Risk, Control & Audit

Enterprise Risk Management (ERM)

Embedded and effective risk management can be one of the most powerful tools in management’s toolbox. When designed and implemented appropriately, risk management drives positive behaviour by ensuring that all employees are risk-aware and consider the implications of their actions on the wider organisational objectives.

Why is it an issue?

  • Increased focus following the updated provisions in the UK Corporate Governance Code, which state: ‘The Board is responsible for determining the nature and extent of significant risks it is willing to take in achieving its strategic objectives. The Board should maintain sound risk management and internal control systems’
  • Fines levied on Health and Life Science (H&LS) organisations for non-compliance with regulatory requirements are increasing
  • The profile for risk management is changing due to globalisation and the increase in outsourcing
  • Manifestation of risks can critically damage the reputation of H&LS organisations in the eyes of the consumer
  • Shareholders increasingly seek reassurance on how H&LS organisations are managing the risk of supplier failures, be that as outsourced service providers or suppliers of key components
  • Many organisations still struggle to define and deliver effective and fit-for-purpose risk management.

Service overview

  • Assess and support the development of a framework for the management of risk that is aligned to the business, addresses risk context and is consistent with business risk appetite and culture
  • Facilitate definition and implementation of risk appetite and metrics using our risk appetite methodology (e.g. Risk KRIs, targets and tolerances)
  • Support the identification of key risks including risk context, key risk themes and mitigations
  • Assist you to clearly articulate your organisation’s risk-taking capacity, risk appetite and current risk profile
  • Support the improvement of risk governance through monitoring risk metrics
  • Consult on the selection and development of risk management tools and applications.


Contract, Risk & Compliance (CRC)

Ensuring that business partners deliver on their obligations can maximise revenue, protect your brand, improve operational efficiency and reduce cost. Third party relationships are prevalent and important in the value chain, but have frequently escaped validation and verification. Often third parties, such as suppliers, joint venture partners, distributors and licensees, self-report their performance. We are seeing organisations increasingly wanting to verify, as well as trust, their business partners.

Why is it an issue?

  • Third parties bring risks to the organisation that impact on brand reputation, customer safety and experience, financial revenues and costs, as well as regulatory risks
  • From capital projects to distribution contracts and licensee relationships, each third party has a specific set of risks that need to be managed and governed
  • Assessing and managing contract and third party risks not only provides positive assurance but if conducted properly can be revenue generative
  • Developing an internal governance framework and assessing existing process and controls is proven to yield cost savings in the long run

Service overview

Our Contract Risk & Compliance professionals have experience of hundreds of third party reviews across a range of partners and sectors:

  • In respect of outsourcing, supply arrangements and joint ventures, we can establish whether third parties are compliant and delivering expected benefits. We can also help organisations understand if they are managing their own obligations effectively
  • In the distribution channel, rebates, special pricing, discounts and other complexities can result in error and value leakage. Routine monitoring of business partners can result in improved visibility and value for both parties
  • In licensing and royalty bearing arrangements, certainty over the accuracy of reporting is crucial as brands are developed, markets explored and products are distributed. Across the spectrum of third party relationships we have the tools, experience and knowledge to deliver value


Digital Risk

Digital (on-line) activity has accelerated in prominence in the Health and Life Science industry (H&LS), with health and fitness being one of the largest categories of Apps on the Apple AppStore. In addition, there are over 6,500 apps targeted specifically at health care professionals. The regulatory environment is favourable to digital marketing and coupled with the large brand portfolios held by many companies, it is becoming one of the channels of choice.

Digital brings opportunity but also new, unique risks which you need to consider and manage in order to be successful. To enhance your digital potential it is essential to develop a sustainable and realistic framework to actively control, manage and optimise your digital assets.

Why is it an issue?

  • The level of digital activity is growing exponentially in volume and complexity to meet the increasing demands of consumers, regulators and stakeholders
  • Digital activity must be kept up to date and is not seen by regulators as product at a point in time. Ownership and accountability are therefore key
  • Digital activity is easy to create and the perception is that it falls within the marketing domain and therefore is not subject to normal IT and other business controls
  • Relationships and ownership of content and audience are not clear cut. Regulators are also themselves unclear and wish to leave themselves room to manoeuvre
  • Organisations in regulated industries, such as H&LS, must create processes to manage digital activity through its entire lifecycle, not just up to the point it goes live. Experience has shown that it is after the launch that compliance issues arise, primarily due to poorly defined on-going ownership
  • A decentralized operation with a limited framework for managing Digital Risk can result in the creation of excess digital assets with low impact and limited searchability.

Service overview

Deloitte has a digital risk management framework that can assist the management of your Digital Risk by helping you with:

  • Discovery: understand the size and accountability of your digital footprint and analyse the public response to your brand
  • Privacy and Trust: keep personal data safe and secure and comply with the latest privacy regulations to build and maintain trust
  • Risk: monitor your digital activity as it grows in order to stay one step ahead of your digital risk exposures
  • Compliance: navigate compliance hurdles and implement new processes to maximise the opportunities from your digital activities
  • Security: recognise the security threats to your digital assets and how best to protect them in order to be successful in the digital environment.


Project Assurance

For a project to succeed it must deliver on time, to budget and to the required level of quality. However, the successful achievement of these objectives is threatened by numerous risks.

Why is it an issue?

  • As the world emerges from recession, businesses are re-initiating change programmes that were delayed and increasing R&D spend, which was impacted when the economic outlook became uncertain. This, combined with the revival of the merger and acquisition market, has meant that the success of many high-profile change and integration programmes is of fundamental importance to the business.
  • The business, IT and internal audit functions are now faced with the prospect of providing assurance over these change programmes. This is challenging in an environment in which risks are continually evolving with significantly more volatility during business as usual.
  • With focus on delivery, the early identification and management of these project risks is often overlooked, and risks and issues which could have been identified prior to critical decision points go on to have a negative impact on the project.

Service overview

Whilst we cannot guarantee the success of a project, we do have a track record of reviewing complex business critical programmes and projects at Health & Life Science organisations, and successfully identifying risks and issues prior to critical decision points. These can be addressed before the project progresses. We can:

  • Define and implement focused reviews aligned to the programme/project lifecycle and the activities critical to success
  • Focus quickly on the key risk areas, allowing us to dive deeper into the underlying causes of risk and identify issues in real time, enabling the programme/project to respond before delivery is impacted or critical programme/project decisions are made
  • Provide pragmatic recommendations for management to action
  • Evaluate current programme/project activity against our own experience of good practice, relevant industry standards and your own requirements
  • Work collaboratively with your Internal Audit function to report to the Audit Committee or assist in the design of a project assurance methodology
  • Work within a project as an independent internal assurance function to provide guidance to the project management team or directly for the Board or on behalf of the project sponsor.


Programme Management Office (PMO)

Projects are unique offerings where very often you are breaking new ground, implementing new technologies or fundamentally changing the way you do business. Is your PMO up to the challenge of managing the project management control framework to ensure your projects stay on track?

Why is it an issue?

  • More often than not you are trying to do all the above at once, whilst managing a variety of other projects and programmes with competing priorities and occasionally conflicting objectives
  • To manage these challenges, the right approach is to implement a pragmatic project control framework, supported by an effective Project Management Office (PMO). The PMO is critical to maintain adherence to the established framework and to provide centralised governance and control
  • We perform many project and programme health checks on behalf of our Health and Life Science clients, and frequently find that although a PMO may be in place, the basic disciplines of good project management control are misunderstood or poorly implemented.

Service overview

We have a team of experienced, Prince 2 accredited staff with a proven track record of assessing and implementing Project Management Office controls (PMOs) across multiple industry sectors:

  • We can work with you from the outset, assessing your current PMO capabilities, strengths and weaknesses. This helps us identify any problems at an early stage, which could lead to later project failure. We can then provide you with pragmatic recommendations to implement
  • We can help you set up your PMO with the right monitoring and control processes from the start. We will help you define project goals, objectives and determine the right delivery and governance models to put you on track for success
  • We can provide you with specialists to either manage your PMO or work alongside your team to support you with key disciplines; from planning and budgeting, to change control and stakeholder management. We can advise on risk management, from designing an effective risk and issues log to implementing quantitative ‘Monte Carlo’ risk modelling for complex programmes
  • Reviewing previous projects and programmes can lead to insights on strengths and weaknesses in your organisation, which can impact on the success or failure of future projects. By undertaking post implementation reviews of the PMO practices deployed on your key projects and programmes, we can help you evaluate your critical success factors and ensure your PMOs have the right focus on your future projects.


SAP Risk

Enterprise Resource Planning (ERP) projects represent some of the largest investments that some Health and Life Science organisations make, both in terms of direct financial spend and ongoing resource commitments. Successful SAP implementations can significantly reduce costs through efficiencies and represent an opportunity to streamline and standardise processes globally.

Measuring return on investment is a complex process. Developing a sustainable mechanism to continually assess risk, compliance, system usage and drive improved performance, is the key to increasing return on investment and user satisfaction.

Why is it an issue?

  • Limited visibility of the risks associated with SAP for key business processes, and limited oversight relating to the compliance of SAP
  • Due to the complexity of the system, the volume of transactions and the material nature of account balances, there is a high risk that material misstatement of the account balances could occur
  • Management and internal and external auditors review and place reliance on the appropriateness of controls in SAP. If irregularities are found, reliance on the control environment for the integrity of financial accounts is reduced, which may result in additional costs to manually substantiate the business financial accounts and low confidence in the control environment

Service overview

Our solutions cover all components of SAP including:

  • Process and control design - creating efficient processes and robust control frameworks and designing strong controls, by effectively utilising system configuration and reporting controls
  • Security and role design – remediating and redesigning security and role design to minimise segregation of duties (SoD), sensitive access & privileged access issues
  • Optimisation – monitoring deviation from the original business case and business needs, to ensure efficient use of SAP, allowing clients to maximise the functionality of their SAP landscape
  • Business change and system embedding – performing risk assessments, creating business governance, designing processes and controls and business training to ensure embedding and realisation of SAP projects
  • Implementation healthcheck – providing a complete picture of system upgrades and implementations throughout the project lifecycle by performing an independent, rigorous top-down and bottom-up view across the programme
  • Use of 3rd party tools (i.e. GRC/ArcSight/ACL) – identifying and quantifying audit and compliance risks, and enabling clients to effectively monitor and react to business and SAP risks.


Internal Audit Effectiveness

Heads of Internal Audit face a difficult time balancing the demands of their stakeholders, the job market and regulators when they define their assurance plans. Research & Development and the increased risk of fraud are just two trends in the Health and Life Science (H&LS) sector that need Internal Audit functions' attention in order to provide balanced and objective assurance over the organisation's key risks and responses to these issues.

Why is it an issue?

  • Increasing regulation and market expectation in the industry are driving Audit Committees to place increasing reliance on Internal Audit functions, with the aim of delivering high quality assurance over current and emerging risks across financial, operational, IT, regulatory and strategic business processes
  • Directors are becoming increasingly concerned about their own personal liability in relation to control failures and unforeseen risks impacting results. This is leading to increasing demands for reliable business intelligence that can give early warning of areas of potential risk so they can be dealt with before they arise

Service overview

Deloitte has the skills and extensive experience to help Health and Life Science organisations to carry out a robust and independent review of the Internal Audit function and assist in the implementation of improvement recommendations. Our reviews typically go beyond the IIA standards and also focus on how to improve the strategic positioning and effectiveness of the audit function.

Our Internal Audit team can:

  • Perform a robust and independent review of the Internal Audit function focusing on five key themes: purpose and remit, position and organisation, processes and technology, people and knowledge, performance and communication
  • Interview key assurance stakeholders, review key documentation and benchmark results against our knowledge base of internal audit best practice, industry standards and the IIA’s Global Auditing Information Network (GAIN) database
  • Provide concise and useful feedback and work collaboratively with the Head of Internal Audit and the Audit Committee to develop realistic action plans to improve the strategic positioning and effectiveness of the Internal Audit function.


Co-source & Outsource

The demands being placed on Internal Audit departments in the Health and Life Sciences (H&LS) industry have never been greater. Based on the results of a recent wide-ranging survey of 275 Heads of Internal Audit, the number one challenge facing Internal Audit functions now and in the future is a lack of resources. Other trends that need Internal Audit functions' attention are Research & Development, increasing regulation and the increased risk of fraud.

Why is it an issue?

  • With stakeholders demanding increasingly sophisticated risk management, this has a direct impact on the expectations of Internal Audit and the nature of the role it carries out. This is driving an increasing need to both raise the skill levels within Internal Audit and to provide a more diverse mix of ability, knowledge and experience
  • It is therefore no surprise that many Heads of Internal Audit are seeking to co-source some or all of their Internal Audit function to professional services firms like Deloitte. Key questions to consider include:
    • Who are my stakeholders and what do they expect of Internal Audit?
    • Taking into account stakeholder expectations, what are the objectives of Internal Audit?
    • Given the objectives set, what skills are required/what is the coverage of Internal Audit?
    • Do I have a team with all the elements needed to achieve effective delivery of the objectives?

Service overview

Having identified the needs of the business, and taking into account the budget and the existing skills and resources, the case for co-sourcing can be made. The advantages from entering a co-sourcing arrangement with Deloitte include:

  • Flexible resourcing options to clients ranging from complete outsourcing of IA to partial co-sourcing arrangements
  • Access to resources when needed, so that auditor down-time is eliminated
  • Access to a global network of audit resources with local knowledge and language skills wherever required.
  • Deloitte can provide insight and ideas for improving the business based on experience with other life sciences and health care organisations
  • No in-house training cost or time commitment to keeping staff up-to-date with regulatory or technical developments
  • Drawing upon our specialist business, risk, regulatory and technology professionals we are able to significantly enhance the capability of IA functions for specific one-off reviews.


IT Internal Audit

The role of the Internal Audit department has expanded, both in scope and the requirement to deliver tangible value to the business. The business environment is growing more complex by the day with rapidly changing technologies, increasing demand for IT services among business units, and the continual expansion of the “extended enterprise” all translating into greater IT risks for most organisations.

Why is it an issue?

  • Many new emerging technologies and ways of working arise in the industry; for example, E-detailing and increased data sharing within the healthcare community will require significant technology and business change projects to be undertaken. Internal Audit are often asked to perform independent assessments over such projects. The ability of IA functions to mobilise the appropriate specialist resource, to ensure the right risks are focused upon and a robust review is performed, is essential given the reliance Audit Committees and senior management place on such reviews.
  • The increasing regulatory focus on internal audit and their capabilities, including the use of data analytical techniques to both review entire populations of data and provide insights into an institution's data, provides a further challenge for Internal Audit functions in terms of the development of such capability. This is an area we see as becoming far more prevalent in the industry in the coming year.

Service overview

  • Deloitte is able to offer flexible resourcing options to clients ranging from complete outsourcing of IT IA to partial co-sourcing arrangements
  • Deloitte is able to assess the end-to-end effectiveness of internal audit functions including IT
  • Our specialist project risk professionals are experienced at reviewing significant change programmes and the common pitfalls to successful implementation
  • Drawing upon our specialist business, risk, regulatory and technology professionals we are able to significantly enhance the capability of IA functions for specific one-off reviews.
