Skip to main content
Poole College of Management
Enterprise Risk Management Initiative
ERM Leadership and Governance

Enterprise Risk Management at Bristol-Myers Squibb Company

December 1, 2006 4-min. read

Dr. Laurie Smaldone, Vice President-Strategy at Bristol-Myers Squibb Company, was the featured speaker at the ERM Initiative’s December 1, 2006 ERM Roundtable.  Dr. Smaldone highlighted how the New York City based pharmaceutical company manages the complex risks arising in a highly-competitive, FDA-regulated industry. 

ERM Objectives at Bristol-Myers Squibb

Launched in 2003, the company’s ERM approach is directly linked to its strategic planning processes and focuses on three key objectives:

  • To have a sustainable process to proactively identify, analyze, and manage risks
  • To get ahead of risks before they become costly and disruptive
  • To enable innovation and opportunity to drive business growth

Seeing a need to help business leaders move into new markets and launch new products, senior management sought to centralize its process of identifying and managing key risks affecting the company’s strategy and growth plans.  Much of the drive towards the launch of ERM was fueled by the realization that the absence of a formalized process leaves risk appreciation to inconsistent methods and surprises and causes risk responses that lead to reinvention of processes and inefficient operations across a company that consists of 43,000 employees.

Defining “Risk” at Bristol-Myers Squibb

One of the challenges to managing risks across any complex enterprise often begins with the need to clarify communications and terminologies related to risk management.  Bristol-Myers Squibb recognized the need to clarify basic terms, including the term “risk,” to ensure that all employees are focused on a common view of what should be managed.  Instead of developing a list of specific categories of risks, the company defines “risk” as “any uncertainty to achieving an expected outcome that has a significant impact of strategic goals, financial results, reputation, customers, and shareholders.”  Such risks can arise from internal or external events and can occur at the business unit, functional level, or corporate-wide.

Key Components for ERM

Dr. Smaldone identified four key components to effective ERM practices at Bristol-Myers Squibb:  Leadership, Culture, Governance, and Process.

Leadership and Culture

Many organizations often focus first on developing detailed ERM processes when launching an enterprise-wide approach to risk management.  Unfortunately, for many of these organizations, ERM programs never get off the ground and ultimately fail due to an oversight of the importance of having senior executive and board leadership and effective governance that supports and encourages an enterprise-wide, holistic approach to risk management.  Dr. Smaldone emphasized, based on her experience, that the launch of an ERM program often creates a huge cultural shift on how business units should identify and transparently report risk information within the organization’s ranks.  This shift in culture takes time, faces hurdles, and can be difficult to overcome. ERM cannot work without senior executive leadership that signals the value and importance of a coordinated, holistic approach to entity-wide risk management.  Training and education of key employees has also been a key ingredient to ERM at Bristol-Myers Squibb.

Governance

For ERM to be value-adding, the outcomes of any ERM process should be transparent to internal decision makers, including the board of directors, so that it facilitates decision making.  Effective ERM requires engagement of the board, which ultimately is responsible for overseeing management’s risk management processes and strategic planning. Thus, key business leaders need to be provided risk management information arising from core business reviews and corporate review committees.

Process

To provide information that can be relied upon to produce strategic value, an ERM program must lead to a stable risk identification and risk management process.  As well, resistance to ERM can often occur if it is viewed as adding layers of process and bureaucracy.  Dr. Smaldone described how the company has worked hard to align the risk oversight process with decision making.  To do so, they have looked for ways existing processes provide key risk information with the goal of identifying intersections of risk management within related business functions.  They have also worked on developing a standardized process for analyzing risks that keeps it simple, yet informative.

To assess risks, the company uses a “prism” for viewing risks that emphasizes considering potential risks from multiple perspectives.  For example, risk events are considered from the perspective of the media, business partners, shareholders, financial markets, regulators, customers, and employees.  This helps establish the context that enables the identification of what can happen, including how, when, and where it might occur, and the impact if it occurs. Furthermore, action plan updates occur to help ensure that risk management activities are on target, metrics are reviewed, and goals have been achieved so that the remaining residual risk is acceptable.

ERM Critical Success Factors

Based on her experiences, Dr. Smaldone noted the following as critical success factors for any ERM effort:

  • Keep it simple
  • Obtain leadership support – absolutely critical
  • Customize approach when applicable
  • Train all participants
  • Leverage existing governance and processes
  • Integrate with decision making bodies
  • Prepare, prepare, prepare
  • Seek a professional ERM team comprised of individuals with different experiences and fields of expertise
  • Recognize it is unlikely to be done exactly “right” the first time

Evolution of ERM

Like most companies that have launched an ERM approach to risk management, Bristol-Myers Squibb is continuously looking for ways to improve its approach to ERM.  Dr. Smaldone emphasized that demonstrating the value of ERM is extremely challenging, often taking from months to years to achieve desired risk management outcomes.  She noted that Bristol-Myers Squibb views its ERM approach as dynamic and evolving.

Click below for a link to the presentation.

More From Enterprise Risk Management Initiative

How do you effectively communicate risk insights to a board of directors?

Approaches to Communicating Risk Insights
cover fo 2024 global risk oversight

2024 Global State of Risk Oversight: Managing the Rapidly Evolving Landscape
photo of woman with e-tablet.

Techniques to Prioritize and Monitor Risks