Enterprise Risk Management for Life Science Companies

  1. Darren R. Jones
  2. Mark E. Laccetti
  3. Mark Scallon
  4. Mallory Thomas


It is no secret that life sciences companies need to be able to identify risks across all parts of their organization, know the potential impacts, and have a plan to monitor and manage these risks with effective internal controls if they are to become, or remain, successful in today’s complex environment. At Baker Tilly, our team of Value Architects™ are able to offer tailored ERM solutions that protect your company’s value so that your organization can continue focusing on developing and delivering innovations to better patients’ lives.

Risks associated with making strategic business decisions, which include functions within:

Commercial enablement

  • Commercial organization scalability
  • Commercial launch plan and ability to complete product launch “last mile”
  • Market access strategy implementation
  • Customer base engagement (e.g., HCPs)

Medical affairs

  • Expansion of indications and future trial design
  • Effective evidence generation strategy
  • Patient engagement effectiveness and patient support programs

Human resources

  • Remote work and culture development
  • Hiring plan and retention


  • Foundational corporate governance commensurate to stage of development

Research and development (R&D)

  • Product pipeline, strategic focus, etc.

Risks associated with flawed or failed processes, which include operational functions such as:

  • Maturity and scale of quality programs
  • Scope and scale of contract development and manufacturing organization (CDMO) relationship and/or internal capacity
  • Maturity of issues identification and resolution program
  • Ability to efficiently engage with core customers and stakeholders (e.g., HCPs, research institutions, hospitals etc.)
  • External funding process effectiveness

Risks associated with information technology (IT) and cybersecurity, including:

  • Overarching IT strategy development and ability to scale up IT automation across key functions (e.g., commercial, medical, finance, compliance, quality, regulatory, etc.)
  • Information security
  • Logical access (i.e., user access)
  • Data monitoring and loss prevention
  • Physical access, data backup and recovery
  • Data privacy and data protection program maturity (e.g., GDPR, CCPA etc.)

Risks associated with financing and transactions, including:

  • Financial reporting (e.g., staff, systems, internal controls, policies, procedures, etc.)
  • Cross-functional teams: Sarbanes-Oxley Act (SOX) compliance implications for clinical development (e.g., accrual and milestone management), quality, supply chain (e.g., third-party inventory management, product leasing and recalls), commercial/legal (e.g., IP valuation, royalty agreements), and for pricing, chargebacks, and rebates

Risks associated with violation of rules, laws and regulations, including:

  • Appropriateness and maturity of anti-bribery and anti-corruption programs (e.g., controls focused on engaging HCPs, patients, and other third parties such as research organizations, distributors, charitable organizations, patient advocacy groups, etc.)
  • Conflict of interest controls
  • Ability to meet compliance obligations outlined in relevant national laws and industry codes (e.g., event pre-notification, transparency disclosure requirements, etc.)
  • External materials processes
  • Ongoing monitoring of compliance risks and ability to adapt compliance program priorities accordingly
  • Ability to effectively comply with any requirements emanating from prior compliance breaches mandated either internally or as a result of external investigations and settlements
  • Utility of trial results for market authorization process
  • Achieving milestones and timelines
  • Robust overall knowledge of compliance and regulatory requirements and processes in target geographies

Risks associated with utilizing third parties for services or organizational functions, including:

  • Outsourcing decision-making process and strategy, including assessment of decision impact and associated risks
  • Vendor selection process and due diligence
  • Due diligence specific to risk exposure related to healthcare compliance risks such as bribery and corruption and company reputational risk

The discovery stage spans preclinical to Phase I research. In this evolutionary stage, life sciences organizations strive to establish the viability of their innovations. With a deep focus on evidence generation, key risks are concentrated in gaining access to researchers and patients in order to drive these various early-stage studies forward. Cultivating relationships with researchers comes with many risk drivers, such as anti-kickback considerations and patient identification challenges.

After establishing viability of the innovation in early research stages, organizations will next look to establish clinical viability and market viability as Phase II through Phase III studies are underway. Focus remains on clinical development, further cultivating and maintaining a network of key opinion leaders (KOLs) for principal investigator recruitment, and developing partnerships with contract research organizations (CROs). From a market viability perspective, after clinical viability is established, focus begins on sourcing capital, market research, market access planning and preparedness for commercialization or transaction. It is also here where companies need to focus more on the process, governance evolution and culture change needed to transition effectively to a commercial organization.

After the launch of a new asset (e.g., pharmaceutical product, medical device, FDA-approved digital health solution, etc.), organizations will be working to reinforce the clinical and market viability, while scaling safety surveillance and reporting. From a therapeutic area (TA) perspective, efforts shift to commercial enablement with a focus on market and patient access, along with medical affairs enablement for supporting relevant medical communities. Further emphasis is placed on sourcing capital, investing in human capital, continuing to build a network of KOLs, gaining access to data and healthcare professionals (HCPs), and developing market content. Secondarily, attention must still be paid to ongoing clinical development in the form of real-world evidence (RWE), health economics outcomes research (HEOR), and Phase IV and investigator-initiated studies (IIS). Key activities that will drive risk in this phase of clinical development will be maintaining a network of KOLs, gaining access to data, initiating strategic partnerships and building safety surveillance protocols. Commercial compliance risks associated with the engagement of HCPs and the necessary requirements around them (e.g., FMV and HCP tiering, transparency reporting, etc.) will also take center stage in terms of the company’s compliance program focus.

At this point, organizations will need to adjust the market plan as the real-time dynamics of the market begin to have an impact on the new product. The long-term commercial success of the product depends on these adjustments within the first 90 days. Once the fine-tuning is conducted and the asset is on its planned growth trajectory, the next key consideration of product life cycle management will emerge: continued clinical development, including RWE, HEOR and IIS for new and evolving safety information as well as future label extensions. There will be investment considerations, but rather than solely sourcing funds, there will be a focus on normalizing the balance sheet, beginning to alleviate debt and resolving early private equity or venture capital investor expectations. At this point, organizations may need to reassess their risk appetite and align the new investment strategy with that risk.

The global regulatory landscape surrounding the life sciences industry is complex and evolving, requiring diligent attention to maintain compliance in each market. As organizations consider expanding globally, focus must be concentrated on product life cycle management while continuing to support the collection of data for future label extensions and safety surveillance. In addition, organizations may have grown substantially – in value and headcount – leading to increased corporate structure and governance. Furthermore, the commercial success and growth of the organization may support the case for globalization, which will require deep market evaluations and development of market access strategies.

Define key roles and responsibilities of the program:

  • Develop and communicate the ERM program and ERM charter
  • Train key stakeholders on ERM methodologies
  • Assess maturity of existing compliance and quality functions

Agree upon and understand key risks:

  • Identify and prioritize the risk universe
  • Determine the scope of the ERM program
  • Evaluate the risk management capabilities of compliance and quality functions

Prioritize and focus on the most significant risks:

  • Develop response strategies (i.e., accept, mitigate or transfer) for the highest priority risks
  • Implement consistent risk response governance across risk domains
  • If resources are limited, focus greater attention on risks deemed to have higher severity, low risk tolerance and high organizational governance exposure

Confirm the organization is kept abreast of changes to its risk profile and mitigation efforts:

  • Monitor ongoing policies and procedures to detect and address changes in risk severity and response effectiveness