Risky business

By Graeme Burton

When, in March 2006, the first human trials of the anti-inflammatory drug TGN1412 went horribly wrong, the response of the German pharmaceutical company that designed the drug, TeGenero, spoke volumes for the company’s risk management practices – to all intents and purposes, they would appear to have been minimal.

Rumours abounded that the drug had been tested on dogs – and that a dog had died. The company refuted this, although it insisted it had been tested on other mammals, but refused to elaborate. Later, news stories suggested that the drug had adversely affected monkeys in trials four years earlier and that tests on human tissue cultures indicated that it might also affect human cells, too.

The company simply insisted that it had seen, “no drug-related adverse events and… no drug-related deaths”. The debacle – and the response of both the German pharmaceuticals company, as well as the Boston, Massachusetts-based testing company, Parexel International, which had been conducting the human trials on TeGenero’s behalf – has left other organisations and professionals at the cutting edge of medical science fizzing with fury.

“They didn’t have a clue,” says Carolyn Olivare, the director of quality assurance, risk management and regulatory compliance for the LifeGift Organ Donation Center in Houston, Texas. “We hope that their mistakes won’t impact what we are doing here.”

That tragedy also underscores the fact that risk management as a discipline is as broad as business itself. Risk managers, in many respects, are compliance managers on steroids. The typical risk manager’s remit includes examining everyday business processes and procedures, and providing a plan of action in the event of something going wrong. In some organisations, their remit will also include financial regulatory compliance.

Then and now

Risk managers have got to be aware of how to identify risk, to be able to assess risk and, most importantly, they have got to be aware of how to manage risk in a structured, formalised way,” says Steve Perry, principal advisor in the risk management practice of consultants KPMG. There is often a fine line between risk management and business continuity planning.

It is all a far cry from how risk management used to be practiced in the 1980s, adds Perry, at least in certain quarters. “I used to work within a merchant bank [in London] where risk was managed by senior directors coming together over coffee at nine each morning and just looking at what jobs they had got on the go,” he says.

Today, while the practice may be more rigorous and scientifically based, the supporting tools that professionals use are still very basic. They need to collaborate with other members of staff in their organisation, to establish the potential adverse outcomes that could arise from the execution of everyday processes, and to draw up robust contingency plans, just in case the worst should happen.

In high-profile industries, such as pharmaceuticals, that will include a media management plan, so that the press is fed the right information, as well as recovery plans.

As a result, while many software vendors may hawk so-called ‘risk management solutions’, the most important ‘tools’ for risk managers remain the telephone – simply to talk to people elsewhere in the organisation about their experiences – as well as e-mail, of course, and a spreadsheet.

One of the most important management tools for Olivare is the simple method of ‘debriefing’ – talking to staff after a positive or negative work experience, such as delivering an organ to a hospital for a life-saving operation, or finding out about how such a process went wrong and working out how it can be improved upon to avoid such mistakes in the future.

Indeed, the heart of risk management, especially within particularly risky sectors, is the sharing of knowledge or information – not just internally, but between people in the same industry. The importance of knowledge sharing was recognised by US space agency NASA after the 2003 Columbia disaster.

It had a portal in place for disseminating lessons from past missions and projects, but it had been voluntary – there was no formal procedure whereby engineers could learn from each other’s experience. That is now being rectified with the establishment of an information portal purely for engineers to share what they have learnt.

Olivare also makes good use of the expertise available in the industry to learn about best practices from other organisations, as well as the opportunity to benchmark against them, via the Organ Collaborative organisation that operates in the US. “Centres that have good practices are coming together to share experiences in the hope that the ‘slower’ performers can learn from their experiences and, ultimately, increase the number of donors and lives saved,” says Olivare.

Sharing information can save lives: “At the last Organ Collaborative meeting in San Francisco, one of our pulmonary physicians went and he discussed with one of his counterparts about how to manage some of these lung patients that are potential lung donors to maybe rescue some lungs that don’t look so good – lungs that wouldn’t necessarily be suitable.

“He learnt some things from this gentleman and, coincidentally, we had a scenario where the lungs looked bad, but that the doctor was able to do some things,” says Olivare, with a successful outcome. “The lungs were transplanted into a nine-year-old girl with cystic fibrosis and she’s doing awesome,” she concludes.

Top to bottom

Olivare’s story also underscores the applicability and importance of risk management across the organisation – not just to dedicated risk managers such as her and Perry. Senior managers, on the one hand, are increasingly demanding the ability to have a high-level view of risk exposure across an organisation, in the same way that their business intelligence dashboards, for example, can give them a view of daily or weekly sales.

More important than that is the embedding of risk-mitigation procedures within broader corporate processes. “If we are lucky enough to win a piece of work at KPMG we have to go through quite strict procedures to ensure that we have covered all the risk and quality issues in taking on a particular client and a particular piece of work,” says Perry.

In practical terms, that means acquiring an approval number from a global system before a proposal is even started so that it can be tracked from the very beginning and the organisation can make sure that staff can only chase work that they are qualified to do. It also gives senior management an insight into the organisation’s sales pipeline, giving them visibility about upcoming work, work-in-progress and contracts completed.

Such systems are a great aid to enterprise risk management, but for the risk manager in their office, simplicity is the key. “I think the best tools a risk manager could have would include good quality processes that have ‘track and trend’ logs and tools or mechanisms for reporting events,” says Olivare. That and, of course, a good spreadsheet, e-mail access and a telephone.