The biotech and pharmaceutical industries are no stranger to risk - organizing clinical trials for medications that may never reach the open market due to inefficiency can place a significant financial burden on companies. When it comes to managing them, identifying procedures can be essential to avoiding or minimizing the financial impact of risks.

The Economist Intelligence Unit conducted a survey of senior management executives in the pharmaceuticals and life sciences industry regarding risk in their respective companies. The 65 responses were combined with those of an earlier survey of 353 executives in a wider range of other industries. It mainly focused on North America, with 65 percent of respondents hailing from the region, but also included international areas such as Europe, Asia-Pacific, Africa and Latin America.

Management is C-Level
According to its findings, the EIU reported that the ultimate responsibility of risk management was falling on CEOs, CFOs, CROs and general counsel. The survey found that the senior executives could be doing a better job of defining the company's interest in risk, ensuring that information gets to the appropriate people for assessment.

Most Time Spent on Compliance
Following controls and monitoring, compliance takes up most of their time with risk management. However, this leaves managers and executives with less freedom to watch for emerging threats that could create financial hardships. As a result, companies are failing to spread risk awareness throughout their organizations.

Mismatch Between Barriers, Risk Processes
The results showed that two-thirds of respondents had no intention of recruiting a chief risk officer, with less than one-third saying their organization has one on staff already. While breaking down the risk management silo may have been beneficial, the lack of awareness diminishes an organization's ability to understand new risks.

The Benefit of Third-Party Training
According to the U.S. Food and Drug Administration, quality systems are becoming integral to the pharmaceutical industry. In turn, risk management is a valuable component of an effective quality system.

The biotech and pharmaceutical industries can greatly benefit from outsourcing their risk management training to third-party experts. Merit Career Development offers courses specific in project risk management for the biotechnology and pharmaceutical industries. For more information, click here.

The EIU study underscores the advantages that extra training can bring to risk management in the pharmaceutical industry. With a healthy roster of subject matter experts, Merit can help executives not only manage current threads but also look ahead to potential emerging risks.

After 20 years in the training business, you know you can count on Merit Career Development for fresh and relevant content, engaging program activities, and proven-effective delivery methods that best help training “stick.” We assure you that our programs will have immediate application to your workplace, producing an immediate ROI. It’s a modest investment for a smashing return!

New courses in response to marketplace demand include:

Project Leadership	Communicating using DISC
Project Change Management	Negotiating and Influencing
Problem Solving with Root Cause Analysis	Identifying and Managing Risks
Preventing Harassment in the Workplace	Agile Project Management

New and aspiring leaders will benefit from our Handling Employee Performance Problems and Termination, Business Communications and Team Performance (which is also offered for experienced managers.) Visit a complete list of courses or download the catalog here. Our annual training needs survey (again) demonstrated the highest interest in courses that increase proficiency in leadership, strategy and management – even among Project Managers. We have a robust selection of these courses from Fundamentals of Leadership to advanced topics, such as 360-Degree Leadership.

Our project management courses have been updated to align with the 6^th edition of the Project Management Body of Knowledge (PMBOK®) guide. Every course description in the catalog includes a listing of the number of credits by organization. See inset for example of accreditations per course.

Need help bringing training to your organization?

Thousands of studies have been conducted that validate the connection between investing in employee training and development and the increase in loyalty, morale, and retention. Lower turnover reduces costs and prevents unanticipated gaps in performance. Most important, high morale and a loyal staff translates into more satisfied customers and a better bottom line. And after all, aren’t satisfied customers what keeps your organization in the black?!

Our facilitators are expert at tailoring course(s) to the needs and experience levels of your staff. Find out how, by contacting Jim Wynne, for a no obligation discussion at jwynne@meritcd.com or 610-225-0449.

FREE Tips

Check out our LinkedIn Friday Facts. These nuggets are excerpts from our courses that people enjoy sharing with their friends and colleagues. It will be worth your time.

Previously, we wrote about how resolving conflict often has the side benefit of building a cooperative bond — even loyalty — between the factions. As each side gains a deeper understanding of the others’ viewpoints, respect builds and morale improves. Cooperative, low stress interactions, create a fertile environment for productive brainstorming, ultimately boosting the health of your organization.

Being respectful to others, being open to hearing their perspective, and taking the time to understand their objective are very important, but you’ll need more knowledge in your toolkit to dispel conflict when the conflict gets tough. So, let’s dig deeper today.

How can you demonstrate that you are being respectful and open and trying to understand the other’s perspective?

Here are the top 5 proven techniques you can add to your toolkit:

1. Ask questions about the other person’s recommendations or point of view in a sincere, non-judgmental manner. Drill down to make sure you totally understand all of their objectives, concerns, and potential obstacles that you may both face.
2. Replay or paraphrase their points back to show your understanding, and ask for confirmation that you “got it.”
3. Make sure your body language is open and consistent with your words. If they’re not, people instinctively believe your non-verbal message over the spoken word.
4. Even if you don’t agree, be sure to acknowledge that you hear and understand the other person’s points.
5. It wouldn’t hurt (and yes, it could really help) to verbalize some of your “opponents” points that you think are good, smart and, or useful. A sincere compliment, or statement of approval and recognition will go a long way towards resolving conflict.

In Part 3 of this series, we’ll examine the five conflict styles that help people understand their own responses as well as diffuse conflict with others. Specifically, we’ll look at the five conflict styles that Kenneth W. Thomas and Ralph H. Kilmann identified and can be assessed in the Thomas-Kilmann Conflict Mode Instrument (TKI), a globally accepted, widely used diagnostic assessment for resolving conflict.

Understanding the subtleties of conflict and personality styles goes a long way towards elevating an organization’s harmony and effectiveness. At Merit, we frequently facilitate multiple Conflict Management training sessions for our clients where we adjust the level of detail to group (i.e., customer service reps, new managers, and the senior team.) For more information, please contact Jim Wynne at jwynne@meritcd.com or call 610-225-0449.

One of the biggest challenges in risk management is risk identification. Humans are naturally optimistic; therefore, we do not like to recognize or discuss risks. We need to incorporate processes such as scenario planning and the pre-mortem technique into our forecasting practices. These techniques help us overcome our aversion to recognizing and discussing risks. Only after we have identified risks can we implement tactics to reduce their probability.

Merit is frequently asked to help businesses, federal agencies and membership organizations reduce or mitigate risk – regardless of their size and business type. Often their project teams collaborate and discuss methods for improving their risk status but have proven to be flawed. The most common flaw that sets them back is their goal to have all risk plans drive their risk probability and impact to zero, in which case it would not be a risk.

Standard risk responses include Avoidance, Mitigation, Transference, and Acceptance (passive/active). At Merit, we developed a reporting process that would show that the risk factors were decreasing as the project progressed. Supplemented with suitable risk responses, the true reduction of risk probability occurs over time.

The added value that we incorporated into the risk management process was two-fold. First, because of the desire to drive the risk to as low as possible, the use of multiple risk responses could be utilized. The second process improvement would be not only to subsequently reassess the risk, but also to re-evaluate the risk probability and impact matrix after the implementation of the risk response over time.

The Probability and Impact Matrix is one of the tools that we recommend in a risk management strategy. It is superimposed with risks that are labeled or numbered as in the above example. “Red” area risks were uniquely documented on a trending month-to-month basis such that it could be seen “driving” toward zero.

The implementation of a risk response would then “reclassify” the risk event for the next reporting period. However, the biggest impact on reducing risk is time. Time because we are progressively refining our process as our project develops, and because the physical window (amount of time available) for a risk event is reduced.

We invite you to learn about our modified process template so you too can incorporate it into your project plans. For more information, to learn other advanced risk monitoring, reporting, and controlling techniques or to schedule a risk management training customized for your team, contact Jim Wynne at jwynne@meritcd.com or by calling (610) 225-0449.

Project managers can set themselves up for failure by not properly planning for risk. Overly optimistic proposals run over budget, past deadlines and through resources if there isn’t a comprehensive plan for mitigating and responding to expected risk.

John Juzbasich, D.Ed., a risk management expert who has taught courses both in the U.S. and internationally, says that too many project managers underestimate risk because they don’t think about what can go wrong at each step. They don’t recognize the variety, number or prevalence of risk.

For example, Juzbasich recalls an exceptional project leader in one of his courses. This woman, who had an M.D. and Ph.D. worked in the pharmaceutical industry and was in charge of a project with 50 steps. Juzbasich told her that even if she was 99 percent effective at completing the earliest steps, she would have an increasingly higher risk of failure with each ensuing one. With so many balls in the air and so many more potential risks, her effectiveness would decrease. In fact, after completing all 50 steps, her effectiveness had dropped to about 60 percent.

Why Risk Management Training is Important

To be successful in the face of numerous unknown and unpredictable risks, project leaders need to plan for emergencies and unexpected disruptions within their budgets and timelines. Juzbasich explains that there are a variety of techniques and methods that project leaders can use for risk management.

For example, the fishbone—or Ishikawa—diagram helps determine risk by analyzing a problem and pinpointing possible causes. Breaking each possible problem down to its most preventable and actionable sources, the diagram can be used for dealing with current challenges or discovering potential causes of a feared issue.

Juzbasich also uses scenario planning, the Socratic method and seven other techniques for teaching risk management. Although these techniques are familiar to most project leaders, Juzbasich finds that few people actually employ them or fully understand how they can be beneficial. So, he only spends part of the first day of his course explaining the techniques. The rest of the time is used for putting these techniques into practice.

Real World Applications

The purpose of Juzbasich’s course isn’t to learn the techniques—it’s to practice them for future real-world use on actual projects. Risk management techniques are useless if project leaders aren’t able to take them to their team or upper management and present a solution.

Juzbasich points to an example from one of his courses: The class broke into small groups and each worked on one class attendee’s actual project issue. From there, the entire class tackled this issue and employed Juzbasich’s techniques to find solutions. That group member then took the information to her upper management. Her superiors adopted the solution, saving the large project and benefiting her company.

“What we had done during class, and as a team, worked on her situation. She was then immediately able to apply it to a work environment,” Juzbasich explains. “It isn’t theoretical at all. It’s truly hands-on learning. It benefited the overall company as well as her team because of the work we did that day. It was cool to make a difference in one day. That told me we were doing something right.”

May 2014

The Department of Health and Human Services (HHS) entered into settlements totaling $4.8 million with New York-Presbyterian Hospital (NYP) and Columbia University Medical Center (CU) for failing to implement appropriate administrative and technical safeguards to secure the ePHI of approximately 6,800 patients^[i]. This is HHS’ highest financial sanction issued to date as a part of breach settlement agreements, confirming its commitment to enforce HIPAA compliance.

Breach Report, Investigation and Findings

NYP and CU received a complaint from an individual who found confidential health information (ePHI) including status, vital signs, medications, and laboratory results of a deceased relative, a former NYP patient, on the Internet. The HIPAA regulations require such ePHI be maintained in secure systems and kept confidential. In accordance with HIPAA requirements, they submitted a joint report of the complaint to HHS dated September 27, 2010 resulting in an investigation by HHS’ Office of Civil Rights (OCR).

OCR’s investigation found that NYP and CU have a joint healthcare services arrangement wherein CU faculty members work as attending physicians at NYP. To support the services, NYP and CU operate a shared data network including firewalls administered by employees of both entities with shared links to NYP patient information systems.

OCR identified the breach to have occurred when a CU physician employed to develop applications for both entities attempted to de-activate a networked server containing NYP patient ePHI. Due to a lack of technical safeguards in place on the network, the de-activation attempt resulted in NYP ePHI becoming accessible to internet search engines.

OCR found that neither NYP nor CU could demonstrate that its servers were secure or contained software protections prior to the breach. OCR found an additional lack of administrative safeguards, specifically that neither entity had conducted a risk analysis to identify all systems with access to NYP’s ePHI or had a risk management plan in place to address potential hazards or threats to the security of its ePHI.

Finally, OCR found that NYP failed to implement its own technical safeguards including procedures for authorizing access to its databases and information access management processes. In addition to the financial sanctions, NYP and CU agreed to a corrective action plan requiring implementation of the administrative and technical safeguards and to monitor compliance with regular reports back to HHS.

Increased HHS Enforcement of HIPAA Compliance

This action gives notice to Covered Entities and Business Associates that HHS has heightened its enforcement efforts since the enactment of HITECH and the HIPAA Omnibus Rule.

It is imperative that a healthcare organization ensure that its workforce understands the privacy and security regulations, not just completes rote training programs, and recognizes the impact that non-compliance - from even one employee - can have on an organization.

The mandated HIPAA safeguards must be in place to identify risks and threats to ePHI and patient information systems, including insider threats from its own workforce. The safeguards must be regularly monitored through risk analysis as a part of a comprehensive risk management program.

[i] See http://www.hhs.gov/news/press/2014pres/05/20140507b.html