How Roche raised the profile of risk management throughout their organization and introduced a common language when discussing risk




The Background and Challenge

For more than 110 years Roche has played a pioneering role in healthcare. As an innovator of products and services for the early detection, prevention, diagnosis and treatment of diseases, Roche contributes on a broad range of fronts to improving people’s health and quality of life. Roche is the world leader in in-vitro diagnostics and drugs for cancer and transplantation, and active in other major therapeutic areas with a high medical need such as, autoimmune diseases, inflammatory diseases, virology, metabolic disorders and diseases of the central nervous system.

Roche is committed to meeting high ethical standards and complying with all applicable local, national and international laws. The company’s ethical standards are embodied in its corporate values. Conducting business responsibly includes the organization’s approach to managing risk.

In 2007 Roche set up a new Group Risk Management function to consolidate risk information from different parts of its considerable business. At the time the different business units were using a variety of tools and processes to identify and mitigate risk. The new risk management group needed a common platform to bring together the various tools and information processes that would be flexible enough to support local working practices. As well as managing enterprise risk globally, the tool also had to be suitable for managing risk within projects.

Dr Daniel Imhof, Risk Director at Roche explained; “At Roche we like to take a pragmatic approach. We needed a practical risk management solution that would be easy to use, easily accessible, that would collect all the data we needed to support good decision making. In addition, the tool needed to be fully compatible with standards such as COSO and ISO 31000.”

Enterprise Risk Management

The group risk management team at Roche takes a global approach to Enterprise Risk Management by engaging with the organization’s major business units covering areas such as marketing, sales, technical operations, research and development, IT, HR, finance and legal, about 25 in total, distributed around the world.

Each business unit has a nominated Risk Manager that coordinates all risk information using Project Risk Manager (PRM), however for each business unit the Risk Manager profile may be distinctive depending on the individual requirements. Risk information is collected in different ways across the units depending on culture and includes a mix of workshops, face-to-face meetings and questionnaires. Once the information is gathered the Risk Manager enters it into PRM with details of review dates and risk owners. The information is consolidated for each business unit and then sent to group risk management where information for the entire organization is merged and ultimately presented to the executive committee and the board of directors.

We receive requests from a range of different functions for assistance with identifying, assessing and documenting risks and developing risk mitigation strategies. We have worked with areas as varied as IT, communications, pricing, compliance and product development. It is important that we have the tools that enable us to work in a way that best suits the individual function or project.

Dr Daniel Imhof, Risk Director, Roche

Project Risk

One of the roles of the group risk management team is to provide risk advisory services. They can be called upon by anyone within Roche to provide risk management expertise, tools and resources.

We want the business units and affiliates to use risk management for its own sake, for the benefits it brings rather than seeing it as a form of monitoring or control.” Imhof stated, “This is why we have been so keen to preserve and support the local working practices, which PRM has successfully enabled us to do.

Dr Daniel Imhof, Risk Director, Roche

Local Affiliate Risk

Roche has approximately 150 affiliates worldwide, which consist of local marketing & sales, distribution and production organizations. There is no mandate that these organizations use risk management, but the option is there should they wish to.

With this in mind, the group risk management team has developed an eLearning package, which enables anyone wishing to use PRM locally to learn more about risk management and the PRM software and to assess if it will be suitable for them. It gives an introduction to the product and provides a good level of background information.

For those affiliates that do decide to take up the offer, the group risk management team undertakes a 2 week assessment reporting on any risks that they find and proposing risk mitigation strategies. The findings are provided to the affiliate management team for them to continue to manage locally.

Central Risk Management Monitoring

PRM is also used by the group risk management team to monitor and improve their own performance and the risk management process itself. In this way they ensure that the whole corporate risk management function is iterative and continually improved.

As part of this process the team has the ability to analyze events that have already happened. The system allows users to go back in time to review what the perceived risks were, what actually happened and how it was dealt with. For example, did the impact correspond to the outcome that was anticipated? This retrospective element of the system enables the Roche team to understand how good they were historically at dealing with risk and to assess lessons learned.

A feature within PRM that the Roche team finds particularly useful is the ability to reassess a risk at any time, when new external information comes to light. For example, this could be when a competitor completes a clinical trial and publishes results that could have a direct impact on one of Roche’s products.

Consolidated Group Risk Management

The key benefit for Roche has been the consolidation of the Group Risk Management process by using a common tool, a common language and scoring criteria that are clearly defined within Project Risk Manager. Reports, some of which have been customized for the group, provide a valuable means of communicating with the business units. Managers can be provided with risk information, without the need to go into the tool itself, making the intelligence more pertinent and easier to digest for individual risk owners.

The alert features within PRM also help to improve communications and risk awareness. Alerts can be sent centrally from group risk management to the respective users, or they can be disseminated to the Risk Managers for each business unit who then pass on the alerts to the appropriate risk and risk plan owners.

PRM is accessible via the web so that individual users can use the system from any location on any device without the need to download software locally. While providing easy accessibility, this also ensures that the central database of corporate risk data is maintained, avoiding silos of information held locally.

Daniel Imhof summarized; “We are now in a position where we have visibility of our risk profile globally. PRM has enabled us to raise the profile of risk management throughout the organization and has helped us to introduce a common language when discussing risk, which is extremely helpful. We have a pragmatic system for managing corporate risk management that covers the entire organization. PRM centralizes risk information enabling the organization to measure the performance, KPIs, risks or responses overdue, and generally see how well we handle our risks, and so make better business decisions.”