Introduction
Nowadays, it is impossible to do business without taking risks. Risks are everywhere and in any activity.1 However, the words "risk" and "danger" are often used as equivalents, without drawing any clear distinction between them. Undoubtedly, risky decisions are those involving an element of danger. In other words, risk is the danger of future losses, which the entrepreneur may suffer under certain unfavorable business conditions. It is worth emphasizing that risk is a complex concept and can generally be regarded as the probability of causing uncertainty, property damage or other losses or the impossibility of obtaining the expected results of implementing the set goal.
The strategic goals of a company as well as its policy are determined by the expectations one has about that company. The company shareholders expect the managers to ensure that the business brings the expected profits. The company management relies on the efficiency and reliability of the organizational systems in accomplishing the set strategic goals. The company employees expect the guarantees of keeping their jobs and progress in the company development. The term "risk" implies any event or action that can interfere with the company's achieving its strategic goals on any of its organizational–technical levels. Therefore, risk management is a structured and coherent approach to identifying, analyzing and managing risks that affect the strategy, processes, people and technologies.
Many pharmaceutical companies, which have focused so much on innovation in science, are now looking for progressive ways to manage and mitigate their business risk not only to gain competitive advantage but, in some cases, to survive. Management are currently looking to better understand, anticipate and be able to mitigate business risk in order to deliver the rewards of risk taking, and to minimize the frequency and impact of risk on the downside. In the present paper, we discuss the topic of introducing Enterprise Risk Management (ERM) at the Roche Holding. The reader is offered a case of constructing an ERM system in practice. We analyze the integrated approach that the company uses as the foundation of its risk management.
Headquartered in Basel, Switzerland, Roche is one of the world's leading research-focused healthcare groups in the fields of pharmaceuticals and diagnostics. As the world's biggest biotech company and an innovator of products and services for the early detection, prevention, diagnosis and treatment of diseases, the Group contributes on a broad range of fronts to improving people's health and quality of life. Roche is the world leader in in vitro diagnostics and drugs for cancer and transplantation, a market leader in virology and active in other major therapeutic areas such as autoimmune diseases, inflammation, metabolism and central nervous system. In 2006, sales by the Pharmaceuticals Division totaled 33.3 billion Swiss francs, and the Diagnostics Division posted sales of 8.7 billion Swiss francs. Roche employs roughly 75,000 people worldwide and has R&D agreements and strategic alliances with numerous partners, including majority ownership interests in Genentech and Chugai.
Why risk management?
When speaking about risk management, it is necessary to first raise a question about the practicability of the very idea of managing risks. Risks in modern business are a dynamic and continuously developing process. And the winner in this race is the one who is capable of effective control and management of risks in a continuously changing business environment. On the other hand, the growing global competition, the increase in the freedom of trade and investment on the global scale as well as in the number of mergers raise the issues for the company management of improving the quality of information on the risk position of the company as well as on its production, financial and administrative activity.
One of a company's important competitive advantages is its quick reaction to any change whether it concerns competitors' actions or legal regulations of state authorities. The factors of risk change, and become more complex, revealing their so-far unknown aspects and features. Risks become a multifactorial and interdisciplinary phenomenon, acquire a number of complex internal dependencies. New computer technologies and the Internet, complex financial instruments (mainly financial derivatives), changes and shifts in regional climatic maps also result in ever more companies creating specialized risk management services in their organizational structures.
In recent years, the requirements of corporate management systems have also risen. For many enterprises, the need for a risk management system has become evident. To design possible future scenarios and determine the boundaries of dangerousness are the major tasks assigned to present-day qualified risk management services by the directors and top managers of the company.
The reduction of government interventions into major industries on the one hand, and the increase in the external demands from the society on effective management on the other, have led to a shift in social consciousness from constructing internal control and risk audit systems to introducing an integrated approach to developing complex ERM systems (see Figure 1). In 2001, Committee of Sponsoring Organizations of the Treadway Commission (COSO) together with PricewaterhouseCoopers initiated the project entitled Enterprise Risk Management – Integrated Framework (ERM) to achieve maximum effectiveness in risk management. According to the COSO standards, ERM consists of eight interrelated components. These are derived from the way the management runs an enterprise and are integrated into the management process. "These components are:
1. Internal environment
Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the basis for how risk and control are viewed and addressed by an entity's people. The core of any business is its people – their individual attributes, including integrity, ethical values and competence – and the environment in which they operate.
2. Objective setting
Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
3. Event identification
Potential events that might have an impact on the entity must be identified. Event identification involves identifying potential events from internal or external sources affecting achievement of objectives. It includes distinguishing between events that represent risks, those representing opportunities and those that may be both. Opportunities are channeled back to management's strategy or objective-setting processes.
4. Risk assessment
Identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with objectives that may be affected. Risks are assessed both on an inherent and a residual basis, with the assessment considering both risk likelihood and impact.
5. Risk response
Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing and sharing risk. Management selects a set of actions to align risks with the entity's risk tolerances and risk appetite.
6. Control activities
Policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out.
7. Information and communication
Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information is needed at all levels of an entity for identifying, assessing and responding to risk. Effective communication also occurs in a broader sense, flowing down, across and up the entity. Personnel receive clear communications regarding their role and responsibilities.
8. Monitoring
The entirety of enterprise risk management is monitored, and modifications made as necessary. In this way, it can react dynamically, changing as conditions warrant. Monitoring is accomplished through ongoing management activities, separate evaluations of enterprise risk management or a combination of the two."2
Thus, centralizing and coordinating the risk management of the whole enterprise is a key issue today. It is a professional risk manager, rather than an internal audit or financial control department, who can properly implement risk management procedures and integrate them into the enterprise management system. When risk management processes are scattered across various units, only separate company units take actions to prevent negative aftereffects, and the identification of new risks is intolerably slow. These organizations are characterized by a lack of complex risk management integrated into the general enterprise management system. Risk management is already becoming a core element in company strategic management. It is a process by which the company conducts a systematic risk analysis of every activity to reduce or avoid losses.
Recent practices have shown that ineffective risk management might be very costly for a company. A number of failures as a result of faulty risk management may lead not only to considerable financial losses but also to the reduction of share value, to the deterioration of the company's reputation, to the discharge of top management and even bankruptcy.
One should not ignore globalization as one more factor that calls for introducing ERM systems. It is noteworthy that changes in organizational structure by means of reductions, re-engineering and mergers may have significant impact on risk management development. Globalization generates new threats for a company and adds risk and uncertainty to the company's development process. Sustainable economic growth and business development are becoming necessary conditions for the successful operation of big transnational companies.
Risk management in practice
Also in the Roche Holding, risk management is a core part of enterprise strategic management. In essence, it is a process by means of which the company systematically analyzes risks related to every activity in order to maximize effectiveness at any stage of company management (see Figure 2). Risk management should be a continuous and developing process that analyzes the company in action, namely, the present, past and future of the company. Effectiveness of risk management largely depends on methods and techniques of control. Continuous and proper monitoring of the company risk management policy makes it possible to analyze the effectiveness of the actions taken to reduce risks, provide necessary information, accumulate necessary knowledge and experience for further steps in the decision-making process of risk analysis and assessment, and develop methods and techniques for effective management in the future.
Following the COSO model, the Corporate Executive Committee considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives and developing mechanisms to manage related risks. ERM provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing and acceptance. So, entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses. By considering a full range of potential events, management is also positioned to identify and proactively realize opportunities. Thus, obtaining robust risk and opportunity information allows management to effectively assess overall capital needs and enhance capital allocation.
The core element of risk management culture is making all the employees participating in the decision-making process at all the organizational levels aware of the company's general attitude towards risk and related corporate values. Today, risk management should be integrated into the general culture of the organization, accepted and approved of by the directors and conveyed to every employee in terms of a general company development program with locally formulated specific tasks. Risk management as a unified system should incorporate a program of control over the execution of the set tasks, efficiency assessment of the activities and a system of incentives at all the organization levels. Effective risk management requires in turn the accurate selection and skillful combination of methods to reduce potential risks.
Further development of risk management
Providing for the insurance against risks and for the assurance of tomorrow, ERM forms the company's risk management policy and accomplishes its active and extensive implementation. In spite of the already gained experience and wide practice, ERM application at a modern industrial enterprise is in the state of constant development. The evolution of risk management proceeds at all organizational levels of the company (from the primary business units up to the supervisory board) and in all directions exerting direct influence on the ERM system and on the concept of risk management, its activities and results.
There occurs a smooth change in the system of company risk management from procedures, processes and methodology to a single concept. The ideas of the role played by risk management also undergo changes from setting operational and tactical aims to working out a strategy and determining general corporate values. Actions carried out to manage risks are no longer of a random, selective or episodical character, and represent a coordinated and continuous process. From isolated projects aimed at managing separate kinds of risks, the company moves to a complex and multi-purpose aggregation of results.
Risk management is carried out according to a logical chain from theory to practical application based on a widely branching analysis and on possible applications of the methods and techniques of risk management (see Figure 2). Risk management in a company analyzes the company's past to answer the question "What is already available and done in the company as a whole or in any of its subdivisions from the viewpoint of managing risks?", and tries to see into the future ("What is possible and applicable in general?"), keeping itself, in so doing, within the bounds of what is necessary and admissible for the company. Then, risk management passes from the set aims and tasks to direct development of specific projects and programs meant to effectively manage the company's risks.
Conclusion
In conclusion, it should be noted that for many companies the creation of risk management services is frequently a forced action, which is only due to the demands of governmental and other regulating authorities. Regulatory pressure and guidance on the management of risk and the desire for transparency aside, company management need to get a much better view of and control over risk if they are to build trust and keep performance volatility in control. Enterprises review their current risk management capabilities and investigate how an ERM system could improve their results. Nevertheless, sometimes the management of a company itself fails to attach the proper significance to the establishment of these services and then fails to see the real benefit and advantage of risk management. Another problem in the sphere of risk management today is that the role of a risk manager is substituted by the official powers of an already existing financial analyst.
Undoubtedly, a risk manager does conduct financial analysis, but the analysis itself occurs at a somewhat different level. So it is necessary to distinctly differentiate which functions are within the competence of a risk manager, and which are the direct duties of a financial analyst. The risk manager is first of all to evaluate the risks, which the company takes upon itself, and is responsible for insurance, hedging, reservation and limiting. In other words, he reduces the risks using modern financial techniques and tools. A person in this position detects possible weak points while studying business processes, and, what is most important, he or she estimates the costs of operational risks, informing the company management about the presence of uncovered risks as well as about their costs. Moreover, another duty of no small importance performed by a manager engaged in calculating risks is to check the presence and performance of procedures aimed at reducing operational risks which is one of the main tasks facing not only the risk manager, but also the company as a whole.
To sum it up, the main responsibilities of enterprise risk managers at this stage are to:
- develop, implement and maintain risk management or control policies, with appropriate organization, risk methodologies and processes that encourage accountability and reliability in business;
- report regularly and/or on demand about the risk inventory and exposures, as well as about the assessment of the effectiveness and efficiency of the risk management and control system;
- facilitate informed, factual, diligent, pro-active, entrepreneurial decision making and appropriate action on all material risks of a company;
- support best practice sharing within an organization;
- develop an overall Risk Management governance function.
The prospects of risk management development are linked to the globalization of the economy and to the dynamically changing and competitive business environment. Risk factors are varying and growing more complex, becoming interdisciplinary, multidisciplinary and bound up with internal interdependencies. Unfortunately, the management of some enterprises believe that if a risk, revealed beforehand, is nevertheless realized, it will be regarded as an error (i.e. "kill the messenger" of the risk). It is psychologically explicable that the personnel of the enterprises, too, have formed a negative attitude towards risk – it is better to avoid it. Thus, mistakenly, separately working officials are frequently reluctant to manage risks. The problem is that managers are not always aware of a risk which is beyond the bounds of their immediate duties: they have no idea of a risk at the level of the whole enterprise. At the same time, it is effective risk management that makes it possible to demonstrate how much the potential consequences of a risk for the whole enterprise have been reduced with the help of preventive measures.
Despite the fact that enterprises face many problems connected with effective risk management and its introduction, today it is impossible to do without a well-grounded consideration and estimation of risk in taking managerial decisions. The whole weight of responsibility for a decision taken falls on the heads of business subunits and on the top management of a company. They are frequently forced to work under new conditions and in an unknown situation characterized by high risks, contradictions, constant and unexpected changes. Therefore, it is essential to "arm" officials who take decisions with a risk estimation technique that is as close as possible to the real economy. A good understanding of how a risk would work will make it possible to carry out a more complete analysis of expenses and results, to minimize unpleasant surprises, to make maximum use of available possibilities and to facilitate the solution of the problems faced by the company. Even now it is possible to say with certainty that risk management at many enterprises is becoming as typical an activity as, say, accounting.
Notes
1 All statements made in this paper express the personal view of the author on Enterprise Risk Management, and do not relate to companies for which the author is working now or has worked before. Nevertheless, some thoughts and ideas presented here might be implemented in the establishment of Risk Management process at these companies.
2 For more details on that we refer to Enterprise Risk Management – Integrated Framework, COSO, September 2004, http://www.coso.org/.

