
MICROSOFT

Risk Management & Analytics


Regulatory oversight and increasingly complex asset classes are revolutionizing risk
management, compliance, security and data management in today's financial services industry.
Financial institutions need greater real-time insight into business exposures, and their potential
impact within a line-of-business as well as holistically across the enterprise, to mitigate risk,
improve profitability and comply with regulatory requirements.
Financial institutions must manage greater data complexity with more intensive data analysis to
gain the flexibility they need to respond to new challenges and opportunities in real-time. This
agility requires efficient access to computing resources for computationally intensive analysis. To
improve productivity, solutions must be easily accessible to all employees, from traders and risk
managers to IT and application development staff, regardless of whether they are spreadsheet
users, actuaries running stochastic models, or developers involved in the programming of new
computationally intensive financial applications.
Financial institutions need a flexible and scalable infrastructure that can be extended across
the enterprise. In addition to reducing complexity, this approach helps firms achieve a balance
between improved risk management, improvements in service, and reductions in cost. Microsoft
solutions compute, monitor and report real-time risk exposures. Our approach makes risk
analytics pervasive in employees' everyday activities with tools that are seamlessly integrated
into existing applications and systems. Microsoft and its rich ecosystem of partners provide value
through:
Risk management process, workflows, and controls addressing assessment of risk,
collection of key risk indicators and building an enterprise-wide repository
Risk computing and modeling solutions to reduce the time needed to compute real-time risk exposures
Easy-to-use risk visualization and reporting tools that integrate with existing data
warehouses
Consolidated view of the risk management exposures combined with corporate
performance management
http://www.microsoft.com/enterprise/industry/financial-services/banking-and-capitalmarkets/risk-management-and-analytics.aspx#fbid=DlNN4WZN4IW

QUINTILES
Headquarters: United States
Global revenues (in millions): $3,000

The health care/services company was mentioned as a great place to work on lists in Canada,
Germany, Italy, Mexico, Spain, and the United Kingdom.
Great Place to Work determined rankings based on the average score from surveys sent to
employees. Companies must be mentioned on lists from at least five countries to be considered a
best multinational company.

Safety & Risk Management


Turn challenges into opportunities
Safety and value concerns are driving demand for more evidence on the benefit-risk profile of
medical products. Through comprehensive evidence development, real-world research can
complement RCTs to provide a holistic view of benefit-risk, improving the probability of success
of gaining approval, attaining reimbursement and retaining market access.
Innovative benefit-risk programs meet requirements and add value
You work every day to address changing regulatory requirements. With the right partner offering
the right approach, you can develop innovative benefit-risk programs that meet these
requirements, and also deliver cost-effective, value-added tools for monitoring and measuring the
benefit-risk profile of your products.
Change your approach and exceed expectations
Regulatory agencies are increasingly looking at safety through the lens of benefit-risk balance, so
we continually align our approach to theirs. Our capabilities do not reside in a siloed
REMS/RMP department, but in a Global Benefit-Risk Management (GBRM) Center where we
leverage dedicated safety and real-world late phase resources.
The Quintiles GBRM Center collaborates with customers to:

Establish current disease burden through primary and secondary research.

Determine and understand the drivers of patient and prescriber behaviors.

Uncover the knowledge and attitudes of patients, caregivers and healthcare providers.

Build safety program materials that deliver information as well as the
engagement/motivation requisite for participation in voluntary programs.

Notify stakeholders of a safety initiative through multiple channels, including advertising
in professional journals.

Develop, pilot test, refine and field Knowledge, Attitude and Behavior (KAB) surveys.

Design world-class benefit-risk registries to track the success of your benefit-risk
program via outcome indicators as well as process indicators.

Participate in the regulatory discussions shaping the future of safety/benefit-risk
management.

Approach Specialized benefit-risk approach: Quintiles' strategies and data-driven safety and risk
minimization programs demonstrate or enhance appropriate and safe use of drugs, biologics and
devices. Multi-tiered programs range from education and behavior evaluation to post-authorization safety studies (PASS), and safety registries to performance-linked and controlled
access programs.
Reach Global and local operational and regulatory expertise: With over 32,000 employees in more than
100 countries, Quintiles has extensive global reach. We have the insight to apply local solutions
and the depth and breadth of knowledge to help mitigate risk and maximize global markets.
Insight Deep therapeutic insights: More effective and specialized programs along with a greater
understanding of risks are possible with the expertise of Quintiles' 900 PhDs, 950 medical
doctors and 13 therapeutic centers of excellence.
Technology Industry-leading technology: Quintiles' industry-leading and patented technologies provide
global workflow management, operational metric reports for productivity, quality and
compliance analyses, full global aggregate reporting capabilities, PSUR/PBRER, expedited
report submissions (E2B and paper), and signal detection and data mining. Our technology
platform facilitates seamless delivery across the drug development lifecycle using the Quintiles
Infosario Outcome technology suite to accelerate implementation of modules, such as web
portals, eCRF, patient and physician safety surveys, real-time reporting, ADR/SADR and
workflows.
Partnership Collaborative partnerships for the future: Reflecting our deep methodological expertise and
interest in shaping the future of safety and risk management, Quintiles participates in a number
of collaborative initiatives, including the European Medicines Agency's PROTECT-EU and
ENCePP projects and the US FDA's Sentinel Initiative.
See more at: http://www.quintiles.com/services/safety-and-risk-management#sthash.jsrh6xhp.dpuf

Novo Nordisk
Headquarters: Denmark
Global revenues (in millions): $11,100
The pharmaceuticals company was named in lists from Italy, Mexico, Switzerland, the
Netherlands, and the United States.
Risk management is part of good corporate governance
Novo Nordisk has developed a dynamic approach to risk management to ensure that key risks
are effectively identified, assessed and managed so that they will not affect the company's ability
to achieve our business objectives. Maintaining and monitoring a systematic integrated process
to continually assess business risks is the responsibility of Executive Management. The Risk
Management Board, with representatives of Senior Management from relevant parts of the
business and chaired by the chief financial officer, sets the strategic direction for the risk
management process and challenges the overall risk and control profile for Novo Nordisk.

Our policy for risk management is to proactively manage risk to ensure continued growth of our
business and to protect our people, assets and reputation. This means that we:

utilise an effective and integrated risk management system while maintaining business
flexibility

identify and assess material risks associated with our business

monitor, manage and mitigate risks.

Our risk willingness is not one specific figure or formula, but varies depending upon the specific
category of risk. The main characteristics of Novo Nordisk's risk willingness are:

We develop new innovative products to improve treatment of serious diseases such as
diabetes and haemophilia. We accept the high level of risk involved in bringing such products to
market that meet the needs of patients in terms of both safety and efficacy.

We make every effort to reduce safety risks to the lowest level possible in both clinical
trials and already marketed products as the safety of patients is paramount to us.

We take a conservative approach to the management of financial risks.

We strive to reduce supply chain risks through proactive business continuity planning,
regular inspections and back-up facilities.

We never compromise on quality and business ethics.

The set-up of the risk management system
Novo Nordisk's risk management system covers the entire company in terms of geography,
activities and functional areas. It has a cohesive management structure, with a designated Risk
Management Board, which sets the strategic direction for enterprise risk management and
challenges the overall risk and control profile for Novo Nordisk. The Risk Management Board is
composed of senior managers, representing all key parts of the value chain. It is supported by its
secretariat, Risk Office, which is responsible for supporting the organisation in the fulfilment of
their risk management roles and responsibilities.
Novo Nordisk has developed a systematic, integrated process to continually assess a wide range
of potential risk issues. Enterprise risk management increases the company's ability to assess and
understand risks separately and in relation to each other. The key aim is not to avoid risks but
ensure that they are proactively managed. Each quarter, all major business areas in the company
are required to report to the Risk Office their most significant risks, along with plans or processes
to manage these risks.

The Risk Office challenges business areas on reported risks and encourages exploration of
longer-term concerns. Reported risks are then consolidated into a corporate risk profile
containing an assessment of the company's key risks. This information is presented to the Risk
Management Board, which challenges the overall risk and control profile of Novo Nordisk. The
final profile is reviewed by Executive Management, the Audit Committee and the Board of
Directors.
All assessments of risk take into account the likelihood of an event and its potential impact on
the business. Impact is quantified and assessed in terms of potential financial loss or reputational
damage. Risks are assessed both as gross risk and net risk. The assessment of gross risk assumes
that no mitigating actions have been implemented, whereas net risk assessment takes into
account mitigation actions and their anticipated effect.

Roche
Headquarters: Switzerland
Global revenues (in millions): $52,901

The pharmaceuticals company was mentioned on lists from Central America, Colombia,
Denmark, Ecuador, Portugal, Uruguay, and Venezuela.
Risk management and compliance
Identifying, analysing and responding appropriately to business risks is vital to attaining Roche's
business objectives, protecting the interests of stakeholders and meeting legal requirements.
Managing risk
The Roche Risk Management Policy sets out our approach for managing material risks: the
possibility that an event will occur and adversely affect the achievement of Roche's objectives.

Risks are managed locally where they arise and where appropriate expertise is present to manage
them. The line managers are responsible for ensuring that effective internal controls are in place
and appropriate action is taken to respond to them.
Therefore, every business unit and global function must conduct at least once a year a risk
assessment and develop processes for identifying and managing material risks. These risk plans
are integral to our overall business plans, which we review together with the risk management
environment in regular performance assessments.
Group Risk Advisory annually compiles and analyses an inventory of major Group-wide risks.
This analysis is published in the Group Risk Report and distributed for review to the Corporate
Executive Committee and the Audit Committee of the Board of Directors.
We continue to strengthen our business continuity management (BCM) to ensure that all our sites
respond effectively to catastrophic events and deliver a minimum, acceptable level of key
products and services. A Group BCM policy and guideline is in place, facilitating a consistent
and aligned local implementation. We are currently rolling out the new BCM framework across
the Group to make sure Roche's operations are resilient and capable of effectively responding to
major disruptions.
We seek to avoid situations where personal interests conflict, or even appear to conflict, with the
interests of Roche. If a conflict of interest arises, the employee must immediately inform his/her
line manager to find an appropriate solution.
Sustainability risks and opportunities
The Corporate Sustainability Committee is responsible for assessing social, environmental and
ethical risks, referred to as Business Sustainability Risks. These are identified through regular
workshops involving a wide range of employees, who use their expertise and experience, as well
as stakeholder feedback, to identify emerging risks.
In 2014, Roche enhanced its Business Sustainability Risk Assessment approach, which allows us
to assess emerging risks on an annual basis and to integrate these into our existing Group Risk
Management Process. Using this approach, potential business sustainability risks were identified
from literature review, risk intelligence sources and workshops. Each of these risks was then
assessed by an expert cross-functional team resulting in a short list of five risks that have now
been integrated into our 2014 Group Risk Management Process.
The five business sustainability risks identified are:

Earthquake (Basel, Tokyo, South San Francisco)

Inadequate strategies for Cloud, mHealth (use of mobile devices), eHealth (use of
electronic devices) and social media

Cyber attack

Issue response not yet optimised

Third-party relationships

Maintaining compliance
The Chief Compliance Officer serves as a contact person for Roche employees, as well as for
shareholders, business partners, customers and the general public on issues relating to the
implementation of and compliance with the Roche Group Code of Conduct.
Our comprehensive Compliance Officer Network also includes more than 140 local Compliance
Officers located at our affiliates worldwide. These officers liaise with the Chief Compliance
Officer and have, in particular, the following responsibilities:

supporting local line management in integrity risk-management processes

coordinating local compliance endeavours, initiatives and training programs

encouraging employees to speak up in case of a compliance concern

supporting line management in the adequate handling of local non-compliance cases,
including reporting in the Business Ethics Incident Reporting (BEIR) system

In addition, Roche uses a Marketing and Sales Compliance questionnaire to help local line
managers assess compliance with and awareness of responsible marketing practices. All general
managers, moreover, must sign annually an assurance declaration on compliance
acknowledging compliance with these practices.
Reporting incidents
Anyone who becomes aware of a potential violation of the Roche Group Code of Conduct can
and should bring it to the attention of their line manager or supervisor, to the local Compliance
Officer or the Chief Compliance Officer (Urs Jaisli, direct phone number: +41(0) 61 688 40 18).
Roche employees can also use the following reporting channels:

The Roche Group Code of Conduct Help & Advice Line in case of compliance
questions or uncertainties

The Roche Group SpeakUp Line to report in good faith a suspected violation, including
a person they believe has done, is doing or may be about to do something that violates the
Roche Group Code of Conduct. Launched in 2009, the system comprises a web and
telephone service that enables employees to report compliance concerns confidentially
and anonymously. The SpeakUp Line operates in 100 countries and 53 languages,
making it available to over 70,000 employees. All reports will be treated as confidential
and the reporting employees will not be penalised by the company for doing so; however,
they are not immune from prosecution for legal violations.
Every SpeakUp report is taken seriously. Any alleged violation is diligently investigated in order
to evaluate whether or not the reported behaviour or activity violates our standards or applicable
laws and regulations. Where appropriate, the alleged violation will result in corrective measures
or sanctions, or both.
Our Business Ethics Incident Reporting (BEIR) system enables the Top Management, the Chief
Compliance Officer and the Chief Group Audit and Risk Advisory Executive to capture, track and
monitor alleged violations, from initial reports through to resolution.
The number and related characteristics of non-compliance cases which occurred during a
reporting year will be published in the annual report of Roche Holding Ltd.
In 2014 we received 512 reports relating to alleged violations of the Code of Conduct. Out of
512 allegations, 104 were unfounded, 164 are still under investigation, and 244 were founded.
157 employment contracts were terminated on the grounds of unethical behaviour. 13
agreements with business partners were also terminated for the same reason.

INTEL
Headquarters: United States
Global revenues (in millions): $43,600
The information technology company was mentioned on lists from Argentina, France, India,
Ireland, Japan, and the United States.

The Board's Role in Risk Oversight at Intel


One of the Board's functions is oversight of risk management at Intel. "Risk" is inherent in
business, and the Board's oversight, assessment, and decisions regarding risks occur in the
context of and in conjunction with the other activities of the Board and the Board's committees.
Defining Risk
The Board and management consider "risk" for these purposes to be the possibility that an
undesired event could occur that might adversely affect the achievement of our objectives. Risks
vary in many ways, including the ability of the company to anticipate and understand the risk,
the types of adverse impacts that could occur if the undesired event occurs, the likelihood that an
undesired event and a particular adverse impact would occur, and the ability of the company to
control the risk and the potential adverse impacts. Examples of the types of risks faced by Intel
include:

macro-economic risks, such as inflation, reductions in economic growth, or recession;

political risks, such as restrictions on access to markets, confiscatory taxation, or


expropriation of assets;

"event" risks, such as natural disasters; and


business-specific risks related to strategic position, operational execution, financial
structure, legal and regulatory compliance, and corporate governance.
Not all risks can be dealt with in the same way. Some risks may be easily perceived and
controllable, and other risks are unknown; some risks can be avoided or mitigated by particular
behavior, and some risks are unavoidable as a practical matter. In some cases, a higher degree of
risk may be acceptable because of a greater perceived potential for reward. Intel engages in
numerous activities seeking to align its voluntary risk-taking with company strategy, and
understands that its projects and processes may enhance the company's business interests by
encouraging innovation and appropriate levels of risk-taking.
Risk Assessment Processes
Management is responsible for identifying risk and risk controls related to significant business
activities; mapping the risks to company strategy; and developing programs and
recommendations to determine the sufficiency of risk identification, the balance of potential risk
to potential reward, and the appropriate manner in which to control risk. The Board implements
its risk oversight responsibilities by having management provide periodic briefing and
informational sessions on the significant voluntary and involuntary risks that the company faces
and how the company is seeking to control risk if and when appropriate. In some cases, as with
risks of new technology and risks related to product acceptance, risk oversight is addressed as
part of the full Board's engagement with the CEO and management. In other cases, a Board
committee is responsible for oversight of specific risk topics. For example, the Audit Committee
oversees issues related to internal control over financial reporting, the Compliance Committee
oversees issues related to significant pending and threatened litigation, the Finance Committee
oversees issues related to the company's risk tolerance in cash-management investments, and the
Compensation Committee oversees risks related to compensation programs, as discussed in
greater detail below. Presentations and other information for the Board and Board committees
generally identify and discuss relevant risk and risk control; and the Board members assess and
oversee the risks as a part of their review of the related business, financial, or other activity of the
company. The full Board also receives specific reports on enterprise risk management in which
the identification and control of risk are the primary topics of the discussion.
Risk Assessment in Compensation Programs
We annually assess the company's compensation programs and have concluded that our
compensation policies and practices do not create risks that are reasonably likely to have a
material adverse effect on the company. Intel management assessed the company's executive and
broad-based compensation and benefits programs on a worldwide basis to determine if the
programs' provisions and operations create undesired or unintentional risk of a material nature.
This risk assessment process included a review of program policies and practices; program
analysis to identify risk and risk control related to the programs; and determinations as to the
sufficiency of risk identification, the balance of potential risk to potential reward, risk control,
and the support of the programs and their risks to company strategy. Although we reviewed all
compensation programs, we focused on the programs with variability of payout, with the ability
of a participant to directly affect payout and the controls on participant action and payout.
Based on the foregoing, we believe that our compensation policies and practices do not create
inappropriate or unintended significant risk to the company as a whole. We also believe that our
incentive compensation programs provide incentives that do not encourage risk-taking beyond
the organization's ability to effectively identify and manage significant risks; are compatible with
effective internal controls and the risk management practices of Intel; and are supported by the
oversight and administration of the Compensation Committee with regard to executive
compensation programs.

Diageo
Headquarters: United Kingdom
Global revenues (in millions): $15,746

The products, beverages, and tobacco company was mentioned on lists from Argentina,
Australia, Brazil, Canada, Central America, Colombia, Ireland, Mexico, Portugal, The
Netherlands, the United Kingdom, Uruguay, and Venezuela.

Our Risk and Compliance Programme


Our over-riding aim is to encourage integrity in every part of Diageo.
We want employees to demonstrate exemplary conduct in all their business interactions because
they feel personally connected to, and accountable for, our reputation. Creating this culture
requires a robust risk and compliance programme.
Risk management, internal control, and compliance and ethics are all led by a central team,
managed by our Global Risk and Compliance Director, who reports to the Group Finance
Controller and directly to the Audit Committee on all control, compliance and ethics matters.
Our global team develops the strategy, methodology and core materials to support the
implementation of our risk agenda and the control, compliance and ethics programme in our
markets and functions.
The Diageo Executive Committee oversees these programmes through the Audit and Risk
Committee, with an agenda covering the three pillars of risk, internal controls, and compliance
and ethics. Markets determine how best to implement the programme, based on their local
assessment of risk and what will work for their employees, in the context of local and
international laws and regulations.
Our global programme aims to create an exemplary compliance environment, and an ethical
framework to ensure that Diageo always does business with integrity. Our framework includes:

Organisational leadership and culture


Our leaders and managers are at the front line in engaging our people in our Code and policies
and in helping them to make the right decisions. We have developed specific training for our
general managers and people managers, designed to give them an opportunity to share
experiences with their colleagues and to understand their responsibility for risk, controls and
compliance. This will help them lead their teams in a way that sets a clear tone from the top and
act as role models to employees in remaining faithful to our purpose and values.

Standards and procedures


To ensure our global policies are relevant and up to date, we review them at least once a year and
check they are accessible and available to all so that employees understand what is expected of
them. We work with a team of subject matter experts to manage the policies and standards, and
offer support and advice to our markets to help them embed these effectively. See our Codes and
policies section.

Working with our business partners


We're committed to establishing good working relationships with our partners and ensuring that
they adhere appropriately to our principles. We have comprehensive programmes to manage
various potential risks posed by our business partners. These include anti-money laundering
checks, our 'Know Your Business Partner' anti-corruption due diligence programme, credit risk
assessments, and our Partnering with Suppliers programme. As our business expands through
mergers and acquisitions, it is important to ensure that we embed our principles in new business
units, and we are consistent in our approach to non-compliance issues.

Risk management
Great risk management drives better commercial decisions, creating a growing, resilient and
sustainable business. Our risk management global standard requires all markets and functions to
perform two risk assessments at least annually: first, a general assessment of business risk, to
consider the operational, financial, and reputational risks of running the local business; second, a
compliance risk assessment, to consider risks concerning human rights, bribery and corruption,
anti-money laundering, and all other relevant laws and regulations, as well as our own Code,
policies and standards, and to ensure that mitigation plans for the most significant risks have
been established. Markets are then responsible for reviewing their risk assessments and progress
against the mitigation plans at their local risk management committee meetings.

Annual certificate of compliance

The annual certificate of compliance (ACC) is an important measure of the effectiveness of our
compliance and ethics programme. It includes questions that are designed to confirm that
managers have fulfilled their duties with regard to compliance, and have read and understood our
Code and the global policies most important to their roles. It requires people managers to
confirm that they have had conversations with their direct reports about our Code, and about the
policies that are most important to their respective roles.

Training and communications


We have a global framework for compliance training which is tailored by markets to best meet
their specific needs. When an employee joins Diageo, he or she must, within 30 days, complete
training about our Code, which covers key areas including human rights and anti-corruption, and
explains how to report breaches and where to get help and advice. Each market has a training
plan covering our key policies, which they deliver through locally organised, risk-based training.
We encourage training to be brought to life through workshops, tailored training sessions and
communications. We've also been giving further training to controls, compliance, and ethics
managers and 'ambassadors' on the necessary function-specific and leadership capabilities for
their roles.

Monitoring, auditing, and reporting


Our business units provide regular updates to our global risk and compliance team, which
monitors adherence to our risk and compliance programme. Significant concerns are reported
quarterly to our Executive and Audit Committees.
In addition, our internal audit team provides independent assurance of local adherence to our
programme, as well as of how well risks are being managed. They also report quarterly to our
Executive and Audit Committees. We expect anyone who comes across a breach of our Code to
report it promptly, either to their manager, or to a member of the controls, compliance and ethics,
human resources or legal teams, or through SpeakUp, our confidential whistleblowing service.
Suppliers can also use SpeakUp to raise concerns with us.
Reported breaches are recorded on a central database, and overall statistics and significant
matters are then reported quarterly in summary format to our Executive and Audit Committees.
The database also allows us to identify business or policy areas that may need specific training or
other interventions. To help employees be better prepared to avoid breaches by learning from
others' mistakes, we routinely share examples of breaches that have recently occurred.

Controls assurance and risk management 'CARM'


Our internal control environment is evolving continually to meet an ever-changing environment.
CARM is our internal control programme, where we assess, test, and report on the effectiveness
of internal controls across our company. This enables us to meet our obligations under Sarbanes-Oxley and the 2013 COSO Internal Control-Integrated Framework.
The CARM risk and control framework brings together all aspects of risk, ranging from financial
to operational to reputational risk. All markets and functions are required to understand their
risks and reflect them through their control activities, to certify annually whether their internal
controls are operating effectively, and to remediate any weaknesses quickly.

Response to breaches, enforcement, and continuous improvement


All identified breaches of our Code and policies are taken very seriously, and investigated
appropriately where action is required. Our response to proven breaches varies depending on the
severity of the matter. Wherever possible, we look to improve our culture through training,
coaching, and performance and talent management processes.
However, there are also disciplinary consequences of breaches of our Code or policies. Any
actions by employees that violate certain aspects, for example our provisions on responsible
drinking, could result in the termination of their contract. Further details about breaches and our
response can be found in our Annual Report.
