Risk management

Novo Nordisk’s risk management process is governed by Executive Management and designed to ensure that key business risks are effectively identified, assessed and mitigated so that they do not affect the company’s ability to achieve its business objectives. The risk management system covers Novo Nordisk in terms of geography, activities and functional areas.

Our approach

All business activity has inherent risk. Our approach to risk management is to proactively manage risk to ensure continued growth of our business and to protect our people, assets and reputation. This means that we:

  • utilise an effective and integrated risk management system while maintaining business flexibility,
  • identify and assess material risks associated with our business, and
  • monitor, manage and mitigate risks. 
     

Our risk willingness depends upon the specific category of risk and examples of such categories are:

  • Delays or failure of products in pipeline
  • Supply distributions
  • Competition and market development
  • Compromises to product quality and patient safety
  • Information technology security breaches
  • Currency impact and tax disputes
  • Breach of legislation or ethical standards
  • Loss of intellectual property rights
     

Please refer to the Annual Report 2019 p.31 for a more detailed description of the above categories and Novo Nordisk’s key risks.

The enterprise risk management system

In Novo Nordisk, management teams in all organisational areas are responsible for continuous identification, assessment, and mitigation of risks. All areas have procedures and infrastructure to ensure successful management and reporting of risks, with dedicated local risk coordinators facilitating the process and providing advice and training. This setup allows us to respond timely to risks.

Biannually, management teams are required to report to the Insurance & Enterprise Risk Department their most significant risks, along with assessments and an overview of implemented mitigations and next milestones. All risk assessments take into account the likelihood of an event and its potential impact on the business. Impact is quantified and assessed in terms of potential financial loss or reputational damage. Risks are assessed both as gross risk and net risk.

Insurance & Enterprise Risk then challenges management on the reported risk information (including assessments, implemented mitigations and next milestones), and consolidates on a biannual basis reported risks into a corporate profile containing the company's key risks. The final risk profile is reviewed by Executive Management, the Audit Committee and the Board of Directors.