AstraZeneca Annual Report and Form 20-F Information 2011

RiskIn this section we describe our key riskmanagement and assurance mechanisms andthe principal risks and uncertainties which weconsider to be material to our business as theymay have a significant effect on our financialcondition, results of operations and/or reputation.Specific risks and uncertainties are alsodiscussed in the Business Review from page 29,where relevant.Managing riskAs an innovation-driven, global, prescription-based biopharmaceuticalbusiness, we face a diverse range of risks and uncertainties that mayadversely affect our business. Our approach to risk management isdesigned to encourage clear decision making as to which risks wetake and how these are managed, based on an understanding of thepotential strategic, commercial, financial, compliance, legal andreputational implications of these risks.We work continuously to ensure that we have effective riskmanagement processes in place to support the delivery of ourstrategic objectives, the material needs of our stakeholders and ourcore values. We monitor our business activities and external andinternal environments for new, emerging and changing risks to ensurethat these are managed appropriately as they arise.The Board believes that the processes and accountabilities which arein place (described below) provide it with adequate information on thekey risks and uncertainties we face. Further information about theserisks and uncertainties is set out in the Principal risks and uncertaintiessection from page 130.Embedded in business processesWe strive to ensure that sound risk management is embedded withinour strategy, planning, budgeting and performance managementprocesses. The Board has defined the Group’s risk appetite expressingthe acceptable levels of risk for the Group using three key dimensions.These are (i) earnings and cash flow, (ii) return on investment, and (iii)potential impact on our reputation. This definition provides a clearstatement by the Board of its position on risk which enables theGroup, in both quantitative and qualitative terms, to judge the levelof risk it is prepared to take so as to achieve its overall objectives.Annually, the Group develops a long-term business plan to supportthe delivery of its strategy which the Board reviews and confirms that itconforms to its risk appetite. Line management are accountable foridentifying and managing risks, and for delivering business objectivesin accordance with the Group’s risk appetite. Each area for which aSET member is responsible (a SET function) is required to provide acomprehensive assessment of its risks as part of the annual businessplanning process. Identified risks are mapped to AstraZeneca’s risk‘taxonomy’, providing a structured disaggregation of the variouspotential risks facing the Group.The CEO and the CFO undertake quarterly business reviews (QBRs)with each SET function, where the key risks are reviewed. Businessmanagers within each SET function are required to provide quarterlyupdates on their key risks, which are then consolidated to create a listof key risks for that SET function to review at QBRs. The key risks foreach SET function are then aggregated into a Group risk register.The purpose of the risk review is to identify and measure risks, andto define and review risk management and mitigation plans. Riskmanagement standards, guidelines and supporting tools are in placeto support the managers in this process.We develop business resilience plans to provide for situations wherespecific risks have the potential to severely impact our business.Global business resilience plans covering crisis management,business continuity and emergency responses are in place. Theseplans are supported by the provision of training and crisis simulationactivities for business managers.One of our strategic priorities is to ensure that a culture of ethicsand integrity is embedded in all our business practices. Our Codeof Conduct (the Code) and our Global Policies and Standards setmandatory minimum standards of responsible behaviour for allemployees. In addition, all employees receive annual training onthe requirements of the Code, as well as more specific targetedtraining on particular policies and standards if required for their role.Employees are encouraged to raise questions on the practicalapplication of these standards and to report suspected breachesand incidents of non-compliance through the reporting channelsdescribed in the Code.For information about how we identify and manage the risksassociated with ‘responsible business’, see Accountabilities andresponsibilities in the Responsible Business section on page 48.Key responsibilitiesManagement of riskDay-to-day risk management is delegated from the Board to theCEO and through the SET to line managers. SET management areasare accountable for establishing an appropriate line management-ledprocess and for providing the resources for supporting effectiverisk management.Line and project managers have primary responsibility, within thecontext of their functional area, for identifying and managing risk aswell as for putting in place appropriate controls and procedures tomonitor effectiveness.Oversight and monitoringThe SET is responsible for overseeing and monitoring theeffectiveness of the risk management processes implemented bymanagement. Our Global Compliance and Group Internal Audit(GIA) business functions support the SET by advising on policyand standard setting, monitoring and auditing, communication andtraining, as well as reporting on the adequacy of line managementprocesses as they apply to managing our risk.Our compliance organisation is comprised of the Global Compliancefunction together with a wide range of specialist compliance functions.Further information about Global Compliance and the Code can befound in the Global Compliance section on page 43.Corporate GovernanceAstraZeneca Annual Report and Form 20-F Information 2011Risk 129