Risk Management in the Pharmaceuticals and Life Sciences Industry

Transcription

1 Risk Management in the Pharmaceuticals and Life Sciences Industry An Economist Intelligence Unit research program KPMG INTERNATIONAL

2 2 Risk Management in the Pharmaceuticals and Life Sciences Industry The following is the final version of the Executive Summary of the findings of a survey conducted among executives in the pharmaceuticals and life sciences industry during October 2009, and comparison with the findings of the broader survey conducted in May and June Preface Risk management in the pharmaceuticals and life sciences industry is a KPMG International report, written in cooperation with the Economist Intelligence Unit. In August 2009, the Economist Intelligence Unit carried out a survey of senior management executives in the pharmaceuticals and life sciences industry, which includes the biotechnology as well as the medical devices and diagnostics segments. The Economist Intelligence Unit executed the survey, conducted the analysis and wrote the report. The findings and views expressed in the report do not necessarily reflect the views of the sponsor. Katherine Dorr Abreu was the editor and project manager. Madelaine Drohan was the writer. The report also includes commentary by professionals in KPMG LLP (U.S.), who sponsored this research. Who took the survey? In August 2009, the Economist Intelligence Unit conducted a global survey of executives in the pharmaceuticals and life sciences industry on how risk is managed in their organizations. The 65 responses were compared with those of a June 2009 global survey of 353 executives in a broad range of other industries. Of the pharmaceuticals and life sciences respondents, nearly one-half (46 percent) are C-level executives and the remainder are other senior executives and managers. Sixty-eight percent represent companies with annual global revenues above US$500m. The survey focused on North America (65 percent of respondents), but had respondents from Europe, Asia-Pacific, the Middle East and Africa, and Latin America as well.

3 Risk Management in the Pharmaceuticals and Life Sciences Industry 3 Principal Findings No executive could have witnessed the humbling of global banks and insurers in the recent financial crisis without wondering whether their organization should be doing a better job of identifying, measuring, and managing risk. One clear lesson from the turmoil is that neither a high level of regulation nor long experience in dealing with risk can be adequate protection. In order to survive in an increasingly uncertain world, companies have to adjust their risk antennae constantly to detect not just known unknowns, to borrow from former U.S. defense secretary Donald Rumsfeld, but also unknown unknowns before they become a serious threat. The collapse of the Ponzi scheme run by New York financier Bernie Madoff may not at first blush have appeared relevant to executives in the life sciences sector. But when it caused the collapse of the Picower Foundation, 1 a major benefactor of life sciences research, the ripples spread through the industry. The growing ability of organized crime to operate globally might not seem germane until the items being illegally manufactured abroad and smuggled are counterfeit versions of popular drugs. In 2005, authorities in the United States, Britain, and Canada seized millions of dollars worth of fake Viagra, Cialis, and Propecia produced by a criminal network with tentacles in China, India, Pakistan, the Caribbean, and the United States. 1 Foundation That Relied on Madoff Closes. The New York Times, December 19, 2008.

4 4 Risk Management in the Pharmaceuticals and Life Sciences Industry To find out how companies in the pharmaceuticals and life sciences industry are managing risk, and to identify areas in need of improvement, the Economist Intelligence Unit on behalf of KPMG conducted a global survey of 65 executives in the industry and compared the results with a separate survey of 353 executives from other industries. The principal findings are as follows: Risk management is a C-level issue in the pharmaceuticals and life sciences industry. Ultimate responsibility for risk management rests most frequently with the chief executive officer (CEO), followed by the chief financial officer (CFO), the chief risk officer (CRO), and the general counsel. Executives are generally satisfied with the level of expertise at the C-level and the support that senior management gives to risk governance. However, senior executives could be doing a better job of defining their organization s appetite for risk, making sure risk information gets to the right people, and increasing the level of expertise at the executive board level. There is a mismatch between what executives identify as the biggest barrier to effective risk management in the coming year, identified as a shortage of available expertise, and their main priority, which is risk processes. 2 Less than one-third of respondents say their organization has a chief risk officer and almost two-thirds do not intend to recruit one. This appears at first glance to be misguided. However, by giving a high priority to training nonrisk professionals in risk, companies may succeed in spreading risk awareness throughout the organization. If they break down the risk management silo, which concentrates responsibility in a single unit of the organization, they may be better able to identify and manage emerging risks. In managing risk, pharmaceuticals and life sciences companies spend the most time on activities aimed at controlling regulatory risk, which they perceive to be by far the biggest threat to their organizations. Compliance absorbs most of their time, followed by controls and monitoring. Yet in focusing on and then reacting to this obvious risk, they leave themselves less time and resources to scan the horizon for new and emerging threats. This reactive style of risk governance, directed from the top, means many companies in this industry are failing to instill broad risk awareness throughout their organizations. As a result, the level of understanding of new risks, the likelihood of occurrence, the magnitude of impact and the interaction between risks is dangerously low. Risks Posing Threat To Company s Global Business Operations Regulatory risk (e.g., problems caused by new or existing regulations) Human capital risks (e.g., skills shortages, succession issues, loss of key personnel) Financing risk (e.g., difficulties with raising finance) Foreign exchange risk (e.g., risk that exchange rates may change) Market risk (e.g., risk that the market value of assets will fall) Political risk (e.g., danger of a change of government) Reputational risk (e.g., events that undermine public trust in your products or brand) IT risk (e.g., loss of data, outage of data center) Country risk (e.g., problems of operating in a particular location) Credit risk (e.g., risk of bad debt) Natural hazard risk (e.g., hurricanes, earthquakes etc.) Terrorism Crime and physical security How significant a threat do the following risks pose to your company's global business operation today? Please rate on a scale of 1 to 5, where 1 = very high risk and 5 = very low risk. Mean n 67% 25% 8% % 22% 36% % 21% 38% % 25% 37% 2% % 48% 23% % 17% 45% % 25% 38% % 19% 44% % 23% 49% % 20% 53% % 23% 68% % 11% 75% 2% % 14% 75% % 25% 50% 75% 100% May not equal 100% due to rounding Don't Know 2 Risk processes are the internal actions taken or mandated by management to detect, identify, assess, and respond to risks.

5 Risk Management in the Pharmaceuticals and Life Sciences Industry 5 KPMG Commentary Research indicates that the role of risk management in the pharmaceuticals and life sciences sector may not be significantly more advanced than when KPMG published Pressure Points: Risk Management in the Pharmaceuticals Industry in Indeed, the industry s focus remains on regulatory compliance rather than on a more comprehensive and enterprisewide view of risk. Respondents acknowledged concerns which KPMG has expressed in the past that risk management processes are not proactive and anticipatory, but change is not a significant priority at this time. The integration of risk management into the strategic areas of the business remains a low priority for these respondents, with most of them focused on mitigating risk on the downside rather than taking a more balanced view of risk appetite and its potential. This limited risk orientation is not surprising as the penalties for failing at regulatory compliance have been very visible, with high profile examples of financial, legal, and reputational costs. While respondents acknowledged that the most important goals of risk management are proactive risk identification and helping management with strategic decisions, nevertheless, the business case for integrating risk management into strategic processes is harder to make; and examples of the successful use of risk management in driving business value are less visible. One promising development over the past few years is the emphasis on significant investment in information technology (IT), both by respondents in this research and in the analyses of public financial reports for KPMG s recent Disclosures Handbook. The investment in IT infrastructure enables more risk management controls to be automated rather than manual, with the potential for fewer human errors and better documentation. Increasing reliance on sophisticated IT, however, Effectiveness of Organization s Risk Reporting At Enabling Activities How effective is your organization s risk reporting at enabling the following activities? Please rate 1 to 5 where 1 = very effective and 5 = not at all effective. Mean n Highlighting emerging risks Feeding into strategy development and management decision-making Highlighting risk concentrations Highlighting possible opportunities (upside risk) Effective allocation of resources Providing information that is tailored to the audience Providing up-to-date risk information Providing aggregate view of risk exposure across entire organization Highlighting interdependencies between risks May not equal 100% due to rounding Communicating key risks to stakeholders Setting and monitoring the organization s risk appetite Minimizing loss Fraud risk management Enabling more efficient resource allocation Selection of appropriate insurance cover Counterparty risk reduction 27% 27% 26% 22% 32% 30% 0% 25% 50% 75% 100% Other % 44% 43% 3 35% 45% 44% 33% 48% % 51% 29% 32% 35% 43% 27% 25% 27% 31% 22% 25% 17% Don't Know Most Important Objectives of Risk Management Function What, in your judgment, are the most important objectives of the risk management function? Please select no more than three objectives. Identifying new and emerging risks Assisting management with strategic decision-making Ensuring regulatory compliance Instilling risk culture in the organization Measuring and monitoring risk Enabling line-of-business managers to make better business decisions Identifying what action needs to be taken once risks are identified Ensuring corporate survival Multiple Responses Allowed 2% 6% 5% 5% 5% 14% 18% 15% 15% 23% 20% 20% 28% 28% 32% 37% n = 65 2% % 20% 40% 60% 80% 100% is also increasingly disclosed as a risk by more companies in all segments of the market pharmaceuticals, biotechnology and medical device/diagnostics. As IT becomes more complex and there is an increased dependence on IT systems in the day-to-day running of pharmaceutical businesses, the potential downside of any IT failure becomes more catastrophic. 3 3 KPMG Disclosures Handbook , Volume 1 Risk and Disclosure in the Pharmaceutical Industry, page 71.

6 6 Risk Management in the Pharmaceuticals and Life Sciences Industry An Industry with a Singular Focus Pharmaceuticals and life sciences companies have a somewhat narrow perspective of risk. Just over two-thirds of executives responding to our survey say that problems caused by new or existing regulations represent the biggest threat to their global business operations. This is true regardless of the size of the company, although those with annual revenue of less than US$500 million are slightly more inclined to this view 70 percent of respondents from small companies identify regulatory risk as somewhat or very high, compared with 67 percent from larger companies. In comparison, executives from other industries are more worried these days about financing, foreign exchange, market, and credit risk. All of these are seen as lesser threats by the pharmaceuticals and life sciences industry as a whole. Nevertheless, smaller companies are as concerned about financing as they are about regulatory risk, and businesses with annual revenue of US$5 billion or more cite foreign exchange risk as the second most important threat.

7 Risk Management in the Pharmaceuticals and Life Sciences Industry 7 Regulatory risk is No.1 for all pharmaceuticals and life sciences companies, but other risks vary by company size How significant a threat do the following risks pose to your company's global business operation today? (Companies ranked by annual revenue) (Percent of respondents who selected 1 or 2 on a 5-point scale, where 1=very high risk and 5=very low risk) Risk All companies $500m or less $500m to $5bn $5bn or more Regulatory risk (e.g., problems caused by new or existing regulations) 67% 70% 68% 64% Human capital risks (e.g., skills shortages, succession issues, loss of key personnel) 42% 45% 36% 46% Financing risk 41% 70% 43% 14% Political risk (e.g., danger of a change of government) 38% 35% 36% 41% Reputational risk (e.g., events that undermine public trust in your products or brand) 37% 52% 9% 50% Foreign exchange risk (e.g., risk that exchange rates may change) 37% 33% 23% 55% IT risk (e.g., loss of data, outage of data center) 37% 30 % 41% 38% Market risk (e.g., risk that the market value of assets will fall) 29% 24% 41% 23% Country risk (e.g., problems of operating in a particular location) 28% 38% 18% 27% Credit risk (e.g., risk of bad debt) 27% 25% 36% 18% Terrorism 13% 15% 5% 18% Crime and physical security 11% 10% 9% 14% Natural hazard risk (e.g., hurricanes, earthquakes, etc.) 9% 10% 9% 9% The risk governance structure of companies in the pharmaceuticals and life sciences industry is suited to dealing with regulatory risk. Regardless of industry, risk management is dealt with at the top, with ultimate responsibility resting most often with the C-suite. In pharmaceuticals and life sciences companies, however, the general counsel ranks much higher than in the general corporate world. This reflects the importance of regulatory risk for the industry. Executives in pharmaceuticals and life sciences companies are generally satisfied with the level of risk expertise in the top management echelons. But they are more likely than their counterparts outside the industry to think expertise is more broadly disseminated throughout the company: they give higher ratings than the broader survey to the heads of business units, the chairman, and the audit committee.

8 8 Risk Management in the Pharmaceuticals and Life Sciences Industry Pharmaceuticals and life sciences: Risk expertise broadly disseminated How would you rate the level of risk expertise among the following individuals/entities within your business? (% of respondents who selected 1 or 2 on a 5-point scale, where 1=Very effective and 5=Not at all effective) Chief executive officer Chief financial officer Chairman Audit committee Business units 0% 10% 20% 30% 40% 50% 60% 70% All other industries Pharma and life sciences Yet there is dissatisfaction with the effectiveness of risk management, how far it extends through the organization and its perceived benefits. While executives say their companies are effective at managing regulatory compliance and linking risk management with corporate strategy, less than one-third think efforts to anticipate and measure emerging risks or recruiting and retaining people with appropriate expertise are effective. And one-quarter say their firms are good at aggregating risks at the enterprise level or instilling risk awareness throughout the organization. Companies manage regulatory risk well, but are weak in other areas How would you rate the effectiveness of your organization at the following activities? (Percentage of respondents who selected 1 or 2 on a 5-point scale, where 1=Very effective and 5=Not at all effective) Managing regulatory compliance 69 % Linking risk management with corporate strategy 45 % Ensuring clear lines of reporting for risk information to be escalated to 43 % board level Ensuring that information about risk reaches the right people 42 % Ensuring quality and availability of data 40 % Ensuring that risk information is timely and up-to-date 37 % Communicating risk information to investors 34 % Ensuring that sufficient board time and resources are allocated to risk issues 29 % Anticipating and measuring emerging risks 29 % Recruiting and retaining appropriate risk expertise 26 % Aggregating risks at the enterprise level 25 % Instilling awareness of risk throughout the organization 23 % Looking ahead, executives see a shortage of available expertise as the greatest barrier to more effective risk governance. Yet they are not bringing risk experts into the C-suite: 30 percent of respondents say their organization has a CRO in place (less than one-fifth for smaller companies), and 63 percent have no plans to recruit one. The general group is more inclined to have either a CRO in place or have plans to recruit one, although the difference is slight.

9 Risk Management in the Pharmaceuticals and Life Sciences Industry 9 Risk processes and data quality and availability are the top priorities in next 12 months Over the next 12 months, which of the following aspects of risk management will be the main priority for your organization? (% of respondents) Risk processes Data quality and availability Training of nonrisk professionals in risk Technology Retraining of risk professionals Recruitment of risk professionals Other, please specify 0% 5% 10% 15% 20% 25% 30% Although they see the lack of expertise as a barrier, the priority for the pharmaceuticals and life sciences executives for the next 12 months is on improving risk processes, followed by improving data quality, and availability. Efforts to improve expertise will be limited to training nonrisk professionals in risk, rather than recruiting or retraining risk professionals. Has your organization recruited, or does it plan to recruit, the following individuals or entities? (% of respondents) Chief risk officer 30% 6% 63% Risk committee 35% 15% 49% Board level executive with ultimate accountability for risk management 33% 11% 56% Already in place Plan to recruit No plans to recruit While this approach to the people who are managing risk appears contradictory, it could be an attempt to spread risk awareness throughout the organization, countering an identified weakness. Pharmaceuticals and life sciences executives see embedding risk in decision-making processes as key to instilling a risk culture in their companies. An alternate explanation is that executives in this industry do not see the value of investing further in risk management, given what they perceive as its slight contribution to some of the more tangible corporate goals. Almost one-half of respondents (49 percent) say risk management helps increase shareholder and stakeholder value and 48 percent feel it improves corporate reputation. But only one-third (34 percent) think it has a positive impact on revenue and 38 percent believe it helps with cash flow.

10 10 Risk Management in the Pharmaceuticals and Life Sciences Industry Conclusion The picture painted by these findings is of an industry that pays attention to what it perceives to be its most important risk regulatory risk. But it could be vulnerable to being sideswiped by other risks, such as financial fraud, counterfeiting or being targeted by organized crime, to name a few. The temptation in industries subject to high levels of regulation is to rely on the regulators to detect and mitigate emerging risks before they become problematic. The experience of the financial services industry serves as a cautionary tale. Companies in the pharmaceuticals and life sciences industry should strive to do a better job of making risk management a company-wide effort aimed at managing familiar risks while constantly scanning the horizon for new ones.

11 Risk Management in the Pharmaceuticals and Life Sciences Industry 11 KPMG Commentary This year has been unprecedented in recent memory, with the global economic situation compounded by the prospect of healthcare reform in the United States and in other markets around the world. While waiting to see what potential reform legislation will bring, the fundamental drivers of the pharmaceuticals and life sciences industry have not changed. The pharmaceutical industry remains under constant pressure to deliver new and innovative products to the market, while biotech companies are pressed to succeed with their own R&D. It is no surprise, given the importance of a strong cash position and depressed market values that this year has seen significant mergers and acquisitions, including Eli Lilly s acquisition of ImClone, Roche s taking full ownership of Genentech, and Pfizer s acquisition of Wyeth. At the same time, the industry faces the ongoing challenges of profitability. Many companies are continuing to cut costs and restructure operations by reducing sales forces, eliminating redundancies in merged companies, pursuing joint ventures, and collaborating in various ways on research, marketing, and distribution. KPMG firms have continued to raise concerns about the management of risks inherent in such transformation. Now, the heightened focus on regulatory compliance raises questions about organizations ability to keep pace with the changing business model. Life sciences companies especially pharmaceuticals and biotechs are transforming from complete businesses with all their core and noncore processes managed within each corporation to an increasingly complex web of third-party relationships (i.e., sources, alliances, and suppliers in countries around the world). In this time of transition, it is important for the board and management of the core entity to ask whether they are comfortable with: 1) Their own approach to managing risk in their third-party relationships 2) The other parties compliance with the letter and spirit of the contracts 3) The other parties own regulatory compliance practices regarding clinical, manufacturing, distribution, sales & marketing, financial reporting, and legal matters. Even after a meeting of the minds memorialized in a signed agreement between the parties, are the Board and management comfortable that their contract research organization would pass an FDA inspection? If not, would the company s entire clinical trial be shut down? What if the operations in their contract manufacturer were shut down by the FDA and their product recalled? How would they manage their inventory and delivery commitments? Is there a communications process to mitigate damage to the company s reputation with customers, and consumers real time? In sum, does the company have a risk management process in place that enables the identification of potential risks and the implementation of controls across their entire organization and third-party relationships? It is not sufficient to address the silos within the parent company for example, between operating divisions and the risk management function. Companies need to be aware of the risks not only in their own organization, but also in their third-party vendors. They need to view their enterprise and enterprise risks in this broader context.

12 kpmg.com For more information, please contact: Ed Giniat Global Chair, Pharmaceuticals U.S. Sector Leader Healthcare & Pharmaceuticals David Blumberg U.S. Advisory Sector Leader Pharmaceuticals Chris Stirling European Chair Pharmaceuticals chris.stirling@kpmg.co.uk The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. The views and opinions expressed herein are those of the survey respondents and do not necessarily represent the views and opinions of KPMG International or KPMG member firms KPMG International. KPMG International is a Swiss cooperative. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Printed in the U.S.A. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative NSS