Beyond Insurance - Comprehensive Risk Analysis Through Enterprise Risk Management

Matt Allen, Timothy Budacki, Bruce Belzak and Gary Bucciarelli

Enterprise Risk Management (ERM) has the ability to help medical device companies align people, processes and ideas that support corporate objectives, improve cash flow and earnings, capture opportunities, allocate capital and manage growth. The recent AdvaMed 2008 Conference featured a panel presentation on the essentials of ERM. Presented below are excerpts of the discussion from panel experts Bruce Belzak, Managing Director & Life Sciences Practice Leader at Marsh; Matt Allen, Senior Vice President & ERM Practice Leader at Marsh Risk Consulting; Timothy Budacki, Principal at Hazard Management Associates; and Gary Bucciarelli, Chief Administration Officer at Medrad, a Bayer Company.

On Enterprise Risk Management (ERM)…

Matt Allen: Enterprise Risk Management (ERM) is a structured, consistent and continuous risk management process that is applied systematically across the entire organization. By proactively identifying, assessing and prioritizing material risks within an organization's business operations, ERM results in the development and deployment of effective mitigation strategies, generating security and driving value within the organization.

Based on my experience with clients, a viable ERM program demonstrates three core components. First, it should align directly with the strategic objectives and business processes within the organization. The ERM process should not only draw from the company's strategic plan, but also contribute to it, generating a critical dependency between the two. Secondly, the ERM should closely examine the budget, identifying potential circumstances that would prevent the organization from achieving the budget it has agreed to. How will the company proceed should one of these circumstances come to fruition? And lastly, the ERM should act as a feeder to the internal audit process. As a key component of an organization's culture, ERM is not a "once and done" process, but an iterative endeavor that continually evolves with the organization.

On the value of ERM…

Bruce Belzak: To paraphrase Don Rumsfeld, there is what you know; what you know you don't know; and what you don't know you don't know. And while we cannot anticipate everything the future holds, ERM is the deliberate attempt to identify the unknown and mitigate the risks it presents.

Companies today are facing a landscape steadily increasing in risk. Specifically within the medical device industry, risk grows as the development time for getting a new device to market increases, as supply chains become more complex and as outsourcing is increasingly utilized. Combined with the push for corporate transparency and a rise in consumer activism, more boards of directors are asking their management teams the simple question, "Have you identified our risks?"

From large life science companies to small, lack of proper risk management can damage the company's brand and reputation, hurt the bottom line and potentially put you out of business. ERM represents the opportunity to not only identify these risks, but develop a strategy for mitigating them.

On the key risks an ERM program can address… 

Timothy Budacki: An ERM program is not an attempt to address every risk a company is going to face, but rather an opportunity to identify potential risks, prioritize these risks, and develop strategies to address those that present the biggest potential hazards. These risks will vary by company, but generally fall into a few main categories: financial risks, human capital risks, strategic risks, legal and regulatory risks and technological risks.

Financial risks are often the most apparent and encompass the company's ability to maintain capital, ability to maintain supply chains and reimbursements and ability to build a product with the assurance that you will be able to make acceptable margins before you even begin design work.

Medical device companies in particular must closely examine legal and regulatory risks. While companies often have a good process in place to ensure regulatory compliance prior to product launch, the infrastructure is often less stable when a post-launch crisis (e.g., a product injures a person) arises.

Identifying technological risks is also essential to the success of a medical device company. Strategies for keeping in step with technological advancements, advancing product development programs and distinguishing your company among competitors must be considered.

And lastly, a company must also address its human capital risks, taking a critical look at how it is utilizing its employees and fostering a corporate culture that promotes retention. This goes hand in hand with analyzing strategic risks - or identifying what hurdles exist for the future growth of the company, and what tactics (branding, intellectual property, advertising, mergers and acquisitions) are available to maintain growth.

On employee involvement in an ERM program…

Gary Bucciarelli: In short, just as every employee is integral to the success of a company, every employee also shares the responsibility for ERM. In my experience, employee engagement enables risk reduction. Establishing a vision statement that communicates a company's core objectives helps to set the benchmark for success, fostering an environment where employees recognize their role in achieving those objectives.

Engaging employees takes place on a number of levels. To begin with, a successful ERM program requires discussions with employees about what potential problems and issues they are facing within their role - asking them how the organization can improve and finding out what it is about their job that keeps them awake at night. This needs to take place in formal discussion groups, but also on an ad hoc basis.

These conversations cannot take place in a vacuum. A structure must be in place to integrate and respond to employee feedback. Management must evaluate what they are hearing from employees, and use what they are hearing as an opportunity to proactively dig deeper and ward off potential risks.

On new ERM requirements from Standard & Poor's…

MA: If there was ever any doubt that managing risk was essential to the success of an organization, recent headlines have demonstrated the necessity of proper risk management, and regulatory and quasi-regulatory bodies are responding in kind. With Standard & Poor's (S&P) announcement of its intention to incorporate ERM into the credit ratings of non-financial institutions, ERM has transitioned from something that is good to have to something we need to have.

To provide a brief background, following its announcement earlier this year, S&P had a period of open comment until March 1, 2008. They are now gathering information through Q4 2008, with the expectation that evaluation will be complete and ratings will take effect in mid-2009. Within 12-18 months, S&P will begin assigning ERM ratings of "weak", "adequate", "strong" or "excellent". Ratings will be based on the company's ERM corporate culture and governance, strategic risk management, risk controls and emerging risks.

Essentially, S&P wants to ensure that management is deliberately attempting to manage key risks, and that they have allocated sufficient resources to achieve the objectives of ERM. The standards will be designed to ensure that long-term planning and resource allocations reflect a well conceived risk/reward and cost/benefit analysis, and that the Board of Directors is involved in setting and/or approving risk tolerances and related major policies. The ERM rating is intended to provide stakeholders with confidence in the management's ability to manage the key risks of the organization.

On launching an ERM program at your company…

TB: ERM is not a completely foreign process within the medical device industry. A regular part of systems safety techniques involves examining the individual components of a system - the people, processes, facilities, and environment - and identifying what can possibly go wrong within any of these elements. ERM replicates this process across the entire organization.

When you're getting started, make use of available resources to familiarize yourself and your team with ERM and get everyone on the same page. Once everyone understands the importance of ERM, you must determine what specific goals you are aiming to accomplish. These "smart objectives" should then result in specific, measurable and acceptable response plans.

Ultimately, ERM combines an element of art and of science - you can use as many analytic tools as possible, but you also need to work and think outside of the box and identify those elements that are most critical to your organization.

Core Checklist for an ERM Program

  • Does your organization have a detailed understanding of acceptable/tolerable risk?
  • Does your management agree on:
      • What the critical risks are?
      • The importance of these risks?
      • The relationship of the risks to strategy?
  • Does your organization have a plan in place to improve the management of:
      • Under-managed risks?
      • Over-managed risks?
  • Can the senior leadership team respond to the following Board questions:
      • "What are our most critical risks and are we effectively managing them?"
      • "What is our risk profile and how are we establishing risk tolerances?"
      • "What should we be doing to help the senior leadership team manage risk?"


Copyright © 2021 - Medmarc
