Novo Nordisk’s risk management process is governed by Executive Management and designed to ensure that key business risks are effectively identified, assessed and mitigated so that they do not affect the company’s ability to achieve its business objectives. The risk management system covers the entire company in terms of geography, activities and functional areas.
The Risk Management Board, established by Executive Management, is responsible for setting the strategic direction for the risk management process and challenging the overall risk and control profile for Novo Nordisk. The Board consists of senior management members representing relevant parts of the global organisation and is chaired by the chief financial officer.
All business activity has inherent risk. Our policy for risk management is to proactively manage risk to ensure continued growth of our business and to protect our people, assets and reputation. This means that we:
Our risk willingness depends upon the specific category of risk:
In Novo Nordisk, management teams in all organisational areas are responsible for continuous identification, assessment, and mitigation of risks. All areas have procedures and infrastructure to ensure successful management and reporting of risks, with dedicated local risk coordinators facilitating the process and providing advice and training. This setup allows us to respond to risks in a timely manner and ensures that the Risk Management Board receives a comprehensive overview of risks.
Each quarter, management teams are required to report to the Risk Office their most significant risks, along with assessments and an overview of implemented mitigations and next milestones (see Figure 1). All risk assessments take into account the likelihood of an event and its potential impact on the business. Impact is quantified and assessed in terms of potential financial loss or reputational damage. Risks are assessed both as gross risk and net risk. The assessment of gross risk assumes that no mitigating actions have been implemented, whereas net risk assessment takes into account mitigation actions and their anticipated effect.
The Risk Office, which serves as the secretariat of the Risk Management Board, then challenges management on the reported risk information and, on a quarterly basis, consolidates the reported risks into a corporate profile containing the company’s key risks. This information, along with assessments, implemented mitigations and next milestones, is presented to the Risk Management Board, which challenges the overall risk and control profile of Novo Nordisk. The final risk profile is reviewed by Executive Management, the Audit Committee and the Board of Directors.
Specific Key Performance Indicators are in place to ensure that risk management is carried out on a continuous basis. This includes ensuring that no major risks materialise that have not been reported to the Risk Management Board.
It is the responsibility of management teams and risk coordinators to identify, assess, mitigate, and report risks, and it is this that makes the risk management process robust. The Risk Office is responsible for supporting the organisation in fulfilling this responsibility. It does so by conducting regular workshops and training sessions to equip local management teams with the necessary understanding and tools related to risk management and reporting. In addition, every year the Risk Office runs creative risk-thinking exercises with a view to identifying emerging risks and trends.
On an ongoing basis, the Risk Office actively collects and disseminates internal and external best practices, and shares them with the organisation via guidance documents, booklets, and during training events. Furthermore, the Risk Office works continuously to identify and implement relevant improvements to the risk management system.