Skip to main content.

Strategic program to expand a portfolio of health products


This case describes how an international pharmaceutical company used risk management to examine a significant long-term strategic agreement with another organisation in a complementary medical sector, for the purpose of developing improvement actions to enhance its success. The case discusses how the process was planned and conducted, and how the company’s enterprise risk management processes were tailored for the specific strategic and implementation decisions that were involved. It also discusses how the company made sense of the large amount of information generated in a series of risk-related workshops, to develop a practical and manageable set of improvement plans.


The agreement

Our client was an international pharmaceutical company. It was about to enter into a significant long-term strategic agreement with another organisation, working in a complementary medical sector, to allow it to make use of that organisation’s specialist supplies, capabilities and intellectual property. The agreement would provide an opportunity for a significant enhancement of the company’s product portfolio and its international presence.

Implementing the strategic agreement would involve a program of four large joint projects.

Risk management requirements and approach

The proposed agreement involved high stakes for the company. There were huge opportunities were the program to be fully implemented, but it required a substantial long-term commitment. The company would need to expand significantly an existing production plant, as well as its operations in several continents. Overall, the program would have long-lasting effects on the company’s strategic objectives and its future prospects.

The company wanted to fully understand those effects and their implications, so it could improve its planning to enhance the opportunities and reduce the threats. As part of developing its understanding and supporting its decision-making, the company embarked on a structured risk management activity that followed its enterprise risk management (ERM) process, itself aligned with ISO 31000.

Three workshops were conducted:

  • An initial workshop focussed on clarifying the scope and context of the strategic agreement, the company’s objectives and its criteria for success, and the scope and purpose of the risk management activity itself
  • A risk assessment workshop identified risks and confirmed priorities for addressing them
  • A treatment workshop developed and agreed action plans for addressing the high-priority risks and improving the outcomes from the program.

Scope, context and criteria


The strategic agreement would be a major milestone in the development of the company’s product portfolio and international presence. This meant that risks associated with the agreement could have implications for almost all parts of the company and its current and future business.

The primary purpose of the initial assessment was to help ensure the agreement was a success. To focus attention where it was most needed, the scope of the risk assessment was set to strike a balance between being broad enough to cover all relevant issues yet narrow enough to achieve a meaningful outcome in the time available.

It was agreed that the risk assessment would focus on:

  • The contract that formalised the agreement
  • Commercial exploitation of the agreement in both the short term, through the four constituent projects, and the longer term, through other products that might flow from the agreement
  • Requirements for sustaining the agreement and related activities
  • Development of a wider global presence with all the opportunities and exposures that would entail
  • Implications of the processing plant expansion
  • Requirements for regulatory approvals.

Without diminishing their importance to the company, the risk assessment did not encompass:

  • Potential changes to the contract
  • Further initiatives with the other company
  • The plant expansion itself
  • Further initiatives that might flow from the company’s enhanced profile.

The exclusion of some matters did not imply they were insignificant. It was simply a mechanism to focus attention where it would yield the most benefit in the time available for the workshops. The areas excluded from this analysis were to be examined in later risk assessments.


It was important to understand which individuals and organisations could influence the outcome of the new agreement. The aim was to identify the major influencers on the initiative and understand their motivations. Only the significant influencers were considered.

The stakeholders who needed to be taken into account to assure the success of the initiative are summarised in Table 1, with a note of their primary concerns.

Table 1: Stakeholder summary


Main concerns

The company and its shareholders

Overall success of the agreement

Exploit an enhanced product portfolio and international presence for further growth

The other organisation

Exploit their specialist capabilities commercially

Reduce reliance on their current major pharmaceutical partner

Key suppliers

Maintain their existing relationships with the company, maintain sources of specific critical supplies


Public safety in their jurisdictions

End users, patient advocacy groups

Supply, efficacy, safety, novelty and convenience

Medical groups

Publicity, reputation and public good

Medical insurers

Reduced cost of treatment


Gain and maintain market share


Maintain health care services

Economic and safe supply of health products


The company’s objectives for this agreement were discussed in detail in the context workshop. They were consolidated into seven criteria for success, summarised in Table 2. These criteria were used to develop scales for analysing the impacts or consequences of risks in the subsequent risk assessment workshop.

Table 2: Impact criteria




The annual income generated by this agreement when it achieves steady state operation


The gross margin from sales, aside from overheads that were conventionally accounted for separately by the company

Program cost

The incremental costs to the company associated with this agreement and the four projects

Contract milestones

The critical milestones dates from contract signature at which the company’s performance on specified aspects of the projects would be assessed

Contract specification

The technical specification to which the company would be bound by its contract, including technical issues not yet settled but subject to agreement by mechanisms defined in the contract

Regulatory approvals

All approvals necessary for the commercial exploitation in the relevant jurisdictions of products arising from this agreement


The company’s presence and reputation in the markets in which it is currently active and to which it aspires as a result of this agreement

The assessment was arranged to classify the risks into four categories of severity or priority with the following meanings (Table 3).

Table 3: Evaluation criteria




Matters that require attention at the most senior level, generally above the individual projects within the program


Matters that are the responsibility of the project managers and other senior managers in the company


Matters that will be delegated to the project teams


Matters that will not be allocated explicit attention, on the expectation that the company’s standard procedures and practices, already in place as part of day-to-day business, will address them adequately

Risk assessment


The purpose of the assessment was to produce an agreed view of the most important risks affecting the agreement, including their nature and severity, and assign responsibility for developing actions to address them. The assessment described the severity of risks in qualitative terms according to the level and urgency of the attention they required.

A set of 11 key elements or topics, developed as part of the context-setting activity, was used to structure the assessment workshop. (The key elements appear on the left-hand side of the chart in Figure 1.)

Each element was addressed in turn, brainstorming risks and analysing them before proceeding to the next element. For each risk, the analysis consisted of three steps:

  1. Note existing controls that modify causes or the impacts of the risk
  2. Taking those controls into account, assign the risk an impact score and a score for the likelihood of incurring that level of impact
  3. Use the look-up table derived in the context workshop to assign an initial priority rating for the risk.

When all the elements had been addressed, the risks were reviewed, and the priority ratings were adjusted where appropriate. All the most severe risks were allocated to named individuals for further consideration and the development of treatment actions.

Summary of outcomes

Well over 200 risks were assessed (Figure 1). The number of risks and their spread across the range of elements was consistent with the early stage of planning and definition of the program. As the program progressed and risks were addressed, the numbers of risks and their severities would be expected to reduce.

At this stage there were many risks at all levels of severity:

  • The four projects accounted for all the most extreme risks
  • The projects appeared to present similar numbers of Extreme and Major risks
  • Apart from the four projects, the company’s internal management and project management processes were the most important sources of risks, spread over several elements
  • There were many risks with potentially very high impacts, although most of them were quite unlikely.

Figure 1: Risks and priorities by element

Project-related risks

The four projects accounted for all the most severe risks, those rated Extreme or Major. Some risks were specific to one project but many, particularly those concerning regulatory authorities and the commercial counterparty, spanned all projects. Table 4 provides a brief outline.

Table 4: Project-related risks


Areas of uncertainty

Technical matters

Major design decisions arising from the possible need to segregate products that do not have to be segregated currently

Unexpected design changes, delays or increased costs arising from scaling up production

Project schedule slippage, particularly in the submission of applications for regulatory approval and the production of materials for clinical trials


Timing for granting of regulatory approvals

The company’s understanding of the regulators and their processes

Regulatory workloads and the capacity of the regulators to respond quickly


Delays arising from imperfect communication with other company


Short-term market penetration of the new products

Management-related risks

There were many risks related to the company’s internal management and its project management. While they did not all have high priorities individually, they constituted an important area of risk when taken as a whole. They concerned: executive decision making, priority setting and resource allocation; internal communications; the relationship between product development and commercialisation activities; and the experience of the project teams and their reliance on critical staff and specialists.

These risks were important not only because they represented significant threats and opportunities but also because they were, in principle, more closely under the control of the company than the fundamental technical and regulatory risks affecting the four projects themselves. Hence the management-related risks should present cost-effective targets for risk treatment, with a moderate effort being likely to yield significant improvements in outcomes. Taking this line of reasoning one step further, if problems should arise, failure to address these issues would present the least defensible rationale for any failures in the program, being almost entirely concerned with how the company managed itself.

Further analysis

Some of the areas of the company’s wider operations that interacted with the program warranted further risk assessments of their own, in particular:

  • Plant design and development and associated regulatory approval processes
  • The ongoing operation of the company’s existing business and other major projects.

There were several critical schedule and financial targets that appeared to remain subject to significant uncertainty. Quantitative analysis of the uncertainty in these targets was recommended, to ensure that any that were in fact unduly optimistic, given current plans, were identified while there was still time to adjust commitments and expectations or revise plans to reduce the chance of failure. The key measures of this kind identified in the workshop included:

  • The schedules and budgets of each of the four projects
  • The cost and schedule of the plant design and development and associated regulatory approval processes
  • The overall financial performance of the program.

Risk treatment

Review of risks

The risks from the first workshop were classified into Extreme, Major, Medium and Minor severity. The treatment workshop addressed the Extreme and Major risks, of which there were about 80, far too many to address individually in detailed treatment planning.

To simplify treatment planning, the Extreme and Major risks were consolidated into a smaller number of headline risks, drawing together risks with common characteristics and causes. Table 5 shows an example in summary form.

Table 5: Example headline risk

The risk treatment workshop was held some four months after the initial risk assessment. Without revisiting the risk assessment in detail, the treatment workshop considered whether:

  • Any risks had changed sufficiently, or were receiving sufficient attention already, for them to be omitted from the treatment exercise (this applied to several risks classified originally as Major)
  • Any risks or controls had changed in a way that needed to be taken into account in planning treatment actions
  • Any risks were parts of other headline risks and so did not warrant attention in their own right
  • Any new risks had been identified that were of comparable severity to the Extreme and Major risks and needed to be included in the treatment planning, with any related controls already in place.

Nine headline risks were selected for detailed treatment planning.

Treatment planning

The purpose of using a workshop for treatment planning was to maximise the creative input to the process and take advantage of a wide range of knowledge, so that weak options could be screened out before significant effort was devoted to planning them in detail. Detailed planning was to be addressed later by individuals or small groups, drawing on the options developed in the workshop.

Each of the nine headline risks was considered in turn. For each one, the workshop participants:

  • Brainstormed treatment options to address the headline risk and its component risks
  • Discussed the advantages and disadvantages of each option, and selected preferred options on the basis of net benefit to the company
  • Assigned responsibility for developing them further and taking them into implementation.

As the project was at an early stage, it was necessary to exercise judgement about the extent to which plans already in place should be included in the treatment options. To avoid simply reiterating existing plans, the general rule for such exercises is that treatment options should be actions that are not already in place or for which there is not yet a commitment to undertake them. A small number of actions already planned were included in the list of treatments where it was felt that:

  • They needed to be given additional priority
  • They were considered urgent and it was feared that they might not otherwise be completed in the near future.

The nine headline risks addressed in the workshop generated almost 100 treatment options. Table 6 shows an example of the treatment options for one headline risk, in summarised form, with the additional information needed for it to form the basis of a treatment plan.

Table 6: Example treatment plan summary

Upon examination, it was clear that the treatment options fell into sets that could conveniently be addressed together, often because they involved the same action owner or business team. Some sets spanned two or more risks.


In the four months between the initial risk assessment and the treatment workshop, some of the early concern about obtaining suitable supplies from the other company, on time and with consistent quality, had diminished. Several potentially severe risks remained, including some for which all practicable steps were already in hand.

Almost ninety actions were identified to reduce the chance of the remaining risks having negative impacts on the program. The proposed actions were arranged into 28 sets, drawing together options that could be taken as a single initiative.

Following the treatment workshop, the company proceeded to:

  • Develop the agreed options into management actions with firm dates for their completion
  • Ensure the implementation of these actions through existing project and general management controls
  • Integrate maintenance of the risk register into routine management activity across the program, including focussed reviews at regular project meetings
  • Plan a major review of risks in six months.


Tailoring the risk management process

Common risk assessment processes and scales are usually a good thing, as they support and provide the rationale for consistent decision-making behaviour and priority allocation across the organisation. However, the purpose of risk management is to create and protect value, so the main focus of any risk management activity should be to support sound decisions that will add value to the organisation. In this context, the risk management process should be a guide rather than a constraint, particularly for important strategic decisions.

The process should be suitable for the decision makers and what they need to decide about. We tailored the company’s enterprise risk management process in this case to the strategic and commercial nature of the program and the particular technical and regulatory characteristics of the pharmaceuticals sector.

In addition, the four-month interval between the assessment and treatment workshops allowed us to adjust the approach to identifying and analysing treatment options, taking account of additional work and new insights gained in the period between the workshops.

Making sense of information

Risk assessments and risk treatment workshops can generate a large amount of information. The case described here involved a program, consisting of four projects plus program-wide features, disaggregated into 11 key elements to structure the risk assessment workshop; the assessment workshop generated 225 risks, and 97 worthwhile improvement options were identified in a subsequent treatment workshop.

It is usually neither practicable nor necessary to address every item generated in a series of workshops individually. It is far more efficient to aggregate them into meaningful groups, based on the type of actions they require, that can be tackled as a whole. While the individual items may contribute usefully to detailed planning and communicating the nature of the risks to others, to retain all the information at a management level is not helpful. It is daunting and creates unrealistic expectations; simplifying and grouping appropriately helps to create realistic plans.

Table 7 summarises how all the detail was made more manageable and practical to use in this case.

Table 7: Making sense of the information

Treatment planning

Treatment planning should rarely be done risk-by-risk. It is usually far better to develop actions on a company-wide basis, evaluating the aggregate advantages and disadvantages across the whole organisation when selecting improvement actions.

The simplest approach to classifying options is a straightforward triage into:

  • Options that are clearly worthwhile
  • Those that might be worthwhile but additional analysis is needed, and
  • Those that are clearly not worth pursuing.

In this case the extended classification in Table 8 was used. This was appropriate for the strategic nature and extended time scale of the program.

Table 8: Treatment priorities



P1. Mandatory

Actions that must be taken to comply with legislation, regulatory requirements, organisational policy or community expectations that impinge on the company’s social licence to operate

P2. Worth doing now

There is a clear positive net benefit for the company

  • Easy and low cost to implement
  • Required urgently to avoid a potentially large impact

P3. Worth analysing now

This action appears to be worthwhile, but more work is needed to confirm whether it has a positive net benefit

P4. Worth doing later

There is a clear positive net benefit for the company, but the action can be postponed

P5. Nice to have

Follow up and implement this action if resources become available

P6. Set aside for now

Not worthwhile at this time

This assisted the management team to identify actions and establish plans. It also enabled them to communicate their plans to others, and to make it clear why they were adopting the priorities they had decided should guide the work.