Risk Management in the Pharmaceuticals
and Life Sciences Industry
An Economist Intelligence Unit research program

KPMG INTERNATIONAL


2 Risk Management in the Pharmaceuticals and Life Sciences Industry

The following is the final version
of the Executive Summary of the
findings of a survey conducted among
executives in the pharmaceuticals
and life sciences industry during
October 2009, and comparison with
the findings of the broader survey
conducted in May and June 2009.
Preface
Risk management in the pharmaceuticals and life sciences industry is
a KPMG International report, written in cooperation with the Economist
Intelligence Unit. In August 2009, the Economist Intelligence Unit
carried out a survey of senior management executives in the pharmaceuticals and life sciences industry, which includes the biotechnology
as well as the medical devices and diagnostics segments. The
Economist Intelligence Unit executed the survey, conducted the
analysis and wrote the report. The findings and views expressed in the
report do not necessarily reflect the views of the sponsor. Katherine
Dorr Abreu was the editor and project manager. Madelaine Drohan was
the writer. The report also includes commentary by professionals in
KPMG LLP (U.S.), who sponsored this research.
Who took the survey?
In August 2009, the Economist Intelligence Unit conducted a global

survey of executives in the pharmaceuticals and life sciences
industry on how risk is managed in their organizations. The 65
responses were compared with those of a June 2009 global survey
of 353 executives in a broad range of other industries. Of the
pharmaceuticals and life sciences respondents, nearly one-half (46
percent) are C-level executives and the remainder are other senior
executives and managers. Sixty-eight percent represent companies
with annual global revenues above US$500m. The survey focused
on North America (65 percent of respondents), but had respondents
from Europe, Asia-Pacific, the Middle East and Africa, and Latin
America as well.

© 2009 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the
independent member firms of the KPMG network are affiliated. All rights reserved. 21452NSS


Risk Management in the Pharmaceuticals and Life Sciences Industry 3

Principal Findings
No executive could have witnessed the humbling of global banks and
insurers in the recent financial crisis without wondering whether their
organization should be doing a better job of identifying, measuring,
and managing risk. One clear lesson from the turmoil is that neither a
high level of regulation nor long experience in dealing with risk can be
adequate protection. In order to survive in an increasingly uncertain
world, companies have to adjust their risk antennae constantly to
detect not just “known unknowns,” to borrow from former U.S. defense
secretary Donald Rumsfeld, but also “unknown unknowns” before they
become a serious threat.
The collapse of the Ponzi scheme run by New York financier Bernie

Madoff may not at first blush have appeared relevant to executives in
the life sciences sector. But when it caused the collapse of the Picower
Foundation,1 a major benefactor of life sciences research, the ripples
spread through the industry. The growing ability of organized crime to
operate globally might not seem germane until the items being illegally
manufactured abroad and smuggled are counterfeit versions of popular
drugs. In 2005, authorities in the United States, Britain, and Canada seized
millions of dollars worth of fake Viagra, Cialis, and Propecia produced by
a criminal network with tentacles in China, India, Pakistan, the Caribbean,
and the United States.
1

“Foundation That Relied on Madoff Closes.” The New York Times, December 19, 2008.

© 2009 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the
independent member firms of the KPMG network are affiliated. All rights reserved. 21452NSS


4 Risk Management in the Pharmaceuticals and Life Sciences Industry

To find out how companies in the pharmaceuticals and life sciences industry
are managing risk, and to identify areas in need of improvement, the Economist
Intelligence Unit on behalf of KPMG conducted a global survey of 65 executives in
the industry and compared the results with a separate survey of 353 executives from
other industries. The principal findings are as follows:
• Risk management is a C-level issue in the pharmaceuticals and life sciences
industry. Ultimate responsibility for risk management rests most frequently with
the chief executive officer (CEO), followed by the chief financial officer (CFO), the
chief risk officer (CRO), and the general counsel. Executives are generally satisfied
with the level of expertise at the C-level and the support that senior management

gives to risk governance. However, senior executives could be doing a better job of
defining their organization’s appetite for risk, making sure risk information gets to
the right people, and increasing the level of expertise at the executive board level.
• There is a mismatch between what executives identify as the biggest barrier
to effective risk management in the coming year, identified as a shortage of
available expertise, and their main priority, which is risk processes.2 Less than
one-third of respondents say their organization has a chief risk officer and almost
two-thirds do not intend to recruit one. This appears at first glance to be misguided.
However, by giving a high priority to training nonrisk professionals in risk, companies
may succeed in spreading risk awareness throughout the organization. If they break
down the risk management silo, which concentrates responsibility in a single unit of
the organization, they may be better able to identify and manage emerging risks.
• In managing risk, pharmaceuticals and life sciences companies spend the most time
on activities aimed at controlling regulatory risk, which they perceive to be by far the
biggest threat to their organizations. Compliance absorbs most of their time, followed by
controls and monitoring. Yet in focusing on and then reacting to this obvious risk, they leave
themselves less time and resources to scan the horizon for new and emerging threats.
This reactive style of risk governance, directed from the top, means many companies in
this industry are failing to instill broad risk awareness throughout their organizations. As a
result, the level of understanding of new risks, the likelihood of occurrence, the magnitude
of impact and the interaction between risks is dangerously low.
Risks Posing Threat To Company’s Global Business Operations
How significant a threat do the following risks pose to your company's global business operation today?
Please rate on a scale of 1 to 5, where 1 = very high risk and 5 = very low risk.

Mean n
Regulatory risk (e.g., problems caused by new or existing regulations)

67%


Human capital risks (e.g., skills shortages, succession issues, loss of key personnel)

42%

Financing risk (e.g., difficulties with raising finance)

41%

Foreign exchange risk (e.g., risk that exchange rates may change)

Reputational risk (e.g., events that undermine public trust in your products or brand)

37%

IT risk (e.g., loss of data, outage of data center)

37%

Country risk (e.g., problems of operating in a particular location)

28%

Credit risk (e.g., risk of bad debt)

27%

Crime and physical security
0%
May not equal 100% due to rounding


2

9%
13%
11%

38%

25%

37%

48%

38%

2%
23%

17%

45%

25%

38%

19%

44%


23%

49%

20%

53%

23%

68%

11%

75%

14%

2%

75%

25%
1-2

8%

36%


21%

29%

Political risk (e.g., danger of a change of government)

Terrorism

22%

37%

Market risk (e.g., risk that the market value of assets will fall)

Natural hazard risk (e.g., hurricanes, earthquakes etc.)

25%

50%
3

75%
4-5

2.1

64

2.9


64

3.0

65

3.0

63

3.0

65

3.2

65

3.2

63

3.2

64

3.4

65


3.5

64

4.0

65

4.1

64

4.1

64

100%
Don't Know

Risk processes are the internal actions taken or mandated by management to detect, identify, assess, and respond to risks.

© 2009 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the
independent member firms of the KPMG network are affiliated. All rights reserved. 21452NSS


Risk Management in the Pharmaceuticals and Life Sciences Industry 5

KPMG Commentary

Effectiveness of Organization’s Risk Reporting At Enabling Activities


Research indicates that the role of risk
management in the pharmaceuticals
and life sciences sector may not be
significantly more advanced than when
KPMG published Pressure Points: Risk
Management in the Pharmaceuticals
Industry in 2005.

How effective is your organization’s risk reporting at enabling the following activities? Please rate 1 to 5 where
1 = very effective and 5 = not at all effective.

Feeding into strategy development
and management decision-making

Indeed, the industry’s focus remains on
regulatory compliance rather than on a
more comprehensive and enterprisewide view of risk. Respondents
acknowledged concerns—which
KPMG has expressed in the past—that
risk management processes are not
proactive and anticipatory, but change is
not a significant priority at this time. The
integration of risk management into the
strategic areas of the business remains a
low priority for these respondents, with
most of them focused on mitigating risk
on the downside rather than taking a
more balanced view of risk appetite and
its potential.


17%

51%

32%

n

2.7

63

2.7

63

Highlighting risk concentrations

44%

29%

27%

2.8

63

Highlighting possible opportunities

(upside risk)

43%

32%

25%

2.8

63

Effective allocation of resources

27%

48%

25%

2.9

63

Providing information that is
tailored to the audience

27%

45%


27%

3.0

62

Providing up-to-date risk information

26%

3.0

62

3.1

63

3.2

63

Providing aggregate view of risk
exposure across entire organization

43%

35%


0%

25%
1-2

2%

35%

33%

22%

May not equal 100% due to rounding

31%

44%

30%

Highlighting interdependencies
between risks

50%
3

4-5

75%


100%

Don't Know

Most Important Objectives of Risk Management Function

This limited risk orientation is not
surprising as the penalties for failing at
regulatory compliance have been very
visible, with high profile examples of
financial, legal, and reputational costs.
While respondents acknowledged
that the most important goals of risk
management are proactive risk identification and helping management with
strategic decisions, nevertheless,
the business case for integrating risk
management into strategic processes
is harder to make; and examples of the
successful use of risk management in
driving business value are less visible.
One promising development over the
past few years is the emphasis on
significant investment in information
technology (IT), both by respondents
in this research and in the analyses
of public financial reports for KPMG’s
recent Disclosures Handbook. The
investment in IT infrastructure enables
more risk management controls to be

automated rather than manual, with
the potential for fewer human errors
and better documentation. Increasing
reliance on sophisticated IT, however,

22%

38%

40%

Highlighting emerging risks

Mean

What, in your judgment, are the most important objectives of the risk management function?
Please select no more than three objectives.
Identifying new and emerging risks

32%

Ensuring regulatory compliance

28%

Instilling risk culture in the organization

28%

Measuring and monitoring risk


23%

Enabling line-of-business managers to make
better business decisions
Identifying what action needs to
be taken once risks are identified

20%
20%

Ensuring corporate survival

18%

Communicating key risks to stakeholders

15%

Setting and monitoring the
organization’s risk appetite

15%

Minimizing loss

14%

Fraud risk management


6%

Enabling more efficient resource allocation

5%

Selection of appropriate insurance cover

5%

Counterparty risk reduction

5%

Other
Multiple Responses Allowed

n = 65

37%

Assisting management with
strategic decision-making

2%
0%

20%

40%


60%

80%

100%

is also increasingly disclosed as a risk by more companies in all segments of the
market—pharmaceuticals, biotechnology and medical device/diagnostics. “As IT
becomes more complex and there is an increased dependence on IT systems in the
day-to-day running of pharmaceutical businesses, the potential downside of any IT
failure becomes more catastrophic.”3

3

KPMG Disclosures Handbook 2008 – 2009, Volume 1 – Risk and Disclosure in the Pharmaceutical Industry, page 71.

© 2009 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the
independent member firms of the KPMG network are affiliated. All rights reserved. 21452NSS


6 Risk Management in the Pharmaceuticals and Life Sciences Industry

An Industry with a Singular Focus
Pharmaceuticals and life sciences companies have a somewhat
narrow perspective of risk. Just over two-thirds of executives
responding to our survey say that problems caused by new or existing
regulations represent the biggest threat to their global business
operations. This is true regardless of the size of the company,
although those with annual revenue of less than US$500 million are

slightly more inclined to this view—70 percent of respondents from
small companies identify regulatory risk as somewhat or very high,
compared with 67 percent from larger companies. In comparison,
executives from other industries are more worried these days
about financing, foreign exchange, market, and credit risk. All of
these are seen as lesser threats by the pharmaceuticals and life
sciences industry as a whole. Nevertheless, smaller companies are
as concerned about financing as they are about regulatory risk, and
businesses with annual revenue of US$5 billion or more cite foreign
exchange risk as the second most important threat.

© 2009 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the
independent member firms of the KPMG network are affiliated. All rights reserved. 21452NSS


Risk Management in the Pharmaceuticals and Life Sciences Industry 7

Regulatory risk is No.1 for all pharmaceuticals and life sciences companies,
but other risks vary by company size
How significant a threat do the following risks pose to your company's global
business operation today?
(Companies ranked by annual revenue)
(Percent of respondents who selected 1 or 2 on a 5-point scale, where 1=very high
risk and 5=very low risk)
All
companies

$500m or
less


Regulatory risk (e.g., problems
caused by new or existing
regulations)

67%

70%

68%

64%

Human capital risks (e.g., skills
shortages, succession issues,
loss of key personnel)

42%

45%

36%

46%

Financing risk

41%

70%


43%

14%

Political risk (e.g., danger of a
change of government)

38%

35%

36%

41%

Reputational risk (e.g., events
that undermine public trust in
your products or brand)

37%

52%

9%

50%

Foreign exchange risk (e.g.,
risk that exchange rates may
change)


37%

33%

23%

55%

IT risk (e.g., loss of data,
outage of data center)

37%

30 %

41%

38%

Market risk (e.g., risk that the
market value of assets will fall)

29%

24%

41%

23%


Country risk (e.g., problems
of operating in a particular
location)

28%

38%

18%

27%

Credit risk (e.g., risk of bad debt)

27%

25%

36%

18%

Terrorism

13%

15%

5%


18%

Crime and physical security

11%

10%

9%

14%

9%

10%

9%

9%

Risk

Natural hazard risk (e.g.,
hurricanes, earthquakes, etc.)

$500m to
$5bn

$5bn or

more

The risk governance structure of companies in the pharmaceuticals and life sciences
industry is suited to dealing with regulatory risk. Regardless of industry, risk
management is dealt with at the top, with ultimate responsibility resting most often
with the C-suite. In pharmaceuticals and life sciences companies, however, the
general counsel ranks much higher than in the general corporate world. This reflects
the importance of regulatory risk for the industry.
Executives in pharmaceuticals and life sciences companies are generally satisfied
with the level of risk expertise in the top management echelons. But they are more
likely than their counterparts outside the industry to think expertise is more broadly
disseminated throughout the company: they give higher ratings than the broader
survey to the heads of business units, the chairman, and the audit committee.

© 2009 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the
independent member firms of the KPMG network are affiliated. All rights reserved. 21452NSS


8 Risk Management in the Pharmaceuticals and Life Sciences Industry

Pharmaceuticals and life sciences: Risk expertise broadly disseminated
How would you rate the level of risk expertise among the following individuals/entities within your business?
(% of respondents who selected 1 or 2 on a 5-point scale, where 1=Very effective and 5=Not at all effective)
Chief executive officer
Chief financial officer
Chairman
Audit committee
Business units
0%


10%

20%

All other industries

30%

40%

50%

60%

70%

Pharma and life sciences

Yet there is dissatisfaction with the effectiveness of risk management, how far it
extends through the organization and its perceived benefits. While executives say
their companies are effective at managing regulatory compliance and linking risk
management with corporate strategy, less than one-third think efforts to anticipate
and measure emerging risks or recruiting and retaining people with appropriate
expertise are effective. And one-quarter say their firms are good at aggregating risks
at the enterprise level or instilling risk awareness throughout the organization.
Companies manage regulatory risk well, but are weak in other areas
How would you rate the effectiveness of your organization at the following
activities?
(Percentage of respondents who selected 1 or 2 on a 5-point scale, where 1=Very effective
and 5=Not at all effective)


Managing regulatory compliance

69 %

Linking risk management with corporate strategy

45 %

Ensuring clear lines of reporting for risk information to be escalated to
board level

43 %

Ensuring that information about risk reaches the right people

42 %

Ensuring quality and availability of data

40 %

Ensuring that risk information is timely and up-to-date

37 %

Communicating risk information to investors

34 %


Ensuring that sufficient board time and resources are allocated to risk issues

29 %

Anticipating and measuring emerging risks

29 %

Recruiting and retaining appropriate risk expertise

26 %

Aggregating risks at the enterprise level

25 %

Instilling awareness of risk throughout the organization

23 %

Looking ahead, executives see a shortage of available expertise as the greatest
barrier to more effective risk governance. Yet they are not bringing risk experts into
the C-suite: 30 percent of respondents say their organization has a CRO in place (less
than one-fifth for smaller companies), and 63 percent have no plans to recruit one. The
general group is more inclined to have either a CRO in place or have plans to recruit
one, although the difference is slight.

© 2009 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the
independent member firms of the KPMG network are affiliated. All rights reserved. 21452NSS



Risk Management in the Pharmaceuticals and Life Sciences Industry 9

Risk processes and data quality and availability are
the top priorities in next 12 months
Over the next 12 months, which of the following aspects of risk management will be the main
priority for your organization? (% of respondents)

Risk processes
Data quality and availability
Training of nonrisk professionals in risk
Technology
Retraining of risk professionals
Recruitment of risk professionals
Other, please specify

0%

5%

10%

15%

20%

25%

30%


Although they see the lack of expertise as a barrier, the priority for the pharmaceuticals and life sciences executives for the next 12 months is on improving risk
processes, followed by improving data quality, and availability. Efforts to improve
expertise will be limited to training nonrisk professionals in risk, rather than recruiting
or retraining risk professionals.
Has your organization recruited, or does it plan to recruit,
the following individuals or entities?
(% of respondents)

30%

Chief risk officer

6%

35%

Risk committee

Board level executive
with ultimate accountability
for risk management

15%

33%

0

10


20

Already in place

63%

49%

11%

30

40

56%

50

60

Plan to recruit

70

80

90

100


No plans to recruit

While this approach to the people who are managing risk appears contradictory, it could
be an attempt to spread risk awareness throughout the organization, countering an
identified weakness. Pharmaceuticals and life sciences executives see embedding risk
in decision-making processes as key to instilling a risk culture in their companies. An
alternate explanation is that executives in this industry do not see the value of investing
further in risk management, given what they perceive as its slight contribution to some
of the more tangible corporate goals. Almost one-half of respondents (49 percent) say
risk management helps increase shareholder and stakeholder value and 48 percent feel
it improves corporate reputation. But only one-third (34 percent) think it has a positive
impact on revenue and 38 percent believe it helps with cash flow.

© 2009 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the
independent member firms of the KPMG network are affiliated. All rights reserved. 21452NSS


10 Risk Management in the Pharmaceuticals and Life Sciences Industry

Conclusion
The picture painted by these findings is of an industry that pays
attention to what it perceives to be its most important risk—regulatory
risk. But it could be vulnerable to being sideswiped by other risks,
such as financial fraud, counterfeiting or being targeted by organized
crime, to name a few.
The temptation in industries subject to high levels of regulation is to
rely on the regulators to detect and mitigate emerging risks before
they become problematic. The experience of the financial services
industry serves as a cautionary tale. Companies in the pharmaceuticals and life sciences industry should strive to do a better job of
making risk management a company-wide effort aimed at managing

familiar risks while constantly scanning the horizon for new ones.

© 2009 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the
independent member firms of the KPMG network are affiliated. All rights reserved. 21452NSS


Risk Management in the Pharmaceuticals and Life Sciences Industry 11

KPMG Commentary
This year has been unprecedented in recent memory, with the global economic
situation compounded by the prospect of healthcare reform in the United States
and in other markets around the world. While waiting to see what potential reform
legislation will bring, the fundamental drivers of the pharmaceuticals and life sciences
industry have not changed. The pharmaceutical industry remains under constant
pressure to deliver new and innovative products to the market, while biotech
companies are pressed to succeed with their own R&D. It is no surprise, given the
importance of a strong cash position and depressed market values that this year has
seen significant mergers and acquisitions, including Eli Lilly’s acquisition of ImClone,
Roche’s taking full ownership of Genentech, and Pfizer’s acquisition of Wyeth.
At the same time, the industry faces the ongoing challenges of profitability. Many
companies are continuing to cut costs and restructure operations by reducing sales
forces, eliminating redundancies in merged companies, pursuing joint ventures, and
collaborating in various ways on research, marketing, and distribution.
KPMG firms have continued to raise concerns about the management of risks
inherent in such transformation. Now, the heightened focus on regulatory compliance
raises questions about organizations’ ability to keep pace with the changing business
model. Life sciences companies—especially pharmaceuticals and biotechs—are
transforming from “complete businesses” with all their core and noncore processes
managed within each corporation to an increasingly complex web of third-party
relationships (i.e., sources, alliances, and suppliers in countries around the world).

In this time of transition, it is important for the board and management of the “core
entity” to ask whether they are comfortable with:
1) Their own approach to managing risk in their third-party relationships
2) The other parties’ compliance with the letter and spirit of the contracts
3) The other parties’ own regulatory compliance practices regarding clinical,
manufacturing, distribution, sales & marketing, financial reporting, and legal matters.
Even after a “meeting of the minds” memorialized in a signed agreement between the
parties, are the Board and management comfortable that their contract research organization would pass an FDA inspection? If not, would the company’s entire clinical trial
be shut down? What if the operations in their contract manufacturer were shut down
by the FDA and their product recalled? How would they manage their inventory and
delivery commitments? Is there a communications process to mitigate damage to the
company’s reputation with customers, and consumers real time?
In sum, does the company have a risk management process in place that enables
the identification of potential risks and the implementation of controls across their
entire organization and third-party relationships? It is not sufficient to address the silos
within the parent company for example, between operating divisions and the risk
management function. Companies need to be aware of the risks not only in their own
organization, but also in their third-party vendors. They need to view their enterprise—
and enterprise risks—in this broader context.

© 2009 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the
independent member firms of the KPMG network are affiliated. All rights reserved. 21452NSS


kpmg.com

For more information, please contact:
Ed Giniat
Global Chair, Pharmaceuticals
U.S. Sector Leader –

Healthcare & Pharmaceuticals
+1 312-665-2073


David Blumberg
U.S. Advisory Sector Leader –
Pharmaceuticals
+1 267-256-3270


The information contained herein is of a general nature and is not intended to address the circumstances of any
particular individual or entity. Although we endeavor to provide accurate and timely information, there can be
no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate
in the future. No one should act on such information without appropriate professional advice after a thorough
examination of the particular situation.
The views and opinions expressed herein are those of the survey respondents and do not necessarily represent
the views and opinions of KPMG International or KPMG member firms.

Chris Stirling
European Chair –
Pharmaceuticals
+44 0 20 7311 8512


© 2009 KPMG International. KPMG International is
a Swiss cooperative. Member firms of the KPMG
network of independent firms are affiliated with
KPMG International. KPMG International provides
no client services. No member firm has any
authority to obligate or bind KPMG International or

any other member firm vis-à-vis third parties, nor
does KPMG International have any such authority
to obligate or bind any member firm. All rights
reserved. Printed in the U.S.A. KPMG and the
KPMG logo are registered trademarks of KPMG
International, a Swiss cooperative. 21452NSS