质量风险管理--王旭2011.6(上海医药协会).ppt

风险管理,王旭Y2011,介绍风险管理系统要求和指南的来源背景GSK/GSKBio风险内部控制和框架GSKBS风险管理方法概况,目的,英国Turnbull指南公司丑闻Enron,WorldCom,Parmalat,etc.美国塞班斯法案,风险管理的历史,background,在应该对公司的监管，通过一系列的委员会审核和报告，变得愈来愈严格:-1992Cadburyreport（建立公司财务监管标准）UseofboardcommitteesSeparaterolesofChairmanandChiefExecutive1995Greenburyreport（对高管薪酬进行管理）Disclosureofdirectorsremunerationandcompensationincompanyreports1998Hampelcommitteeandreport（要求公司制定内部控制体系保障股东利益）ReviewedtheCadburyCodeanditsimplementation,followeduponmattersarisingfromGreenburyreportAddressedtheroleofshareholdersandauditorsincorporategovernanceissues1998UKListingAuthorityCombinedCode14CodePrinciplesand45CodeprovisionsKeyprinciplerelatestoboardsmaintenanceofasoundsystemofinternalcontrolCodeprovisionreferencesriskmanagement1999TurnbullreportProvidesguidanceontheinternalcontrolandinternalauditprovisionsofthe1998CombinedCodeRiskbasedapproach,一些英国的历史.,background,Companysinternalcontrolsystemshould:beembeddedwithinitsoperationsandnotbetreatedasaseparateexercisebeabletorespondtochangingriskswithinandoutsidethecompanyenableeachcompanytoapplyitinanappropriatemannerrelatedtoitskeyrisksRequirescompaniestoidentify,evaluateandmanagetheirsignificantrisksandtoassesstheeffectivenessoftherelatedinternalcontrolsystemBoarddirectorsaretoregularlyreviewandannuallyassessoninternalcontrols.,May2007,GSKBS,TurnbullRequirements,background,May2007,GSKBS,CorporateMissteps,background,TheSarbanes-OxleyActprovidesacomparableruleintheUSManagementmustassessannuallytheinternalcontrolsandproceduresforfinancialreportingCEOmustcertifyquarterlyandannuallythatfinancialstatementsarefairlypresentedIndependentauditorsmustattesttoandreportonmanagementsassessmentofinternalcontrols.,May2007,GSKBS,塞班斯法案-Y2002关于公司管理的汇报要求,background,May2007,GSKBS,公司的响应:内部的控制模式,GSKRMoverview,May2007,GSKBS,内部控制的要素,Fiveinterrelatedcomponents,May2007,GSKBS,控制的氛围人正直诚信职业道德能力运营环境,内部控制的要素,May2007,GSKBS,政策、规程和标准公司法律合规ITGMP,GSKRMoverview,内部控制的要素,May2007,GSKBS,信息和沟通运营、财务和合规报告沟通流程教育和培训,内部控制的要素,May2007,GSKBS,监控管理者审核审计,内部控制的要素,May2007,GSKBS,ControlEnvironment,RiskManagement,PoliciesandProcedures,InformationandCommunication,Monitoring,风险管理组织框架,内部控制的要素,May2007,GSKBS,PolicyExcerpts:,PolicyHighlights,GSKPolicyPOL-GSK-500RiskManagementandLegalComplianceApprovedin2001,GSKRMoverview,May2007,GSKBS,PolicyExcerpts:,PolicyHighlights,GSKPolicyPOL-GSK-500RiskManagementandLegalComplianceApprovedin2001,GSKRMoverview,May2007,GSKBS,PolicyExcerpts:,PolicyHighlights,GSKPolicyPOL-GSK-500RiskManagementandLegalComplianceApprovedin2001,GSKRMoverview,May2007,GSKBS,风险管理的层次,董事会审计委员会,风险监管和合规委员会,商业风险管理和合规组,合规和风险管理团队,运营团队,监控和审核内部控制体系的有效性和充分性。包括合规控制和风险管理。汇报给董事,识别所有重大风险.监控实施风险控制的有效性.确保为管理层的年度审核提供信息和报告,建立和实施重大风险审核流程，以及确保风险控制管理的有效性,建立内部控制系统：标准,政策,规章流程.提供建议和实施审计和调查,识别评估潜在风险.消除、监控和报告风险确保重大风险通过内部管理框架被迅速沟通,鼓励新技术的应用资源和优化管理理解流程，例如验证建立面对审计的信心但不是为了帮偏离和缺陷找理由,May2007,GSKBS,风险管理的好处,May2007,GSKBS,May2007,GSKBS,我们说了很多风险的背景来源、管理框架.那么风险是什么?如何识别风险?如何管理风险?,Thisiscute,but,风险：是能通过可能性和后果衡量的，一个事件发生后的可感知的后果。可能性：暴露在危险下的可能性。后果：一个事件的结果重大风险：给公司带来重大影响的违法（规）风险，和财务、运营和合规的风险法律风险：有法规问题的风险（如：潜在的违法、违规，承担潜在法律责任）,May2007,GSKBS,风险的定义,Whatisrisk?,May2007,GSKBS,风险定义,May2007,GSKBS,预算,运营计划,工厂战略审核,评估部门风险,评估工厂风险TopDown,更新计划预算,实施计划,BCP,工厂验证主计划,风险清单优先级分类,STP重大风险,风险记录,工厂战略,ISHIKAWA,外部风险,输入过程输出,流程清单,ISHIKAWA,风险台帐,工厂战略,部门战略,STP重大风险,风险管理方式,May2007,GSKBS,风险管理工具:,工艺流程清单初步危害分析PreliminaryHazardAnalysis(PHA)HazardAnalysisofCriticalControlPoints(HACCP)HazardOperabilityAnalysis(HAZOP)Faulttreeanalysis(FTA)FailureModeEffectsandAnalysis(FMEA)FailureModeEffectsandcriticalityAnalysis(FMECA)RiskrankingandFilteringInformalriskmanagement,May2007,GSKBS,风险记录清单格式,May2007,GSKBS,1-风险识别(编号+流程+风险名称+风险描述):通过鱼骨图对各个流程的风险进行系统识别:Numberingprinciple:Finance(No:startwith1,1.1,1.2,.)Supply(No:startwith2,2.1,2.2,.)QA(No:startwith3,3.1,3.2,.)EHS(No:startwith4,4.1,4.2,.)People(No:startwith5,5.1,5.2,.)CI(No:startwith6,6.1,6.2,.)Process:refertoprocesslist-level3,编号+流程+风险名称+风险描述,May2007,GSKBS,失去商业利益和长期生存能力,合作者,环境,政治,Theft,Earthquake,Flood,Distributors,Suppliers,Contractors,Fire,Sabotage,社会、经济,政府机构,Inspections,Regulators,Taxes,PopulationProfile,Policies,Laws,Pricecontrols,商务,Competitoractivity,ShiftincustomerPower,Technologicalchange,AccidentalDisasteregcrash,environmental,lossofpowerlines,infrastructure.,Epidemics,外部风险,Justforyourreferences,May2007,GSKBS,编号+流程+风险名称+风险描述,领导力、战略、声誉,可能影响没有增长失去声誉诉讼亏损销售市场下降股东利益受损,无效率的管理模式,业务发展无法满足发展需要,无效率的文化和工作氛围,失去声誉、相关人失去信心,PoorPRmanagement,Irregularriskmanagement,Uncleardecisionmakingresponsibilities,Lackofopenness,Quality/Riskmanagementnotconsideredimportant,InsufficientactionandResolutionfollowup,Noregulargovernancemeetings/agendas,No,wrongornotcommunicatedstrategy,vision,Noorwrongvolumeforecasts,Noexternalsensingofneeds,PoorShadowoftheleader,Noconsistencyofmessage,Missthebigpicture,NoproactiveinvolvementWithstakeholders,DontkeepupwithNewrequirements/policies,Pooremployeerelationships,Peoplesneedsnottakeintoaccount,Highstress/accidents,BlamecultureIssueshidden,Poorcommunication,Poormoralemotivation,Lackofmarketingintelligence,ScopeforfutureBusinessopportunitiesnotconsidered,PoorReward/recognition,IEnotembeddedDontwalkthetalkPoorfeedback,Lackofaccountability,Actionsnotfollowedup,Poorprocessmeasures,Unethicalpractices,Adverseevent,Failuretomeetregulatorycompliance,May2007,可能后果资产流失公司资源被误用坏帐,1.3公司资产没有很好管理,1.1信息慢，不准,1.2不合规,Poorcreditcontrol,changesinbusinesslaw,changesintaxlaw,Assetregister/management,Lowliquidity,Debtcollection,Corruption,Fraud,Nonexistentemployees,suppliers.Deliveries,customers,expenses,Customs&excise,Longcashtocashcycle,Dataandinformationmaintenance,Inaccurateprojectcosting,Poorprojectcostcontrol,Budgetprocess/control,Forecastaccuracy,Lostsales-tenders,Costsofmaterialsnotunderstoodbyusers,Payroll/Pensions-contractors,SupportofbusinessDecisionmaking,Divisionofduties,Underinsured,Theftorassetsusedfornonbusinessuse,财务,Monthlyclosing,Stocktakingaccuracy,编号+流程+风险名称+风险描述,Shareservice,Inventorycontrol,Shareservice,Shareservice,供应计划,CriticalParametersnotunderstood,可能后果供应能力不能满足需求物料、人无法完成生产计划由于加班造成成本增加外包服务造成成本增加,2.3供应、订单能力没有平衡，或不能满足成本、服务要求,2.1客户要求没有转为生产指令,2.2不清楚供应能力,Demandnotlevelled,Bottlenecksnotidentified,managed,Longleadtimes,Plansnotbasedondemonstratedcapacity,materials,High/lowinventory,ForecastdemandnotVisible/highlyvariable,Longleadtimes,Patient,DoctorHospital,Logistics,Wholesaler,Retailer,Brandstrategy,Promotions,CSAs,ServicelevelsNotagreed,Disruptive/Unsuccessfultenders,Inflexiblesupply,Toohigh/lowContingencystocks/safetystocklevels,Highovertime,InaccurateBoM,Finishedgoods,WIP,Writeoffs,Stockouts,Unsupportedplans,BOMrationalisation,Noscenarioplanning,Sourcechanges(SUPPLIER),IncreasingcomplexityProductmix,InsufficientcapacityHighutilisation,编号+流程+风险名称+风险描述,May2007,GSKBS,可能后果产品质量差造成返工、召回不合规造成不好的政府关系：产品收回、推迟批准.改进措施没有效果造成成本提高.,3.1产品质量和服务差,3.2不合规,Poorvalidation,Lowquality/highvariabilityofmaterial,DeviationfromSOP,Rework,Insufficientknowledge,Poorqualityculture/leadershipdoesnotputqualityfirst,Criticaltoqualityparametersnotunderstood,Equipmentfailure,Poormaterials,TrainingSOPnotinuse,SOPsSpecs,Methods,ToomanyOutofdatepoor,Inadequateresource,Specificationfailure,3.3质量基础流程,SloworincorrectBatchrelease,SloworpoorCAPAs,Poordocumentcontrol,Nonapprovalofnewproduct,Adverseauditsorinspections,Complaints,Recalls,Failedorwrongmaterialused,PPRspoorqualitydoesnotimproveprocesscapability,Validation-highcost/statusnotmaintained,Uncontrolledchangestomaterial,process,equipment,Productnotmadeinlinewithfiling,Deviationsnotrootcaused,QMSinplacenotinuse,SlowfeedbackwhenprocessMovingoutofcontrollimits,质量,编号+流程+风险名称+风险描述,May2007,GSKBS,环境,Energyusage,Useofnon-sustainableresources,Newlegislationegcarbontax,WastemanagementReduce,Reuse,recycle,Waterusage,Emissions,AirWater,Hazardousmaterialsinformation,Contamination,GroundwaterLandAsbestosPCBsRadiationOdoursNoiseFirewater.,Environmentalaccidents,Biodiversity,Landusage,Erosion,infringementofhistoricareas,Wildlife,Safety,Accidents:-atwork,travelling,Alcohol/drugabuse,4.2&4.3健康安全,Stress/Poorworklifebalance,HighAbsence,Absenceprocess,Protectiveclothing,PoorErgonomicsandJobdesign,Equipmentnotused/Poor,PoorsafetyAuditprocess,Poor5S/housekeeping,HighSoundlevels,PoorLighting,Airquality,Infectiousdisease,Flu,Insufficientknowledge,PoorEHSculture/leadershipdoesnotputEHSaspriority,SOPsSpecs,Methods,Inadequateresource,Adverseauditsorinspections,ToomanyOutofdatepoor,4.1不合规,EHS,可能后果工伤事故不合规造成不好的政府关系,编号+流程+风险名称+风险描述,May2007,GSKBS,为了进行风险识别，应有风险台帐来更好帮助风险记录清单的更新流程其中所有可能导致潜在细微风险的危害都应记录.,May2007,GSKBS,风险评估:收集相关历史数据当前控制评估可能后果和可能的发生频率评估风险重要性和优先性,May2007,GSKBS,后果严重性评估-财务:,potentialconsequences,当同一风险造成不同的后果，选高分,May2007,GSKBS,potentialconsequences,Whenoneriskhasdifferentlevelsconsequences,goforthehigherone,后果严重性评估-供应:,May2007,GSKBS,potentialconsequences,Whenoneriskhasdifferentlevelsconsequences,goforthehigherone,后果严重性评估-质量:,May2007,GSKBS,potentialconsequences,Whenoneriskhasdifferentlevelsconsequences,goforthehigherone,后果严重性评估-人员,May2007,GSKBS,probabilityofoccurrence,可能性评估,Riskindexvalue,风险系数值,优先性高(Red):riskindexvalueinrange10-25+catastrophicrisks中度优先(Amber):riskindexvalueinrange5-9低优先(Green):riskindexvalueinrange1-4,后果严重性风险系数值=x发生后果可能性,Escalation,向上汇报:2级-工厂级别和工厂以上级别渠道:从部门向工厂汇报：每月管理会从工厂向总部汇报：月报和风险报告,风险汇报,消除评估+修改和制定风险消除计划:,May2007,GSKBS,红色风险必须有风险消除计划，目的至少是将风险由红色降为黄色黄色风险必须有风险消除计划，目的至少是将风险由黄色降为绿色绿色风险不用有进一步的整改行动，但必须记录，并且下一轮风险评估时重新评估到.如何风险后果达到严重程度（5分），尽管可能性为罕见，必要在持续运营计划中考虑,消除评估+修改和制定风险消除计划:,指定专人负责(acco