serious threat.
The collapse of the Ponzi scheme run by New York financier Bernie Madoff may not at first blush have appeared relevant to executives in the life sciences sector. But when it caused the collapse of the Picower Foundation, a major benefactor of life sciences research, the ripples spread through the industry. The growing ability of organized crime to operate globally might not seem germane until the items being illegally manufactured abroad and smuggled are counterfeit versions of popular drugs. In 2005, authorities in the US, Britain and Canada seized millions of dollars worth of fake Viagra, Cialis and Propecia produced by a network with tentacles in China, India, Pakistan, the Caribbean and the US.
To find out how companies in the pharmaceutical and life sciences industry are managing risk, and to identify areas in need of improvement, the Economist Intelligence Unit on behalf of KPMG conducted a global survey of 65 executives in the industry and compared the results with a separate survey of 353 executives from other industries. The principal findings are as follows:
Risk management is a C-level issue in the pharmaceutical and life sciences industry. Ultimate responsibility for risk management rests most frequently with the chief executive officer (CEO), followed by the chief financial officer (CFO), the chief risk officer (CRO) and the general counsel. Executives are generally satisfied with the level of expertise at the C-level and the support that senior management gives to risk governance. However, senior executives could be doing a better job of defining their organisation’s appetite for risk, making sure risk information gets to the right people and increasing the level of expertise at the executive board level.
In managing risk, pharmaceutical and life sciences companies spend the most time on activities aimed at controlling regulatory risk, which they perceive to be by far the biggest threat to their organisations. Compliance absorbs most of their time, followed by controls and monitoring. Yet in focusing on and then reacting to this obvious risk, they leave themselves less time and resources to scan the horizon for new and emerging threats. This reactive style of risk governance, directed from the top, means companies in this industry are failing to instill broad risk awareness throughout their organisations. As a result, the level of understanding of new risks, the likelihood of occurrence, the magnitude of impact and the interaction between risks is dangerously low.
There is a mismatch between what executives identify as the biggest barrier to effective risk management in the coming year – a shortage of available expertise – and their main priority – risk processes*. Less than one-third of respondents say their organisation has a chief risk officer and almost two-thirds do not intend to recruit one. This appears at first glance to be misguided. However, by giving a high priority to training non-risk professionals in risk, companies may succeed in spreading risk awareness throughout the organisation. If they break down the risk management silo, which concentrates responsibility in a single unit of the organisation, they may be better able to identify and manage emerging risks.
* Risk processes are the internal actions taken or mandated by management to detect, identify, assess and respond to risks.