Enterprise Risk Management (ERM): A critical imperative for India’s pharma sector
Gurmeet Singh, Procurement Director, Alfa Pharma, highlights how risk-resilient practices can strengthen the Indian pharma sector’s global standing
The Indian pharmaceutical industry is one of the largest globally, known for its significant role in the production of generic drugs, contributing around 20 per cent of the global supply by volume. The industry is crucial in meeting global healthcare needs, especially in producing affordable medicines. However, the sector faces several supply chain challenges affecting both domestic and international operations, along with numerous other risks and disruptions, including geopolitical tensions, pandemics, supply chain failures, and regulatory challenges. To address these challenges, there is an emergent need for the sector to develop and embrace a comprehensive Enterprise Risk Management (ERM) framework tailored to the unique needs of Indian pharma companies. Some of the key challenges faced by Indian pharma are the following:
- Dependence on China for imports of basic chemicals and input raw materials.
- Regulatory hurdles and the need to comply with the USFDA and European Medicines Agency regulations.
- Logistical bottlenecks, the complex transport network, port congestion, road conditions and inadequate cold chain infrastructure.
- Quality control issues arising from deviation from the Standard Operating Procedures, resulting in product failures and product recalls, impacting the company’s reputation and revenues.
- Supply chain disruptions arising out of unforeseen pandemics, further compounded by sudden price increases, contract cancellations and non-availability of critical raw materials.
- Inadequate technology integration, lower focus on innovation and minimal R&D spend. Indian companies lag in the adoption of advanced technologies like blockchain, AI in drug discovery and the use of robotics.
- Environmental impact due to pollution from pharmaceutical waste. Many units face a sudden stoppage due to non-compliance and the risks thereof.
- Product recalls and adverse FDA 483 observations resulting in revenue impact.
ERM – The purpose
The purpose of an Enterprise Risk Management (ERM) policy framework in an organisation is to establish a structured and systematic approach to identifying, assessing, managing, and monitoring risks that may impact the achievement of the organisation’s strategic and operational objectives. The ERM policy framework, once tailored to the organisation’s requirements, will ensure alignment with regulatory requirements and industry best practices to enhance resilience and long-term sustainability. This policy applies to all business units, functions, and subsidiaries of the organisation. It covers strategic, financial, operational, regulatory, reputational, IT/cybersecurity, ESG, and compliance risks.
The competitive advantage of ERM
Companies that implement comprehensive ERM strategies don’t just manage risk – they create opportunities. By embedding ERM into business strategy, decision-making, and operations, pharma companies can drive:
◆ Stronger investor confidence
◆ Enhanced operational efficiency
◆ Better regulatory preparedness
◆ Sustainable long-term growth
Key components of the ERM framework
◆ Risk identification
– Categorise risks into Strategic, Financial, Operational, Compliance, Cyber, and Reputational risks.
– Use Risk Registers, SWOT analysis and others.
◆ Risk assessment & prioritisation
– Use a Risk Matrix (Likelihood vs. Impact) to classify risks as High, Medium, or Low.
– Conduct Scenario Analysis and Stress Testing for critical risks.
◆ Risk mitigation strategies
– Develop a Risk Response Plan (Avoid, Mitigate, Transfer, Accept).
– Establish Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs).
◆ Risk monitoring and reporting
– Implement a Risk Dashboard for real-time tracking.
– Conduct regular risk audits and quarterly risk committee meetings.
Introducing ERM in a pharma organisation
In a highly complex and regulated pharma industry, there are risks at every step. From evolving regulatory landscapes to global supply chain disruptions, from clinical trial uncertainties to reputational vulnerabilities, a structured and proactive approach to risk management is both essential and a strategic imperative. It becomes a value-adding discipline that supports compliance, safeguards innovation, and protects all stakeholders. The following is a roadmap to effectively implement ERM in a pharma setting:
- Importance of executive sponsorship and board alignment
In a pharma organisation, the link between ERM and regulatory compliance (FDA, EMA), product quality, and patient safety makes it a natural fit for board-level oversight. The first step is to define the ERM mandate, gain approval for an ERM charter, and establish the function as a critical part of corporate governance. ERM is to be seen as a strategic enabler.
- Assess current state and compliance gaps
It is important to understand the baseline, that is, where the organisation currently stands. Conduct a thorough risk maturity assessment and gap analysis with respect to industry standards like ICH, ISO 31000, and COSO ERM. In pharma, the assessment must include cGMP adherence, clinical trial risk, pharmacovigilance and patient safety, data integrity, supply chain traceability, etc.
- Define the ERM framework and governance structure
With a clear view of current gaps, establish an ERM framework tailored to pharma operations. The framework should define risk principles, reporting structures, and escalation protocols. This may include a cross-functional ERM team (CFT) with participants from Regulatory, Quality, Medical, Supply Chain, and Legal. This should be followed by defined risk ownership across business units and a Board-approved risk appetite statement, which will differ from one organisation to another. However, it may be guided by the following:
◆ Regulatory and compliance risks, e.g., FDA 483s, consent decrees
◆ Product quality risks, e.g., recurring deviations, OOS results
◆ Clinical risks, e.g., trial protocol violations
◆ Supply chain risks, e.g., API shortages, logistical disruptions
◆ Market and IP risks, e.g., patent cliffs, etc.
Once these risks are compiled into the Risk Register, take steps to prioritise them for further analysis.
- Facilitate risk assessments across departments
Risk cannot be managed in silos. A collaborative process ensures a 360-degree view of enterprise risk and builds ownership across the organisation.
- Integrate ERM with strategic planning
The true value lies in enabling better business decisions, especially in portfolio strategy, market launches, and clinical development.
- Develop mitigation plans and risk indicators
For each top-priority risk, assign owners, define mitigation actions, and track progress. Use Key Risk Indicators (KRIs) that are specific to pharmaceutical operations, such as overdue CAPAs, recurring deviations, compliance audit scores and internal ratings, and batch rejection incidents.
- Build a risk awareness culture and implement technology to support ERM
Align regulatory expectations and quality culture, and leverage digital tools to improve visibility, traceability, and scalability. Risk platforms must meet pharma’s validation and audit requirements.
- Review, report, and continuously improve
ERM is a project in perpetuity; it is a journey, and it must evolve with the business, regulatory shifts, and product portfolio changes. There should be a regular review of risks in the various units of the organisation, and it is important to have Board-level reporting to ensure that the right tone is set from the top, making the entire ERM process effective and efficient. A well-run ERM program not only ensures resilience but also creates competitive advantage through smarter, risk-informed decisions.
Are you future-ready?
In a highly competitive market, risk-resilient companies thrive while others struggle. It’s time to move beyond reactive risk management and adopt an integrated, forward-looking ERM approach to safeguard the company’s future. The need of the times is to invest in ERM today in order to build a risk-proof tomorrow.