Risk management

Novo Nordisk’s risk management process is governed by Executive Management and designed to ensure that key business risks are effectively identified, assessed and mitigated so that they do not affect the company’s ability to achieve its business objectives. The risk management system covers the entire company in terms of geography, activities and functional areas.

The Risk Management Board, established by Executive Management, is responsible for setting the strategic direction for the risk management process and challenging the overall risk and control profile for Novo Nordisk. The Board consists of senior management members representing relevant parts of the global organisation and is chaired by the chief financial officer.

All business activity has inherent risk. Our policy for risk management is to proactively manage risk to ensure continued growth of our business and to protect our people, assets and reputation. This means that we:

  • utilise an effective and integrated risk management system while maintaining business flexibility
  • identify and assess material risks associated with our business
  • monitor, manage and mitigate risks.

Our risk willingness depends upon the specific category of risk:

  • We develop new innovative products to improve treatment of serious diseases such as diabetes and haemophilia. We accept the high level of risk involved in bringing new products to market that meet the needs of patients in terms of both safety and efficacy.
  • The safety of patients is paramount to us. We make every effort to reduce safety risks to the lowest level possible in both clinical trials and already marketed products.
  • We take a conservative approach to the management of financial risks.
  • We strive to reduce supply chain risks through proactive business continuity planning, regular inspections and back-up facilities.
  • We strive to reduce any risks to people, communities and the environment related to our business activities.
  • We never compromise on quality and business ethics.

The enterprise risk management system

At Novo Nordisk, management teams in all organisational areas are responsible for continuous identification, assessment, and mitigation of risks. All areas have procedures and infrastructure to ensure successful management and reporting of risks, with dedicated local risk coordinators facilitating the process and providing advice and training. This setup allows us to respond to risks in a timely manner, and ensures that the Risk Management Board receives a comprehensive overview of risks.

Each quarter, management teams are required to report to the Risk Office their most significant risks, along with assessments and an overview of implemented mitigations and next milestones (see Figure 1). All risk assessments take into account the likelihood of an event and its potential impact on the business. Impact is quantified and assessed in terms of potential financial loss or reputational damage. Risks are assessed both as gross risk and net risk. The assessment of gross risk assumes that no mitigating actions have been implemented, whereas net risk assessment takes into account mitigation actions and their anticipated effect.

The Risk Office, which serves as the secretariat of the Risk Management Board, then challenges management on the reported risk information and, on a quarterly basis, consolidates the reported risks into a corporate profile containing the company's key risks. This information, along with assessments, implemented mitigations and next milestones, is presented to the Risk Management Board, which challenges the overall risk and control profile of Novo Nordisk. The final risk profile is reviewed by Executive Management, the Audit Committee and the Board of Directors.

Success criteria for the risk management system

Specific Key Performance Indicators are in place to ensure that risk management is carried out on a continuous basis. This includes ensuring that no major risks materialise that have not been reported to the Risk Management Board.

What makes the risk management process robust is the responsibility of management teams and risk coordinators to identify, assess, mitigate, and report risks. The Risk Office is responsible for supporting the organisation in fulfilling this responsibility. It does so by conducting regular workshops and training sessions to equip local management teams with the necessary understanding and tools related to risk management and reporting. In addition, every year the Risk Office runs creative risk-thinking exercises with a view to identifying emerging risks and trends.

On an ongoing basis, the Risk Office actively collects and disseminates internal and external best practices, and shares them with the organisation via guidance documents, booklets, and during training events. Furthermore, the Risk Office works continuously to identify and implement relevant improvements to the risk management system.