Putting Risk-Based Decision-Making Where It Belongs

Intense interest in risk-based decision-making has been building in the life-sciences industry for the past decade. Encouraged by investors and regulators, life-sciences companies have recognized that risk-based decision-making should be an enterprise-wide concern. Although some of this interest has been cGMP-driven, many other areas of the business—including legal, financial, safety, and others—have also driven it. Most organizations take an enterprise-wide approach, but tend to address only the broadest risks and isolate efforts into a few areas:

Greg T. Plante

• Product life-cycle risks—a focus on patient safety across the product lifecycle and cost controls during early stages of development

• Compliance—risk viewed through a regulatory lens

• Corporate functions—a focus on legal, financial, and intellectual property risks

• Manufacturing operations and quality—a focus on risk-based approaches to cGMP reviews and processes

• Health, safety and environment—a focus on the occupational and social consequences of operations.

Each area drives independent value at the enterprise level. However, much of the value of risk-based decision-making resides at the tactical level, that is, in the activity planning, change programs, management of project portfolios, and other investments that take place below the corporate level. These activities constitute the majority of actions in a company and cumulatively make an enormous difference in overall value creation.

Organizations can capture that value by integrating risk-based decision-making into all of their activities. Instead of relying on enterprise-level programs, organizations can work to:

• Recognize the misconceptions that impede integrated risk management

• Integrate risk assessment and mitigation planning into all decision processes and activities

• Identify risks and communicate the value of mitigation projects in a way that enables their comparison with other investments and expenditures intended to protect or enhance shareholder value.

RECOGNIZING MISCONCEPTIONS

How one thinks about risk management in broad terms can determine what specific actions are taken. In the author's experience, broad misconceptions can work against creating the mindset required to effectively implement integrated risk management. These misconceptions include:

Risk management should focus on dire consequences only. Risks such as patient and environmental safety can involve significant financial costs, and avoiding them requires unequivocal "must-do" decisions. But most corporate decisions are far more ambiguous and require a complex balancing of risk with cost, revenue, and other issues.

All risks are bad. This belief often leads one to focus on risk elimination rather than risk management. In the end, however, nothing happens without a risk being taken, and not all types of risk demand action. Risk management should focus on understanding risks and establishing parameters for tolerance—that is, how much risk the organization is willing to accept.

Risk management applies primarily to cGMP concerns and regulatory audits. Risk management is crucial for cGMP and audits; there is a clear application to legal and financial risk. But this narrow view can lead one to overlook other key issues such as cost-of-resolution.

Risk management ends at ranking and tracking. Many organizations use risk management to identify and quantify risks, once or periodically, and specify action as the responsibility of business leaders. Essentially, such risk managers create a portfolio of risks, not actions. As a result, business leaders are often left wondering what to do with the data given to them. This approach can lead to risk managers being viewed as distracting employees from "doing business."

The communication of risks requires complex formulas. Risk managers often become immersed in the "science" of their analyses. The most effective communication of risks should mirror how an organization reviews its expenditures. The risk analysis becomes a part of the business case, including return on investment (ROI), thereby presenting a clearer case for action.

Risk management should be an independent corporate process. Understanding risk is a fundamental part of running a business but large organizations often take that to mean that risk management must have a strong, independent role in the organization. A corporate risk-management group can track and communicate high-level risks, define processes, track activities, advise colleagues, and lead other risk-related activities, but in the end, the group is subordinate to the decision-making processes of the company. When functioning at its best, risk management is an integral part of most decision-making processes throughout the business.

ROI and risk mitigation are separate considerations. Laboring under this belief, organizations can fail to see that investments in proposed mitigation actions have a calculable return. An effective risk-assessment approach combines these concepts into a single portfolio review.

The misconceptions outlined here are deeply rooted in much of today's corporate thinking. Correcting them is essential for putting risk management into proper perspective and practice.

INTEGRATING RISK ASSESSMENT IN BUSINESS ACTIVITIES

Broadly adopting risk-based decision-making involves more than overlaying risk assessment and mitigation planning in particular areas, such as manufacturing and quality. It requires weaving a set of methods into the more encompassing methodologies related to the organization's work, such as cGMP.

Risk assessment should be integrated with large-scale change-management programs as well. For example, life-sciences companies cannot afford non-robust and unreliable processes. The risks are simply too great: costly rejected lots, launch delays, supply interruption, noncompliance issues, and time-consuming investigations. At the same time, FDA is calling on companies to continually strive to improve processes and to take a science- and risk-based approach to decisions related to product quality. By integrating risk assessment with programs designed to fully characterize, remediate, or control processes, the project team can proactively identify and distinguish high-impact risk mitigation actions from low-impact actions and make high-value decisions as they seek to control variability in the process in advance.

Similarly, transformational cost-reduction programs that are designed to reduce waste and non-value-added work should incorporate risk assessment to make higher-value decisions about what can be improved, eliminated, or scaled back. Technology transfer projects, which by their nature involve significant change, offer another opportunity to assess and respond to risks. In addition to integrating risk assessment with change-management programs, a business leader may want to seek an independent risk review, engaging external experts to help develop an objective understanding of risks the business faces.

Proper risk assessment should not only identify and quantify a set of risks, but should also proceed to mitigation planning. The combination affords an understanding of impact as well as potential cost of mitigation. The organization then has the ability to justify investments in mitigation and to compare them with other investments.

Overall, a comprehensive integration of risk assessment and mitigation planning across an organization can change the way many activities are conducted, including:

Business planning—the review of a company's investment portfolio generally includes investment reviews, cost reviews, and other considerations. Risk assessment should be a part of the analysis. In the end, a single portfolio of activities should be created so that risk-focused activities can be compared side-by-side with business opportunities.

Major initiatives—integrating risk assessment into major business initiatives can shift the focus from short-term objectives to long-standing concerns, thereby enabling their resolution.

Outsourcing initiation and review—outsourcing represents both a large opportunity and substantial risk. Developing an understanding of the risks and forming management plans to mitigate those risks are crucial to achieving the goals of outsourcing.

Business reviews—business reviews tend to focus on past performance, cost drivers, product characteristics, and a few other key metrics. Inclusion of risks in these periodic or one-time reviews can produce a different and valuable perspective.

Mock audits—when planning for an FDA audit, a company can not only identify regulatory risks, but also make the exercise far more productive by drawing in other parts of the business and developing a view of potential impacts throughout the enterprise. Developing approaches to resolve concerns and following up with a business plan that captures related risks, their potential resolution, and potential costs can be greatly beneficial before a live audit.

IDENTIFYING RISKS AND THE VALUE OF MITIGATION

The process of risk assessment may differ, depending on the nature of the activity or project into which it is integrated. No matter the activity, however, assessment should begin at the intersection of business activities and risk categories. Business activities include development, production, facilities/equipment, materials, laboratories, packaging/labeling, and sales/marketing. Risk categories include legal/regulatory, financial, policy, safety, quality, process, environmental, and business continuity.

Through structured working sessions, workshops and meetings, the project team can define the risks, decompose them into actionable elements, and quantify them through the use of company data, team knowledge and quantification tools. The team, which may consist of process leaders as well as risk specialists and, often, external experts, reviews the risks identified, defines mitigations, and recommends a set of responses that are clear, actionable, and well justified. Such recommendations should:

• Understand growth, risk, and return through a clear linkage of risk action, ROI, and business opportunity

• Include rough project plans and budgets for mitigation alternatives

• Provide integrated responses linked to the enterprise risk efforts and resources.

These value-based recommendations permit the organization to evaluate risk-mitigation actions alongside other investments, balance them with new investments, and capture additional value.

It is essential that risk-mitigation projects be able to stand up to comparison of value with other types of actions. In the end, a business manager must be able to review a portfolio of actions, all of which generate or protect value. Revenue-enhancement projects, for example, generally show a clear ROI starting from a zero balance, with return versus expenditure increasing over time. Similarly, cost-improvement projects show an ROI starting from a negative cost point, with the investment over time showing added value to the organization's bottom line.

Risk-mitigation projects often present a nebulous investment picture. Risk managers may characterize mitigations as "must do" projects for a variety of reasons and, in some cases, that judgment is correct. But the case for most risk-mitigation actions must stand up to financial scrutiny. Business value includes the evaluation of risks, starting as a negative cost point appropriate to the type of risk evaluated (e.g., sales impact, litigation risk, material risk).

Being able to evaluate and communicate the value of mitigation actions in clear financial terms can bring to fruition the aim of the kind of risk management being proposed: better decisions framed in the overall context of the business. Organizations that shake free of misconceptions about risk management, integrate risk-based decision-making into project and planning activities, and regularly evaluate mitigation actions against other investments are likely to find that those better decisions have become a matter of routine.

Greg T. Plante is a principal at Tunnell Consulting, Inc., gregory.plante@tunnellconsulting.com.