It Case Study


Case Study: Eli Lilly

Background of the Organization


Headquartered in Indianapolis, Indiana, Eli Lilly and Company focuses on the research,
development, manufacturing, sale and distribution of human pharmaceutical and animal health
products. The company sells products in approximately 120 countries worldwide. Eli Lilly has a
market capitalization of approximately $90 billion, revenue in 2014 of $20 billion, and
approximately 41,300 employees worldwide.

Overview of ERM
While the company’s ERM program began formally in 2005, the integration of ERM with the
company’s strategic planning process started in 2007. In order to promote the importance of a
strong connection and assess ways to improve the link between ERM and the company’s
strategic planning process, the Sr. Director of ERM initiated a series of sessions amongst leaders
from the Corporate Strategy, Ethics and Compliance (E&C), and Legal functions. It was
especially important that key strategic risks be included in the ERM process, and that leaders
within Eli Lilly’s strategic functions be able to provide input on what risks were ultimately
elevated to an enterprise level.

Eli Lilly and Company uses a highly structured approach to implement its ERM process and
accomplish integration of ERM and strategy. The board-level components consist of the Audit
Committee and the Public Policy and Compliance Committee (PPCC), which provide oversight
and accountability at the board level.

The company chose to align ERM with its E&C function to benefit
from two key attributes: risk identification and independence. The
E&C function at Eli Lilly conducts risk identification and mitigation
as part of its daily operations; keeping ERM aligned with Compliance
would provide for greater efficiency. The Ethics and Compliance
department reports to the CEO with a dotted line of reporting to the
board, so aligning ERM with the E&C function allowed ERM to
maintain this essential, independent line of reporting as well.

The next element is the Compliance and Enterprise Risk Management Committee (CERMC),
which consists of senior management, including the Presidents of each of the company’s
business units and functions (e.g. LRL, Manufacturing, Quality and Global Services, etc.), the
President of Lilly’s largest affiliate, the Chief Medical Officer, the Chief Information Officer,
and the General Auditor.

Another critical component is the ERM Core Team, which consists of a group of six selected
members representing various areas of the business, including two executives in charge of
strategy (including the leader of Corporate Strategy), the board secretary, who is an attorney in
the Lilly Law Division, a CERMC member (Chief Ethics and Compliance Officer), and the two
individuals in charge of the company’s ERM process.

INTEGRATION OF ERM WITH STRATEGY - 9

Eli Lilly ERM Structure

Having a group such as the ERM Core Team provides several benefits. A multi-disciplinary team
provides an enterprise-wide perspective on both risk identification as well as prioritization.
Including strategic personnel provides a uniquely strategic point of view, and including a board
level perspective can keep the ERM team informed of board-level priorities or concerns and more
closely link ERM risks to the company’s current and future strategic initiatives. The mix of personnel
on the Core Team allows the group to evaluate operational risks through a long-term strategic lens
to identify entity-level risks and opportunities.

Each January and February, the ERM Core Team conducts workshops involving 40-50 leaders
across the company’s geographic regions and business units. The Core Team then uses the
information gathered from the workshops as well as its own internal discussions to put together a
report on entity level risks that is reviewed by the CERMC. The Core Team is able to pull
together themes that cross business unit/functional area boundaries and use their respective
points of view to prioritize these themes into entity level risks based on a strategic, enterprise-wide
perspective. In this way, the ERM Core Team serves as a critical transition point from the “silo”
perspective of the individual business units to the more enterprise-wide view of executive
management and the board.

For example, after completing its annual ERM
workshop process and reviewing the results, if the
ERM Core Team discovered that several different
business units have identified a similar risk, the
ERM Core Team could upgrade the risk from a
business unit risk to an entity level risk in the
report to the CERMC. Upon review by the
CERMC, additional resources could be assigned,
including the creation of a task force/team to look
specifically at the enterprise level risk and craft a
mitigation plan to be implemented on a company-
wide basis. This is just one example of how Eli
Lilly’s process is designed to take what appears to
be a business unit risk and escalate it to an
enterprise level to be dealt with and mitigated before it negatively affects the company.

Directly supporting the ERM Core Team are the ERM Liaisons, who typically have operational
responsibilities at the business unit or functional level. The ERM Core Team works closely with
the ERM Liaisons to identify risk owners within each business unit or functional area, and the
ERM Liaisons in turn work with the identified risk owners to craft a mitigation plan for the risks
they have been assigned. This ensures that those most directly responsible for managing and
mitigating the identified risks maintain ownership of the risks.

In addition to the assignment of risk ownership, oversight and monitoring are conducted
throughout the process to ensure that the mitigation plans are put into action. Based on whether a
risk has been assigned a high (red), medium (yellow), or low (green) risk designation on the
company’s ERM heat map, oversight is assigned to the CERMC, ERM Core Team, or Business
Unit Liaisons respectively (see Appendix A3 and A4). For example, review and oversight by the
CERMC involves a risk owner providing an update to the members. The ERM Core Team meets
with ERM Liaisons to review documents that support execution of the various mitigation steps,
and Business Unit Liaisons conduct their own review of the documentation supporting execution
of the various mitigation steps.

Integration of ERM with Strategy


One of the first obstacles to integration faced by Eli Lilly was
getting those involved in the process to avoid mentally
separating ERM risks from other strategic processes. From the
company’s point of view, integration should begin at the individual employee level, and this
required helping employees understand that ERM should not be separated from their other work.

One method the company used to overcome this obstacle was to ensure the timing of the
company’s ERM process coincided with the strategic planning process during the company’s
regular business cycle. When the strategic planning process begins in January and February,
business areas are responsible for establishing their portion of the strategic plan. Information
from this business unit level process is used as an input for annual ERM workshops, which
encourages employees to think about ERM at the same time they are already engaged in the
strategic planning process. This helps embed the ERM process at the strategic planning level and
increases the likelihood that strategic objectives directly inform the risk identification process.
Since the strategic planning process also involves scenario analysis activities, the company is
able to identify potential opportunities for competitive advantage arising from successfully
mitigated risks.

One of the keys to ensuring that personnel perceive ERM as more than just “another corporate
exercise” has been to focus on building relationships and educating employees on how the ERM
process has value for the company. This education has occurred by conducting CERMC and
board meetings as well as sessions with ERM Liaisons. Since the strategic planning process is
well-understood, and its importance widely accepted, linking ERM to the strategic planning
process from a corporate perspective helped forge the correct mindset.

The other key to integrating the process with strategy at the
employee level has been to create “local” ownership of the
process at the business unit level. This was accomplished by
establishing that the business leaders would ultimately be
responsible for the identified risks and their subsequent
management and mitigation. Additionally, making it clear that
the board of directors was keenly interested in knowing what the
risks were and how they were being managed created a powerful incentive that represented the
“tone at the top” and encouraged business unit leaders to make the process work.

After the CERMC conducts its review of the ERM Core Team’s report on entity-level risks, it
also reviews business unit strategic plans, which provides another level of strategy and ERM
integration. The CERMC is able to view the strategic plans through the lens of the recently
reviewed enterprise-wide risks distilled from the work of the ERM Core Team and ERM
workshops. Having this dual outlook helps identify overlooked areas or risks that may have been
included in the risk portfolio but not addressed in the strategic plan.

The last component of the integration cycle happens at the end of the business plan process, after the
final funding decisions have been made as part of the company’s budgeting process. The ERM
Core Team and the CERMC meet again to discuss whether any funding changes resulting from
the budgeting process have affected the previously identified risks, and whether any changes
need to be reflected in the company’s risk profile. The ERM Core Team reviews and provides
input regarding the risks included in the company’s 10-K, which provides a final critical
communication link between risk, strategy, and the company’s stakeholders. This provides a
good summation point for the ERM process, and ensures one final point of review that includes
both ERM and strategic perspectives.

Future Steps
The integration of ERM and strategy is an ongoing process that
Eli Lilly seeks to improve each year. The company has
identified three broad areas where it intends to further improve
integration between ERM and the company’s strategic process.
The first area of focus includes improving its identification of
opportunities and not just the threats represented by risks
identified in the ERM process. Further integration of ERM and
strategy will allow risks to begin to inform new strategic
directions and initiatives that add value to the company. The
company plans to implement this change by specifically
discussing possible opportunities during the risk identification
workshop process each year. The discussion will seek to
identify risks that, if mitigated properly, may lead to a
competitive advantage in the industry or marketplace. Any
opportunities identified will then be passed along to those in
charge of business planning.

The second area of focus is to more systematically consider
key risk indicators, or what the company calls “signposts”.
Identifying “signposts” can enable the company to activate or
revise a mitigation plan in time to effectively address emerging
risks. While there are business units that are doing this currently, the goal is to ensure consistent
enterprise-wide adoption in a more formal and documented manner.

The last area of focus will be to more clearly identify risk interconnectedness. Viewing all risks
as being potentially linked in some way will improve both the identification of how one risk can
amplify others, as well as improve management of risks across affected business units. This will
allow the company to be more efficient in managing risk, as well as assist in the identification of
new opportunities for improvement.

The company recognizes that integration is an ongoing process. Each of the critical elements of
integration has grown over time, and is the result of consistent leadership and support from the
top levels of the organization as well as a positive company culture surrounding risk
management and its integration with strategy.



Case Study: Daisy Company
Background of the Organization
Daisy Company is a leading national specialty manufacturer of high-quality personal care
products. The company’s products are sold in more than 95 countries and territories around the
world. The company’s net sales for fiscal year 2015 were $12.4 billion and net income was $1.3
billion.

Overview of ERM
ERM is a process by which the company identifies critical risks affecting its ability to
successfully attain its goals and strategy. The company has adapted its ERM process over the
years by adopting a subcommittee ERM approach that deals with major risk areas such as
strategy, technology, human resources, and emerging markets.

Daisy Company Corporate Risk Management Committee

The company has a corporate-level Risk Management Committee (RMC) which meets four
times a year and is made up of ten members from the senior level of the corporation. The
committee includes Presidents of Brands, Head of HR, the CFO, the Treasurer, and the Head of
Operations. Below the RMC, there are nine other subcommittees: Strategic Business Risk, Legal,
Research and Development, Finance and Reporting, Supply Chain, Cyber Risks, IT, HR, and
Emerging Markets. Each of these subcommittees has approximately 8-12 members at VP or
above level. Each subcommittee is made up of multi-disciplinary members to identify the risks to
the company as a whole. Once a year, towards the end of the year, the CRO presents the top
risks identified and the escalating risks to the CFO, CEO, Chairman, the Audit Committee and
the Board.

Daisy Company ERM Structure

The risk identification process begins with a questionnaire that goes to all subcommittee
members as well as risk owners and senior management. The questionnaire, which is part of the
company’s integration of ERM and strategy, includes the following questions:
What are the risks that would affect the strategy?
What are the operational risks?
What risks are escalating that will require priority focus in the current year, and
What risks are emerging risks that could have significant impacts in the future?

The questionnaire includes a catalogue of existing risks for reference, and then the risks are
updated based upon the results of the questionnaire. A risk template is used to record the
identified risks with a description, the risk owner, and a scenario analysis that shows how the risk
affects the company. The template also includes 1-3 risk drivers. The inherent risk is then rated
by the risk owner and RMC based on 3 criteria: probability, impact, and velocity. Then the risk
score is derived from these criteria. As part of the mitigation strategy, a risk owner is assigned
responsibility for developing a mitigation plan. There are also risk mitigation tasks which are
high-level tasks done to implement the strategy for mitigating the risk. In the subcommittee, each
task is rated to come to a composite score for the strategy and later, each owner of the committee is
responsible for having the template filled out. (See Appendix A5).

After completing the template, the risk owners and the committees then rate the risk on a residual
basis using the same 3 criteria (impact, probability, and velocity) to see how the mitigation
strategy has affected the level of risk. In addition, there is also a mitigation effort score using a
1-5 scale (deficient, weak, basic, acceptable, and comprehensive) to rate the mitigation actions. The
risk owner is then given the chance to provide an explanation for the risk rating score. In order to
know whether the plan has been implemented in the future or whether the mitigation plan has
worked, the risk owner re-rates the risk after mitigation has been implemented using the same 3
criteria (impact, probability, and velocity). From the risks and the ratings provided by the risk
owners, escalating risks are determined and reported to senior management [See Appendix A6].
For example, cyber risk is a high impact and high likelihood risk, and if it is graphed on the heat
map, it would be upper right. However, the heat map does not give people a chance to
communicate and talk about what they have done to mitigate the risk. Therefore, the residual
rating gives people the chance to show that they are doing all they can, and despite their efforts, the
risk is still remaining high, even with a mitigation plan in place.

Integration of ERM with Strategy


The CEO has driven the integration of ERM with strategy;
therefore, changes and improvements each year have been in the
direction of integrating ERM with strategy. The support and
strong tone at the top play an important role in the success of the
integration process of ERM with strategy. The risk committees
are made up of 8 operational subcommittees and one strategic risk
subcommittee with risk owners who are typically members of the
operational subcommittees. The strategic risk subcommittee is chaired by the head of strategy and
made up of senior management members. Each subcommittee, except for the risk
subcommittee, has its own risk owner, and risk owners are interviewed individually by the CRO of
the risk subcommittee.

The other key area of integration is the development of lagging KRIs for risk and mitigation
purposes. As a business, from the strategic plan, the company develops lagging KRIs to track the
various mitigation tasks. The risk indicators help the company to enact the mitigation plan in time
to effectively address emerging risks. For example, a lagging KRI might track sales in a particular
place and use the existing KRI to address any changes in risk and mitigation tasks when the
company plans to earn revenue in a particular location.

Finally, the company includes the risk templates in the normal strategy process and includes a
process for identifying the main risks to the strategy and the plan for managing those risks. After
the mitigation plan has been implemented, the RMC will re-assess to see whether additional
actions would be needed and send the summary to the finance department to make sure funds are
available.
The corporate risk management committee and the risk subcommittees meet quarterly. The
subcommittees usually meet early in the third quarter. The strategic planning process typically
starts near the end of the year, while the budgeting process takes place in the later part of the
third quarter. The strategy process and the risk management process are ongoing, simultaneous
processes. The company sees risk management and strategic planning as a continuous, ongoing
cycle, so they do not try to fit things into a prescribed time, but rather maintain flexibility to
respond to changing conditions.

Daisy Company ERM Timeline



Future Steps
The ERM process has been improving each year, involving more personnel throughout the
organization. Since its inception 15 years ago, it has matured in tandem with the strategic
planning process. The company has a very strong tone at the top which has supported the
continuous improvement of these processes. One of the most significant improvements in the
process came about during the aftermath of the financial crisis, when the company put more
structure around risk mitigation plans and mitigation efforts.

The company is now in the process of introducing a new set of
reporting procedures which will take more of a dashboard
approach, in an effort to better communicate risk information.
However, the company still believes that informal
communications between the key players dealing with risks
and strategy are critical, and those discussions need to continue.

At the business level, at first, personnel may have felt that
considering risks represented additional work, and did not
really see the immediate benefit. However, the RMC has been
trying to be a facilitator to keep the load on others as light as
possible, so the workload effect was not so dramatic. For
example, the strategic business risk subcommittee used to
request that the other risk committees complete the risk
templates. Now, the strategic business risk committee gathers
the information themselves, completes the templates, and sends
it to the other risk committees for review. Now that the benefits
of the ERM process are widely recognized, and the process has become institutionalized,
changes in personnel have not had a disruptive effect. New personnel quickly adapt to the
process as a result of the strong culture of the company.

The company realized the importance of integration of ERM and strategy early, from the
beginning of the ERM process, and considers integration to be an ongoing process. The ERM
process as well as the integration with strategy have grown over time as a result of consistent
support from the top levels of management and the company’s culture.



Conclusion
There is no best “home” for ERM within a company’s operations; rather, ERM should be
well-positioned to have proper reporting channels and have an effective vantage point of the
company’s operations to avoid potential “blind spots.” This can vary depending on the nature
of the company’s operations, its culture, and organizational structure.

It is essential to remember how important the tone and expectation coming from top
leadership is in creating and maintaining a successful ERM process, especially one that is
functionally integrated with strategic planning.

Take time to build relationships through educating key business process leaders about the
benefits of the company’s ERM process. Business leaders will more fully engage in the
process when they see inherent value in the process.

No matter where a company is in its ERM process, communication and education of those
involved is critical to keeping ERM relevant, accepted, and supported.

Assign risk ownership and mitigation at the business unit level. Making business unit and
functional area level personnel responsible for owning risks and crafting mitigation plans
makes strategy and risk management coexist in the same space. This provides the “front-line”
integration of risk and strategy, since the individuals responsible for carrying out strategic
objectives are also involved in risk ownership and mitigation.
