In this article, Eli Lilly & Co. examines risk management in the context of partnerships with other companies.
By Nathan M. Knies and Michael W. Magdycz
The news is full of announcements of large alliance partnerships in all facets of business, as companies seek synergies to grow their businesses faster. At the same time, we see a corresponding number of reports about partner company and supplier issues, particularly privacy and intellectual property data breaches, that negatively impact a company’s information technology, regulatory, and operating environments.
Given the prevalence of these problems, third-party risk management is an increasingly important topic, as an organizational discipline or as a distinct corporate function. Companies are strengthening existing risk management and creating new programs to manage third-party and even fourth-party risks.
As a matter of course, management teams continually consider organizational risks, including reliance on third parties and the risks that might introduce. Eli Lilly and Company’s Jim Ward, Vice President of Finance and General Auditor, notes, “At Lilly, we consider third-party risk management a core capability to protect the company and the patients we serve. With the proliferation of alliances within our business at all stages, from early development through commercialization, it is important to ensure we manage risks within alliances as we work to maximize their value.”
In this article, we examine risk management in the specific case of alliances—partnerships between one or more companies designed to create value beyond what each company may have been able to accomplish alone.
Before we dive in, it might be useful to take a quick look at how we carry out risk management in our own everyday lives. Risk management is often a seemingly unconscious behavior, as we lock doors, use face recognition to unlock phones, or require passwords to prevent unwanted risks from affecting our lives. We might use security companies, video doorbells, or baby night monitors to warn us when things might be going wrong.
What is risk management in alliances? Risk Management in Alliances (RMIA) is the process of identifying and prioritizing the internal and external risks to an alliance, and then developing actions to manage those risks and define clear accountabilities. Risk management tools and behaviors may not prevent any single bad thing from happening, but RMIA helps mitigate risk levels, based upon the corporation’s appetite for risk.
It is well documented that there are three types of risk in alliances: business risk, human risk, and legal uncertainties [1]. Employing RMIA provides alliance directors, company leadership, and other key stakeholders with greater confidence that appropriate guardrails are in place to protect an organization’s investment. Gordon Brooks, Lilly’s Chief Procurement Officer, says, “It is important that all of our alliances create the value that the companies intended when we signed the deal. It is also important at Lilly that while we endeavor to create value, we also have the appropriate organizational controls in place in our corporate risk management group to manage the risks and uncertainties inherent in alliances.”
Corporate risk management may be perceived by some to be a negative process, one that creates roadblocks to getting alliance work done. We would argue that it is far from that. Applying RMIA tools to the business, human, and legal risks in an alliance can enable you to proceed confidently in alliance work and in engagement with alliance counterparts.
Alliance teams can incorporate preventive and detective risk behaviors to manage internal company risks and even those of the alliance as a whole. Risk models come in all shapes and sizes and are prevalent across the business community, especially at the enterprise level. Commonalities in these types of models include:
Similar to airlines’ use of highly structured safety programs for pilots, flight attendants, and ground crew, alliances can benefit from developing a culture of risk management. For successful risk identification, assessment, and mitigation to occur, key alliance stakeholders should be included at the appropriate times. Such stakeholders include alliance directors, business leadership, finance, legal, regulatory, human resources, and other functions that are relevant to the alliance.
The process of RMIA is best undertaken within each company in the alliance, thereby allowing each partner to manage its respective organizational risk profile. RMIA includes four key steps:
Step 1: Identify all major risk domains.
Step 2: Assess the underlying risk drivers.
Step 3: Develop risk-based monitoring activities.
Step 4: Focus on the risks that could have the biggest impact on the business of the alliance.
As a first step, alliance directors and business partners should collaborate to identify relevant risk domains (e.g., business risk, human risk, and legal uncertainties) and related underlying risk categories (e.g., governance, financial controls, or regulatory risks).
Once you have established the major risk categories, consider using a heat map exercise. In the heat map exercise, the team assigns risk categories to a basic two-by-two quadrant grid with one axis measuring the likelihood of the risk occurring and the other the impact to the alliance. In figure 1 below, low-likelihood, low-impact is classified as a green risk area, high-likelihood, high-impact is classified as red, and yellow is in between. Depending on the desired level of precision, the grid size can be increased to three-by-three, four-by-four, and so on.
Following the heat map exercise, the organization may determine that detailed activity-level assessments are needed. Key control activities can be developed and prioritized to mitigate red (high-likelihood, high-impact) risks. These activities would be actively managed and have frequent sponsor-level review. Yellow risks of the high-likelihood, lower-impact or low-likelihood but higher-impact variety might be managed by an assigned subject matter expert and monitored periodically. Green low-likelihood, low-impact risks might be monitored by the business owner and raised only if the risk-measurement heat map has changed.
Having prioritized the red high-likelihood, high-impact categories, what now? Teams can choose to identify business activities and related controls that either prevent or offer early detection of a particular risk. You can assign owners, develop required documentation, and determine control activity frequency. Business leadership may define a group of key controls to address critical business operations, human risks, or legal uncertainties.
Control activity reviews are analogous to alliance health checkups. You identify gaps and try to determine where the breakdown might have occurred—was it processes, technology, training, or something else? A control activity review might seem a lot like an internal audit, especially since many alliance contracts appropriately include audit provisions. The difference is that RMIA is purposely designed to reduce the likelihood of audit triggers occurring. And in the event of an audit, RMIA provides for good documentation and record keeping consistent with the alliance contract.
The creation of an RMIA plan ideally should occur at the inception of an alliance, or shortly thereafter. That said, risk management is not just a one-and-done activity, but rather an ongoing behavior, similar to locking our cars or setting an alarm. As alliance goals and business drivers mature and change, so should the risk management plan. Refresh at key alliance milestones, such as annual business planning or strategy sessions.
A thoughtful and tailored risk management program can add great value to an organization, ensure quality communication between partners on views of risk, and potentially reduce alliance conflict. When the risk management value proposition is combined with a strong communication plan, encompassing both executive leaders and people performing the work, alliance directors will achieve measurable results that put the alliance in a stronger position to create the value that the partners intended.
Nathan M. Knies, CPA, CIA, MBA, is a consultant at Eli Lilly and Company, where he leads the source-to-payment and third-party risk management process integration within Lilly’s overall global third-party risk management program (firstname.lastname@example.org).
Michael W. Magdycz, R.Ph., CA-AM, was formerly director of alliance management at Eli Lilly and Company, where he directed international alliances and oversaw country-level alignment of international alliance commercial resources. He is currently advisor, corporate business development transactions at Eli Lilly and Company (email@example.com)
The authors would like to thank Eli Lilly and Company colleagues Jim Ward, VP of Finance and General Auditor, Gordon Brooks, Chief Procurement Officer, and David S. Thompson, Chief Alliance Officer.