Building lasting value for the life sciences industry
Crowe Risk Consulting
Audit / Tax / Advisory / Risk / Performance
Smart decisions. Lasting value.™
Biotechnology, medical device, and pharmaceutical companies operate in a business environment that’s highly innovative but also highly regulated and exposed to risk. Crowe Horwath helps life sciences organizations meet governance, risk, and compliance challenges while providing tools, techniques, and guidance that can help clients make smarter decisions and build lasting value.

Unique risk profile of the life sciences sector
Although no single risk profile applies in the same fashion to every life sciences organization, some risks are highly prevalent. Given the depth and increasing complexity of regulations around the world, for example, companies are likely to incur ethics- and compliance-related risk, especially when operating across multiple jurisdictions.
In addition, companies are highly dependent on advanced IT infrastructure, systems, and data. Even the most sophisticated systems are at risk of intrusion and cyber crime, which may result in a loss of intellectual property and significant business disruption.
As companies focus on high-reward innovation and speed to market, they create complex value chains dependent on ethical and reliable performance by alliance partners and other third parties. The business model for the extended enterprise offers many advantages, but the risks are not easily shed. The overall accountability remains with life sciences organizations and their leaders.

Prevalent risks
Unmitigated risks have the potential to keep organizations from achieving objectives. Life sciences leaders are obligated to understand the diverse array of risks facing their organizations to maximize the likelihood of achieving strategic business goals. Risks with the potential to affect life sciences organizations may include:

Pricing and reimbursement
Price controls, value-based payment models, and other measures that compress profit margins and diminish financial performance are being instituted by governments and other payers. In addition, the likelihood of pricing- and reimbursement-related impact is rising due to payer landscape shifts. Patients are increasingly likely to protest barriers affecting access to innovative medicines, increasing the strain.

Information security
Harm from breaches in data security, theft of intellectual property, or disruption of ongoing business operations can result from nefarious hackers enabled by purposeful or inadvertent security and compliance failures.

Material/catastrophic compliance failure
Additional business challenges arise from the expanding list of regulatory expectations. Compliance failures can subject a company to fines and penalties, significant reputation damage, and disbarment from payer and government programs – a “death penalty” of sorts.

Third-party risk
Risks such as compliance, information protection, and safety increase exponentially as they cross the extended enterprise of third-party vendors and suppliers. The potential impact includes damage to reputation and substantial financial penalties.

Safety
Manufacturing or quality control problems may hurt patients while exposing an organization to product liability claims requiring costly remediation with associated long-term impact on the brand. The proliferation of counterfeit products creates additional risk for patients and manufacturers alike.

Geopolitical
Patent protection can be undermined after expansion of operations to countries vulnerable to political and economic instability. Global expansion may affect distribution channels and heighten exposure to currency risks.

Changing competition
The competitive environment can change overnight. Innovations – including those from nontraditional competitors – can render market-leading treatments obsolete, and patent expirations create the potential for competitors to hurt sales and financial results.

Access to talent
Failure to engage effectively with employees can have strategic ramifications. Long-term plans are needed to address recruitment and retention of personnel, executive, and managerial talent.

Aging populations
Improved healthcare regimens around the world are resulting in extended life spans. With increased age comes increased likelihood of chronic disease, with commensurate strain on budgets and programming. Although aging populations create additional risks for life sciences companies, there is also potential for competitive advantage.

crowehorwath.com/lifesciences

Sustainable risk management
Embedding risk management across the life sciences value chain
Life sciences organizations often have networks of suppliers to support the end-to-end sequence of business processes – encompassing research, development, manufacturing, distribution, and commercialization. Risks with the potential to affect the ability to accomplish business objectives can emerge from many sources. Using external vendors and suppliers – although often necessary – adds complexity to the extended enterprise (“extraprise”).
Life sciences value chain: the integrated set of systems and processes to create and deliver value to customers
[Figure: Life sciences value chain. Primary activities: Research, Development, Manufacturing, Distribution, Commercialization. Crowe Sustainability Risk Management: Transform Governance, Embed Risk Management in Decision-Making, Maintain Efficient Compliance. Outcome: Lasting Value.]
The life sciences value chain diagrammed here is adapted from the value chain theory in Michael E. Porter’s book “Competitive Advantage: Creating and Sustaining Superior Performance.”
A comprehensive risk management framework is needed to appropriately address the myriad of risks facing complex organizations today. The Crowe Sustainable Risk Management (SRM) Framework, a portfolio of solutions enabling effective risk management, is built on the premise that successful risk management processes are built into the strategy, culture, systems, and processes of an organization. Our unique approach can improve the ability of organizations to fully embrace risk as a natural part of doing business and take advantage of the associated opportunities.
Across the value chain Crowe helps life sciences organizations resolve strategic issues by:

Transforming governance
An active, embedded SRM program visibly supported by business leaders maintains awareness and stimulates managers’ insights concerning the shifting conditions that can trigger increased risk. Effective governance clarifies accountability, directs needed resources, and encourages identification and correction of missteps early – before the business suffers significant impact. Highly aware leaders are better-positioned to take advantage of the inherent opportunities associated with operating in a high-risk enterprise.

Embedding risk management in decision-making
The Crowe approach builds on existing risk management activities and goes further by embedding an understanding of business risk as a fundamental practice across a broad range of decision-making activities, including budgeting, business continuity, strategic planning, and performance management.

Maintaining efficient compliance
An efficient ethics and compliance infrastructure supports an organization’s efforts to steer clear of fines, penalties, and negative publicity that can result from ethical or compliance-related failures. Life sciences organizations are encouraged to take a risk-based approach, focusing and scaling oversight in the right areas at the right times to maximize impact. Crowe works with life sciences leaders to minimize the barriers that can contribute to organizational resistance and dilute the effectiveness of SRM.

The Crowe model for sustainable risk management
Our Sustainable Risk Management Framework highlights three major domains: leadership, integration, and information. This model helps organizations see how risk management can be embedded in a broad range of activities, including budgeting, business continuity, strategic planning, and performance management.

Leadership
Strategy: Lay the foundation by incorporating formal risk prioritization into organizational goals, strategies, and budgets.
Organization: Define roles, set accountability, and recommend changes using three lines of defense: business unit, risk support functions, and internal audit.
Change management: Integrate improvements into practices and prepare for risk profile shifts. Analyze sources and impacts of change for effective responses.
Culture: Promote a common risk language while sustaining values, strategies, beliefs, and attitudes. Incorporate risk-based thinking into business plans, employee training, and individual performance plans.

Integration
Break down risk silos to share and build on collective risk management efforts across the enterprise. Promote collaboration to strengthen risk management infrastructure and processes. Incorporate revised practices for improved decision-making.

Information
Assess by using techniques such as risk maps, root cause analysis, and prioritization tools.
Respond through the use of tolerance analysis, internal and third-party investigations, and corrective action.
Monitor through observation of context, internal assurance, and systems for governance, risk, and compliance.
Report using risk transparency dashboards, indicators, and other technologies for decision support.
Leverage best practices, and include experiential feedback.

[Figure: Crowe SRM Framework, showing the Leadership (Strategy, Organization, Change Management, Culture), Integration, and Information (Assess, Respond, Monitor, Report, Leverage) domains.]
The Crowe SRM Framework assists life sciences organizations in scoping a wide range of risks, leading to sharper focus on mitigating high-risk areas.

The lasting value of sustainable risk management
• Aligns board members, C-suite executives, and managers at multiple levels to understand risks facing the organization
• Shapes assessments of the environment and frames effective responses
• Supports development of accurate, timely, and relevant metrics that reduce uncertainty in decision-making
• Offers ongoing opportunities to reduce costs, including reduced insurance premiums
• Spotlights process improvements that can reduce losses and waste
• Reassures stakeholders that compliance issues are identified and addressed and that reputation is being protected
• Can contribute to staff morale, growth, and overall company profitability

Ethics and compliance
Monitoring the effectiveness of ethics and compliance programs
Government officials in many parts of the world have signaled their intention to hold companies, as well as individual leaders, accountable for compliance failures. At Crowe, we understand that maintaining a robust, comprehensive, and cost-effective compliance program is challenging, particularly when factoring in the often conflicting demands of regulatory bodies, industry standards, payer requirements, shareholders, and the workforce. Crowe helps biotechnology, medical device, and pharmaceutical companies implement replicable, scalable processes that support deployment of effectively focused ethics and compliance monitoring programs.

Phase I – Understand the compliance environment.
Phase II – Gather data.
Phase III – Assess compliance program maturity.
Phase IV – Document gaps and enhancement opportunities.
Phase V – Develop a strategic and tactical road map.
Phase VI – Progress monitoring and reporting.

[Figure: Crowe PAR Methodology, a cycle of Phases I through VI enclosed by an outer ring labeled Progress Monitoring and Reporting.]
Crowe PAR Methodology: Represented by the outer gold ring, evidence of effective monitoring and reporting is required by authorities throughout the world.
Source: Methodology diagram for Crowe Program Assessment Road Map (Crowe PAR)

Crowe advises life sciences clients to begin with an assessment to identify and prioritize areas of potential high risk to compliance, thereby providing valuable information to focus the allocation of finite resources. Clarifying the most important risks also allows personnel to assist senior leaders in oversight and mitigation of ethics- and compliance-related risks. Periodic reporting integrates the results of risk assessments, topic-specific analyses, and ethics and compliance monitoring. Having a consolidated view – including a look inward from the external environment – enables ethics and compliance leaders to build support for improving practices and provides evidence of program effectiveness for governance groups, such as the board of directors and external monitors or advisers. Crowe can also transfer knowledge of effective monitoring and reporting best practices so internal teams can continually improve and sustain ethics and compliance program effectiveness.

The seven elements of an effective compliance program
Our goal is to help life sciences companies embed ethical behavior across their extended enterprise so compliance becomes a sustainable business advantage.
Ownership: Governance structure that supports the development and management of an effective compliance program
Policies and procedures: Documented code of conduct that guides the behavior of personnel throughout the enterprise and extended value chain suppliers
Training: Employees, contractors, and management at all levels have educational opportunities that support working compliantly
Communication: Culture that welcomes dialogue about ethics and compliance-related topics
Auditing and monitoring: Continuous analysis of the compliance program’s efficacy
Investigations and disciplinary action: Clear and specific policies regarding the application of disciplinary measures
Corrective action: Policies and procedures address the corrective actions needed to mitigate compliance failures

[Figure: The seven elements (Ownership; Policies & Procedures; Training; Communication; Auditing & Monitoring; Investigations & Disciplinary Action; Corrective Action), shown with the labels “Corrective Action Cycle” and “Risk Assessment.”]

Third-party risk management
Effectively controlling third-party risks
Businesses have many drivers – including speed, efficiency, and cost management – to outsource activities to highly efficient specialists. Relying on vendors and service providers, however, necessitates effective, ongoing third-party risk management (3PRM).
An Institute of Internal Auditors Research Foundation study found that 65 percent of respondents described organizational reliance on third parties as either “significant” or “extensive.” More than three-quarters (78 percent) had either “some concern” or “high concern” about difficulties with monitoring third parties’ risk management practices. A CFO Research Services survey found that 75 percent of respondents had experienced harm due to a third party.1
Third parties can include service providers, supply partners, distributors and agents, licensees and licensors, franchisees, alliances, and joint ventures and investments – and all need to be on the risk radar screen.
Crowe works with life sciences organizations to identify and mitigate risks that could undermine quality and tarnish reputations. Our suite of services helps organizations monitor a wide array of third- and fourth-party – that is, contractors to third parties – providers. Our approach is risk-based, technology-enabled, and linked to enterprise risk management. We help life sciences organizations:
• Assess the maturity of 3PRM programs, identify gaps, and recommend program enhancements
• Optimize programs to improve efficiency and obtain greater value
• Implement specific components or an entire 3PRM program, including tools, processes, and procedures
• Deliver third-party evaluations, run efforts to mediate risk, and provide technology support to sustain 3PRM programs

Improving 3PRM begins with understanding risk exposures and defining responsibilities for third-party risks.
In your opinion, what changes are most needed to help your company identify and manage third-party risk?
• Improving our visibility into the full range of risk exposures with our third-party relationships: 38%
• Defining responsibility for third-party risk more clearly: 32%
• Standardizing risk management processes across my company: 29%
• Improving risk expertise within my company: 28%
• Improving the tools and technology we have available to support third-party risk management: 28%
• Improving communication between my company and third-party companies: 25%
• Gaining more influence over our business partners’ management of risks and controls: 19%
• Overcoming resistance to risk management practices at the operational level: 15%
• Overcoming a lack of interest in third-party risk at the executive level of my company: 10%
Source: “Working Well Together: Managing Third-Party Risk in a More Integrated World,” a report prepared by CFO Research Services in collaboration with Crowe.

Cybersecurity and privacy
Improving cybersecurity and privacy
Cybersecurity experts focused historically on controlling access using firewalls, passwords, and similar measures to prevent attacks. The focus has shifted from prevention alone to proactive incident response, posing questions about how biotechnology, medical device, and pharmaceutical organizations will respond to the next wave of intrusions.
A data breach can cause severe, long-term repercussions. According to a study by Ponemon Institute LLC, breaches cost an average of $154 per record lost.2 Employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or a contributing factor.3
An objective assessment of strengths and weaknesses is a good place to start when designing or upgrading a cybersecurity risk management program. The Crowe approach, which combines input from the leading industry frameworks with our professionals’ deep experience, provides a highly practical, comprehensive approach to assessing cybersecurity risks, exposures, and vulnerabilities.
[Figure: Cybersecurity Domains, spanning People, Processes, and Technology: Governance; Policies and Procedures; Roles and Responsibilities; Risk Management; Resources; Third-Party Risk Management; Regulatory Compliance; Logical Security; Logging and Monitoring; Physical Security; Data Protection; Business Continuity Management; Security Change Management; Employee Management; Security Configuration Management; Threat and Vulnerability Management.]
The program must address all the critical elements that need to be protected in the company.
Privacy is an essential concern for life sciences organizations, especially those managing any type of health information, including clinical trial results or adverse events, or those with a large global employee base. When expanded to include privacy considerations, the more holistic framework would look like the following:
[Figure: Combined Security and Privacy framework. Shared elements: Policies and Procedures; Roles and Responsibilities; Risk Management. Security domains as in the preceding figure. Privacy domains: Notice; Choice and Consent; Collection; Use, Retention, and Disposal; Access; Disclosures to Third Parties; Quality; Monitoring and Enforcement.]
A cybersecurity assessment from Crowe specialists can evaluate:
• Qualifications and capabilities of the internal cybersecurity team
• The state of the life sciences organization’s IT, cybersecurity, and privacy governance and associated procedures
• Preventive controls and awareness training
The Crowe Center for Cybersecurity helps our information security consultants stay at the forefront of identifying, addressing, and preventing problems, including the latest vulnerabilities, exploitation vectors, and configuration data that can lead to data breaches, network failures, electronic fraud, and other suspicious activities.
Our cybersecurity team provides the following services to life sciences organizations:
• Penetration testing and application security
• Information and technology security and privacy assessments
• Security and privacy consulting services
• IT risk management and risk assessments
• Business continuity management
• Incident response and computer forensics
• Third-party and cloud security assessments

Seamless global service delivery for the life sciences industry
Crowe offers a team of professionals with technical backgrounds in accounting, consulting, and technology, and industry experience working with leading public and privately held companies in the life sciences and related healthcare industries.
• Crowe has experience in working with many of the world’s largest life sciences companies.
• Crowe has completed project engagements for global life sciences companies in 35 countries in the past two years.
• Crowe is a leading member of Crowe Horwath International, which is ranked among the top 10 largest professional services networks worldwide – with member firm offices in more than 120 countries.

Gartner 2015 magic quadrant
Crowe Risk Consulting has once again been named a “Challenger” by Gartner Inc. in “Magic Quadrant for Risk Management Consulting Services, Worldwide” by Jacqueline Heng and John A. Wheeler. The full report can be accessed at www.crowehorwath.com/gartner.

ALM Intelligence gives its highest possible ranking to Crowe healthcare cybersecurity services
ALM Intelligence (formerly Kennedy Consulting Research & Analysis) recently released the results of a market research study that assessed 24 firms and their cybersecurity consulting services in the healthcare industry, and Crowe services – including Crowe Risk Consulting and CHAN Healthcare, a subsidiary of Crowe Horwath LLP – received a very favorable assessment. ALM ranked Crowe in its “Vanguard” category, the highest ranking that the well-known consulting research company bestows on firms.

The yellow shading indicates countries with Crowe Horwath International member firms. The gray squares indicate countries where Crowe has completed projects for life sciences clients.

Crowe works with many of the top 50 global Life Sciences companies in a broad number of service areas.

Finance/Treasury
External audits • Financial statement audits • Specialized audits • Fund and portfolio audits
Accounting services • Financial reporting • Accounting advisory • Unclaimed property compliance • Litigation support
Benefit plan audits

Tax
State and local tax • Credits and incentives • Sales and use tax • Real and personal property tax reviews • Unclaimed property risk mitigation • Income and franchise services
Federal tax • Income tax accounting/Thomson Reuters® ONESOURCE™ software • Federal tax compliance and consulting • Cost segregation • Research credits • Medical device excise tax
International tax • Transfer pricing • Global mobility tax services (expatriate) • Foreign tax credit maximization

Internal Audit/Risk
Business risks • ERM • Internal audit • Sarbanes-Oxley • COSO assessment • Capital expenditure audits • Global IA support • Supply chain risk

Operations
Manufacturing • Capital expenditure audits • Working capital • Demand planning • Sales and operations planning • Due diligence and integration efforts
Research, development, and clinical • Systems assessment • 340B provider audits
Commercial • Promotional process assessments • Supplier governance

IT
Development • Mobile apps • Custom applications • Data analytics • Information management • IT due diligence and integration efforts
Security • IT risk assessment • Cybersecurity • Forensic technology

Corp Dev
M&A • Deal structuring and tax optimization
Transaction services • Due diligence • Valuations • M&A integration • Licensing audits

Procurement
• Third-party risk maturity assessment • Third-party audits • Strategic sourcing • Supplier viability • Supplier governance models • Conflict minerals • Selling, general, and administrative expenses

Compliance
• Effective compliance program assessment and remediation • CIA response • Independent reviewer • Forensic services • Investigation support • Anti-bribery and corruption • Policies and procedures review • Program management office/center of excellence • Privacy assessments

Contact information
Mindy Herman, Principal Life Sciences Services Leader +1 317 706 2614 mindy.herman@crowehorwath.com
Jonathan Burnett Risk Consulting Global Leader +33 6 29 65 88 93 jonathan.burnett@crowehorwathgrc.com
Pamela Hrubey, Managing Director +1 317 208 1904 pam.hrubey@crowehorwath.com
Michael Lucas +44 7525 809554 michael.lucas@crowehorwath.com
Kevin O’Sullivan, Principal +1 973 422 7188 kevin.osullivan@crowehorwath.com
Mike Varney, Partner +1 216 623 7553 mike.varney@crowehorwath.com
Vicky Ludema, Managing Director +1 616 752 4214 vicky.ludema@crowehorwath.com

About Crowe life sciences services
For this innovative industry – highly regulated throughout the world – Crowe helps address complex business issues that can hold back achievement of a company’s most critical strategic objectives. The Crowe life sciences services group brings together accounting, consulting, and technology professionals in a highly collaborative and productive global team. Our wide range of competencies and industry experiences combine to produce pragmatic solutions that help our clients build successful, sustainable businesses.

About us
Crowe Horwath LLP is one of the largest public accounting, consulting, and technology firms in the United States. Under its core purpose of “Building Value with Values,®” Crowe uses its deep industry expertise to provide audit services to public and private entities while also helping clients reach their goals with tax, advisory, risk, and performance services. With offices coast to coast and 3,000 personnel, Crowe is recognized by many organizations as one of the country’s best places to work. Crowe serves clients worldwide as an independent member of Crowe Horwath International, one of the largest global accounting networks in the world. The network consists of more than 200 independent accounting and advisory services firms in more than 120 countries around the world.

1. For more results of these across-industry studies, visit http://www.crowehorwath.com/tpr
2. “2015 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2015, https://nhlearningsolutions.com/Portals/0/Documents/2015-Cost-of-Data-Breach-Study.PDF
3. Elizabeth Weise, “43% of Companies Had a Data Breach in the Past Year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. All statements in this report attributable to Gartner represent Crowe Risk Consulting’s interpretation of data, research opinion, or viewpoints published as part of a syndicated subscription service by Gartner Inc., and have not been reviewed by Gartner. Each Gartner publication speaks as of its original publication date (and not as of the date of this report). The opinions expressed in Gartner publications are not representations of fact and are subject to change without notice.
In accordance with applicable professional standards, some firm services may not be available to attest clients.
© 2016 Crowe Horwath LLP, an independent member of Crowe Horwath International
crowehorwath.com/disclosure
MD-16003-002B