Risk Management Maturity: Where Does the Pharma Industry Rank?
A recent analysis by PwC of 1,500 executives across 30 industries shows that the most successful companies make risk management a more collaborative, measurable, and strategic function among the board, the C-suite, and business unit decision makers. But what are the ways to make risk management most effective?
The PwC study points to 11 practices that are the hallmarks of highly developed risk cultures. So where does the pharma industry stand compared with other industries in its risk maturity? DCAT Value Chain Insights examines the rankings.
Models in risk management
A new study from PwC US, Risk in Review: Managing Risk from the Front Line, finds that leading companies are increasingly moving risk-management decisions to “first line” business units and shifting away from the traditional risk-management model of a “second line” defense strategy. The study found that companies doing this most effectively, so-called “Front Liners,” are more likely to project higher revenues and profit growth, but this model of risk management is still not practiced by a majority of companies. Of the more than 1,500 executives across 30 industries surveyed for the study, only 13% qualified as Front Liners.
“The key to growth isn’t in avoiding risk; Front Liners make risk management a mandate for the board, the C-suite and perhaps most importantly, among crucial business unit decision makers,” said Dean Simone, leader of PwC’s U.S. Risk Assurance practice, in commenting on the study. “This year’s survey tells us that leaders must make risk management a more collaborative, measurable, and strategic function. We also see great alignment on the biggest growing risk factors, such as cybersecurity, but a lack of maturity in terms of preparing for and planning around the biggest risks facing executives today.”
According to PwC’s new survey, Front Liners are more likely than other respondents to effectively manage across all 12 surveyed risk areas: financial, regulatory and compliance, earnings and volatility, operational, reputational, strategic, environmental, cybersecurity, technology, human capital, third-party, and culture and incentives. For example, among companies that have suffered a disruption due to operational risk, 63% of Front Liners reported recovering effectively versus 46% of other respondents.
The survey outlines five “Front Line” steps companies should consider taking to build a collaborative, effective risk-management approach:
- Set a strong organizational tone focused on risk culture modeled and measured by leadership and the board.
- Align risk management with strategy at the point of decision-making, so risk management is embedded into planning and tactical execution.
- Recalibrate the risk-management program across all three lines of defense so that the first line owns business risk decision making, the second line monitors the first, and the third line provides objective oversight.
- Implement a clearly defined risk appetite and framework across the organization.
- Develop risk reporting; tracking risk is critical to keeping business decisions within the agreed risk appetite.
“The key to effective risk management is active engagement, placing responsibility for the various building blocks of an effective risk management program – strategic alignment, expertise, processes, assurance — with the line of defense that is best prepared to execute them,” added Jason Pett, US, Internal Audit, Compliance & Risk Management Solutions Leader at PwC, in commenting on the study. “Clarifying the function of each line of defense and collaborating closely between the lines, enabled with technology, helps promote a free and welcomed flow of perspectives and ideas.”
Risk maturity and industry rankings
The PwC study also examined industries in terms of their risk maturity using 11 practices that are the hallmarks of highly developed risk cultures. These practices are as follows:
- A formal process for employees to report potential risk events or flag concerns as they arise;
- Mandatory training in ethics and compliance for all employees;
- Leadership places priority on doing what is right rather than just what is required;
- Provides periodic training to staff to update them on new or potential risks;
- Has one or more board-level risk committee(s) to ensure a top-down and bottom-up approach to risk management;
- The second line of defense in a company can effectively challenge the business;
- Updates on risk management are part of regular performance reports;
- In the case of adverse events, external relations personnel communicate with stakeholders;
- Use of external providers of risk management, compliance, training, or other services;
- Have a dedicated manager of third-party risk; and
- Reward employees who actively take steps to minimize risk by using existing resources.
In using those practices as input to evaluate risk maturity, the healthcare industry, which includes the pharmaceutical industry and health-services industry, along with the financial services industry, posted the highest overall scores. In looking at certain key risk practices, most industry sectors had mandatory training in ethics and compliance, with financial services (80%) and healthcare (79%) posting the highest positive response rates. Also, there was high buy-in across most sectors in having a process in place in which employees could report risks or raise concerns, with the financial services (70%) and healthcare sectors (66%) again leading across all industries. Healthcare and financial services also led all industries in the practice of having one or more board-level risk committees, with 56% of healthcare companies (inclusive of pharmaceutical companies and health services providers) and 72% of financial services firms.
A lagging risk practice across all sectors was having an employee reward system for risk mitigation using existing resources. The healthcare sector was the only sector that posted a positive rate over 20% for that practice, and only the financial services sector had a response rate above 20% for having a dedicated manager of third-party risk. As would be expected, more highly regulated industries had the highest risk maturity. In looking at both risk maturity and cyber risk maturity, the pharmaceutical industry was in the mid-tier of companies and chemical companies ranked somewhat higher.