Five Factors Holding Back ERM in the Pharma Sector

Cut Through The Noise

Receive a curated digest of key Pharmaceutical and Biotech news, designed for Risk, Compliance and Audit professionals.
A 5-minute read, emailed every Friday.

Despite compelling evidence linking robust Enterprise Risk Management (ERM) to improved financial performance and shareholder value (see: ERM: Marketing Hype or Value add? A review of the empirical data), many pharma and biotech organizations fail to realize its full potential.

This article sets out five key reasons we commonly see that help explain why ERM initiatives often underperform in the sector and, more importantly, what Heads of Risk in pharma and biotech companies can do to overcome them.

1. Misconceptions and Confusion

ERM, despite its 20+ year history, remains a widely misunderstood concept. Many stakeholders mistakenly equate ERM with compliance or audit, viewing “risk management” as a narrow, regulatory-driven obligation, rather than as a company-wide strategic discipline.

This fundamental misconception clouds expectations and can limit ERM’s potential impact in supporting the management of a broad range of critical risks, such as those related to M&A, clinical development, market access, pricing, and operational execution.

This confusion is often further compounded in the pharma and biotech sectors given the prevalence of well-established, “traditional” risk management practices already embedded within Functions such as GxP, Quality Assurance (QA), Pharmacovigilance (PV) and others. This can lead to multiple siloed approaches and inefficient, parallel risk management programs that produce inconsistent findings and disjointed risk reporting for leadership teams.

Recommended Actions for Heads of Risk to Help Address These Challenges:

    • Clarify ERM’s scope: Emphasize ERM’s role in managing strategic, operational, financial, and compliance risks, while also highlighting its distinction from existing departmental risk teams.
    • Proactively engage with those other departments already performing formal risk management activities: It is important to ensure close collaboration with these teams, such as GxP, QA and PV, and for them to recognize that ERM is designed to complement and enhance their existing risk management activities, not to replace them.
    • Educate stakeholders: Conduct regular training sessions to dispel misconceptions and showcase ERM’s value in achieving business objectives with example use cases.

2. Insufficient Senior Management Buy-In and Support

A common challenge for ERM programs is securing genuine buy-in from senior leadership. While we appreciate that these individuals face relentless demands on their time, a lack of dedicated support from them for ERM can become a critical roadblock to its adoption.

Disillusioned by past experiences, perhaps due to receiving uninspired risk reporting that offered little practical value, leaders can often approach ERM as a mere “tick-box” exercise with little strategic or commercial use. This can lead to superficial support without truly championing ERM or embedding it into the organization’s existing business processes.

Without visible, active, and consistent sponsorship from the top, the rest of the organization may receive an implicit message that ERM is not a priority. This can manifest as a reluctance to share individual views and perspectives during risk discovery interviews, low levels of engagement during risk workshops, and ultimately, the failure of the ERM program to help the business succeed.

Recommended Actions for Heads of Risk to Help Address These Challenges:

    • Secure executive sponsorship: Identify and engage senior leaders who understand ERM’s value and can champion it across their peer group, Function or Affiliate / Cluster, and the wider organization.
    • Demonstrate ERM’s strategic value: Showcase, via relevant case-studies that resonate with each individual and team, how ERM can improve their decision-making capabilities, enhance resilience, and support the achievement of key business goals, like successful drug launches and market expansion efforts.
    • Develop Impactful Risk Reporting: Design reports that are accessible, focused, action-oriented, and visually appealing. Use data effectively to encourage debate, inform decisions, and track risk exposures and trends over time.

3. Overlooking the Basics

A major pitfall in ERM implementation is weak fundamentals and/or the reliance on a generic, “one-size-fits-all” framework that fails to account for an organization’s unique culture, size, and industry context.

While there is much value in adopting recognised good practice, relying solely on a “cookie-cutter” approach often results in an ERM program being perceived as overly generic, out of touch, and ultimately unfit for purpose. In the pharmaceutical and biotech industry, this is particularly problematic, as these simplistic frameworks may clash with the industry’s scientific, data-driven culture and the need for ERM to take into account the sector’s unique risk landscape.

Furthermore, overly burdensome, bureaucratic, and time-consuming risk processes can actively discourage engagement, especially within companies that value, and seek to foster, a culture of agility and innovation. While not wanting to sacrifice rigour, the formal risk processes and reporting requirements must be ‘user-friendly’ and respectful of people’s time.

Recommended Actions for Heads of Risk to Help Address These Challenges:

    • Tailor the ERM framework: Ask for stakeholder views on what they need and expect from ERM and then customize the framework, tools, and processes to align with those preferences, as well as the company’s culture and risk profile.
    • Establish Sound ERM Fundamentals: Focus on mastering the basics first. Remember: Da Vinci painted the Mona Lisa with just three primary colours. Use consistent risk terminology, craft well-articulated risk descriptions, deploy objective measurement criteria, and ensure there is clear accountability for each individual risk.
    • Design user-friendly processes: Ensure that risk assessment, reporting, and monitoring processes are practical, efficient, and easy to understand by users, including your network of Risk Champions.

4. Lack of Integration with Business Processes and Insufficient Alignment with Strategy

Another serious flaw in many ERM programs is their frequent isolation from core business processes, such as strategic planning, budgeting, and performance management activities. While maintaining independence to provide objective challenge is essential, a complete disconnect can marginalize ERM, framing it as an afterthought rather than an integral part of running the business.

When ERM fails to take into account key business objectives and performance indicators (which should be the core basis for informing risk identification), its relevance and impact on overall organizational success, and the benefit to individuals using the framework, become obscured.

In the pharmaceutical industry, this lack of integration can often result in a failure to incorporate proactive risk considerations into crucial processes like R&D pipeline management, clinical trial design, and market access strategies. Consequently, risk management becomes more reactive, seeking to address (or merely commentate on) issues and problems after they arise, rather than identifying and mitigating potential threats in advance.

Furthermore, many ERM programs suffer from a narrow, internal focus, neglecting the broader industry landscape and emerging trends. This inward-looking approach limits the ability to anticipate and prepare for external risks (such as macroeconomic, geopolitical and regulatory developments, as well as cyber threats) that could significantly impact the organization’s future.

Recommended Actions for Heads of Risk in Pharma to Help Address These Challenges:

    • Embed ERM in key processes: Integrate risk assessments into strategic planning and annual budgeting cycles and other relevant processes (such as M&A due diligence, major projects, compliance risk assessments etc.).
    • Align ERM with business objectives: Ensure that the ERM framework directly supports the achievement of the organization’s strategic goals and addresses the impact of risks on key performance indicators.
    • Offer an external perspective: Regularly monitor the external environment, including regulatory changes, competitor activities, and emerging risks, and share these with internal stakeholders to promote a more robust risk assessment exercise.

5. Underinvestment in ERM Resources and Lack of Continuous Improvement

Justifying the necessary time and monetary investment needed to fully realize the potential of ERM can be challenging, particularly when the issues highlighted above are present. This often leads to under-resourcing and a struggle to attract and retain skilled risk professionals.

This issue is further complicated by the broad skillset required of ERM practitioners, with the role demanding not only technical risk management expertise but also strong “soft skills” such as communication, facilitation, and influence – a rare combination that is often in short supply.

Beyond personnel, a lack of investment in the ongoing development and improvement of the ERM program itself, including in technology platforms and the ability to leverage existing data assets, can be detrimental. RMO & Partners, for example, have successfully deployed a range of Artificial Intelligence and Machine Learning tools to dramatically improve the quality of risk intelligence generated for pharma leadership teams, as well as strengthening the depth of data analytics performed to help inform risk assessment exercises.

Failing to regularly solicit feedback, address concerns, and adapt the system based on lessons learned leads to stagnation and disengagement from key stakeholders, including designated Risk Champions.

And without a commitment to continuous improvement and the ongoing development of more sophisticated capabilities (such as key risk indicator development, risk quantification and modelling, and risk appetite articulation), even a well-designed ERM program will stall, lose momentum and eventually become less effective.

Recommended Actions for Heads of Risk in Pharma to Help Address These Challenges:

    • Measure and Demonstrate ERM’s Impact: Track key metrics, such as company engagement surveys and changes in incident rates or loss events to help build a compelling business case for ongoing investment. You could even compare your company’s relative performance to competitors with less mature ERM programs.
    • Leverage technology: Explore the use of technology, such as AI and data analytics, to enhance risk identification, assessment, and monitoring.
    • Create a talent pipeline and bespoke development pathway: Recruit and train individuals with (or who have the potential to develop) the broad array of necessary technical and soft skills to effectively deploy ERM.
    • Foster a culture of continuous improvement: Regularly review and update the ERM framework, tools, and processes to reflect feedback from stakeholders, evolving best practices and the changing risk landscape.

Conclusion

The path to realizing the full value of ERM in the pharmaceutical and biotech sector is a complex and, at times, arduous one. As a Head of Risk in the sector, you are not alone in facing these challenges. By identifying the key root-causes holding your organization back, and by adopting the recommended actions outlined above to address these headwinds, you can build a robust ERM framework that truly delivers the tangible results promised by numerous academic studies and our Partners’ real-world experience.
