Risk Management Responsibilities
The Company’s Board of Directors believes that overseeing how our management manages the various risks our Company faces is one of its most important responsibilities. The Company’s enterprise risk management framework reflects a collaborative process, whereby the Board and Company management apply a common risk management approach designed to identify potential events that might affect the Company and to manage the associated risks and opportunities.
In carrying out this responsibility, the Board meets at regular intervals with key members of company management with primary responsibility for risk management in their respective areas. The subject matter of these meetings generally falls into the following categories and risk areas:
- Strategy: Business vitality, strategic planning, talent management, reputation, sustainability, and diversity;
- Reporting: Financial results, finance and accounting, internal audit, independent audit, tax, and treasury;
- Compliance: Law and legal proceedings; legislative and regulatory environment; health care compliance; anti-corruption; environment, health and safety; privacy; quality; and product safety and scientific issues; and
- Operations: Supply chain (including manufacturing and business continuity planning), security (including security of products, sites, personnel and information), and research and development.
The Board also receives regular reports on aspects of the Company’s risk management from the Company’s independent auditor.
In addition, the Audit Committee of the Board meets in private sessions with the Chief Financial Officer, General Counsel, Chief Compliance Officer, Vice President of Corporate Internal Audit, and representatives of the Company’s independent auditor at the conclusion of every regularly scheduled Audit Committee meeting at which aspects of risk management are discussed.
The Board believes that, in light of the interrelated nature of the Company’s risks, oversight of risk management is ultimately the responsibility of the full Board.
Compliance-Related Risks
The Chief Compliance Officer chairs the Johnson & Johnson Compliance Committee, whose members include Compliance Officers for our business sectors as well as the leaders or designees of other key company functions, including Internal Audit, Law, Worldwide Security, Human Resources, Operations, Quality and Environment, Health & Safety.
The Compliance Committee reviews many forms of risk, as well as our programs in the areas of healthcare compliance, government contracting, anti-corruption, privacy legislation, quality, environment, health and safety, and regulatory compliance. The sector Compliance Officers ensure that processes and monitoring are in place at the subsidiary and sector level to assess risk, monitor program results and confirm that corrective actions are carried through. They are also responsible for an annual update of the risk assessment for their sector.
Reputation Risk
Reputational risk is overseen by the corporate communications function, with representatives from the function in each of the sectors and operating companies, as well as the Law Department.
Financial Risk
Financial risk, including casualty risk, is overseen by the corporate finance function, including Treasury, the Controller, and Internal Audit, together with finance officers of our business sectors and operating companies.
Other Forms of Risk
Operational and regulatory risks are assessed and managed by the business sectors and individual operating companies.
Identifying Risk
Johnson & Johnson uses a variety of management tools to identify risk and measure exposure, including the Mission Assurance Analysis Protocol (MAAP), which is specifically designed for decentralized organizations. We also maintain a database containing current information on risks and risk mitigation and reduction programs. In addition, face-to-face reviews are held to identify, mitigate and reduce risk through appropriate action.
Risk Mitigation
Risks are mitigated down to the manufacturing plant and department level using management planning tools such as the Corrective Action Preventive Action (CAPA) tool.
The Company's worldwide business continuity planning process addresses emergency response, incident management and operations recovery. Business continuity plans are regularly updated and tested. Tabletop exercises are conducted to confirm site managers understand the plan and can execute it if faced with an incident that could severely impact business continuity.
Johnson & Johnson purchases insurance against risks where coverage is available and the cost is economically sensible. Examples include first-party property risks; third-party risks such as aviation liability, automobile liability, general liability and clinical trials; and risks involving directors and officers.