Challenges to your business - both daily and long-term competitiveness - lurk in surprising places. Here's how to protect your company.
To paraphrase Donald Rumsfeld, there is 'what you know,' 'what you know you don't know,' and 'what you don't know you don't know.' While these unknowns have always been present in business, today more boards of directors are asking management the simple question: Have you identified our risks? This is driven in part by the push for corporate transparency, big patent and product liability litigation cases, and...
"There is growing risk. The world changes so quickly now," says Dave Young, director of risk management at BD (Becton, Dickinson and Co.), a medical technology company in
This relatively low implementation, especially in the face of recognition of benefits, may be owing to the fact that many companies think they are managing risk when they do risk management in specific functional areas such as marketing, sales, and manufacturing. Often, however, extensive coordination does not exist between functions or throughout the entire company via a formal process. Also, companies should have one person to coordinate this process, "somebody accountable in the company and with a scope broad enough to encompass the whole company," says Young. "The more people you can engage, the better the discussion will be."
While boards and investors are pushing companies for more extensive risk management, trends in the insurance industry are also forc-ing companies into looking at new ways to address risk (see "Four Ways to Save Money and Your Business"). Insurance premi-ums have climbed to unprecedented levels, and significant coverage restrictions have combined to force companies to reexamine the value of insurance. It is now not uncommon for premiums to equal 10% of the limit of liability purchased, i.e., a $50 million limit could cost $5 million.
"Commercial insurance is not going to be readily available to cover risks," says Gary Nelson, vice president of risk management at Medtronic, a medical technology company based in Minneapolis, Minn. "Industry has had huge losses, so underwriters are walking away or getting too expensive," he says. "So some pharmaceutical companies and medical device companies are self-insuring expo-sures such as product liability, which has traditionally been covered by insurance."
Medtronic is one of a growing number of companies that have made the decision to either entirely self-insure or to self-insure its product liability exposures, because purchasing such insurance no longer makes economic sense. This growing group of self-insurers also includes most major pharmaceutical companies, which have enough money to do this; they are betting that they are big enough to absorb a big loss. For them, it's probably a good bet: The likelihood of having a huge loss in, say, seven years, is low, and a company saves money over that time by not paying insurance premiums. Moreover, insurance probably wouldn't cover a catastrophic loss because of the reduced limits of liability and underwriters excluding a number of drugs from coverage.
The majority of life science companies continue to buy insurance, however, because their balance sheets do not allow them to self-insure. While it is expensive for smaller companies to buy insurance, they can't afford to not buy it, as a major loss would put them out of business. So what they are doing, typically, is buying less insurance or moving to buy more catastrophic coverage. In the end, the decision comes down to your balance sheet and how lucky you feel.
Medtronic decided to put its money into increased risk identification and loss prevention rather than insurance. By focusing more deeply on risk in various business units, it hoped to prevent problems and ultimately save money, says Nelson. For example, when Medtronic was expanding its operations in Puerto Rico in the 1990s, the risk management department convinced facilities manage-ment to consider design improvements that provided better protection. They evaluated the cost benefit of meeting the local building codes or exceeding them. By making a relatively small additional investment, the company could build the facility in a way that would not only provide protection against exposure to high winds, but also gain protection against seismic events. Exceeding local building codes turned out to be a good business decision as evidenced when hurricane George swept right over the facility but left little damage.
Human-caused accidents also threaten a company's continued operation. In the Business Continuity Planning case study, see how even a small fire, the loss of air conditioning, or a heart attack can halt your business, and what you should do to uncover and prepare for such risk.
Protecting your physical plant from weather or trespassing may seem obvious, but what about the threat of animal activism? Many biotechs would not consider this an issue if they weren't using animals on-site, but while the risk may be small, the harm can be great. Confrontation can interrupt administrative processes, R&D operations, and manufacturing, and publicity may make employee recruitment and retention more difficult. Smaller firms in particular are vulnerable to controversy because of smaller cash reserves, and being targeted can compromise venture capital funding. Moreover, activist organizations may operate under an inaccurate perception, seeing a link between animal testing and a life science or biotech company. Or, as groups have done in the past, they target companies along the supply chain that may lead to an animal-testing company.
Life Sciences Gap Analysis
For such a risk, a small investment could have a big impact, and risk preparedness can be based on a changing level of risk. For example, once a basic plan is in place and an increased threat arises, consider your response if a demonstration occurs out-side or if somebody comes through the door. Also consider protection at special events, including public events you may spon-sor. Brief all employees on the appropriate response, which for many would be to do nothing other than clear out of the area. Advocacy groups want the pushback, because it provides grist for controversy, a way to get new members, and more funding so they can stay in business.
Review your standard security procedures and your response plans to be sure they match up to the threat. As with many forms of risk, it is important to establish a basic plan and have the flexibility to adapt different parts, depending on the threat. If a specific activist-related threat exists or periodic intelligence says your company is a more likely target, it's time to consider enhancing these procedures, maybe even conducting exercises to be certain employees understand the plans and procedures. If you are at a life sciences lab that works with animals (or may be perceived as working with animals), stay abreast of a particular group's actions and plans. You can get a somewhat biased view of most of the groups from their Web sites.
Of course, risk is not limited to physical attack or accidents. ERM strives to examine risk to your business model as well as po-tential opportunities. Risks that may seem analogous often are very different once you begin a deeper analysis. For example, in the Product Risk Assessment case study, a company was hesitant about supplying components for an implantable device, because it had become embroiled in a lawsuit by supplying a previous implantable device with components. On the sur-face, the company was managing risk in a reasonable way. Once a thorough risk analysis was done, however, things looked very different.
D. Apgar, Risk Intelligence: Learning to Manage What We Don't Know, Boston: Harvard Business School Press, 2006.
Developmet and use of risk minimization action plans:
Pharmacovigilance practices and pharmacoepidemiologic assessment:
Even when a company performs significant risk management beyond items typically checked off (worker safety, safeguarding data, and issues covered under insurance) - and thus also covers strategic, financial, operational, hazard and regulatory issues - it may wind up with a list but little prioritization ( see "Life Sciences Inherent Risk Map" above). In this way, a company may end up putting too many resources against low-probability risks or risk that won't significantly affect a company's bottom line, and not nearly enough against risks that could bring a company to its knees. Thus, the company has bought itself a false sense of pre-paredness. Doing an analysis to rank risk (see "Life Sciences Gap Analysis" above) will help guide the best use of resources. It is also important to reassess a company's risk annually as external and internal variables are constantly changing. And a company needs to conduct exercises at least once a year to test its reaction to possible risk scenarios.
Risk management aimed at both operations and strategy yields increased results when a company can more deeply evaluate specific areas while involving as many staff throughout the company as possible. The goal, says Nelson, is to condense "why should I care" topics so that everyone understands why they should be worried. In this way, responsibility is distributed throughout the company in a grassroots effort. When implemented, a good risk program will look at not only "what can go wrong," says Young, but also "what can go right, and are we taking advantage of it?"