The Korea Times

Creating action plan for self-funding risk initiatives

Tired of the state of their organization’s risk environment, senior executives of a global pharmaceutical company gathered the leaders of each risk function: Internal Audit, SOX, Legal and Regulatory, Compliance and ERM. The executives then listed a series of issues related to overall risk management:

• Confusion around risk coverage at the board level

• Burden on the business units

• Lack of coordination and communication in the development of more than 13 separate risk assessments

• Development of seven different risk calendars

• Timing of risk activities that didn’t align to the "rhythm of the business"

• Gaps in addressing key risks

• Overlaps in roles and responsibilities within risk functions

They then gave their risk leaders three days to identify as a team their current state, establish a future state and develop an action plan with an ROI that would self-fund all future risk initiatives.

Accompanying this challenge was an ultimatum: if they couldn’t come back to the executive team with a viable solution, they would be replaced with risk leaders who could.

Individually, the executive team indicated that each risk leader would receive top marks for their current efforts. However, because each spent so much time building silos rather than breaking them down, as a group the risk leaders received a failing grade.

The organization had reengineered finance, supply chain and plant operations. It was time to reengineer risk management.

Knowing that they couldn’t tackle everything at once, the risk team put together a business plan that produced quick fixes to simple issues and generated early wins. In particular, the risk team focused on six specific actions:

1. Creating a single planning calendar that aligned with the business cycle

2. Reviewing mandate, scope and processes for each function to identify gaps and overlaps that they needed to address

3. Coordinating risk assessments that met the needs of most of the risk functions, thereby reducing the number of risk assessments from 13 to 2

4. Adopting a common framework, nomenclature and risk universe

5. Developing risk mitigation strategies

6. Using common technology tools to collect information into a single repository that all risk functions could access

In addition to these six actions, the risk team also focused on creating a single view of risk that broke down the silos, improving communication and coordination.

As a result of their efforts, the risk team was able to create a single view of risk that focused on the risks that mattered most, placed less pressure on the business, created greater agility and responsiveness to risk-related issues, and was self-funding.

This case study was included in Ernst & Young’s report "Turning risk into results."