IERP® Monthly Newsletter Issue 3/ August 2018 | Page 13


Spotlight: Group Managing Director Interactions in ERM

Leonard Ariff Abdul Shatar, Group Managing Director, CCM Duopharma Biotech

A common excuse given by those who are not convinced of the use of risk management is that there is ‘no time’ for it, especially if management often has to make quick decisions. However, Leonard Ariff Abdul Shatar, Group Managing Director of CCM Duopharma Biotech, notes that many mistakes (and the subsequent costs) could have been avoided if additional thought and effort had been put in. As a public-listed company, it’s a requirement for CCM to have a risk management function. For CCM Duopharma Biotech, risk management was split up as it was thought that the audit function was overshadowing it.

At CCM Duopharma Biotech, Leonard Ariff faced the monumental task of reshaping the business to resolve issues relating to ageing products as well as ageing assets. A key part of the strategy was to move into biosimilar medicine, which is medicine that is highly similar to its reference product (distinct from generics, which are identical to their reference product). To build the capabilities required for this endeavor, the company needed to establish partnerships with companies already in the field, as CCM had concluded that building in-house capabilities would take 8-9 years.

The Integration of ERM with Operational Plans

When it comes to proposing or executing plans, the ones who do the risk reviews should not be the risk managers but the promoters of the investment or the staff on the project. In effect, ERM and operational plans need to run in parallel with each other. This can start with the Annual Business Review, where best practice is to delineate goals and articulate the budgets, risks, and KPIs, so that you will be 80% confident when bringing the plan to the board.

ERM should be embedded into everyday business processes. For example, induction lists for new staff should include the risk register to communicate its importance to the company’s ecosystem. Risks, resolved or not, should be included in the risk register. The risks identified should not just be operationally focused, as assumptions made at the beginning may become irrelevant at any time.

All in all, it’s vital that organizations consider (1) what could go wrong (the risks), (2) what the company has in place to prevent them from happening (the controls), and (3) what else the company can do about the risks (the treatment).