As part of managing its reputation, an organisation needs to have a continuous process that supports internal changes and decisions and allows it to respond well to external changes – especially those emerging stakeholder concerns that can affect its reputation. In this article, Dr. Pojasek, an internationally recognised expert and practitioner in the field of risk management, and Ian Huntly, CEO of Rifle-Shot Performance Holdings, argue that, in order to manage its reputation effectively, an organisation needs to embed risk management into its normal business practices and translate this throughout the value chain. Rifle-Shot Performance Holdings is the official distributor for SoftExpert in southern Africa.
Evolution of enterprise risk management
The pharmaceutical industry is highly regulated. This regulation has been infused throughout its value chain and, as a result, pharmaceutical and other life sciences companies focus on the processes and controls in place to manage risk.
Emphasis on risk management began to shift with the advent of Enterprise Risk Management (ERM), as specified in regulations similar to the Sarbanes-Oxley Section 404 requirements for financial reporting. This enterprise approach to risk management elevated the responsibility for risk management to the board of directors, the chief executive officer and the chief financial officer. ERM enables the organisation to consider the potential impact of all types of risks on all processes, activities, decisions, products and services throughout the value chain. This should result in enhanced compliance, assurance and strategic decision making.
The definition of risk used in the context of ERM examines the possibility that an event will occur and adversely affect the achievement of objectives. The ERM process is designed to identify potential events that may affect the corporation, to manage risk to be within its risk appetite, and to provide reasonable assurance regarding the achievement of organisational objectives. All efforts are made to ensure that risk management and internal controls are fully integrated in the operating management system.
Risk arises because the organisation and its value chain operate in an uncertain world. Objectives are set in the organisation’s mission statement, but to achieve them the organisation must contend with the internal and external context of every element in the value chain, much of which it may not control and which generates uncertainty and risk. In the past, risk management has been regarded solely as identifying the negative effects (threats) of uncertainty and seeking to avoid them or to share the risk with others (e.g. insurance).
In the international risk management standard, it is recognised that risk is indeed a fact of life that cannot be avoided or denied. With this understanding of risk and how it is caused and influenced, it is possible to manage it so that the objectives can be achieved. With this knowledge, organisations might even operate more effectively and efficiently with improved results. Risk is implicit in all decisions that are made. How these decisions are made will affect how successful the organisation can be in achieving its objectives.
In ISO 31000, a risk management framework is a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation. This is different from what is currently done in an ERM programme.
Benchmarking to ISO 31000
To manage reputation, an organisation needs to have a continuous process that supports internal changes and decisions and allows it to respond well to external changes – especially those emerging stakeholder concerns that can affect its reputation. For this to take place effectively, an organisation must embed risk management in its normal business practices and translate that throughout the value chain.
Here’s how this can be accomplished:
* All of the risk management initiatives can be benchmarked to the ISO 31000 risk management guidance. From this benchmarking process, the organisation will be able to design a risk management framework to suit its business processes, structure, risk profile and risk appetite.
* The organisation can benchmark all of its operating management systems (including the ERM system) to the ISO Consolidated Annex SL format. This is the document that all ISO management system standards are required to use as part of the revision process. Three standards have already been released in this format: business continuity, information security and asset management. If all of the organisation’s operating systems are placed on the same platform, it is possible to embed the risk management framework in all of these programmes.
* The organisation can then benchmark how operating management systems are used throughout the value chain. It is essential to have a risk management framework for the entire enterprise that describes the broad strategies to be pursued to manage reputation.
Conducting these benchmarks can lead to a continuous process that supports the development and implementation of the organisation’s strategy and builds on what is already in place. A successful enterprise risk management programme that spans the entire value chain will mean the pharmaceutical industry can be tough-minded about how it builds and maintains the strong reputation that it deserves.