A common excuse given by those who are not convinced of the use of risk management is that there is ‘no time’ for it, especially if management often has to make quick decisions. However, Leonard Ariff Abdul Shatar, Group Managing Director of CCM Duopharma Biotech, notes that many mistakes (and the subsequent costs) could have been avoided if additional thought and effort had been put in. As a public-listed company, it’s a requirement for CCM to have a risk management function. For CCM Duopharma Biotech, risk management was split up as it was thought that the audit function was overshadowing it.

At CCM Duopharma Biotech, Leonard Ariff faced the monumental task of reshaping the business to resolve issues relating to ageing products as well as ageing assets. A key part of the strategy was to move into biosimilar medicine, which is medicine that is highly similar to their reference product (distinct from generics, which are exactly identical to their reference product). In order to build the capabilities required of this endeavor, the company needed to establish partnerships with companies already in the field — CCM had concluded that building in-house capabilities would take 8-9 years.

The Integration of ERM with Operational Plans

When it comes to proposing or executing plans, the ones who do the risk reviews should not be the risk managers but the promoters of the investment or the staff on the project. In effect, ERM and operational plans need to be in parallel with each other. This can start with the Annual Business Review, where best practice is to delineate goals, articulate the budgets, risks, and KPIs, so that you will be 80% confident when bringing the plan to the board.

Risks, resolved or not, should be included in the risk register — the risks identified should not just be operationally-focused as assumptions made at the beginning may become irrelevant during the project.

ERM should be part of the DNA of an organization, that is, it should be embedded into everyday business processes. For example, induction lists for new staff, for example, should include the risk register to communicate its importance to the company’s ecosystem.

All in all, it’s vital that organizations consider (1) what could go wrong (the risks), (2) what the company has in place to prevent them from happening (the controls), and (3) what else the company can do about the risks (the treatment).

What Next?

Interested in how to wield Enterprise Risk Management frameworks as tools for strategy and performance? Learn more about our flagship Enterprise Risk Manager (ERM®) certification program, a comprehensive 12-day course covering the latest and best practices in ERM in relation to business continuity management, corporate governance, and strategy (next intake on 1st October, 2018).

Alternatively, read more key highlights from the IERP® Global Conference here.