Safeguarding our company from risks

In a rapidly changing business environment, effective risk management is critical to our ability to build resilience and provide sustained, long-term value to patients, shareholders and other stakeholders. We strive to minimize or prevent negative issues from occurring while helping ensure we capture business opportunities as they arise.

The Enterprise Risk Management (ERM) process at Novartis is a series of coordinated activities designed to identify risks, promote accountability and support balanced decision-making for sustainable long-term growth. The process begins with leadership discussions about risk at the global level and in country organizations as part of annual strategic planning. In 2020, we held mostly virtual cross-divisional workshops in our top 11 markets and a number of additional countries in Africa, Asia, Europe and South America. At the global level, we also held risk work shops with business and organizational units. Additionally, we looked at reports by Novartis functions such as Internal Audit, as well as external data on industry and macro-economic trends, to help identify high-risk areas.

The Chief Ethics, Risk & Compliance Officer is responsible for the overall risk management process at Novartis. The Ethics, Risk & Compliance (ERC) function oversees the company’s risk management and compliance functions, including risk-based companywide policy and internal control management, as well as crisis and business continuity management.

The Executive Committee of Novartis (ECN), led by the CEO, reviews and endorses the risk portfolio. The Board of Directors provides the highest layer of oversight. It focuses on the most significant risks, while the Board-level Risk Committee reviews the entire risk portfolio and actions implemented by management. For further details on the Risk Committee and its activities, please see page 146 of the Novartis Annual Report 2020.

While our purpose – reimagining medicine to improve and extend people’s lives – drives our values and defines our culture, our ethical principles guide us in everyday decision-making and ensure we act with integrity. Our new Code of Ethics sets the ethical framework for risk management at Novartis. In addition, within the Novartis Risk & Resilience organization, Business Continuity Management (BCM) and Novartis Emergency Management (NEM) are important elements of our risk management strategy. During the COVID-19 pandemic, more than 100 NEM teams worldwide supported the business to help ensure the safety and well-being of associates as well as the uninterrupted supply of medicines to patients.

Enterprise Risk Management process (ERM)

The Novartis Risk Compass

We use the outcomes of the ERM process to update the Novartis Risk Compass, which provides a single holistic view of risk across the company. We group risks into four categories and assign a risk rating based on likelihood, potential impact and other factors within a time horizon of up to five years. This approach helps senior management and the Board of Directors align the company strategy and our risk exposure. Once a risk is identified, we decide how to treat it based on our risk appetite. We regularly monitor and reassess risks in case there are changes in the risk situation.

Risks in 2020

The Novartis risk portfolio comprises 21 risks, of which seven are categorized as strategic, 10 are categorized as operational, and four are categorized as emerging. In addition, we identified three awareness topics.

For ERM purposes, we assessed whether the COVID-19 pandemic amplified or accelerated known risks in our portfolio, rather than labeling it as a standalone risk. For example, we escalated “geo-political and socio-economic threats” from an awareness topic to an emerging risk in 2020, due in part to the widespread societal and economic impact of the COVID-19 pandemic. We also identified “new ways of working” as an emerging risk, partly due to the potential impact of a widespread shift to remote working amid the pandemic.

Novartis has for some time actively managed a range of ESG matters. These are now included within the risk portfolio as a strategic risk, taking into account their expected impact on the sustainability of our business over time, and the potential impact of our activities on society and the environment.

The below categories show the degree of risk exposure for Novartis, based on a combination of the risk’s likelihood and potential impact on our business.

Risk rating:

Strategic Risks

Key products and commercial priorities
Pricing, reimbursement and access
Research and development
Alliances, acquisitions and divestments
Environmental, social and governance matters
Organizational, structural and cultural transformations
Digitalization and emerging business models

Operational Risks

Cybersecurity and IT systems
Third-party management
Manufacturing and product quality
Fragmented core processes and IT landscape
Talent management
Facility and workplace safety
Legal and compliance
Inadequate oversight of medical programs
Data privacy
Supply chain

Emerging Risks

Geopolitical and socio-economic threats
New ways of working
Global enterprise resource planning (ERP) implementation
Social media and digital engagement

Awareness Topics

Climate change
Antimicrobial resistance and changes in disease patterns, including pandemics
Deterioration of human rights protection

Risks in focus

The following provides further details on key risks for Novartis, including the top risks in each category as well as those that have been significantly upgraded in 2020.

Risk	Context	Actions
STRATEGIC RISKS
Key products and commercial priorities Failure to deliver key commercial priorities and successfully launch new products	Our ability to grow our business depends on the commercial success of key products. Their success could be impacted by a number of factors, including pressure from new or existing competitive products; changes in the prescribing habits of healthcare professionals; unexpected side effects or safety signals; supply chain issues or other product shortages; pricing pressures; regulatory proceedings; changes in labeling; loss of intellectual property protection; and global pandemics.	We are pursuing a “launch excellence” strategy in commercial execution, including investing in earlier prelaunch preparations and using data science to test and learn from new commercial models. We are accelerating the planned implementation of a new customer engagement model, which combines traditional face-to-face visits with digital methods of engaging healthcare professionals. We are similarly changing our approach to engaging healthcare systems, payers and other healthcare providers. We enter into business development agreements with other companies and with academic and other institutions to develop new products and access new markets.

Pricing, reimbursement and access Pricing and reimbursement pressure, including access to healthcare	We experience significant pressures on the pricing of our products and on our ability to obtain and maintain satisfactory rates of reimbursement from governments, insurers and other payers. These pressures have many sources, including rising healthcare costs (exacerbated in 2020 by the COVID-19 pandemic); funding restrictions and policy changes; and public controversies, debate, investigations and legal proceedings around pharmaceutical pricing. Such pressures may impact product pricing and market access. We also face price controls and other measures imposed by governments and other payers. In addition, our Sandoz Division has faced and may in the future face continued price erosion in the generics and biosimilars segment.	We have dedicated teams that actively seek to optimize patient access, including formulary positions, for our products. We are increasing our efforts to enable patient access through innovative pricing and access initiatives in the US, Europe and other markets. These include contract structures such as pay-over-time and outcome-based agreements. We announced new access-to-medicine and global health targets in 2020. We also launched a sustainability-linked bond, embedding the targets into the core of Novartis business operations.
Research and development (R&D) Failure or delay in the research and development of new products or new indications for existing products	We engage in costly, lengthy and uncertain R&D activities, both independently and in collaboration with third parties, to identify and develop new products and new indications for existing products. Failure can occur at any point, including after substantial investment. New products must undergo intensive preclinical and clinical testing. Further, regulatory authorities continue to establish new and increasingly rigorous requirements for approval and reimbursement. The post-approval regulatory burden has also increased.	We enter into agreements with other pharmaceutical and biotechnology companies and with academic and other institutions to develop new products. We are accelerating the use of data science and digital technology to make the drug discovery and development process more efficient and effective.
Environmental, social and governance matters Unsuccessful management of environmental, social and governance matters	Increasingly, in addition to their financial performance, companies are being judged on their performance on a variety of ESG matters. Novartis actively manages a broad range of ESG topics that impact our business, including environmental sustainability, falsified medicines, patient access and human capital management. An inability to demonstrate performance on ESG matters can result in negative impacts to our reputation, operations, recruitment and retention of employees, financial results and/or our share price. Reflecting the growing importance of ESG for Novartis, this risk was upgraded to the strategic category in 2020, from an awareness topic in the previous year.	We announced new access-to-medicine and global health targets in 2020. We also launched a sustainability-linked bond, embedding the targets into the core of Novartis business operations. We strengthened our environmental targets in 2020, including aiming for full carbon neutrality across our entire supply chain (Scope 1, 2 and 3) by 2030. We established an ESG Management Office under Corporate Strategy to track performance and drive strategic initiatives.
OPERATIONAL RISKS
Cybersecurity and IT systems Cybersecurity breaches and catastrophic loss of IT systems	We rely on critical, complex and interdependent information technology (IT) systems to support our business processes. We are therefore vulnerable to cybersecurity attacks and incidents, both on our own networks and those of third parties to whom we outsource parts of our IT infrastructure. In the context of the COVID-19 pandemic, the risk of such threats and attacks has increased as virtual and remote working becomes more widely used and as employees access sensitive data in less secure, home-based environments. The disruption of our IT systems could negatively impact important business processes, including R&D, regulatory submissions to health authorities, and our manufacturing and distribution operations, among others.	We established Security Operations Center and Cyber Security Center teams to proactively assess threats to Novartis, perform security monitoring, and respond to security incidents. Our Vulnerability Management team also monitors the environment for vulnerabilities and coordinates mitigation activities. We continually validate and identify critical assets for enhanced protection.
Third-party management Failure to maintain adequate governance and oversight over third-party relationships, and failure of third parties to meet their contractual, regulatory or other obligations	We outsource certain key business functions to third parties. These include R&D collaborations, manufacturing and distribution, certain finance functions, sales and marketing activities, and data management, among others. We may fail to receive the expected benefits of these agreements if third parties fail to meet their obligations. In addition, we may be held responsible if third parties fail to comply with laws or our standards, or otherwise act inappropriately.	We require third parties to comply with the Novartis Third Party Code. We also expect third parties to adopt standards that cover the same principles and content in the code with their own suppliers. We merged our human rights and Third-Party Risk Management program into one function to help ensure more effective human rights due diligence.
Manufacturing and product quality Inability to ensure proper controls in product development and product manufacturing, and failure to comply with applicable regulations and standards	The development and manufacture of our products is complex and highly regulated by health authorities around the world. We must ensure that all relevant processes comply with regulatory requirements as well as our own quality standards. Failure to do so may result in warning letters, suspension of manufacturing, seizure of products, injunctions, product recalls, failure to secure product approvals, or debarment. Any of these could have a material adverse effect on our business, financial condition, and results of operations.	We aligned the Novartis Quality organization to the business, while embedding Quality Management System requirements closer to the points of execution. In 2020, we took steps to ensure the Novartis Quality audit program continued to cover internal and external sites across the product lifecycle despite COVID-19 challenges. We took action to fulfill new regulatory requirements within specified timeframes with respect to acceptable impurity levels in our products.
EMERGING RISKS
Geo-political and socio-economic threats Negative impact of geo-and socio-political threats and economic instability	A range of geo-political and socio-economic issues may affect our business. These include trade restrictions, such as tariffs, and government policies on drug pricing and other issues. In addition, unpredictable economic conditions may adversely affect the financial position of payers, distributors, customers, suppliers and service providers. Financial market issues may also result in a lower return on our financial investments, and a lower value on some of our assets. This risk was upgraded to an emerging risk in 2020, from an awareness topic in the previous year, as the COVID-19 pandemic, trade frictions and other trends continue to create an unpredictable environment for global business.	We consider assessments of the geo-political, macro-economic and socio-economic environment in our Enterprise Risk Management process to identify high-risk areas. We work with trade associations, key stakeholders and multilateral organizations to anticipate policy/trade developments and related consequences for our business.
New ways of working Impact on productivity and well-being of associates of constant remote working due to the current pandemic crisis and in planned future setup	The COVID-19 pandemic has fundamentally changed the way we work. It has accelerated existing trends and triggered new ones. These include reduced business travel, increased dependence on virtual communications platforms, potential mental health concerns due to prolonged isolation, and blurred lines between working and non-working life. These trends pose several risks for our business, including decreased productivity, challenges around keeping associates engaged with our corporate culture, employee burnout, and data privacy/protection issues.	We accelerated the launch of a new global working model for office-based functions, called Choice with Responsibility, which addresses associates’ need for flexibility in working arrangements while seeking to maintain business performance. We expanded mental health resources and tools available to associates.
Global enterprise resource planning (ERP) implementation Inability to implement and properly operate our new global ERP system	We are in the design and planning phase for the implementation of a new global ERP system that seeks to simplify, standardize and digitize processes across several business functions. The aim is to help ensure efficient and compliant business operations as well as to ensure the availability of high-quality data necessary to aid our decision-making. Any disruption or malfunction of our new ERP system could negatively affect our operations.	We expect the planning, design and build phase to continue through 2021, with the first implementations of our new ERP system expected to begin in the second half of 2022.
AWARENESS TOPIC
Climate change Climate change and increased risk of major natural disasters	Climate change and the potential failure of adaptation are key risks highlighted across most risk and trend reports. The transition to a low-carbon economy and the adjustment of energy production and consumption will continue to be critical for investors and society as a whole. Novartis is potentially exposed to physical risks from varying natural disaster or extreme weather events. In addition, we face increasing transition risks due to market and regulatory dynamics, including carbon taxes and carbon pricing. Novartis is committed to using resources efficiently and reducing greenhouse gas emissions. We aim to achieve carbon neutrality across our supply chain (Scope 1, 2 and 3) by 2030. However, in a rapidly changing world, there can be no certainty that we will manage such issues successfully to meet our targets.	We formally signed on to the Task Force on Climate-related Financial Disclosures. We provided long-term sensitivity and stress-testing analysis for climate and water to relevant business functions. We started a process to assess climate-related risks for our development pipeline and existing medicines. For more information on our climate-related actions and disclosures, please see page Unleashing the power of our people, Enhancing environmental sustainability and Task force on Climate-related financial disclosures (TCFD).