The Institute of Enterprise Risk Practitioners (IERP®) is the world’s first and leading certification institute for Enterprise Risk Management (ERM).

Image Alt

IERP® International Institute of Enterprise Risk Practitioners

  /  Interview With Practitioners   /  Interview with Mr. Leonard Ariff Abdul Shatar, Group Managing Director, Duopharma Biotech Berhad

Interview with Mr. Leonard Ariff Abdul Shatar, Group Managing Director, Duopharma Biotech Berhad

Leonard Ariff

Tell us about yourself and how you came to get involved in risk management.

 

I have both a Law and Economics degree from Monash University, Australia. Why two degrees? It’s because at the age of 17, I absolutely had no idea what I wanted to do, so doing two degrees concurrently was a form of risk mitigation. I did the 6-year stint in Australia, came back, and within the first 30 days in a law firm, I decided that a career in law wasn’t for me. So rather than waste all that education which was paid via a Petronas scholarship; I joined Petronas as their legal advisor for two of their subsidiaries. That first got me interested in the business side of things. I didn’t actually see my career path going down the legal route, I was much more interested in the commercial route.

 

After about 3 years in Petronas there was an interesting advertisement in the paper by ICI Malaysia, they wanted somebody with a legal background but flexible enough to explore areas outside of the Legal Department after 12 months. I joined ICI, and worked with their Legal Department for 1 year and after that, they moved me into business development, an area where I was interested in. And that basically dictated my entire career thereafter. Working for a multinational was obviously very different from working for a Malaysian owned company, but I suppose I had the best of both worlds because we were a multinational up until around 1996, when there was a management buyout and the company went from a being a multinational to being locally owned. It was a very different environment to work within. With a multinational, they tend to have a structure for everything; you didn’t have to think because there was a standard operating procedure for you to work with. When we cut ties with the multinational, it became a different ballgame because things became much more entrepreneurial. But the discipline we got from being in a multinational proved to be very useful. When it comes to risk, it’s not new; risk has been there from day 1. What risk management now seeks to do is to document both the risk and plans to mitigate it. Previously it was kept at the back of everybody’s head, so it’s not true a company doesn’t have risk appreciation; the only difference is whether they document it. So, I’ve always had a huge interest when it came to risk and its mitigation.

 

Where I started taking a big interest in risk was when we got into developing a risk management framework, post-demerger from the multinational, so there wasn’t a structure we could rely on. I started looking at different programs related to risk that we could use. I found the exercise very useful because we had a bottom-up approach to risk which gave me an indication on what the staff thought relative to what I thought major priorities were. When it came to risk, I used to directly involve myself in it. I took it on my shoulders at the time because it forced you to think of risk not just in terms of identifying it but also how to mitigate it. I saw firsthand a few years back in another company I was tasked with managing, where there was a disconnect between the risk register of a particular business and what I thought the risks were, and the business was really struggling. I’ve noticed in a few companies where the Board of Directors identification of risk is very different from the management’s, and that’s very dangerous because the Board provides direction and the management just follow it even though they don’t think it’s addressing what the real risks are. Hence, a lot of the work I do as Group MD is to ensure at the Board level there is full alignment of what the major risks are relative to the management side, because that’s the only way you effectively address what I call the “biggies”, as opposed to getting sucked into handling all the minutiae, which tends to be distracting. So that is risk management in a nutshell. The discipline of writing it down, mitigating it and sharing so it permeates throughout the whole organization. In the current climate, the change of government was a risk, the exchange rate is a risk, the capital markets is a risk, and now we’ve got guidelines that tell us we should look upon corruption and integrity as a risk as well. But I think it’s extremely dynamic. If you were to ask me, I would tell you that risk management is a do or die exercise; I don’t expect my management to have the same view of risk because for them they look at it at an operational level. For me, I look at it from a strategic level, and I try to make sure the Board looks at it the same way. So, when we present projects about our entire strategy in pharmaceuticals, it includes an identification of the larger risks inherent in the type of profile business we are in. By way of example, back in 2010 we identified the type of business we were in was in itself a huge risk due to competition both domestically and internationally. This led us to look at mitigation in terms of managing those risks and that took us into a completely different strategic direction. The original business continues and we’re still reliant on it but at least we are 50-60% down the road of where we think would mitigate the original risk that we saw, and of course the new business would create a whole set of risks, so it’s really dynamic.

 

You mentioned the discrepancies between the board, management, and staff – how do you navigate those discrepancies?

 

Oh, a lot of communication. We have a risk department within the organization and from a governance standpoint it reports directly to the Risk and Sustainability Committee. Now under the Bursa guidelines it only mandates two committees in a public-listed company, one is the nomination and remuneration committee, and the other one is the audit committee. The Malaysian Code on Corporate Governance however is where a Risk Management Framework is highlighted. So, while there’s a lot being made out in terms of risk, integrity, etc. there’s no board committee mandated specifically for it. We have set up a Board level Risk Management and Sustainability Committee, because we have elevated risk and sustainability to the point of being a permanent board agenda in terms of how important it is for us in terms of long-term survival. The head of risk reports directly to the board committee, so she’s the conduit we use in terms of engagement with staff. In fact, one of the reasons she hasn’t moved to our corporate office is because she feels she’s more effective closer to the ground within a production setting. So, she does a huge amount of education, alignment, etc. and the Group Management Committee which is 7 of us, review all the risks once every three months and we assess whether the risks identified are still relevant and whether the levelling of the risk is correct, and so on. Recently we had an issue with a registration of a product that was delayed, and that was a major contributor to our strategy. So, while it hadn’t been top 10 because we thought we had sufficiently mitigated the risks in not obtaining the registration, all of a sudden, it went to top 10 because of the potential impact if we failed to get the registration. So, it’s extremely dynamic, it changes every quarter. Exchange rate wasn’t high in our risk register up to second quarter of last year because we thought the ringgit was appreciating but now, we are seeing weaknesses appearing in the exchange rate and it has now moved up again in our risk register.  We do town halls once every quarter and there, we attempt to simplify the issues we are facing in the business, and we also have monthly meetings among the senior management as well as monthly meetings with their staff as well. And Anita, who is our Risk Manager, has the option of sitting in on any meeting, and she conducts workshops with particular departments to make sure the risk register is holistic enough to cover the entire organization.

 

Having the risks documented, how does that relate to your decision-making?

 

It’s not so much the risks that are important as they are inherent in any business, but the mitigation, because the mitigation can take us down an entire different strategic route, so that’s where the focus is. Because of the risk registers we have a broad idea of key touch points we need to address, and that translates into the KPIs. To develop the KPIs for the following year we look at the risk registers as well as the Annual Budget Review, and merge these two to look and say, okay what needs to be done in order to address the budget, taking into consideration the risks. So, in the final KPI, we have incorporated risk items and budget items, and that document is updated on a weekly basis, and shared among the management committee. Every Sunday night I review this document so there’s basically a live update on the entire list of KPIs. The Group Management Committee also have a monthly face-to-face where risks are taken into consideration when making decisions.

 

What makes for a sustainable organization?

 

Stamina. If you look at the 1920’s and you look at the top 20 companies, at the 1950’s, at the 2000’s, it’s amazing how companies that we were familiar with have come and gone. It’s changed for various reasons, if you look at Kodak – poor strategy, poor foresight. It comes down to stamina and foresight, the two major elements, I think. The stamina includes remaining relevant to your consumers, and for us that means both the general population as well as those in the healthcare profession. And the strategy is dynamic, every 3 to 5 years we relook at our strategy and decide how relevant are we going to continue being.  We even question whether some parts of our business should remain or should we spin them off. When I first started working for this company it was called ICI and that was about 30-35 years ago. Today, ICI no longer exists as an overall entity, but bits and pieces of it survive under different names. Companies need to be comfortable to reinvent themselves to remain relevant.

 

In a nutshell, yes, stamina and foresight, and obviously taking into consideration that to retain your relevance you also have to recognize how user preferences are changing. So, when you look at the UN Global Compact, etc., these are things that are becoming top of mind for consumers, and while we don’t have a very large carbon footprint as a pharmaceutical manufacturer, that doesn’t mean that we shouldn’t try to minimize it. To me, sustainability is making sure that I leave this company in a better shape than I came in, and that the successors that come in will bring it to greater heights. It’s about making money ultimately, but it’s also about making money sustainably. It’s a tough question because what may be sustainable today may be very different 30 years ago, so keeping your fingers on the pulse on how things are changing, in the minds of the consumers, the medical profession, the regulatory authorities, etc. is very important.

 

Major large companies now that were deemed ‘too big to fail’ are having problems – like General Electric, some of the Japanese electronic brands, etc. The mindset was always that Japan was at the forefront of technology. Korea has come out of nowhere and has overtaken it in a lot of fields. The Korean model has always fascinated me in that in the 70s Malaysia had a higher per capita GDP than Korea, now they’re 3 times larger than Malaysia. We have invested in one public-listed company in Korea. It’s interesting to see their innovation ecosystem. I don’t think Malaysia is any less innovative but what fails us is the ecosystem of taking an idea to market. And that’s due to less sophisticated consumer base, regulatory authorities that are overly conservative or our capital markets are immature. So, if I had an idea, I would probably fund it in Korea because the ecosystem is such that monetizing technology is much easier. Some of the companies that we have invested in Korea had zero revenue, only losses, but their market value was higher than Duopharma Biotech upon listing, purely because their technology platform was stronger. Until the capital markets in Malaysia recognize that, it’s very difficult for us to translate innovation into commercial success. A lot of people keep blaming academics in Malaysia for researching the wrong thing, but I tell you “no”. When we bought into a stem cell company in Korea, we wanted a third-party opinion, so we spoke to a few academics in Malaysia, and all of them were familiar with the technology, and their level of knowledge was comparable to those in Korea. But in Korea, venture capitalists were coming out of the woodwork, funding academic research, ready to take the idea for public listing, and in Malaysia our academics struggle to get grants.

 

Innovation is a large component of sustainability. That’s the reason we’ve bought into stem cells technology in Korea. That level of innovation will flourish there. And doing what we did, I’ll be able to bring that innovation to Malaysia, so in a way, I’m derisking innovation. We do our own R&D domestically, but that’s for the straightforward stuff. For anything that isn’t, yes we can develop it internally, but I think our regulatory framework here will struggle to keep up with it, so it’s better to outsource it, and that in itself is a form of risk mitigation for us.

 

You’ve stated publicly that the company is seeking to widen their business. How does ERM factor into that decision to reshape the business?

 

That came about from the risk exercise itself. Back in 2008-2010, we were looking at our business, we realized the biggest risk for us was that 50% of our business was from public tenders. And every time we entered into tenders, we were reasonably successful, but the selling price kept coming down, so the margins kept reducing. Unless we did something different, that margin squeeze will continue for a number of years and eventually we would not be making as much profit as we were making then. Therefore, one of the ideas we had for mitigating this risk was widening the scope of our product offering which lead to a focus on biosimilars. At the time, it was only 10% of the global market, but we saw it growing 16-20% per year. And we also noticed there weren’t that many patents for biosimilars in Malaysia.  We started looking at biosimilars as the risk mitigator to our then business model. From there we looked at which were the two biggest biologics, which was Erythpoeitin (EPO) and Human insulin. We started focusing on these two products to begin with. For Insulin, we entered into a long term partnership with one of the largest global producers, Biocon from India, whilst for EPO, we had access via a Korean company, Pangen Biotech. The whole risk mitigation led to a new strategy, and we’ve stuck with that strategy. Now we’re the largest pharmaceutical company in Malaysia by volume, no. 2 by value, with Pfizer as no. 1. How do we as a business ensure that we grow faster than market rates? We started thinking whether it was safe to only focus on therapeutic medication? Should we also be putting similar focus on consumer healthcare? We started putting more money in consumer healthcare business to develop brands that we had. In addition to judicious increased advertising expenditure, we also invested in a new facility for effervescent tablets and also an improved warehouse management system. All of these came out of risk mitigation exercises from that original thought that our margins were going to shrink over the years if we didn’t do anything different. If you ask me, we are now more robust than we were in 2010 because we have different streams of income. Having said that, in pharmaceuticals, the challenge is the long-term nature of the business where conceptualization of an idea to cash flow generation can take anything from 5 to 7 years. All those ideas we had in 2010 it’s only now that we’ve begun to see them come to fruition. EPO has only just got registered, for insulin we had early success in 2017, our effervescent facility only launched in 2017 as well. I’ve always maintained that ERM has a role in the entire strategy of the company, and until you take it to that level, it is more of a paper-pushing exercise.

 

When we look at our ERM, we have both a bottom-up and top-down approach. Unless your bottom-up aligns with your top-down, you can’t be sure that the people are focusing on the right areas. In the last year and a half we’ve seen more alignment in the organization, but it doesn’t happen overnight. When you first set up an ERM system, it requires a commitment from the Board, Senior Management and also from the rest of the Organization.

 

For example, for a factory worker, the exchange rate from ringgit to dollar means nothing. But for us, when we look at our financial statements, every depreciation of the ringgit translates into margin compression. Unless the operational staff realize that the exchange rate does have an impact on us, we’re not going to have buy-ins for projects seeking to localize raw material sourcing.

 

So you get to that alignment through…

 

Hard work! It’s constant communication. It’s making sure that people don’t see risk management as purely a paper exercise. I find that in companies, with people I speak to, it’s something that’s mandated because somebody attended a course or it’s required by market regulators. If it’s not intertwined with the way the business is run, then it becomes a paper exercise, that’s when people get turned off, because they’re doing it without seeing relevance to their own role. As I’ve said, we’ve intertwined ERM with the Annual Budget Review (ABR), it’s tied to our KPIs, and it’s become second nature to us. It’s more or less in our SOP. We’re far from perfect, of course, but we are definitely heading in the right direction. One area where ERM provides tremendous value, is that by forcing people to put risks and mitigations down in writing, it acts like a database for how to run our business, so you’re codifying what it takes to run the business. Succession becomes easier because every newly promoted individual has access to issues encountered by their predecessor and the means to mitigate the same. Boards have to be careful with succession plans. If they’re not familiar with the intricacies of the business, they have to bring in someone who is familiar with the business. The risk register becomes a wonderful place for somebody to get an appreciation of the business from the right angle.

 

How does risk management here compare to other players in the industry?

 

When we separated from ICI 20 years ago, risk management in the form it is today was not a big thing. For board papers, we used to put in downside risks just to make sure you thought about everything, but it wasn’t codified in a continuous process and they weren’t always elevated to the board members the way they are now. I think you find that different companies treat risk management with different levels of emphasis. We tend to put a lot of emphasis on risk management, mainly because I find it extremely useful to focus people on where they need to focus. I use it like a management tool, for strategy, for budget reviews, for weekly updates – it’s not just risk, sustainability as well needs to be entrenched into the organization, it can’t be seen as a bolt-on. A lot of companies I’ve seen, where the risk mitigation plans aren’t there; something happens, and they don’t have a plan B. Where they don’t have a plan B, the risk system has failed. Companies where something major has happened, like a loss of a contract, it’s probably a sign that their risk process has failed. Again, we’re not perfect. On a scale of 1-10, we’re probably about 5.5 to 6. We still have a long way to go.

 

What do you enjoy most about your role?

 

As you get more senior in an organization, you find that people management takes out a disproportionate time of your day. When I joined the company in 2008; I inherited too large a management team so I started consolidating roles in order to have clearer accountability. 12 months later, I took over another part of the business in combination with what we have today. Again, I had to make hard decisions about who deserved to be in the management team to ensure clear accountability but also develop a succession plan. Today I’ve got a management team of seven, including myself. It’s been enjoyable to see the choices I made were correct, the way I rationalized the portfolios was also correct. They are highly motivated; we’ve hardly had attrition at the senior management level in the last 10-12 years. I’ve enjoyed working with my current management team. They’re independent. As we get more and more alignment, my role as Group MD gets more diminished as the line managers know exactly what they need to do. There’s very little intervention needed on my part. My role tends to be strategy and partnerships. I work closely with our business development group. I put a lot of effort into partnerships, relationship with authorities, with ministries, etc. so I tend to find that I do less of the operational work, which I enjoy, because I like the interfacing with the authorities, with my senior management, with partners, and so on. The day I have to get back into the nitty gritty operational issues would probably indicate a failure on my part. I enjoy how the company has grown over the years and I have trust in my management to continue the strategic path irrespective of whether I’m there or not.

User registration

You don't have permission to register

Reset Password