WEC

MADRID 18TH MARCH 2004

ASTRAZENECA’S APPROACH

TO SUPPLIER RISK MANAGEMENT

INTEGRATED BUSINESS MANAGEMENT

CORPORATE RESPONSIBILITY PRINCIPLES FOR SUPPLIERS

RISK MANAGEMENT IN BULK DRUG OUTSOURCING PROJECTS

Principles

1.Delivering opportunities by managing risk is a key part of all our activities.

2. In all our activities, risk should be understood an visible.

3.Approaches to managing risk will be simple flexible and sustained.

4.Business context will determine the level of acceptable risk and control.

5.Risk will be managed consistent with Company Values

Understand Identify

• PlanRisk Management PlansEnabling ResourcesMonitoring & Reporting

• Review& LearningReview Overall OutcomesLearning ReviewSharing Learning

• Consequences

RewardsImpacts

• Likelihood

• ContextMap ContextEngage Stakeholders

• BoundariesAgree Scope & Objectives

• Opportunities• Threats

RiskLanguage

Review

Outcomes/Learning

Culture and Values

ManageAssess

Measure Score Financial ($ or Time Delay)

Score Reputational Score

VH - Very HighAn event you can expect

to happenVH TO COMPLETE VH TO COMPLETE VH

H - High

An event that can be anticipated to happen and this area/AZ or a closely

allied company have experienced such an

event

H H H

M - Medium

A rare event that can be envisaged but has not

occurred in this area or in AZ

M M M

L - Low

An event that can be envisaged but hasn’t

occurred in the company history (e.g. requires a combination of two or more events to occur).

L L L

VL - Very Low

An event that can be conceived but is

considered to be very difficult to realise (e.g.

requires a combination of several events to occur)

VL VL VL

Financial Weighting 50 Reputational Weighting

50

Likelihood ImpactImpactDefinitionsRisk Criteria

Competitors Political change

Customers Legal change

Partners Markets restructuring

Technology Change Regulatory Change

Interest rates Contractual

Currency Litigation

Cash flow, Credit Intellectual Property

Financial Markets Challenge

Reorganisation Leadership

Communication breakdown Authority limits

Performance incentives

Fire Product tamper/recall

SHE Incident Patient injury

Natural Hazard Product contamination

Supplier failure Terrorism

Loss of SHE or Medicines Licence Civil unrest

Loss of People Crime

Fraud Strikes

Ethical failures Industrial Action

Theft of Intellectual Property Sabotage

Loss of data System access

System integrity System availability

Business Environment

Financial & Commercial

People

Information

Organisational / Leadership

Operational

Identification Checklist

VH

H

M

L

VL

VH H M L VL VL L M H VH

Likelihood Likelihood

Imp

ac

t

THREATS OPPORTUNITIES

Threat & Opportunity Risk Profile

Corporate Responsibility

Principles in Purchasing

2003 Progress&

2004 Objectives

What is Corporate Responsibility (CR)?

• Business interruption risk management

• AstraZeneca’s Reputation

• Insurers, investors and media interest

Purchasing and CR

• Mandatory SHE standard

We are committed to living our values by ensuring consistently high standards of corporate responsibility wherever AstraZeneca has a presence or impact.

AstraZeneca CR Goals

What does this mean for Purchasing? • The overarching principle is that it is our objective to

increase suppliers' awareness and seek improvements, rather than excluding any suppliers based on poor performance.

• However, if the performance remains poor, we will take steps to place our business elsewhere.

• CR should be incorporated into the selection and relationship management of our suppliers whilst ensuring that basic legal requirements are included in contracts.

• We can only expect our suppliers to do what we are prepared to do ourselves.

Objectives 2004

• Continue to build CR into contracts, frameworks or master service agreements (Purchasers)

• Continue to include CR in Business Control Meetings with strategic and key suppliers (Purchasers).

• Build CR into the consistent Category Management process being developed as part of Transformation(Implementation Team)

Risk Management in Bulk Drug Outsourcing Projects

The purpose of the AstraZeneca Supplier Risk Assessment is to:

• Ensure compliance with the AstraZeneca SHE Policy and Standards (Std 6)

• Assure security of supply by identifying and managing risk

• Facilitate the provision of insurance cover• Identify possible costs associated with SHE

improvements as early as possible• Safeguard AstraZeneca’s image and

reputation

Supplier evaluation – key principles• Carried out for all new suppliers and new

projects at existing suppliers.• Scheduled by the Outsourcing Project

Managers (OPM) as one of the project deliverables.

• Lead by trained auditors (OPMs), supported by others (OPMs, purchasing, project team members)

• Reinforced by specialists (Corporate SHE, QA, etc) where necessary.

Supplier Risk Assessment

• An initial assessment of standards:– Safety, Health and Environmental risks– Corporate Social Responsibility– Technical capability– Quality systems– Commercial status

Risk Assessment in an Outsourcing Project

Preliminary Assessment

RiskAcceptable

?

Specialist Assessment

ProjectImplementation

On Going Supply

Do not progress

Supplier SelectionY

N

Unsure

Preliminary Assessment

RiskAcceptable

?

Specialist Assessment

ProjectImplementation

On Going Supply

Do not progress

Supplier SelectionY

N

Unsure

Audit Preparation• Pre-audit questionnaire• Pre-audit document request• Form audit team, agree

scope of audit• Review returned data• Identify key issues for audit• Finalise scope and logistics

Audit Process• Understand management

systems• Assess apparent strengths

and weaknesses• Gather audit evidence• Re-assess, evaluate results• Report audit findings (AZ

only)

Preliminary Assessment

RiskAcceptable

?

Specialist Assessment

ProjectImplementation

On Going Supply

Do not progress

Supplier SelectionY

N

Unsure

Supplier Selection• Risk assessment findings considered as part of supplier

selection process, along with other factors (e.g. cost, time, capacity, regulatory, commercial, intellectual property)

• Project proposal is a formal project document where chosen supplier is approved

• Business sign on to associated risks and any improvement plans

Preliminary Assessment

RiskAcceptable

?

Specialist Assessment

ProjectImplementation

On Going Supply

Do not progress

Supplier SelectionY

N

Unsure

Project Implementation• Project activities to include

any improvement plans from audit

• Included in development contract

• Further project specific audits as required

Preliminary Assessment

RiskAcceptable

?

Specialist Assessment

ProjectImplementation

On Going Supply

Do not progress

Supplier SelectionY

N

Unsure

On Going Supply• Periodic review of risk

assessment• Utilise appropriately trained

resources• Basis for continuous

improvement, managed through Business Control process

Questions For Discussion

• How far should we expect/require suppliers to go in complying with CR principles?

• To what extent should we monitor/audit their compliance?

• In reporting our Environmental performance should we include the impact of outsourced activities?