
IOD MASTERCLASS FOR DIRECTORS

267TH BATCH

DISSERTATION

Enterprise Risk Management in the


Medical Devices/Healthcare Industry
Module: Enterprise Risk Management

Dayanidhi Krishna
Contents

Project Objectives .................................................................................................................................................. 3


Acknowledgements ............................................................................................................................................... 3
Introduction and Context .................................................................................................................................... 4
Risks in a VUCA World ................................................................................................................................... 4
Risk Management as a Necessity .......................................................................................................................... 6
Risk Management as a Legal Requirement ..................................................................................................... 6
Economic Case for Risk Management ............................................................................................................ 7
Evolution of Risk Management ....................................................................................................................... 9
Implementation of Enterprise Risk Management............................................................................................. 12
Identification of Risk Types........................................................................................................................... 12
Design of a Risk Management Framework ................................................................................................... 14
Risk Management Process .............................................................................................................................. 18
Case Studies ......................................................................................................................................................... 23
F. Hoffmann-La Roche AG (Roche Group) ................................................................................................ 23
Apollo Hospitals & Apollo Munich Health Insurance (Apollo Group) .................................................... 24
Disclaimer ............................................................................................................................................................ 27
References ............................................................................................................................................................ 27

Project Objectives

Enterprise Risk Management (ERM) is an effective process to assess, evaluate and manage both
internal and external risks. ERM ultimately results in a risk management policy and, by extension, an iterative
process that can transform any organization into one with a risk-aware culture across its value chain.

To adopt ERM processes, the organization’s senior leadership and board need to appreciate and
internalize the value proposition of ERM. This mindset must also reach the business leaders, who should
evaluate the risks of their own decisions and treat each decision’s contribution to firm-level risk as a metric in
financial and growth incentive structures (1). With this broad objective, the priority is to enhance awareness of
risk management, ranging from its origins and the rationale behind its implementation to current ERM
frameworks such as ISO and COSO.

At the outset, the risks relevant to the medical, healthcare and pharma industry are identified. After
detailing the risk management framework and associated processes, a snapshot of the current risk management
practices adopted by certain industry leaders, based on their risk management policies and annual reports, is
analysed to give senior leadership and board members unfamiliar with risk management guidance on
prevailing best practices. This project also attempts to provide a broader perspective by incorporating
available insights from a wider geographical and historical spread.

Acknowledgements

I thank the speakers for providing their insights with several case-studies/examples on various aspects
of corporate governance during the sessions that formed a part of IoD’s Masterclass. With corporate
governance in a constant state of influx, the perspectives of the speakers on the emerging understanding on
financial controls, board room processes, legal compliance, etc. enabled a more holistic understanding for me
while conceptualizing this work. I thank the authors and institutions behind the works cited who have
contributed towards the creation of a vast pool of resources both in the form of industry trends as well as
forward-looking guidance on the best practices in ERM. I am grateful to several industry leaders, risk
professionals/actuaries and researchers who gave me their time, inputs, comments and suggestions while
undertaking this work.

Introduction and Context

Risks in a VUCA World

According to Taleb, a black swan is a highly improbable event that is unpredictable, carries a
massive impact and is rationalised after the fact through hindsight bias (2). The year 2020, with the impact of
COVID-19 arguably termed a black swan event, has demonstrated some of the potential risks and threats that
organizations, individuals and governments face alike (3). The World Economic Forum’s Global Risks Report
2020, however, classified pandemics as a low-probability event (4). COVID-19 and several prior risk events
such as natural disasters, cyber-attacks and terror attacks have demonstrated that the world today truly operates
in a Volatile, Uncertain, Complex and Ambiguous (VUCA) environment. W. G. Bennis and N. Burt
conceptualized the characterization of risk events under the VUCA paradigm in a corporate context (5).
Beyond the typical definitions of VUCA, Table 1 briefly describes the nature of risk events based on the
aforementioned paradigm (6). While the possibility of an event such as COVID-19 occurring was evident,
the associated risks weren’t effectively managed. The silver lining from COVID-19 has been the realization
that current models of managing projects, operations, supply chains, agile software development, etc. lack
resilience to several kinds of risk events (7).

Table 1 is a two-by-two matrix: the vertical axis is Predictability and the horizontal axis is Awareness.

Complexity (predictable, low awareness): The likelihood of the event is predictable but very little is known
about the event due to multiple factors influencing the situation.

Volatility (predictable, high awareness): Awareness and likelihood of the event are fairly certain but the
situation is unstable and its duration is unknown.

Ambiguity (unpredictable, low awareness): Both awareness and likelihood of the event are unknown.

Uncertainty (unpredictable, high awareness): The event’s basic cause and effect are known but the
likelihood is not predictable.

Table 1 Classification of risk events based on VUCA characteristics (8,9)

Table 2 Risk Exposure based on Survey of CFOs in 2009 (horizontal bar chart; x-axis: percentage of CFOs
rating the risk 4 or 5 (highest cost), 0% to 60%; risk categories: weather, pension or healthcare shortfalls,
political, terrorism, employee misdeeds, natural catastrophe, litigation, property and casualty, loss of key
personnel, regulatory or government, credit, interest rate, operational, commodity price, reputational,
execution, failure of company projects, competitive, strategic, foreign exchange)

Different organizations and individuals identify over 100 types of risks that could impact them;
these risks can collectively be categorized into Financial/Economic Risk, Geopolitical Risk, Technology Risk,
Environmental Risk, Social Risk and Governance Risk (10). While Governance Risk is purely internal, the
other risks emerge in the overlap between internal and external actors and processes. In the aftermath of the 2008
Financial Crisis, 300+ CFOs drawn from listed and unlisted companies around the world were surveyed to
assess their risk perception and categorization, as detailed in Table 2 (11). However, the last decade has seen a
shift from operational or financial risks towards ESG-related risks. Experts estimate environmental risk events
to be the most likely, and a combination of environmental, geopolitical and social issues to have the most
devastating impact (4). The report provides great insight into potential risks that could result in devastating
consequences and value destruction for all stakeholders. There is, however, a need for a more standardized
and holistic approach to risk management for combatting these challenges.

Risk Management as a Necessity

Risk Management as a Legal Requirement

Over the years, laws and regulations enacted by different countries, including those listed in Table 3,
have emphasized risk management as an inherent corporate governance requirement. In the United States
of America, the now-repealed Glass-Steagall Legislation mandated risk mitigation norms for the banking
sector (12). The safeguards under that legislation were replaced by federal deposit insurance to protect
depositors. India has adopted a similar deposit insurance requirement beyond the capital adequacy standards
mandated in the banking regulations (13). However, the inherent shortcomings of this new approach were
exposed in the subsequent global financial crisis of 2007-2008 (14). The housing bubble that burst in the
United States of America resulted in spill-over effects that were felt all over the world. In the aftermath of this
crisis, a new law was enacted to enhance risk management. Despite the efforts of the advocates of the Glass-
Steagall legislation, several of the safeguards from the earlier law didn’t pass muster for inclusion in the new
law (15).

Country                   Acts/Laws Applicable

Germany                   Stock Corporation Act (16)
                          Corporate Sector Supervision and Transparency Act (17)
                          Risk Limitation Act (18)

India                     Companies Act (Amended in 2013) (19)
                          The Deposit Insurance and Credit Guarantee Corporation Act (Amended in 2006) (13)
                          The Occupational Safety, Health and Working Conditions Code (20)

Singapore                 Workplace Safety and Health Act (21)

United Arab Emirates      Ministry of Finance – Risk Management Circular (22)

United Kingdom            The Management of Health and Safety at Work Regulations (23)
                          Financial Services and Markets Act (24)
                          The Risk Transformation Regulations (25)

United States of America  Glass-Steagall Legislation (12)
                          Dodd-Frank Wall Street Reform and Consumer Protection Act (15)

Table 3 Laws, Regulations and Norms incorporating Risk Management

Following the legislative action in the United States of America, other countries both within the EU and
in the APAC region enacted their own variants of risk-limiting laws (18,19,25). Beyond financial risk controls in
the form of capital adequacy, etc., several countries have enacted laws to mitigate social risk in the form of
employee safety guidelines (20,21). Some of these legislations directly align with the current risk management
frameworks detailed subsequently in this dissertation (22).

In light of these regulations, it has become essential for organizations both big and small to comply
with the necessary risk management norms. In the Indian context, the Companies Act mandates several risk
management related compliances for companies. At the time of public listing or while raising debt from the
capital markets, the prospectus must detail the management’s perception of the risk factors that impact the
business. Along the aforementioned lines, any presentation of financial statements during a general meeting
must be accompanied by a statement of the board, indicating development and implementation of a risk
management policy for the company including identification therein of elements of risk that threaten the
existence of the company. The audit committee of any company should evaluate the risk management
systems currently in use.

Different companies have interpreted and implemented these requirements differently, some
allocating dedicated resources for Risk Management, while others co-locate these responsibilities with the
Audit Committee and its associated verticals.

“The independent director shall satisfy themselves on the integrity of financial information and that
financial controls and the systems of risk management are robust and defensible” – Art. 4 Sec. II
Schedule IV of Companies Act 2013 (19)

The role of the Independent Director here is relevant, as the act requires the director to play a
significant role in the risk management function of the company as highlighted above. Also, the Reserve Bank
of India (RBI) has issued master directions and guides on the required risk management systems for financial
institutions both during operations as well as while engaging in transactions with foreign currency exposure.

In the medical industry, risk management is directly and indirectly mandated by legal and quasi-legal
frameworks across verticals. At the inception stage, medical devices, medicines, drugs, surgical instruments,
etc. that are sold must be certified by the US FDA or the European Union’s CE Mark or the Bureau of Indian
Standards (BIS) and licensed with CDSCO (Central Drugs Standard Control Organisation). The process to
obtain these certifications, while inheriting from comparable ISO standards, also requires risk mitigation steps
to prevent various risks to the patient, ranging from safety to cybersecurity and privacy. At medical institutions,
obtaining NABH (National Accreditation Board for Hospitals & Healthcare Providers, a constituent board
of the Quality Council of India) certification through compliance with its standards involves the adoption of risk
management practices with a top-down approach. NABH accreditation standard “FMS 1a” requires
hospitals to conduct a hazard identification and risk analysis process (26).

Economic Case for Risk Management

Any organization has a reasonable understanding of its liabilities. Beyond the loans and tax-related
liabilities, the risks that could impact an organization bring with them disproportionate and uncertain costs. While
these risks plague small and large organizations alike, small organizations often lack the resources to recover
from such risk events (27,28). Beyond the expected risks, an element of structural risk with no logical
connection to the risk event results in additional value erosion (29). The US GAAP standard adopts a mark-
to-market approach, while IFRS and IndAS have typically adopted a conservative recognition philosophy.
Though the current accounting standards US GAAP, IFRS and IndAS have different approaches to accounting
for liabilities, quantifying risk-related liabilities is not as straightforward (30).

Figure 1 shows a three-stage continuum:

Compliance and Prevention
• Own company crises
• Other company crises
• Compliance with corporate governance standards (fiduciary responsibility)
• Avoiding personal liability failure

Operating Performance
• Understanding the full range of risks & opportunities facing a business
• Understanding and evaluating business strategy risks & opportunities

Shareholder Value Enhancement
• Protecting corporate relations
• Enhancing capital allocation
• Improved returns through risk & opportunity management

Figure 1 Risk & Opportunity Management Continuum (31,32)

Several of the risks discussed subsequently can be managed cost-effectively by realigning the risk-reward
matrix through techniques such as hedging, insurance (Liability, Keyman, Cyber, Standard Peril, etc.) and the
implementation of ERM. In 2009, a significant majority of the products used to mitigate risks were traditional,
as detailed in Table 5 (11). With the evolution of the ERM frameworks, newer techniques and tools have
emerged. Some of the value propositions of ERM identified are detailed in Table 4. The opportunity cost
estimates tilt the decision in favour of the adoption of ERM (33). Risk management directly translates into
enhanced value creation and downside protection for all stakeholders involved in an organization’s life cycle
(31,32).

Figure 2 Products used to Manage Risk (pie chart; share of respondents: Insurance policies 18%, FX rate
derivatives 18%, Interest rate derivatives 17%, Operating alternatives 10%, FX denominated debt 10%,
Financial guarantees 10%, Commodity derivatives 7%, Credit derivatives 3%, Structured products 3%, Equity
derivatives 2%, Multi-risk products 2%)

Evolution of Risk Management

In the mid-20th century, risk management as a concept was observed in insurance product
documentation that protected individuals and companies from accidents, illness, etc. (34). Risk
management then evolved with a focus on improving capital standards in the financial sector, which ultimately
resulted in the Basel Accords (35). The same accords were revised over multiple rounds during instances of
large financial crises, which ultimately resulted in the Basel Framework (36). From 1990 till date, two risk
management standards have been created, by the Committee of Sponsoring Organizations (“COSO”) and the
International Organization for Standardization (“ISO”). Figure 1 elucidates the timeline of the evolution of
these two risk frameworks.

ISO
• ISO 31000:2009 introduced
• Upgraded to ISO 31000:2018

COSO
• 1992 - Internal Control - Integrated Framework (popularly the Pyramid Model)
• 2004 - Enterprise Risk Management - Integrated Framework (popularly the Cube Model)
• 2017 - Enterprise Risk Management – Integrating with Strategy and Performance

Figure 3 Timeline of Risk Management Frameworks

Figure 2 succinctly describes the relationship between various stages of risk management, the
applicable verticals and the relevant organizations under the 2013 COSO framework.

Figure 4 ERM Model under the COSO Internal Control-Integrated Framework

With time, organizations, auditors as well as external/internal risk professionals have observed that
the existing frameworks resulted in a siloed implementation of risk management with an operational and
compliance mindset.

Figure 5 arranges the eight ISO 31000:2018 principles around a central aim of Value Creation & Protection:
• Integrated
• Structured & Comprehensive
• Customised
• Inclusive
• Dynamic
• Best Available Information
• Human & Cultural Factors
• Continual Improvement

Figure 5 Principles of Risk Management as per ISO 31000:2018 (37)

The new frameworks by COSO and ISO are in effect, a corrective update resulting in risk
management becoming a cornerstone of strategy for organizations. Figures 3 & 4 detail the principles
conceptualized by ISO 31000:2018 & COSO ERM 2017 frameworks respectively. The new frameworks
provide ample flexibility to decision-makers and risk professionals to personalize ERM in line with their
organization’s objectives.

Governance & Culture
• Board Risk Oversight
• Creation of Operating Structures
• Definition of Risk Culture
• Demonstrated Commitment to Core Values
• Attraction, Development & Retention of Talent

Strategy & Objective-Setting
• Analysis of Business Context
• Definition of Risk Appetite
• Evaluation of Alternative Strategies
• Formulation of Business Objectives

Performance
• Identification of Risk
• Assessment of Risk Severity
• Risk Prioritisation
• Implementation of Risk Response
• Development of Portfolio View

Review & Revision
• Assessment of Substantial Changes
• Review of Risk & Performance
• Improvement of ERM

Information, Communication & Reporting
• Utilisation of Information Technology
• Communication of Risk Information
• Reporting on Risk, Culture & Performance

Figure 6 Principles of Risk Management as per COSO Enterprise Risk Management 2017 (38)

Implementation of Enterprise Risk Management

This section details the journey of creating a risk management framework, its implementation and the
associated processes. As detailed in the previous section, both ISO 31000:2018 and COSO ERM 2017 provide
valuable tools and guidelines for the implementation of ERM. In this context, an accommodative approach
is followed henceforth in an attempt to synergise the benefits provided by both frameworks. As a precursor
to the framework and processes, both COSO and ISO necessitate the identification of the risk types applicable
to the particular organisation and industry (37,39). Although the approach adopted in the following sub-sections
bears a resemblance to the ISO 31000:2018 framework, the sub-sections align closely with the principles-driven
view of ERM adopted by the COSO ERM 2017 framework. The sub-sections on Leadership Commitment,
Integration and Design align with the Governance & Culture principles. The various parts of the Risk
Management Process (as interpreted from the ISO 31000:2018 framework) pertain to the Strategy &
Objective-Setting, Performance, Review & Revision and Information, Communication & Reporting
principles of COSO ERM 2017.

Identification of Risk Types

The risks faced by medical devices sector organisations and healthcare institutions are highly correlated
due to the deep linkages between the two. It is also a given that the nature of these risks and their adverse impact will
constantly evolve, and that the process detailed subsequently must therefore incorporate a repeatable, cyclical process
flow. While any attempt to list all risks will remain inadequate, a broad set of risk types relevant to this sector
is detailed below -

 Financial - The medical industry is typically capital intensive. The 2020 Global Healthcare Outlook by
Deloitte details numerous instances of organisations, government bodies, insurers under financial distress
(40). In the case of medical devices and pharmaceuticals, a significant upfront R&D cost is incurred with
uncertainty on market demand, potential delays, pricing, etc. Any hurried development would result in
poor quality thereby exposing the products and the company to far greater risks. In the case of hospitals
and medical institutions, investment into infrastructure and technology is a precursor to any financial
gains. Besides, due to the heavy regulatory environment, organizations are also susceptible to pricing
controls by the governments (41). Also relevant is the role of the governments, corporates and insurers
in meeting their financial obligations to the healthcare service providers on a timely basis. Any financial
loss or delay at this end will result in spill-overs into the medical device and pharmaceutical sector (42).

 Geopolitical - The close relationship between this industry and the health and survival outcomes of
mankind places healthcare at centre stage in the political conversation in local, national and
international arenas. The relevance of geopolitical and regulatory risk as the most significant risk factor in
this industry is evident from the research carried out by Protiviti and NC State University on risk
perception among board members (43). With the push-pull relationship between the government and
the populace/civil society, governments are often forced to take executive action to regulate this industry.
These actions range from price controls, subsidies, regulation, licensing, taxation, trade barriers,

restrictions on the application of intellectual property rights to extreme measures like nationalisation,
confiscation of assets, etc. The approach, actions and the eventual outcomes of these different
stakeholders are distinct but can be managed effectively by adopting the right frameworks (44). Any
changes to governments either within the geography of operation or overseas could result in changes to
the policy approach adopted by the relevant authorities. This results in increased interaction and
engagement between organisations and the government resulting in increased chances of corruption and
crime-related risks. With increased regulations, there is an advent of severe liabilities as penal action
against organizations for breach of privacy, impact on health, life, accidents, etc. arising out of the
products and services offered. Often, there is a potential mismatch between the intended objectives and
end policy outcomes of regulations (45).

 Technology - Infrastructure and technology are two high-cost, recurring investments in this industry.
With better human development indicators on education and skill development, the last 3-4 decades have
seen exponential technological advancement. With this transformation,
organizations are faced with obsolescence due to the shorter shelf-life of their technical assets and a recurrent
need to invest in more relevant and new-age technologies. While technology has proved to be a great boon
across the value chain of this industry, the threat of an incumbent or a start-up adopting modern
technologies like AI, Blockchain, etc. is always looming. Due to digitalisation at various ends of the
spectrum, new risks relating to cyber-security, ransom, breach of personal data/privacy, data
manipulation, biased decisioning systems, etc. have emerged (46). According to a Deloitte Advisory
report, the consequences of a cyber-attack or a comparable event aren’t limited to the apparent one-time
financial and reputational damage but also include long-term ramifications (47). The size and nature of an
organization often entail a differentiated threat scenario and, by extension, necessitate a different
countermeasure (48).

 Environmental – Medical institutions, whether R&D centres, laboratories or medical care facilities, are
susceptible to numerous environmental risks. At the outset, building design, construction and
maintenance must factor in the complex nature of these sites. Environmental factors like pollution,
smoke, noise, etc. remain a constant threat. In some cases, these facilities host highly infectious diseases,
radiological machines, etc., which pose risks far beyond the boundaries of these facilities. Beyond the
aforementioned, the medicines, implants, machines, instruments, etc. may contain substances that may
be harmful to patients, clinicians or the overall environment (49,50). Calamities both man-made
and natural with far-reaching repercussions are likely to occur. The GARP Risk Institute has identified
environmental and climate risks that originate with counter-parties and could impact organisations (51).

 Social – The stakeholders involved in the lifespan of a medical organization range from suppliers, staff,
patients and test subjects for clinical trials to local communities. With respect to staff, a wide range of issues
threaten the daily operations of the organisation, including an inability to attract talent, diversity, strikes,
misconduct/fraud and inadequate training (52). Organizations may suffer reputation damage as a
consequence of the sensitive nature of the services provided. Beyond reputation damage, prior experience
indicates the potential physical and mental threat posed to staff, management and stakeholders in this

industry. Driving organisational resilience through constant planning is vital for avoiding value erosion and for
managing tensions arising from sudden disruptions (53).

 Governance – Albeit with variation in their impact, governance-related risks transcend industry
classifications. Governance-related risks originate at the highest levels of the organisation in the context
of strategic risks. These arise as a consequence of an ineffective judgement of the risk-reward equation in
business decisions. However, certain governance risks around internal controls, financial management,
compliance with statutory provisions, internal corruption, processes, policies, payroll, etc. arise out of
shortcomings rather than poor judgement. Several legitimate financial investment processes and strategies
around loss management adopted as a part of corporate tax planning may result in increased risk scenarios
(54).

Design of a Risk Management Framework

Leadership Commitment towards the cultivation of Risk Culture

The revised risk frameworks’ reliance on the linkage between strategy and the ERM process is testimony to
the central role of any organisation’s leadership and their commitment to the success of this process (37,38).
The board’s and senior executives’ understanding of the context in which the organisation operates is
important in customising and implementing all components of the framework. Unlike the old Operational
Risk philosophy, the new standards recognise the need for flexibility and thereby encourage organisations to
customise the frameworks. Following the design, the leadership must translate the framework into a clear
policy that details the processes, the allocation of resources towards risk management and the roles,
responsibilities & rewards across the various levels of the organisation. The ISO 31000:2018 framework lists
the following benefits of the aforementioned approach –

 Synergy between risk management and the overall objectives, strategy and culture of the organisation
 Progression towards a mature risk-aware organisation through clear and concrete guidelines for all
individuals and internal groups to understand their obligations
 Limiting risk-taking beyond permissible levels by outlining the type and extent of risk through the risk
identification, assessment and evaluation as outlined subsequently
 Embedding and internalisation of the value proposition risk management across the organization and its
stakeholders
 Preparedness and timely corrective actions through active monitoring of risks;
 Sustained relevance of the risk management framework in the context of the organization (37).

Figure 7 Integration of Internal Audit Mechanisms within the ERM Framework (55)

Once the framework is clearly outlined, communicated and implemented, oversight is essential to
ensure the success, continuous revision and improvement of the ERM in place. For this, most
organizations have either appointed a dedicated CRO leading the risk function or co-located the risk
function with the audit function. While the size of the organisation may dictate the extent of resources available,
larger organisations have a three-pronged oversight mechanism. This begins with the management and
leadership implementing the risk management processes across verticals. This is complemented by the risk
and compliance verticals, which aid and assist them. This two-pronged system reports insights on
performance to the executive for decision making on risk management matters. The last and final layer of defence is
the implementation of an internal risk audit similar to the internal audit process for financial controls. Figure
7 details the risk functions of each vertical as adapted by Binder Dijker Otte (BDO) US from the ECIIA/FERMA
Guidance on the 8th EU Company Law Directive, article 41 (55).

Integration

The risk framework needs to be ingrained into the skeletal structure of the organisation. Each
organisation may be structured differently based on its geographical spread, business strategy, local
geopolitical climate, and the legal & tax frameworks on companies, subsidiaries, joint ventures, etc. The structure
demonstrated in Figure 7 is merely an example of a suitable structure; organisations may adopt a structure in
line with their existing structures. In addition to the structural integration, implementation of the risk process
must be undertaken across the value chain, translating into better risk management from supplier and shareholder
to customers and the community. Organisations must resist the temptation to treat the integration as a

one-time activity and rather treat it as a constant journey with alterations that enhance the overall protection
of value for all stakeholders.

Design

 Understanding the context of an organization – When the risk management framework is being
designed, the organization must evaluate and comprehend the external and internal factors and stakeholders.
o External context typically involves an analysis of
 societal, cultural, political, legal, regulatory, financial, technological, economic and
environmental factors across geographical divisions (international, national, regional,
local)
 key external macro & micro trends affecting the objectives of the organization,
 external stakeholders and their sensitivities, ideals, principles, wants and aspirations,
 contractual obligations,
 complexity of supply-side and distribution-side networks and their dependencies.
o Internal context typically pertains to
 the ethos of the company (vision, mission, values, culture)
 governance & organizational structure (roles, responsibilities, rewards)
 strategy (objectives, policies, standards, guidelines and models)
 capabilities (assets both tangible and intangible, time, people, skills, patents,
trademarks, trade secrets, copyrights, procedures, structures and know-how)
 information systems, data streams
 perceptions among and relationships with internal stakeholders
 contractual relationships and commitments; interdependencies and interconnections.

• Communication of commitment towards the adoption of ERM – It is essential for senior leadership
to constantly reiterate its intention and efforts towards cultivating a mature, risk-aware
organisation. This must not be restricted to internal and external communication alone, but must be
accompanied by actions that reflect commitment in letter and in spirit. Leaders across the value chain
must be empowered with decision-making authority and an appropriate allocation of resources to adopt
the practices and emerge as champions of risk management.

• Assignment of Roles & Responsibilities – While the risk professionals within the risk function may
provide useful material and guidance on the framework and industry best practices, the success of ERM
stems from adoption by the stakeholders. By identifying individuals and assigning ERM-related
responsibilities, outcomes become directly attributable and trackable. By linking each individual's
contribution to managing risk to their KPIs (Key Performance Indicators) and to appraisal and growth processes,
individuals are incentivised to take ownership and imbibe the appropriate culture.

• Allocation of Resources – Risk management requires the allocation of time, capital and resources. Any
organisation beginning this journey initially needs to train and equip its workforce on the framework
and processes. Subsequent retraining on best practices, changes to risk standards, etc. is essential to keep
pace with the constantly changing risk paradigm. Several of the risks discussed are transferable through
financial instruments, but this requires capital allocation. Several risks can be better managed through the
adoption of technology. Based on an evaluation of the risk-reward matrix, investment in technology
can yield far superior outcomes than the costs incurred in the aftermath of a risk event.

• Feedback and Consultation – Like project management and process improvement, risk
management is a continuous iterative process. This requires constant monitoring
and evaluation of the performance of the risk mechanisms adopted. During the implementation phase,
alternative processes or approaches may emerge. A concerted effort towards gathering these insights
from internal and external stakeholders and revising the existing framework is likely to yield better
outcomes. Towards this end, the framework must embed feedback mechanisms that source
these insights, as well as communication that informs the community of the changes adopted. Certain
sub-groups may perform exceptionally while others remain laggards; it is equally essential that
feedback is given and corrective actions are taken to address shortcomings.

Implementation

The organization should implement the risk management framework by:

• developing a suitable plan that also details how resources shall be allocated;
• establishing decision-making systems across the organisational hierarchy, from risk identification to
  assessment against the risk appetite;
• iteratively improving and modifying the decision-making processes;
• reiterating the organization's provisions for managing risk and ensuring their adoption.

Effective execution of the framework entails the commitment and responsiveness of stakeholders. This
enables organizations to unequivocally address ambiguity in decision-making, while also ensuring that any
new or ensuing uncertainty is taken into consideration as it emerges. Properly conceived and
employed, the risk management framework ensures that the risk management process becomes ingrained
in all actions and events throughout the organization.

Evaluation

Organisations must assess the effectiveness of the risk management framework at regular intervals
against its stated purpose, objectives, execution strategy, performance metrics and intended behaviour. This
assessment is important for detecting shortcomings and for ensuring that the framework remains relevant to the
organisation's evolving goals and objectives.

Improvement

Based on the iterative evaluation detailed above, the organization must evolve its risk management
framework to manage the evolving external and internal ecosystem. The organization should continually
improve the suitability, adequacy and efficacy of the risk management framework and ensure that the risk
management process functions in a cohesive manner. As relevant shortcomings or enhancement
opportunities emerge, the organization must revamp its existing procedures, processes, metrics, etc. and
ensure effective execution.

Risk Management Process

Figure 8 Risk Management Process as per ISO 31000:2018 (37)

The risk management process is multi-stage and iterative, drawing from the aforementioned framework
as detailed in Figure 8. The process entails the systematic implementation of clearly defined standard
operating procedures and processes across the journey of managing risk. These processes involve assessing risk
through identification, analysis and evaluation in the prevailing ecosystem in which the organisation operates.
While applying appropriate risk treatment mechanisms, the rationale, objectives and expected outcomes are to
be well documented and communicated to the relevant stakeholders. Apart from monitoring and analysing the
reported outcomes, the process adopted needs to be reviewed with a consultative approach. This process needs
to become ingrained in every aspect of the organisation, including its structure, operations and processes, as
illustrated in Figure 4: the risk management process should be an integral part of management and decision-
making. While the process is defined and adopted at an organisation-wide strategic level, the same process
needs to be applied at strategic, operational, programme and project levels to realise its full potential (56).

Communication & Consultation

The various risks that affect an organisation are such that not all stakeholders may be able to decipher
or understand a threat, its implications and its treatment process. By ensuring a cyclic communication channel,
relevant information, as well as feedback and inputs, can be shared with the relevant stakeholders, resulting in
informed risk management decisions. It is important that the communication process also
protects confidentiality and privacy where applicable. The nature of some of these risks is such that solutions and
risk treatment approaches may appear from many quarters owing to their multi-dimensional nature. This
approach also builds a sense of ownership of the process among the stakeholders.

Scope, Context & Criteria

The first step towards establishing a risk management process is a clear outline of its objectives and
scope. At different levels of the hierarchy, the objectives, expected outcomes, resources, tools and the nature
of the risks differ. As detailed in the identification and design related discussion above, any effective risk management
process is likely to achieve its intended objectives only when it is tailored to the organisation's context. It is
also relevant to note that for any risk management process to work as intended, active collaboration with both
internal and external stakeholders is key. Situations may then arise where risks and rewards are
shared by both the organisation and its partners, affiliates, suppliers and customers. It is equally likely that
organisational factors may themselves be the source of certain risks. After outlining the scope and context, the
risk criteria must be defined. The organization must quantify the extent and type of risk that it can bear based
on its stated objectives. While defining the risk criteria, due consideration must be given to the nature and
type of risks, their consequences, time-related factors, measurement and risk assessment standards and the
organisation's overall risk appetite.

Risk Assessment

Risk Identification

The purpose of risk identification is to make a concerted effort to recognise and describe risks, which
in turn can aid in preventing them from affecting the organization's objectives. This must be undertaken
without prejudice, including risks whose sources lie beyond the control of the organization. ISO 31000:2018
recommends the consideration of the following factors (both individually and collectively) (37) –

• tangible and intangible sources of risk;
• causes and events;
• threats and opportunities;
• vulnerabilities and capabilities;
• changes in the external and internal context;
• indicators of emerging risks;
• the nature and value of assets and resources;
• consequences and their impact on objectives;
• limitations of knowledge and reliability of information;
• time-related factors;
• biases, assumptions and beliefs of those involved.

Risk Analysis

After identification, each risk needs to be analysed to grasp its nature, characteristics and extent.
Risk analysis involves a detailed consideration of uncertainties, risk sources, repercussions, probability, events,
situations, controls and their effectiveness. This can be achieved through qualitative and/or quantitative
techniques, chosen according to the risk's nature, complexity and likely countermeasures. Since this process involves the
participation and contribution of various stakeholders with their own views, values and biases, the eventual
outcome is likely to be influenced by these. The accuracy, timeliness and relevance of the data used, and the
efficacy of its collection, also play a critical role. Different audit and consulting organisations, based on their
interpretation of the ERM frameworks, suggest different approaches to quantify these variations and arrive at
a consensus (39,57).

Risk Evaluation

Risk evaluation is the process of comparing the results of risk analysis with the stipulated risk criteria
of the organisation. This process leads to the risk treatment stage, where the evaluation results support
decision making in selecting the appropriate treatment for risk mitigation or management.

Risk Treatment

Risk treatment is the continuous iterative process of deciding on and implementing risk
mitigation strategies. Because the process is iterative, once a particular treatment is implemented, its
effectiveness and the consequences of the residual risk are to be evaluated. At any point, if the chosen treatment is adjudged
to be inadequate, alternative options are to be considered. While selecting the options, a balance between risk,
rewards and costs needs to be struck. The most important caveat is that previous or current treatments may
turn out to be irrelevant in the future, necessitating continuous tracking and correction. Some of the
risk treatments suggested by the frameworks are as follows –

• Risk avoidance by not initiating a particular project or activity owing to insurmountable risk;
• Undertaking the risk in the context of the rewarding opportunity;
• Removal of the risk source;
• Altering the likelihood or its consequences;
• Risk transfer or sharing through contracts, insurance, derivative products, etc.;
• Risk retention after an informed decision.

While choosing a particular risk treatment, organisations must resist the urge to look at it solely from a
financial standpoint and instead assess it in the complete organisational context. There is also the possibility
that a particular risk treatment may result in the creation of other risks. Even if no solution is available
in the foreseeable future, the risk should still be considered in each iteration of this process. A risk treatment
plan must be conceptualised to detail the implementation, resource allocation, responsibility assignment,
monitoring and improvement stages. This also gives all stakeholders a shared
understanding of the plan. The plan should then be integrated with the organisation's internal processes. The
information provided in the treatment plan should include:

• Rationale and expected outcomes of the treatment options;
• Stakeholders responsible for approval and implementation of the plan;
• Proposed actions;
• Resource requirements;
• Process for measurement of the plan;
• Constraints;
• Required reporting and monitoring;
• Timeline for implementation.
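To make the evaluation and treatment loop described above concrete, the following Python is an added worked example; it is not code from the dissertation, from ISO 31000 or from either case-study company. It assumes a 1 to 5 ordinal scale for likelihood and consequence, a score equal to their product, and a risk-appetite threshold of 12 (all illustrative assumptions; ISO 31000 prescribes no particular scale or criterion). The register entries, the treatment deltas and the function names are constructed for the example.

```python
"""Risk evaluation and treatment loop (added illustration, not the page's own method).

Assumptions, none of which come from the dissertation or ISO 31000:
  - likelihood and consequence are rated on an ordinal 1..5 scale;
  - the risk score is likelihood x consequence;
  - a score of 12 or more is outside the organisation's risk appetite.
The sample register at the bottom is constructed data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEVELS = range(1, 6)          # assumed ordinal scale: 1 = lowest, 5 = highest
APPETITE_THRESHOLD = 12       # assumed risk criterion: score >= 12 is outside appetite
TREATMENT_OPTIONS = ("avoid", "reduce", "transfer", "retain")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    consequence: int

    def __post_init__(self):
        # Reject ratings off the agreed scale instead of silently scoring them.
        for value in (self.likelihood, self.consequence):
            if value not in LEVELS:
                raise ValueError(f"{self.name}: levels must be 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.consequence

    def within_appetite(self, threshold: int = APPETITE_THRESHOLD) -> bool:
        return self.score < threshold


@dataclass(frozen=True)
class Treatment:
    """One treatment option; deltas shift likelihood/consequence (negative = lower)."""
    option: str
    likelihood_delta: int = 0
    consequence_delta: int = 0


def residual_risk(risk: Risk, treatment: Treatment) -> Optional[Risk]:
    """Residual risk after the treatment; None when the activity is avoided altogether."""
    if treatment.option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option {treatment.option!r}")
    if treatment.option == "avoid":
        return None
    if treatment.option == "retain":
        return risk
    # "reduce" alters likelihood and/or consequence; "transfer" (insurance, contracts)
    # typically lowers the consequence borne by the organisation. Clamp to the scale.
    lik = min(max(risk.likelihood + treatment.likelihood_delta, 1), 5)
    con = min(max(risk.consequence + treatment.consequence_delta, 1), 5)
    return Risk(risk.name, lik, con)


def evaluate_register(register: List[Tuple[Risk, Treatment]]) -> List[dict]:
    """Compare inherent and residual scores with the risk criterion.

    A residual risk still outside appetite needs another treatment iteration,
    unless retention was an informed decision ("retain").
    """
    rows = []
    for risk, treatment in register:
        residual = residual_risk(risk, treatment)
        residual_score = 0 if residual is None else residual.score
        within = residual is None or residual.within_appetite()
        rows.append({
            "risk": risk.name,
            "inherent": risk.score,
            "treatment": treatment.option,
            "residual": residual_score,
            "within_appetite": within,
            "needs_further_treatment": (not within) and treatment.option != "retain",
        })
    return rows


# Constructed sample register: names, ratings and deltas are illustrative only.
SAMPLE_REGISTER = [
    (Risk("Ransomware on clinical IT", 4, 5), Treatment("reduce", likelihood_delta=-2)),
    (Risk("Earthquake at manufacturing site", 3, 5), Treatment("transfer", consequence_delta=-3)),
    (Risk("Single-source API supplier", 3, 4), Treatment("reduce", likelihood_delta=-1)),
    (Risk("Launch in embargoed market", 5, 5), Treatment("avoid")),
    (Risk("Minor packaging delays", 3, 2), Treatment("retain")),
    (Risk("Unpatchable legacy device", 4, 4), Treatment("reduce", consequence_delta=-1)),
]


if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER):
        print(f"{row['risk']:<34} inherent={row['inherent']:>2} {row['treatment']:<8} "
              f"residual={row['residual']:>2} within_appetite={row['within_appetite']} "
              f"re-treat={row['needs_further_treatment']}")
```

Running the module prints one row per risk with its inherent score, its residual score after the chosen treatment and whether the residual is still outside appetite, which is the signal for another iteration of treatment. The last sample row shows that signal: reducing the consequence by one step leaves the score at the threshold, so the register flags it for further treatment, whereas the retained risk is reported as it is without being re-queued.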

Monitoring & Review

The purpose of examining and appraising the risk process is to ensure and enhance the quality
and effectiveness of the risk management process. This must be embedded into all steps of the overall
process, along with an assignment of appropriate responsibilities. The results of monitoring and
review should be fused into the organization's performance management, tracking and reporting
systems.

Recording and Reporting

Like any process adopted in an organisation, documenting the details and tracking the performance
metrics is vital. This stage runs in parallel from the beginning, where the risks are identified, all the way through
to implementation and review. By adopting this practice, the organisation is able to effectively
communicate its risk management activities and their impact. The benefits aren't restricted to branding and
communications alone. This practice also helps in improving the existing process, generates insights for the
leadership on successes, shortcomings and the emergence of new threats, and creates a source of
shared understanding for all stakeholders to utilise. The standardised procedure adopted for documentation
and reporting must factor in its end use, sensitivity and context. Factors to be considered for reporting should
include –

• views, opinions and actions of differing stakeholders and their needs and requirements;
• cost, cadence and timeliness of reporting;
• method of reporting;
• relevance of the information to organizational objectives and decision-making.

Case Studies

F. Hoffmann-La Roche AG (Roche Group)

Roche Group, being an over a century old company and among the largest diagnostics and pharmaceutical
companies in the world, faces a unique set of risks. For this case study, annual reports from the years 2010 to
2019 were analysed. The group's current risk management policy dates back to 2012 and was created
relying upon the 2004 COSO ERM Integrated Framework and ISO 31000:2009 (58). In its 2019 Annual Report, the
group committed to an update of its risk management policy in 2020 (59). The group places the supervisory
responsibility for the risk management system with the Audit Committee, and environmental, social and ethical
risk assessment with the Corporate Sustainability Committee. In 2010, Roche undertook an assessment of
suppliers based on a risk-based prioritisation as detailed in Figure 9 (60); the group categorises the
stakeholders and verticals in descending order of risk in Figure 9. Apart from auditing suppliers, the group
also collaborated with them to minimise supply chain risks. An emphasis was placed on managing
security risk, occupational safety-related risks, and the environmental risks associated with the impact on
aquatic life.

Figure 9 (diagram rendered as text; supplier categories in descending order of risk, highest tier first):

Tier 1 (highest risk)
  Direct Spend: Contract Manufacturers, CROs, R&D laboratories, API Manufacturers, Hazardous-Chemical Manufacturers
  Indirect Spend: 3rd-Party Waste Management, Animals
Tier 2
  Direct Spend: Chemicals/Biotech raw materials, Primary Packaging
  Indirect Spend: Temporary Labour, Logistics services, Construction, Marketing services, Fleet services, Travel,
  Facility Management
Tier 3 (lowest risk)
  Direct Spend: Secondary Packaging
  Indirect Spend: Informatics, General & Admin services, Consulting Services, Engineering Services, Equipment

Figure 9 Risk-based Prioritisation for Supplier Assessment

In 2011, the group integrated its environmental risk assessment processes with its quality systems
(61). With the Beijing consensus capturing the imagination of business around the world, most companies
moved significant parts of their supply chain, manufacturing, etc. to China (62). This brought with it
increased risks around intellectual property, human rights, etc. Roche Group implemented external risk
mitigation strategies for high-risk geographies, including China, to handle intellectual property and supply
chain related risks. The group also implemented financial controls on risks affecting employee benefits. In
2010, the European Parliament revised the 1986 regulations, restricting the use of apes and other
primates in animal testing (63). In 2012, the United Kingdom reaffirmed its strict animal-testing standards in
the aftermath of the milder EU directive (64). In conjunction with these external regulatory changes, the group
transitioned towards a more risk-aware approach to the use of animals in research (65). Roche also
incorporated social risks associated with human rights that are linked to its business activities into its risk
management process.

In 2013, Roche Group undertook a new business sustainability risk assessment (66). The group
identified the following risks that were likely to materially affect the business –
• Earthquake at its Basel, Tokyo and South San Francisco sites
• Inadequate strategies for cloud, mHealth (mobile health), eHealth (electronic health) and social
  media
• Cyberattacks
• Issue response not yet optimised
• Severe income disparity
To mitigate new and emerging risks, the group undertook cybersecurity and reputation management (social
media) related measures as a stated risk mitigation strategy. The group also took a more comprehensive
approach to the environmental impact of pharmaceuticals, looking at the solid and liquid waste-related risks
across its value chain (66,67). The group subsequently undertook measures to combat mental health risks for
its human capital, and addressed infection risks through an update of its influenza pandemic policy (68).

Apollo Hospitals & Apollo Munich Health Insurance (Apollo Group)

While Apollo Hospitals' stake in Apollo Munich Health Insurance has since been acquired by the HDFC
Group, this case study includes a discussion of its risk strategies alongside Apollo Hospitals from its
inception till the acquisition (69). Apollo Group constituted its Risk Management Policy in FY 05-06 along with
an ERM (70). The group added risk as a tracking indicator on quality and performance metrics. Like most
organisations in the initial stages of ERM implementation, standard financial risks like credit risk and default
risk were identified. Over the years, the group borrowed significantly through the External Commercial
Borrowing (ECB) route, which increased its exposure to currency risk and interest rate risk. In FY 06-07, the
group began managing these two risks through financial instruments such as hedges, interest rate swaps and
forward contracts (71). The group also expressed its intent to enter the health insurance business. The annual
report for FY 07-08 initiated a discussion on insurance risks, which over the years became a recurring theme (72).
To manage liquidity risk, the group invests surplus cash and reserves in short-term instruments with a time-
to-maturity of 3 months. The management commentary indicates that the group does not face any
concentration risk, owing to a diversified customer base spread across insurers, corporate and government
bodies.

With the addition of its health insurance business, the group started tracking insurance risk,
liquidity risk, concentration risk, inflation risk, technology obsolescence, human capital risk, regulatory risk,
etc. (73). On the basis of a risk-reward analysis, the group reinsured a varying percentage of its unexpired
insurance risk each year. In 2017, the Institute of Directors (IoD) awarded Apollo Munich Health Insurance
the Golden Peacock Award for Risk Management (74). In FY 18-19, the group incorporated internal
controls, with risk management being extended to site-level and entity-level structures (75). The group today
has a 360-degree review mechanism for risks and actively tracks risks such as liquidity risk, currency risk,
interest rate risk, price risk (on account of ownership of a listed company), credit risk, risks pertaining
to the employee benefits plan (investment risk, interest risk, longevity risk, salary risk), customer mortality
related risks, infrastructure risk, etc. Apart from the strategies already discussed, the group has also
incorporated an internal credit scoring system to manage credit risk (76).

Apollo Group's risk management policy is designed relying on standards such as the Risk
Management Standard AS/NZS 4360:1999 and the COSO Integrated ERM framework. The policy outlines the
integration of risk management across its hierarchy and its verticals, along with a clear emphasis on the roles and
responsibilities of each internal stakeholder and committee. Based on its risk evaluation, the group maintains a risk
register, an assessment template, a scorecard and an organisation-wide risk profile. The group tracks 18 risk
categories, as highlighted in Table 4 (77).

Risk Category – Definition

Physician Strategy and Relations – Risks associated with the doctor engagement model, including attracting and
retaining an experienced panel of physicians for hospital operations.
Medical Services – Risks associated with a multidisciplinary approach to acute care, speciality care, diagnostics
and investigations and wellness programmes. This includes risks related to inadequate facilities and inaccurate
treatment of an ailment in each of the service areas.
Service Excellence – Risks associated with adequate infrastructure to support patient services, patient
satisfaction and care for IP, OP and international patients.
Quality and Accreditations – Risks associated with infection control, physician licensing and credentialing,
medical documentation and reporting, clinical standards and practices, emergency procedures, clinical audits etc.
Health & Safety – Risks associated with environmental pollution, safety of resources and employees' health and
security at healthcare establishments.
Nursing Operations – Risks related to the adequacy of policies and procedures for nursing operations and
maintaining continuous care.
Facilities & Equipment – Risks associated with inadequacy or failure of facilities and equipment for delivery of
care.
Pharmacy – Risks associated with operation of the pharmacy and delivery of pharmaceutical products to hospital
units and outpatients.
Human Resource – Risks associated with culture, organisational structure, communication, recruitment,
performance management, remuneration, learning & development, retention, occupational health & safety and
industrial relations, including supporting systems, processes and procedures.
Information Technology – The risk that systems are inadequately managed or controlled, that data integrity and
reliability may not be ensured, inadequate vendor performance and monitoring, system or network architecture
not supporting medium- or long-term business initiatives and strategy, capacity planning not being reviewed on a
regular basis resulting in processing failures, and risks of data or system migration or interfaces.
Marketing/Business Development – Risks associated with customer sources, competition, brand management &
brand licensing and reputation of the company.
Finance – Risks related to liquidity/treasury operations, relationship management with lenders, management of
cash, billing and claims processing, customer credit risks, receivables management, inadequacy of controls and
lack of adequate monitoring leading to higher risks of fraud.
Legal and Compliance – Risks relating to non-compliance with legislation including direct & indirect tax law
provisions, adequacy of financial reporting & disclosures, regulations, internal policies and procedures.
Supply Chain – Risks associated with sourcing and vendor management.
Planning and Strategy – Risks associated with strategy development, strategic alliances, business planning,
business mix, performance targets, failure to align functional strategies and objectives with enterprise-wide
strategies. Risks related to improper capital structuring and funding.
Corporate Governance – The risks associated with the board and board procedures including risk oversight,
internal controls, CSR, stakeholder relations including investor relations etc.
Corporate/External Communication – Risks associated with appropriateness/adequacy of external communication
& PR.
Market/Environmental Impact Assessment – Risks associated with changing consumer/business trends and
technological shifts affecting all aspects of business, and the adequacy of assessment of such risks.
Table 4 List of Risk Categories monitored by Apollo Hospitals Enterprise Limited

Disclaimer

This work is a purely academic, non-commercial work. The works, content, brands, trademarks, etc.
cited or mentioned are the property of their respective owners. The views expressed in this work are the
author's alone. The work consists of analyses of publicly accessible research, material, annual reports, policies,
whitepapers, news articles, etc. produced by different authors, corporates, professors, academic institutions,
consulting organisations, statutory bodies, inter-governmental bodies, not-for-profits, media organisations,
etc. The analysis undertaken in this work is made with an earnest effort to ensure accuracy, up-to-date
information and an objective interpretation/summarisation. The author makes no representations or
warranties, express or implied, as to the accuracy or completeness of the information and disclaims any liability
for third-party information or for the use of this work.

References

1. Nocco BW, Stulz RM. Enterprise Risk Management: Theory and Practice. J Appl Corp Finance.
2006 Dec 7;18(4):8–20.
2. Taleb NN. The Black Swan: The Impact of the Highly Improbable [Internet]. Penguin Random
House; 2008. Available from: http://www.randomhousebooks.com/books/176226/
3. McGillivray Glenn. Coronavirus is significant, but is it a true black swan event? The Conversation
[Internet]. 2020 May 1; Available from: https://theconversation.com/coronavirus-is-significant-but-
is-it-a-true-black-swan-event-136675
4. The Global Risks Report [Internet]. Geneva, Switzerland: World Economic Forum; 2020. Available
from: https://www.weforum.org/reports/the-global-risks-report-2020
5. Bennis WG, Burt N. Leaders: Strategies for Taking Charge. New York, United States of America:
Harper & Row; 1985.
6. Kraaijenbrink J. What Does VUCA Really Mean? Forbes [Internet]. 2018 Dec 19; Available from:
https://www.forbes.com/sites/jeroenkraaijenbrink/2018/12/19/what-does-vuca-really-mean/
7. Worley CG, Jules C. COVID-19’s Uncomfortable Revelations About Agile and Sustainable
Organizations in a VUCA World. J Appl Behav Sci. 2020 Jun 16;56(3):279–83.
8. Bennett N, Lemoine GJ. What VUCA Really Means for You. Harvard Business Review [Internet].
2014 [cited 2020 Dec 6];(January-February). Available from: https://hbr.org/2014/01/what-vuca-
really-means-for-you
9. Liang FS, Lee L, Sang CN. Risk Management in a VUCA Environment. Institute of Singapore
Chartered Accountants Journal [Internet]. 2016 Apr; Available from:
https://journal.isca.org.sg/2016/04/06/risk-management-in-a-vuca-environment/pugpig_index.html
10. Crouhy M, Galai D, Mark R. The Essentials of Risk Management, Second Edition [Internet]. 2nd ed.
McGraw-Hill; 2013. Available from: https://www.mhprofessional.com/9780071818513-usa-the-
essentials-of-risk-management-second-edition-group
11. Servaes H, Tamayo A, Tufano P. The Theory and Practice of Corporate Risk Management. J Appl
Corp Finance. 2009 Dec 15;21(4):60–78.
12. Banking Act [Internet]. Jun 22, 1933. Available from: https://fraser.stlouisfed.org/title/991
13. The Deposit Insurance and Credit Guarantee Corporation Act [Internet]. Sep, 2006. Available from:
https://www.dicgc.org.in/pdf/DICGC_Act.pdf

14. Angelides P, Thomas B, Born B, Holtz-Eakin D, Georgiou B, Murren HH, et al. Final Report of the
National Commission on the Causes of the Financial and Economic Crisis in the United States
[Internet]. Washington DC, United States of America: Financial Crisis Inquiry Commission; 2011
Jan p. 29. Available from: https://www.govinfo.gov/content/pkg/GPO-FCIC/pdf/GPO-FCIC.pdf
15. Dodd-Frank Wall Street Reform and Consumer Protection Act [Internet]. 111–203 Jul 21, 2010 p.
1375. Available from: https://www.congress.gov/111/plaws/publ203/PLAW-111publ203.pdf
16. Stock Corporation Act [Internet]. Dec 12, 2019. Available from: https://www.gesetze-im-
internet.de/aktg/BJNR010890965.html
17. Corporate Sector Supervision and Transparency Act [Internet]. Apr 27, 1998. Available from:
http://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl&jumpTo=bgbl198s0786.
pdf
18. Risk Limitation Act [Internet]. Aug 18, 2008. Available from:
http://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl&jumpTo=bgbl108s1666.
pdf
19. Companies Act [Internet]. 2013. Available from:
https://www.mca.gov.in/Ministry/pdf/CompaniesAct2013.pdf
20. The Occupational Safety, Health and Working Conditions Code [Internet]. Sep 29, 2020. Available
from: https://labour.gov.in/sites/default/files/OSH_Gazette.pdf
21. Workplace Safety and Health Act [Internet]. Sep 1, 2006. Available from:
https://sso.agc.gov.sg/SL/WSHA1920-RG8
22. Risk Management Circular [Internet]. Ministry of Finance, United Arab Emirates; Available from:
https://www.mof.gov.ae/en/lawsAndPolitics/Policies/Pages/default.aspx
23. The Management of Health and Safety at Work Regulations [Internet]. 1999. Available from:
https://www.legislation.gov.uk/uksi/1999/3242/contents/made
24. Financial Services and Markets Act [Internet]. 2000. Available from:
https://www.legislation.gov.uk/ukpga/2000/8/contents
25. The Risk Transformation Regulations [Internet]. 2017. Available from:
https://www.legislation.gov.uk/uksi/2017/1212/contents
26. Hazard identification and risk analysis. Express Healthcare [Internet]. 2012 Nov 13; Available from:
https://www.expresshealthcare.in/strategy/hazard-identification-and-risk-analysis/
27. Steinberg S. Cyberattacks now cost companies $200,000 on average, putting many out of business.
CNBC LLC [Internet]. 2019 Oct 13; Available from:
https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-
business.html
28. Emerging Risks Report [Internet]. Marsh & McLennan Companies; 2014 Sep. Available from:
https://www.mmc.com/content/dam/mmc-web/Files/AheadoftheCurve-
UnderstandingEmergingRisks.pdf
29. Jensen JL, Ponsaig CD, Thrane S. Risk, resources and structures: Experimental evidence of a new cost
of risk component — The structural risk component and implications for enterprise risk
management. Risk Manage. 2012 Apr 25;14(2):152–75.
30. Hibbert AJ, Turnbull CJ. Measuring and Managing the Economic Risks and Costs of With-Profits
Business. Br Actuar J. 2003;9(4):725–77.
31. Bekefi T, Epstein MJ, Yuthas K. Managing Opportunities and Risks - Management Accounting
Guideline [Internet]. The Chartered Institute of Management Accountants; 2008. Available from:
https://www.cimaglobal.com/Documents/ImportedDocuments/cid_mag_managing_opportunities
_and_risk_march08.pdf.pdf

32. Enhancing Shareholder Wealth by Better Managing Business Risk [Internet]. New York, United States of America: International Federation of Accountants; 1999. Available from: http://devbiz.narod.ru/home/kozloff/PWC/risk_mngmnt99.pdf
33. Meulen R van der. COVID-19 Makes a Strong Business Case for Enterprise Risk Management [Internet]. Gartner; 2020. Available from: https://www.gartner.com/smarterwithgartner/covid-19-makes-a-strong-business-case-for-enterprise-risk-management/
34. Flanagan R, Norman G. Risk Management and Construction [Internet]. Wiley; 1993. Available from: https://www.wiley.com/en-in/Risk+Management+and+Construction-p-9780632028160
35. International Convergence of Capital Measurement and Capital Standards [Internet]. 1988 Jul 15. Available from: https://www.bis.org/publ/bcbs04a.htm
36. Basel Framework [Internet]. 2019 Dec 15. Available from: https://www.bis.org/basel_framework/index.htm
37. ISO 31000:2018 Risk management [Internet]. Geneva, Switzerland: International Organization for Standardization; 2018. Available from: https://www.iso.org/obp/ui#iso:std:iso:31000:ed-2:v1:en
38. Enterprise Risk Management - Integrating with Strategy and Performance [Internet]. Committee of Sponsoring Organizations of the Treadway Commission; 2017 Jun. Available from: https://www.coso.org/Pages/erm.aspx
39. Iyer V. COSO Enterprise Risk Management – Aligning risk and strategy [Internet]. 20th Global Conference of Actuaries; 2019 Mar 5; Mumbai, India. Available from: http://www.actuariesindia.org/downloads/20thGCA/ppt/5March/C3/C3%20-%20Vivek%20Iyer.pdf
40. Allen S. 2020 Global Healthcare Outlook - Laying a foundation for the future [Internet]. Australia: Deloitte Development LLC; 2020. p. 7. Available from: https://www2.deloitte.com/content/dam/Deloitte/za/Documents/life-sciences-health-care/za-2020-global-health-care-outlook.pdf
41. Sinha A, Phelps A. US Regulatory Healthcare Outlook 2020 [Internet]. Deloitte Centre for Regulatory Strategy, Americas; (Top Regulatory Trends 2020). Available from: https://www2.deloitte.com/content/dam/Deloitte/us/Documents/regulatory/us-regulatory-health-care-outlook-2020.pdf
42. Patel Y, Agrawal S, Mittal D, Bhandari R, Verma A, Brar D. Financial Risk Management: What healthcare organisations need to learn? [Internet]. Healthcare Senate - The National Private Healthcare Business Summit; 2018 Jul 14; New Delhi, India. Available from: https://www.expresshealthcare.in/healthcare-senate-special/financial-risk-management-what-healthcare-organisations-need-to-learn/404094/
43. Beasley M, Branson B, Pagach D, Scott P, Atallo D, Donahue K, et al. Top Risks Report 2020: Executive Perspectives on Top Risks for 2020 [Internet]. Raleigh, North Carolina, United States of America: NC State University - Poole College of Management (Enterprise Risk Management Initiative), Protiviti; p. 77. Available from: https://erm.ncsu.edu/library/article/top-risks-report-2020-executive-perspectives
44. Jha S. Analyzing political risks in developing countries: a practical framework for project managers. Aggarwal VK, editor. Bus Polit. 2013 Apr;15(1):117–36.
45. Accounting for failure: risk-based regulation and the problems of ensuring healthcare quality in the NHS. Health Risk Soc. 2016 Jun 27;18(3–4):205–24.
46. Mudgal Y, Burt A, Puri R, Hall P, Schmidt N, Dandapani A, et al. Artificial Intelligence Risk & Governance [Internet]. Philadelphia, Pennsylvania, United States of America: Artificial Intelligence/Machine Learning Risk & Security Working Group, The Wharton School, The University of Pennsylvania; Available from: https://ai.wharton.upenn.edu/artificial-intelligence-risk-governance/
47. Mossburg E, Gelinne J, Calzada H. Beneath the surface of a cyberattack - A deeper look at business impacts [Internet]. Deloitte Advisory; Available from: https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-risk-beneath-the-surface-of-a-cyber-attack.pdf
48. 2017 Cost of Cybercrime Study - Insights on the Security Investments that Make a Difference [Internet]. North Traverse City, Michigan, United States of America: Accenture Security, Ponemon Institute; 2017. p. 21–2. Report No.: 8. Available from: https://www.accenture.com/us-en/insights/security/eighth-annual-cost-cybercrime-study
49. Schoen J, Chopra V. The Harm We Do: The Environmental Impact of Medicine. J Hosp Med. 2018 May 1;(5):353–5.
50. Chavoshani A, Hashemi M, Amin MM, Ameta SC. Pharmaceuticals as emerging micropollutants in aquatic environments. In: Micropollutants and Challenges - Emerging in the Aquatic Environments and Treatment Processes [Internet]. Elsevier; 2020. p. 35–90. Available from: https://doi.org/10.1016/B978-0-12-818612-1.00002-7
51. Paisley J, Nelson M. Annual Global Survey of Climate Risk Management at Financial Firms [Internet]. Jersey City, New Jersey, United States of America: GARP Risk Institute; 2020. p. 13. Report No.: 2. Available from: https://climate.garp.org/wp-content/uploads/2020/05/GRI_ClimateSurvey_051320.pdf
52. Managing Risk - The Human Factor [Internet]. London, United Kingdom: Airmic; 2019. p. 7–9. Available from: https://www.airmic.com/system/files/technical-documents/Airmic-Guide-Managing-risk-the-human-factor.pdf
53. Denyer D. Organizational Resilience: A summary of academic evidence, business insights and new thinking [Internet]. British Standards Institution, Cranfield School of Management, Cranfield University; 2017. p. 16–9. Available from: https://www.cranfield.ac.uk/-/media/images-for-new-website/som-media-room/images/organisational-report-david-denyer.ashx
54. Langenmayr D, Lester R. Taxation and Corporate Risk-Taking. Account Rev. 2017 Jul 1;93(3):237–66.
55. Dawson B, Casey J. 2020 IA Webinar Series - Integration of Enterprise Risk Management with Internal Audit [Internet]. Webinar; 2020 Feb 25; United States of America. Available from: https://www.bdo.com/events/2020-ia-webinar-series-integration-of-enterprise-r
56. Lachapelle E, Aliu F, Emini E. ISO 31000:2018 Risk Management Guidelines [Internet]. Montreal, Quebec, Canada: Professional Evaluation and Certification Board; 2018 Feb. Available from: https://pecb.com/whitepaper/iso-310002018-risk-management-guidelines
57. Risk Assessment for Information Security [Internet]. United Kingdom: The British Standards Institution; Available from: https://www.bsigroup.com/LocalFiles/en-IN/Resources/BRISK_For_InformationSecurity-LR.pdf
58. Roche Group Risk Management Policy [Internet]. F. Hoffmann-La Roche AG; 2012 Mar. Available from: https://www.roche.com/dam/jcr:1933130a-cbc2-44f6-bdc6-b7dba5604547/en/risk_management_policy.pdf
59. Roche Group Annual Report 2019 [Internet]. F. Hoffmann-La Roche AG; 2019. Available from: https://www.roche.com/dam/jcr:a3545548-a7f9-40f4-a70e-7266a363f856/en/ar19e.pdf
60. Roche Group Annual Report 2010 [Internet]. F. Hoffmann-La Roche AG; 2010. Available from: https://www.roche.com/dam/jcr:36e796fd-5381-427f-bd14-c2bea3573b72/en/gb10e.pdf
61. Roche Group Annual Report 2011 [Internet]. F. Hoffmann-La Roche AG; 2011. Available from: https://www.roche.com/dam/jcr:52174b39-feab-4210-82f6-9b8786a69ecf/en/gb11e.pdf
62. Sharma R. The Rise and Fall of Nations - Ten Rules of Change in the Post-Crisis World. Penguin Random House; 2016. p. 132–134.
63. Harrison P. Great apes protected as EU restricts animal testing. Reuters [Internet]. 2010 Sep 8; Available from: https://www.reuters.com/article/us-eu-primates-ban/great-apes-protected-as-eu-restricts-animal-testing-idUSTRE6873MS20100908
64. Ghosh P. Government retains UK's strict animal testing regime. BBC News [Internet]. 2012 May 17; Available from: https://www.bbc.com/news/science-environment-18104614
65. Roche Group Annual Report 2012 [Internet]. F. Hoffmann-La Roche AG; 2012. Available from: https://www.roche.com/dam/jcr:3e048249-e3ce-4969-a77e-cc90d8f3fa73/en/gb12e.pdf
66. Roche Group Annual Report 2013 [Internet]. F. Hoffmann-La Roche AG; 2013. Available from: https://www.roche.com/dam/jcr:64fd6b2d-1a76-467f-badd-ab94b85b6d70/en/gb13e.pdf
67. Roche Group Annual Report 2015 [Internet]. F. Hoffmann-La Roche AG; 2015. Available from: https://www.roche.com/dam/jcr:9b36e11d-495c-42f5-b757-e80c4e88d793/en/gb15e.pdf
68. Roche Group Annual Report 2014 [Internet]. F. Hoffmann-La Roche AG; 2014. Available from: https://www.roche.com/dam/jcr:880b44a1-3fd6-4e66-bf10-f4af1e724d4d/en/gb14e.pdf
69. HDFC completes majority acquisition in Apollo Munich Health Insurance for ₹1,495.81 crore. Live Mint [Internet]. 2020 Jan 9; Available from: https://www.livemint.com/companies/news/hdfc-completes-majority-acquisition-in-apollo-munich-health-insurance-for-rs-1-495-81-crore-11578577371499.html
70. Apollo Hospitals Enterprise Limited Annual Report (FY 2005-2006) [Internet]. Apollo Hospitals Enterprise Limited; 2005. Available from: https://www.apollohospitals.com/apollo_pdf/Annual_Report-FY_31.03.2006.pdf
71. Apollo Hospitals Enterprise Limited Annual Report (FY 2006-2007) [Internet]. Apollo Hospitals Enterprise Limited; 2006. Available from: https://www.apollohospitals.com/apollo_pdf/Annual_Report-FY_31.03.2007.pdf
72. Apollo Hospitals Enterprise Limited Annual Report (FY 2007-2008) [Internet]. Apollo Hospitals Enterprise Limited; 2007. Available from: https://www.apollohospitals.com/apollo_pdf/Annual_Report-FY_31.03.2008.pdf
73. Apollo Hospitals Enterprise Limited Annual Report (FY 2015-2016) [Internet]. Apollo Hospitals Enterprise Limited; 2015. Available from: https://www.apollohospitals.com/apollo_pdf/annual-report-year-2016.pdf
74. Apollo Munich Health Insurance wins Golden Peacock Award for Risk Management 2017. Asian News International (ANI) News [Internet]. 2017 Feb 22; Available from: https://www.aninews.in/news/business/apollo-munich-health-insurance-wins-golden-peacock-award-for-risk-management-2017/
75. Apollo Hospitals Enterprise Limited Annual Report (FY 2018-2019) [Internet]. Apollo Hospitals Enterprise Limited; 2018. Available from: https://www.apollohospitals.com/apollo_pdf/annual-report-year-2019.pdf
76. Apollo Hospitals Enterprise Limited Annual Report (FY 2019-2020) [Internet]. Apollo Hospitals Enterprise Limited; 2019. Available from: https://www.apollohospitals.com/apollo_pdf/AHEL%20AR20%20Full%20Report%20-%20Updated%20eVersion%20(20200909).pdf
77. Risk Management Policy [Internet]. Apollo Hospitals Enterprise Limited; Available from: https://www.apollohospitals.com/apollo_pdf/ahel-risk-management-policy.pdf