1.What is Risk Management, what are the benefits? 2.The ... · Part I. Background 1.What is Risk...


Page 1:

* Part I. Background

1. What is Risk Management, what are the benefits?

2. The Risk Management Framework

* Part II. Risk Management Process

1. Risks vs. Issues vs. Exceptions

2. Establish the Context

3. Assess the Risks

4. Treat the Risks

5. Monitor and Review the Risks

* Part III. Supporting Information

1. Global IT Risk Management Community

2. Risk Management Resources

Page 2:

Risk Management

• The systematic and comprehensive identification and understanding of risk factors and their associated risks, together with a decision making process to implement appropriate controls.

• Aims to maximize potential opportunities, control uncertainties and minimize potential threats, thereby increasing the probability of achieving business objectives.

• Includes the conscious decision to accept risk.

• Is an ongoing (iterative) process

Risk

• A risk is an uncertain future event that could affect the achievement of objectives.

• Is forward-looking (not a current issue)

• Has an element of uncertainty

• Could affect the achievement of objectives.

• Risk can be accepted, threats mitigated (reduced) or transferred, opportunities exploited and contingency plans can be prepared in case the risk (opportunity or threat) actually occurs.

Operational Risk

• A risk that impacts operational effectiveness or efficiency.


Page 3:

• Provides a consistent approach across the service and system spectrum, and documents the justification of decisions made in regards to risk and improvement activities.

• Formal Risk Management makes good business sense:

• Reduces total cost of ownership by lowering critical system failures, which increases system quality and customer satisfaction

• Reduces risk to an acceptable level

• Scales improvement activities commensurate with system/service complexity, customer expectations, supplier capabilities, and regulatory requirements

• Incorporates the evaluation of business and regulatory risks

• Focuses support activities where it’s most appropriate

• Improves the visibility of key decisions pertaining to risk

• Mitigates risk to patient safety, product quality, and data integrity

• Optimizes the use of resources and company assets

• Aligns to FDA’s risk based guidance and shareholder expectations


Page 4:

Background and purpose

A maturity roadmap provides a way to prioritise and visualise development activities for Risk Management in your organization.

The initial Maturity Roadmap provides an objective starting point: you have to know where you are before you can build the roadmap to where you want to be.

A sample roadmap follows.


Page 5:


Mapping of COSO Framework components to the Compliance Framework and the Maturity Roadmap areas:

COSO Framework: Control Environment – Compliance Framework: Organisation & Culture – Maturity Roadmap: Organisation & Culture

• Ensure effective oversight

• Collaboration between Group Risk, Assurance Functions & IAS

• Risk Management embedded within business activities

• Senior Stakeholder Engagement

• Promote awareness of Risk Management

• Effective Risk Networks

COSO Framework: Risk Assessment – Compliance Framework: Risk Identification & Assessment – Maturity Roadmap: Risk Identification & Assessment

• Set and Embed Group Risk Appetite

• Identify Risks

• Understand Risks

COSO Framework: Control Activities – Compliance Framework: Standard Setting & Control Activities – Maturity Roadmap: Standard Setting & Control Activities

• Develop a Risk Management Approach

• Manage Risks

• Relevant use of tools and technology

COSO Framework: Information & Communication – Compliance Framework: Training, Communication & Reporting – Maturity Roadmap: Training, Communication & Reporting

• Educate and Train Employees

• Effective Reporting

COSO Framework: Monitoring Activities – Compliance Framework: Monitoring & Auditing, Investigations & Remediation – Maturity Roadmap: out of scope of Group Risk team; Compliance and IAS carry out these activities

Page 6:


Organizational Maturity Roadmap (scores: Current Maturity / 2016 / 2017+)

| Area and activity | Current Maturity | 2016 | 2017+ |

| Organisation & Culture | 2.0 | 3.0 | 4.0 |

| Ensure effective oversight | 3.0 | 4.0 | 4.0 |

| Collaboration between Group Risk, Assurance Functions & Compliance | 2.0 | 4.0 | 4.0 |

| Risk Mgmt embedded within business activities | 2.0 | 3.0 | 5.0 |

| Senior Stakeholder Engagement | 3.5 | 4.0 | 5.0 |

| Promote awareness of Risk Management | 2.5 | 4.0 | 5.0 |

| Effective Risk Networks | 1.0 | 4.0 | 4.0 |

| Risk Identification & Assessment | 3.0 | 3.5 | 4.0 |

| Set and Embed Group Risk Appetite | 3.0 | 4.0 | 5.0 |

| Identify Risks | 3.3 | 4.0 | 5.0 |

| Understand Risks | 2.7 | 3.0 | 5.0 |

| Standard Setting & Control Activities | 2.8 | 3.3 | 5.0 |

| Develop a Risk Management Approach | 3.3 | 4.0 | 5.0 |

| Manage Risks | 2.5 | 3.0 | 5.0 |

| Relevant use of tools and technology | 2.5 | 3.0 | 5.0 |

| Training, Communication & Reporting | 2.0 | 3.0 | 5.0 |

| Educate and Train Employees | 1.5 | 2.0 | 5.0 |

| Effective Reporting | 2.5 | 4.0 | 5.0 |

[Chart: maturity by area (Organisation & Culture; Risk Identification & Assessment; Standard Setting & Control Activities; Training, Communication & Reporting), series Current, 2016, 2017+]

Page 7:

• The Larger Picture

• How we use this Framework

[Diagram: ISO 31000:2009 Risk Management – Principles and guidelines; Global IT Risk Mgmt Standard; IT Control Framework Risk Management Process Diagram]

[Process diagram elements: Communication and Consultation; Establishing the Context; Risk Assessment; Risk Treatment; Monitoring and Review]

Page 8:


Definitions

• Risk: Is something that has not yet happened.

• Issue: Is any uncontrolled activity or event which has already happened.

• Exception: Is a planned approved deviation from IS Policies and Standards.

• Note: We have separate processes for managing Risks, Issues, and Exceptions.

Risks, Issues, and Exceptions are Different but can be Related

• An issue can lead to the identification of a risk.

• An issue may lead to the requirement for a temporary exception.

• An exception usually has risks associated with it.

[Diagram: ISSUE – Failure of backup for GxP System → can lead to → RISK – Other backups might fail → can lead to → EXCEPTION – Request for exception until system can be fixed (a temporary exception may be raised)]

Page 9:

Objective: Understand the scope for the IT risks you need to consider

Risk category

Business Change

Business Systems

Compliance with external Regulation

Data Quality

Emerging Technology

Global IT

IT Asset Management

IT Governance and Leadership

IT Resilience

People, Culture & Behaviours

Projects

Security & Privacy

Sourcing

Strategy & Architecture

• Future risks to consider

• Grey Swans & Black Swans

• Initiatives that must be delivered

Supporting process document: Guidance A - Establishing the context

• XX risk areas specific to Your organization (e.g., IT)

[Diagram: Establish External Context; Establish Internal Context; Review key business objectives; Your corporate strategy/goals]

Page 10:

Objective: Identify risks and determine if they should be mitigated or accepted


A. Identify Risks

• The Requirement: Risks greater than $3M must be reported for Quarterly Business Review

• The Guidance:

• Risks that keep you up at night

• Risks that leadership L1, ITLT, CIO or group VP should know about

Supporting process document: Guidance B - Risk Identification

B. Analyze Risks

• IT Risk Criteria: Impact (Financial & Reputational); Likelihood of Occurrence; Calculated Risk Score

• Current Position

• Trends

• Existing Controls

Supporting process document: Guidance C - Risk Analysis

C. Evaluate Risks

• Understand what it means to Your Organization

• Decide appropriate steps: Reduce or Accept

• Target Risks

• Requirement for Treatment

• Prioritization

Supporting process document: Guidance E - Risk Evaluation

Page 11:


Impact

• An outcome of any circumstance, action, situation or event

• Outcomes can be positive (opportunities) or negative (threats)

• Pragmatically, we focus on managing negative outcomes

Likelihood of Occurrence

• The probability of an event occurring

• Ranges from a 1% chance (very low) to a 99% (very high) chance

• 0% means it will not occur

• 100% means it will occur

• If it has already occurred, it is not a risk (but rather an issue), though it could give rise to subsequent risks

Risk

• Risk = Impact x Likelihood of Occurrence

• Once a risk has been identified, it moves into Treatment/mitigation

• Options:

Avoid (slide note: "This is not risk management")

Share

Transfer

Reduce

Accept (slide note: "Pragmatically, we operate here")

A risk is something that has not yet happened.

Page 12:


• Risks greater than $x must be reported for Escalation

Supporting process document: Guidance G - Example Good Practice Risk Register

Table A: Global IT criteria. Likelihood, Financial Impact and Reputational Impact are each rated on the same five levels (VH, H, M, L, VL); the Score column is the numeric value of the level.

| Level | Likelihood definition | Financial Impact | Reputational Impact | Score |

| VH - Very High | An event you can expect to happen within a 12 month period | >$200m | Significant impact on AZ Group. Sustained international media and/or regulatory involvement. Group crisis. | 5 |

| H - High | A realistic event for AZ that can be anticipated to happen, either in AZ or a closely allied business | >$100m | Impacts AZ Group. International media and/or regulatory involvement. Possible financial implications and developing crisis. | 4 |

| M - Medium | An event that can be envisaged but has not occurred in the business area or AZ | >$30m | Regional impact. Media and/or regulatory involvement. Possible impact for other regions/parts of the business. | 3 |

| L - Low | A rare event that can be envisaged but hasn't happened in the company's history | >$10m | Largely local impact. Limited external interest, e.g. media, regulatory and stakeholder management required | 2 |

| VL - Very Low | Never happened & relies on multiple unlikely events | >$3m | Localised effects. Short lived impact. | 1 |
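The scoring described on the two preceding slides (Risk = Impact x Likelihood on the Table A 1-5 levels, plus the rule on page 10 that risks greater than $3M are reported for the Quarterly Business Review) can be worked through in code. The following Python is an added example written for this page, not a tool from the deck or the organisation it describes. Where the slides do not say, it assumes that overall impact is the worse of the financial and reputational levels and that an exposure at or below the $3m VL band receives no financial level; the three-entry register is constructed for illustration.

```python
"""Risk scoring against the Table A criteria (added example, not the deck's own tool)."""
from dataclasses import dataclass

# Table A: the five levels and their numeric scores (VH 5 ... VL 1).
LEVEL_SCORE = {"VH": 5, "H": 4, "M": 3, "L": 2, "VL": 1}

# Table A financial impact bands in $ millions, highest first ("VH >$200m", ...).
FINANCIAL_BANDS_M = [(200, "VH"), (100, "H"), (30, "M"), (10, "L"), (3, "VL")]

# Page 10: risks greater than $3M must be reported for the Quarterly Business Review.
QBR_THRESHOLD_M = 3


@dataclass
class Risk:
    title: str
    likelihood: str            # Table A likelihood level: VH, H, M, L or VL
    financial_impact_m: float  # estimated financial impact in $ millions
    reputational_impact: str   # Table A reputational level: VH, H, M, L or VL


def financial_impact_level(amount_m):
    """Map a $m exposure to its Table A band; None at or below the VL band (assumption)."""
    for threshold, level in FINANCIAL_BANDS_M:
        if amount_m > threshold:
            return level
    return None


def level_score(level):
    """Numeric score for a Table A level; rejects anything outside the five levels."""
    if level not in LEVEL_SCORE:
        raise ValueError(f"unknown Table A level: {level!r}")
    return LEVEL_SCORE[level]


def score_risk(risk):
    """Risk = Impact x Likelihood, using the Table A 1-5 scores (range 1..25)."""
    fin_level = financial_impact_level(risk.financial_impact_m)
    fin_score = level_score(fin_level) if fin_level else 0
    rep_score = level_score(risk.reputational_impact)
    impact = max(fin_score, rep_score)  # assumption: worst of the two impact criteria
    likelihood = level_score(risk.likelihood)
    return {
        "title": risk.title,
        "financial_level": fin_level,
        "impact_score": impact,
        "likelihood_score": likelihood,
        "risk_score": impact * likelihood,
        "report_to_qbr": risk.financial_impact_m > QBR_THRESHOLD_M,
    }


def prioritise(register):
    """Evaluation step: order the register by risk score, highest first."""
    scored = [score_risk(r) for r in register]
    return sorted(scored, key=lambda s: (-s["risk_score"], s["title"]))


# Constructed sample register (illustrative entries, not taken from the slides).
SAMPLE_REGISTER = [
    Risk("GxP system relies on a single, untested backup path", "H", 12, "M"),
    Risk("Unsupported operating system on an externally facing platform", "VH", 150, "VH"),
    Risk("Legacy supplier contract lapses before renewal", "L", 2, "VL"),
]

if __name__ == "__main__":
    for entry in prioritise(SAMPLE_REGISTER):
        flag = "QBR" if entry["report_to_qbr"] else "   "
        print(f'{entry["risk_score"]:>2} {flag} {entry["title"]}')
```

Running the block prints the register in priority order with a QBR flag on the entries whose financial impact exceeds the $3M reporting threshold. The band lookup is strict (">$100m" means $100m itself falls into the M band), mirroring the way Table A states its thresholds.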

Page 13:

Objective: Treat and mitigate risks according to an approved plan


Identify Risk Treatment Options

• Avoid • Share • Transfer • Reduce • Accept (slide note: "Pragmatically, we operate here")

Prepare Risk Treatment Plan

• Specific • Measurable • Achievable • Realistic • Timely

• Must include: Actions/Tasks; Delivery Dates; Responsible Parties

Associate Risk Treatment Plan to Service Improvement Plan (SIP)

• Provides transparency and awareness • Ensures management approval and prioritization • Facilitates reporting

Implement Risk Treatment Plan

• Execute activities and tasks per agreed plan

Supporting process documents: Guidance F - Risk Treatment; Guidance D - Controls and Contingencies

Page 14:


Objective: Ensure risk treatments are progressing as planned, and adjusted as needed

Review risks in Risk Register

• Access IT Area Risk Register

• Review: Risk Description; Treatment Plan; Net Risk Score; Trend; Comments/Updates

• Does it make sense? Is it current? Is it in control?

Update risks in Risk Register

• Update IT Area Risk Register with latest view: progress against the Treatment Plan; barriers to progress

• Adjust as needed: Risk Score; Trend; Treatment Plan; Risk Description

Review risks with Leadership

• Review IT Area Risk Register with Leadership

• Tower Leads – must support the current risk position

• ITLT Members – own all risks in their areas

• Update IT Area Risk Register with Leadership feedback

Page 15:

Problem Areas and Elements to Consider

Risk Description

• Should include four elements:

1. What’s the situation?

2. What’s the risk?

3. What’s the impact to IT Area?

4. What’s the impact to the Business?

• Avoid stating issues

• Expressed as something likely to occur if not managed

• Try to turn risks into opportunities

Treatment Plans

• Must be an up-to-date plan of action described in SMART terms: Specific; Measurable; Achievable; Realistic; Timely

• Must include: Actions/Tasks – What? Delivery Dates – When? Responsible Parties – Who?

• Be creative, think of ways to avoid risk

• Ensure stakeholder involvement

Key Controls

• Must be current

• Detail existing controls that are in use

Comments and Updates

• Should be included if extra info is needed to explain deltas in expected progress against the Treatment Plan

• Describes progress from last update

• Should be aligned to defined Treatment Plans

Net Risk Scores and Trends

• Net Risk Scores should be routinely evaluated to reflect “current” risk

• Risk Trend should be adjusted and justified

Page 16:

• Success is about taking risks

• Understanding risks to see opportunities, and taking risks responsibly

• Risk Management is not about compliance, it’s about managing day to day activities to achieve objectives

• Risk Management provides evidence of accountability and makes risks visible to leadership and stakeholders

• Making risks visible leads to surprise reduction at all levels of management right up to the board (take this challenge on board even if it is culturally a difficult behaviour)

• Focus should be on developing risks that are material to objectives, especially organizational goals and strategy

• Make sure largest risks have contingency plans in place

• Management must engage for risk management to be successful

• Risk Management can only succeed if you discuss risks with your colleagues, peers, stakeholders, and leadership


Page 17:


IT Functional Areas – What You Need to Do

* Support line management-led processes, tools and resourcing for effective risk management.

* Work with the ITLT member and their leadership teams, to enable and facilitate risk discussions, attention and focus.

* Lead annual/quarterly assessment and reporting of risks including; strategic, performance/operational, reputational, financial control, and compliance risks.

* Submit a comprehensive ITLT area risk assessment as part of the Global IT annual business planning and Budget processes.

* Provide ongoing risk training and support.

For Global IT – What We Do

* Define Global IT risk management standards, process, performance and maturity levels.

* Provide risk management oversight, challenge when required and maintain an independent view of Global IT Risks.

* Provide consultancy and advice to Global IT on tools and training, to support 1st line capability and performance.

* Support and provide risk management guidance to the ITLT Risk Leads.

* Work with CIO and other members of the ITLT and their teams, to facilitate robust risk discussions.

* Provide guidance and oversee the IT annual/quarterly assessment of risks for QBR submission, including; strategic, performance/operational, reputational, financial control, and compliance risks.

* Build and continually improve Global IT risk management culture and capability.

* Monitor the effectiveness in the implementation of the Risk Management process within Line 1 Global IT and the quality of its execution.

[Organisation chart: IT Areas – Strategy and Performance; HR/Legal/Corp Affairs IT; Finance & GPPS IT; Operations IT; Infrastructure & Operations; Software Shared Services; RDI; MedImmune; R&D IS; Commercial IT. Each IT Area has an ITLT Risk Lead, linked to Global IT Risk Management (GRL).]

Page 18:

• Global Policy - Safeguarding Company Assets and Resources

• The Company is committed to effective risk management

• Organizational (IT) Policy

• Risks arising from IT activities must be identified and managed. This is a responsibility of all IT managers.

• Global IT Risk Management Standard

• The purpose of this standard is to mandate the minimum requirements for an appropriate and consistent level of risk management activity across Global IT (SET IT & Corporate IT).

• IT Control Framework Risk Management Process Diagram

• Risk management process flow

• Links to policies and standards

• Links to guidance documents

• Links to training module

• Quality and Compliance Manual

• Various risk-related standards

[Embedded on the slide: Global Policy; IS Policy; Risk Mgmt Std]

Page 19:
