1、风险管理,王 旭 Y2011,介绍风险管理系统要求和指南的来源背景 GSK/GSK Bio 风险内部控制和框架 GSKBS 风险管理方法概况,目的,英国Turnbull指南 公司丑闻 Enron, WorldCom, Parmalat, etc. 美国塞班斯法案,风险管理的历史,background,在应该对公司的监管,通过一系列的委员会审核和报告,变得愈来愈严格:- 1992 Cadbury report (建立公司财务监管标准) Use of board committees Separate roles of Chairman and Chief Executive 1995 Green
2、bury report(对高管薪酬进行管理) Disclosure of directors remuneration and compensation in company reports 1998 Hampel committee and report (要求公司制定内部控制体系保障股东利益) Reviewed the Cadbury Code and its implementation, followed up on matters arising from Greenbury report Addressed the role of shareholders and auditors
3、 in corporate governance issues 1998 UK Listing Authority Combined Code 14 Code Principles and 45 Code provisions Key principle relates to boards maintenance of a sound system of internal control Code provision references risk management 1999 Turnbull report Provides guidance on the internal control
4、 and internal audit provisions of the 1998 Combined Code Risk based approach,一些英国的历史.,background,Companys internal control system should: be embedded within its operations and not be treated as a separate exercise be able to respond to changing risks within and outside the company enable each compan
5、y to apply it in an appropriate manner related to its key risks Requires companies to identify, evaluate and manage their significant risks and to assess the effectiveness of the related internal control system Board directors are to regularly review and annually assess on internal controls.,May 200
6、7,GSKBS,Turnbull Requirements,background,May 2007,GSKBS,Corporate Missteps,background,The Sarbanes-Oxley Act provides a comparable rule in the US Management must assess annually the internal controls and procedures for financial reporting CEO must certify quarterly and annually that financial statem
7、ents are fairly presented Independent auditors must attest to and report on managements assessment of internal controls.,May 2007,GSKBS,塞班斯法案-Y2002 关于公司管理的汇报要求,background,May 2007,GSKBS,公司的响应:内部的控制模式,GSK RM overview,May 2007,GSKBS,内部控制的要素,Five interrelated components,May 2007,GSKBS,控制的氛围 人正直诚信 职业道德能
8、力 运营环境,内部控制的要素,May 2007,GSKBS,政策、规程和标准 公司 法律合规 IT GMP,GSK RM overview,内部控制的要素,May 2007,GSKBS,信息和沟通 运营、财务和合规报告 沟通流程 教育和培训,内部控制的要素,May 2007,GSKBS,监控 管理者审核 审计,内部控制的要素,May 2007,GSKBS,Control Environment,Risk Management,Policies and Procedures,Informationand Communication,Monitoring,风险管理 组织框架,内部控制的要素,May
9、 2007,GSKBS,Policy Excerpts:,Policy Highlights,GSK Policy POL-GSK-500 Risk Management and Legal Compliance Approved in 2001,GSK RM overview,May 2007,GSKBS,Policy Excerpts:,Policy Highlights,GSK Policy POL-GSK-500 Risk Management and Legal Compliance Approved in 2001,GSK RM overview,May 2007,GSKBS,Po
10、licy Excerpts:,Policy Highlights,GSK Policy POL-GSK-500 Risk Management and Legal Compliance Approved in 2001,GSK RM overview,May 2007,GSKBS,风险管理的层次,董事会审计委员会,风险监管和合规委员会,商业风险管理和合规组,合规和风险管理团队,运营团队,监控和审核内部控制体系的有效性和充分性。包括合规控制和风险管理。汇报给董事,识别所有重大风险. 监控实施风险控制的有效性. 确保为管理层的年度审核提供信息和报告,建立和实施重大风险审核流程, 以及确保风险控制管
11、理的有效性,建立内部控制系统: 标准, 政策, 规章 流程. 提供建议和实施审计和调查,识别评估潜在风险. 消除、监控和报告风险 确保重大风险通过内部管理框架被迅速沟通,鼓励新技术的应用资源和优化管理理解流程,例如验证建立面对审计的信心但不是为了 帮偏离和缺陷找理由,May 2007,GSKBS,风险管理的好处,May 2007,GSKBS,May 2007,GSKBS,我们说了很多风险的背景来源、管理框架 那么 风险是什么? 如何识别风险? 如何管理风险?,This is cute, but,风险:是能通过可能性和后果衡量的,一个事件发生后的可感知的后果。 可能性:暴露在危险下的可能性。 后
12、果:一个事件的结果 重大风险:给公司带来重大影响的违法(规)风险,和财务、运营和合规的风险 法律风险:有法规问题的风险(如:潜在的违法、违规,承担潜在法律责任),May 2007,GSKBS,风险的定义,What is risk?,May 2007,GSKBS,风险定义,May 2007,GSKBS,预算,运营计划,工厂战略审核,评估部门风险,评估工厂风险 Top Down,更新计划预算,实施计划,BCP,工厂验证主计划,风险清单优先级分类,STP 重大风险,风险记录,工厂战略,ISHIKAWA,外部风险,输入过程输出,流程清单,ISHIKAWA,风险台帐,工厂战略,部门战略,STP 重大风险
13、,风险管理方式,May 2007,GSKBS,风险管理工具:,工艺流程清单 初步危害分析 Preliminary Hazard Analysis (PHA) Hazard Analysis of Critical Control Points (HACCP) Hazard Operability Analysis (HAZOP) Fault tree analysis (FTA) Failure Mode Effects and Analysis (FMEA) Failure Mode Effects and criticality Analysis (FMECA) Risk ranking
14、and Filtering Informal risk management,May 2007,GSKBS,风险记录清单格式,May 2007,GSKBS,1-风险识别 (编号 + 流程 + 风险名称+ 风险描述):通过鱼骨图对各个流程的风险进行系统识别: Numbering principle: Finance (No: start with 1, 1.1, 1.2, . ) Supply (No: start with 2, 2.1, 2.2, . ) QA (No: start with 3, 3.1, 3.2, . ) EHS (No: start with 4, 4.1, 4.2,
15、. ) People (No: start with 5, 5.1, 5.2, . ) CI (No: start with 6, 6.1, 6.2, . )Process: refer to process list-level 3,编号 + 流程 + 风险名称+ 风险描述,May 2007,GSKBS,失去商业利益和长期生存能力,合作者,环境,政治,Theft,Earthquake,Flood,Distributors,Suppliers,Contractors,Fire,Sabotage,社会、经济,政府机构,Inspections,Regulators,Taxes,Population
16、 Profile,Policies, Laws,Price controls,商务,Competitor activity,Shift in customer Power,Technological change,Accidental Disaster eg crash , environmental, loss of power lines, infrastructure .,Epidemics,外部风险,Just for your references,May 2007,GSKBS,编号 + 流程 + 风险名称+ 风险描述,领导力、战略、声誉,可能影响 没有增长 失去声誉 诉讼 亏损 销售
17、市场下降 股东利益受损,无效率的管理模式,业务发展无法满足发展需要,无效率的文化和工作氛围,失去声誉、相关人失去信心,Poor PR management,Irregular risk management,Unclear decision making responsibilities,Lack of openness,Quality / Risk management not considered important,Insufficient action and Resolution follow up,No regular governance meetings/ agendas,No
18、, wrong or not communicated strategy, vision,No or wrong volume forecasts,No external sensing of needs,Poor Shadow of the leader,No consistency of message,Miss the big picture,No proactive involvement With stakeholders,Dont keep up with New requirements/ policies,Poor employee relationships,Peoples
19、needs not takeinto account,High stress / accidents,Blame culture Issues hidden,Poor communication,Poor morale motivation,Lack of marketing intelligence,Scope for future Business opportunities not considered,Poor Reward / recognition,IE not embedded Dont walk the talk Poor feedback,Lack of accountabi
20、lity,Actions not followed up,Poor process measures,Unethical practices,Adverse event,Failure to meet regulatory compliance,May 2007,可能后果 资产流失 公司资源被误用 坏帐,1.3 公司资产没有很好管理,1.1 信息慢,不准,1.2 不合规,Poor credit control,changes in business law,changes in tax law,Asset register / management,Low liquidity,Debt col
21、lection,Corruption,Fraud,Non existent employees, suppliers . Deliveries, customers , expenses,Customs & excise,Long cash to cash cycle,Data and information maintenance,Inaccurate project costing,Poor project cost control,Budget process / control,Forecast accuracy,Lost sales - tenders,Costs of materi
22、als not understood by users,Pay roll / Pensions -contractors,Support of business Decision making,Division of duties,Under insured,Theft or assets used for non business use,财务,Monthly closing,Stock taking accuracy,编号 + 流程 + 风险名称+ 风险描述,Share service,Inventory control,Share service,Share service,供应 计划,
23、Critical Parameters not understood,可能后果 供应能力不能满足需求 物料、人无法完成生产计划 由于加班造成成本增加 外包服务造成成本增加,2.3 供应、订单能力没有平衡,或不能满足成本、服务要求,2.1 客户要求没有转为生产指令,2.2 不清楚供应能力,Demand not levelled,Bottlenecks not identified, managed,Long lead times,Plans not based on demonstrated capacity,materials,High /low inventory,Forecast dema
24、nd not Visible/ highly variable,Long leadtimes,Patient, DoctorHospital,Logistics, Wholesaler, Retailer,Brand strategy,Promotions,CSAs,Service levels Not agreed,Disruptive/Unsuccessful tenders,Inflexible supply,Too high /low Contingency stocks/safety stock levels,High overtime,Inaccurate BoM,Finished
25、 goods, WIP,Write offs,Stock outs,Unsupported plans,BOM rationalisation,No scenario planning,Source changes (SUPPLIER),Increasing complexity Product mix,Insufficient capacity High utilisation,编号 + 流程 + 风险名称+ 风险描述,May 2007,GSKBS,可能后果 产品质量差造成返工、召回 不合规造成不好的政府关系:产品收回、推迟批准. 改进措施没有效果造成成本提高.,3.1 产品质量和服务差,3
26、.2 不合规,Poor validation,Low quality/ high variability of material,Deviation from SOP,Rework,Insufficient knowledge,Poor quality culture / leadership does not put quality first,Critical to quality parameters not understood,Equipment failure,Poor materials,Training SOP not in use,SOPs Specs, Methods,To
27、o many Out of date poor,Inadequate resource,Specification failure,3.3 质量基础流程,Slow or incorrect Batch release,Slow or poor CAPAs,Poor document control,Non approval of new product,Adverse audits or inspections,Complaints,Recalls,Failed or wrong material used,PPRs poor quality does not improve process
28、capability,Validation - high cost / status not maintained,Uncontrolled changes to material, process, equipment,Product not made in line with filing,Deviations not root caused,QMS in place not in use,Slow feedback when process Moving out of control limits,质量,编号 + 流程 + 风险名称+ 风险描述,May 2007,GSKBS,环境,Ene
29、rgy usage,Use of non-sustainable resources,New legislation eg carbon tax,Waste management Reduce, Reuse,recycle,Water usage,Emissions,Air Water,Hazardous materials information,Contamination,Groundwater Land Asbestos PCBs Radiation Odours Noise Fire water .,Environmental accidents,Bio diversity,Land
30、usage,Erosion , infringement of historic areas, Wild life,Safety,Accidents:-at work , travelling,Alcohol / drug abuse,4.2 & 4.3 健康安全,Stress / Poorwork life balance,High Absence,Absence process,Protective clothing,Poor Ergonomics and Job design,Equipment not used/Poor,Poor safety Auditprocess,Poor 5S
31、/ housekeeping,High Sound levels,Poor Lighting,Air quality,Infectious disease,Flu,Insufficient knowledge,Poor EHS culture / leadership does not put EHS as priority,SOPs Specs, Methods,Inadequate resource,Adverse audits or inspections,Too many Out of date poor,4.1 不合规,EHS,可能后果 工伤事故 不合规造成不好的政府关系,编号 +
32、流程 + 风险名称+ 风险描述,May 2007,GSKBS,为了进行风险识别,应有风险台帐来更好帮助风险记录清单的更新流程 其中所有可能导致潜在细微风险的危害都应记录.,May 2007,GSKBS,风险评估: 收集相关历史数据 当前控制 评估可能后果和可能的发生频率 评估风险重要性和优先性,May 2007,GSKBS,后果严重性评估-财务:,potential consequences,当同一风险造成不同的后果,选高分,May 2007,GSKBS,potential consequences,When one risk has different levels consequences
33、, go for the higher one,后果严重性评估-供应:,May 2007,GSKBS,potential consequences,When one risk has different levels consequences, go for the higher one,后果严重性评估-质量:,May 2007,GSKBS,potential consequences,When one risk has different levels consequences, go for the higher one,后果严重性评估-人员,May 2007,GSKBS,probabil
34、ity of occurrence,可能性评估,Risk index value,风险系数值,优先性高 (Red): risk index value in range 10-25+catastrophic risks 中度优先(Amber): risk index value in range 5-9 低优先(Green): risk index value in range 1-4,后果严重性 风险系数值= x 发生后果可能性,Escalation,向上汇报: 2 级- 工厂级别 和 工厂以上级别 渠道: 从部门向工厂汇报:每月管理会从工厂向总部汇报:月报和风险报告,风险汇报,消除评估 +
35、 修改和制定风险消除计划:,May 2007,GSKBS,红色风险必须有风险消除计划,目的至少是将风险由红色降为黄色黄色风险必须有风险消除计划,目的至少是将风险由黄色降为绿色绿色风险不用有进一步的整改行动,但必须记录,并且下一轮风险评估时重新评估到.如何风险后果达到严重程度(5分),尽管可能性为罕见,必要在持续运营计划中考虑,消除评估 + 修改和制定风险消除计划:,指定专人负责(accountable)重要风险 (red and amber) 必须是部门负责人 重大风险必须准备 STP- 每月在部门会议上评估 然后,重新评估风险系数值(Consequence, Likelihood, Risk
36、 Index Value),消除评估 + 修改和制定风险消除计划:,实施计划 通过项目管理的方式对风险消除行动计划进行管理 依据计划对进展进行监控和审核 CAPA 监控系统,当任何触发点出现,必须马上更新风险记录清单 (risk register),May 2007,GSKBS,触发点-重要变更,May 2007,GSKBS,审核和监控: 每月通过整合风险台帐,更新风险记录清单 每月在部门会议中审核回顾 通过”KPI监控”来监控整改前后的工艺流程的表现,总结:,Line management Other functions (audits),Line management,Line manag
37、ement,Line management,Line management,Other functions,List of risks,Assessed Risks Prioritized significant risks,Decision to continue, revise, or create mitigation plan,Risk Mitigation Plan,Major milestones and dates Evidence of compliance,Exception Reports and Successes,结果,工具,Brainstorming ISHIKAWA
38、 Supply chain risk matrix Value Stream mapping/IPO SWOT Risk Checklists,FMEA 5 by 5 Risk index matrix RAG Potential problem analysis,STP,STP,ACM-project managementCAPA system,N/A,职责,52,53,Risk Management Matrix 风险管理矩阵,URS,DS,IQ,OQ,PQ,风险评估在设计阶段的应用,用户要求说明文件,安装确认,运行确认,性能确认,54,Process URS,QC Environment Monitoring Risk Management Matrix,IOQ,PQ Residue Risk Verify & Study,EM Verified Residue Risk Monitoring,风险评估在制定环境监控和清洁计划的应用,END,
