《质量风险管理》

1、.Global Industrial Operations.介绍风险管理系统要求和指南的来源背景GSK/GSK Bio 风险内部控制和框架GSKBS 风险管理方法概况Global Industrial Operations.英国Turnbull指南公司丑闻 Enron, WorldCom, Parmalat, etc.美国塞班斯法案backgroundGlobal Industrial Operations.在应该对公司的监管，通过一系列的委员会审核和报告，变得愈来愈严格:-1992 Cadbury report （建立公司财务监管标准）Use of board committeesSepar

2、ate roles of Chairman and Chief Executive1995 Greenbury report（对高管薪酬进行管理）Disclosure of directors remuneration and compensation in company reports 1998 Hampel committee and report （要求公司制定内部控制体系保障股东利益）Reviewed the Cadbury Code and its implementation, followed up on matters arising from Greenbury repor

3、tAddressed the role of shareholders and auditors in corporate governance issues1998 UK Listing Authority Combined Code14 Code Principles and 45 Code provisionsKey principle relates to boards maintenance of a sound system of internal controlCode provision references risk management 1999 Turnbull repo

4、rt Provides guidance on the internal control and internal audit provisions of the 1998 Combined Code Risk based approachbackgroundGlobal Industrial OperationsMay 2007.Companys internal control system should: be embedded within its operations and not be treated as a separate exercise be able to respo

5、nd to changing risks within and outside the company enable each company to apply it in an appropriate manner related to its key risksRequires companies to identify, evaluate and manage their significant risks and to assess the effectiveness of the related internal control systemBoard directors are t

6、o regularly review and annually assess on internal controls.backgroundGlobal Industrial OperationsMay 2007.Corporate MisstepsbackgroundGlobal Industrial OperationsMay 2007.The Sarbanes-Oxley Act provides a comparable rule in the US Management must assess annually the internal controls and procedures

7、 for financial reporting CEO must certify quarterly and annually that financial statements are fairly presented Independent auditors must attest to and report on managements assessment of internal controls.backgroundGlobal Industrial OperationsMay 2007.公司的响应公司的响应:内部的控制模式内部的控制模式GSK RM overviewGlobal

8、Industrial OperationsMay 2007.控制的氛围控制的氛围风险管理风险管理政策和规程政策和规程信息和沟通信息和沟通监控监控Five interrelated componentsGlobal Industrial OperationsMay 2007.控制的氛围控制的氛围风险管理风险管理政策和规程政策和规程信息和沟通信息和沟通监控监控控制的氛围控制的氛围人人 正直诚信正直诚信 职业道德职业道德 能力能力运营环境运营环境Global Industrial OperationsMay 2007.控制的氛围控制的氛围风险管理风险管理政策和规程政策和规程信息和沟通信息和沟通监控监

9、控政策、规程和标准政策、规程和标准公司公司 法律合规法律合规ITGMPGSK RM overviewGlobal Industrial OperationsMay 2007.控制的氛围控制的氛围风险管理风险管理政策和规程政策和规程信息和沟通信息和沟通监控监控信息和沟通信息和沟通运营、财务和合规报告运营、财务和合规报告沟通流程沟通流程教育和培训教育和培训Global Industrial OperationsMay 2007.控制的氛围控制的氛围风险管理风险管理政策和规程政策和规程信息和沟通信息和沟通监控监控监控监控管理者审核管理者审核审计审计Global Industrial Operatio

10、nsMay 2007.Control EnvironmentRisk ManagementPolicies and ProceduresInformation and CommunicationMonitoring风险管理风险管理组织框架组织框架Global Industrial OperationsMay 2007.3.1 GeneralAll managers have responsibility and accountability for managing the risks arising intheir areas of responsibility.The focus of t

11、his policy is on risks of failing to comply with legal requirements (e.g.,quality/GMP requirements in manufacturing, or anti-competitive laws in sales andmarketing ); and financial, operational and reputational risks which could be significantto GSK (e.g., a recall or supply failure of a major produ

12、ct). These are referred tocollectively as “Significant Risks.”Policy Excerpts:Policy HighlightsGSK Policy POL-GSK-500 Risk Management and Legal ComplianceApproved in 2001GSK RM overviewGlobal Industrial OperationsMay 2007.Policy Excerpts:Policy HighlightsGSK Policy POL-GSK-500 Risk Management and Le

13、gal ComplianceApproved in 2001GSK RM overviewGlobal Industrial OperationsMay 2007.3.3 Internal Control FrameworkWhile line management has responsibility for implementing effective internalcontrols for risk management and legal compliance, GSK has also established anInternal Control Framework to ensu

14、re that Significant Risks are reviewed andmonitored and that specific issues and incidents (e.g. a compliance failure) arefollowed up and corrected.Policy Excerpts:Policy HighlightsGSK Policy POL-GSK-500 Risk Management and Legal ComplianceApproved in 2001GSK RM overviewGlobal Industrial OperationsM

15、ay 2007.董事会审计委员会风险监管和合规委员会商业风险管理和合规组合规和风险管理团队运营团队监控和审核内部控制体系的有效性和充分性。包括合规控制和风险管理。汇报给董事识别所有重大风险.监控实施风险控制的有效性.确保为管理层的年度审核提供信息和报告 建立和实施重大风险审核流程，以及确保风险控制管理的有效性建立内部控制系统： 标准, 政策, 规章 流程. 提供建议和实施审计和调查识别评估潜在风险.消除、监控和报告风险确保重大风险通过内部管理框架被迅速沟通Global Industrial OperationsMay 2007.鼓励新技术的应用资源和优化管理理解流程，例如验证建立面对审计的信心

16、但不是为了帮偏离和缺陷找理由Global Industrial OperationsMay 2007.Global Industrial OperationsMay 2007.This is cute, butGlobal Industrial OperationsMay 2007.风险：是能通过可能性和后果衡量的，一个事件发生后的可感知的后果。可能性：暴露在危险下的可能性。后果：一个事件的结果重大风险：给公司带来重大影响的违法（规）风险，和财务、运营和合规的风险法律风险：有法规问题的风险（如：潜在的违法、违规，承担潜在法律责任）What is risk?Global Industrial O

17、perationsMay 2007.轻视风险不能完全消除风险应该被:降低改变接受控制风险不可能被:忽略风险无处不在风险定义风险定义Global Industrial OperationsMay 2007.预算运营计划工厂战略审工厂战略审核核评估部门风评估部门风险险评估工厂评估工厂风险风险Top Down 更新计划预算更新计划预算 实施实施计划计划BCP工厂验证主计划风险清单优先级分类STP 重大风险风险记录工厂战略ISHIKAWA外部风险输入过程输出流程清单ISHIKAWA风险台帐工厂战略部门战略STP 重大风险风险管理方式Global Industrial OperationsMay 200

18、7.风险管理工具风险管理工具:工艺流程清单初步危害分析 Preliminary Hazard Analysis (PHA)Hazard Analysis of Critical Control Points (HACCP)Hazard Operability Analysis (HAZOP)Fault tree analysis (FTA)Failure Mode Effects and Analysis (FMEA)Failure Mode Effects and criticality Analysis (FMECA)Risk ranking and FilteringInformal r

19、isk managementGlobal Industrial OperationsMay 2007.Areas for likely impactNo.ProcessRisk NameDescription of Potential Risk Impact FinanceSupplyEHSQAPeopleCICurrent Control MechanismsConsequence 1-5Likelihood 1-5Risk Index ValueDate last reviewedEscalate ToRisk OwnerRisk TreatmentConsequence 1-5Likel

20、ihood 1-5Risk Index ValuePlanned Risk ReductionACTIONSTATUS/HISTORY风险管理流程图风险管理流程图风险识风险识别别风险评风险评估估消除评消除评估估修改和制定修改和制定风险消除计风险消除计划划实施计实施计划划触发触发审核和监审核和监控控风险记录清单格式Global Industrial OperationsMay 2007.1-风险识别风险识别 (编号编号 + 流程流程 + 风险名称风险名称+ 风险描述风险描述):通过鱼骨图对各个流程的风险进行系统识别通过鱼骨图对各个流程的风险进行系统识别:Numbering principle:F

21、inance (No: start with 1, 1.1, 1.2, . )Supply (No: start with 2, 2.1, 2.2, . )QA (No: start with 3, 3.1, 3.2, . )EHS (No: start with 4, 4.1, 4.2, . )People (No: start with 5, 5.1, 5.2, . )CI (No: start with 6, 6.1, 6.2, . )Process: refer to process list-level 3影响可能性评估影响可能性评估编号编号流程流程风险名称风险名称风险描述风险描述影

22、响后果影响后果财务财务供应供应EHSQA人员人员持续改进持续改进当前控制措施当前控制措施严重性严重性 1-5可能性可能性 1-5风险系数值风险系数值更新日期更新日期上报上报风险所有者风险所有者分险处理分险处理严重性严重性 1-5可能性可能性1-5风险系数值风险系数值计划风险系数值降计划风险系数值降到到行动状态、历史行动状态、历史风险管理流程图风险管理流程图风险识风险识别别风险评风险评估估消除评消除评估估修改和制定修改和制定风险消除计风险消除计划划实施计实施计划划触发触发审核和监审核和监控控Global Industrial OperationsMay 2007.编号编号 + 流程流程 + 风险

23、名称风险名称+ 风险描述风险描述失去商业利益失去商业利益和长期生存能和长期生存能力力合作者合作者 环境环境政治政治TheftEarthquakeFloodDistributorsSuppliersContractorsFireSabotage社会、经济社会、经济政府机构政府机构InspectionsRegulatorsTaxesPopulation Profile Policies, LawsPrice controls商务商务 Competitor activityShift in customer Power Technological changeAccidental Disaster

24、eg crash , environmental, loss of power lines, infrastructure .Epidemics外部风险外部风险Just for your referencesGlobal Industrial OperationsMay 2007.编号编号 + 流程流程 + 风险名称风险名称+ 风险描述风险描述领导力、战略、声誉领导力、战略、声誉 可能影响可能影响没有增长没有增长失去声誉失去声誉诉讼诉讼 亏损亏损销售市场下降销售市场下降股东利益受损股东利益受损 无效率的管理模式无效率的管理模式业务发展无法满足发展需要业务发展无法满足发展需要无效率的文化和工作氛

25、围无效率的文化和工作氛围失去声誉、相关人失去信心失去声誉、相关人失去信心Poor PR management Irregular risk management Unclear decision making responsibilities Lack of opennessQuality / Risk management not considered important Insufficient action and Resolution follow up No regular governance meetings/ agendas No, wrong or not communica

26、ted strategy, vision No or wrong volume forecasts No external sensing of needsPoor Shadow of the leaderNo consistency of messageMiss the big pictureNo proactive involvement With stakeholdersDont keep up with New requirements/ policiesPoor employee relationships Peoples needs not take into account Hi

27、gh stress / accidents Blame culture Issues hidden Poor communication Poor morale motivation Lack of marketing intelligenceScope for future Business opportunities not considered Poor Reward / recognition IE not embeddedDont walk the talkPoor feedback Lack of accountabilityActions not followed upPoor

28、process measuresUnethical practices Adverse eventFailure to meet regulatory complianceGlobal Industrial OperationsMay 2007.可能后果可能后果资产流失资产流失公司资源被误用公司资源被误用 坏帐坏帐1.3 公司资产没有很好管理公司资产没有很好管理1.1 信息慢，不准信息慢，不准1.2 不合规不合规Poor credit controlchanges in business lawchanges in tax lawAsset register / managementLow l

29、iquidityDebt collectionCorruption FraudNon existent employees, suppliers . Deliveries, customers , expensesCustoms & exciseLong cash to cash cycleData and information maintenanceInaccurate project costingPoor project cost controlBudget process /controlForecast accuracyLost sales - tenders Costs of m

30、aterials not understood by usersPay roll / Pensions -contractorsSupport of businessDecision makingDivision of dutiesUnder insuredTheft or assets used for non business use财务财务Monthly closing Stock taking accuracy编号编号 + 流程流程 + 风险名称风险名称+ 风险描述风险描述Share serviceInventory controlShare serviceShare serviceG

31、lobal Industrial Operations.供应供应 计划计划Critical Parameters not understood可能后果可能后果供应能力不能满足需求供应能力不能满足需求物料、人无法完成生产计划物料、人无法完成生产计划由于加班造成成本增加由于加班造成成本增加外包服务造成成本增加外包服务造成成本增加2.3 供应、订单能力没有平衡，或不能满足成本、供应、订单能力没有平衡，或不能满足成本、服务要求服务要求2.1 客户要求没有转为生产指令客户要求没有转为生产指令2.2 不清楚供应能力不清楚供应能力Demand not levelledBottlenecks not iden

32、tified, managedLong lead timesPlans not based on demonstrated capacity materials High /low inventoryForecast demand not Visible/ highly variableLong lead timesPatient, Doctor HospitalLogistics, Wholesaler,Retailer Brand strategyPromotionsCSAsService levelsNot agreedDisruptive/Unsuccessful tendersInf

33、lexible supplyToo high /low Contingency stocks/safety stock levelsHigh overtimeInaccurate BoMFinished goods, WIPWrite offsStock outsUnsupported plansBOM rationalisationNo scenario planningSource changes (SUPPLIER)Increasing complexityProduct mixInsufficient capacityHigh utilisation编号编号 + 流程流程 + 风险名称

34、风险名称+ 风险描述风险描述Global Industrial OperationsMay 2007.可能后果可能后果 产品质量差造成返工、产品质量差造成返工、召回召回不合规造成不好的政府不合规造成不好的政府关系：产品收回、推迟关系：产品收回、推迟批准批准. 改进措施没有效果造成改进措施没有效果造成成本提高成本提高. 3.1 产品质量和服务差产品质量和服务差 3.2 不合规不合规 Poor validationLow quality/ high variability of materialDeviation from SOPRework Insufficient knowledge Poor

35、 quality culture / leadership does not put quality firstCritical to quality parameters not understoodEquipment failurePoor materialsTrainingSOP not in use SOPsSpecs, MethodsToo manyOut of datepoorInadequate resource Specification failure3.3 质量基础流程质量基础流程Slow or incorrect Batch releaseSlow or poor CAP

36、As Poor document controlNon approval of new product Adverse audits or inspections Complaints RecallsFailed or wrong material usedPPRs poor quality does not improve process capability Validation - high cost / status not maintained Uncontrolled changes to material, process, equipment Product not made

37、in line with filingDeviations not root causedQMS in place not in useSlow feedback when processMoving out of control limits质量质量编号编号 + 流程流程 + 风险名称风险名称+ 风险描述风险描述Global Industrial OperationsMay 2007.环境Energy usageUse of non-sustainable resourcesNew legislation eg carbon taxWaste managementReduce, Reuse,

38、recycle,Water usageEmissionsAirWaterHazardous materialsinformationContaminationGroundwaterLandAsbestosPCBsRadiation OdoursNoiseFire water.Environmental accidentsBio diversity Land usage Erosion , infringement of historic areas, Wild lifeSafety Accidents:- at work , travellingAlcohol / drug abuse4.2

39、& 4.3 健康安全健康安全Stress / Poor work life balanceHighAbsenceAbsence processProtectiveclothingPoor Ergonomics and Job designEquipment not used/PoorPoor safety Audit processPoor 5S/ housekeepingHigh Sound levelsPoor LightingAir qualityInfectious diseaseFlu Insufficient knowledge Poor EHS culture / leaders

40、hip does not put EHS as priority SOPsSpecs, MethodsInadequate resourceAdverse audits or inspections Too manyOut of datepoor4.1 不合规不合规EHS可能后果可能后果 工伤事故工伤事故不合规造成不好的政府不合规造成不好的政府关系关系编号编号 + 流程流程 + 风险名称风险名称+ 风险描述风险描述Global Industrial OperationsMay 2007.为了进行风险识别，应有风险台帐来更好为了进行风险识别，应有风险台帐来更好帮助风险记录清单的更新流程帮助风险记

41、录清单的更新流程其中所有可能导致潜在细微风险的危害都其中所有可能导致潜在细微风险的危害都应记录应记录. .Global Industrial OperationsMay 2007.风险评估:收集相关历史数据 当前控制评估可能后果和可能的发生频率1.评估风险重要性和优先性风险管理流程图风险管理流程图风险识风险识别别风险评风险评估估消除评消除评估估修改和制定修改和制定风险消除计风险消除计划划实施计实施计划划触发触发审核和监审核和监控控影响可能性评估影响可能性评估编号编号流程流程风险名称风险名称风险描述风险描述影响后果影响后果财务财务供应供应EHSQA人员人员持续改进持续改进当前控制措施当前控制措施

42、严重性严重性 1-5可能性可能性 1-5风险系数值风险系数值更新日期更新日期上报上报风险所有者风险所有者分险处理分险处理严重性严重性 1-5可能性可能性1-5风险系数值风险系数值计划风险系数值降计划风险系数值降到到行动状态、历史行动状态、历史Global Industrial OperationsMay 2007.后果严重性评估-财务:potential consequences当同一风险造成不同的后果，选高分Global Industrial OperationsMay 2007.potential consequencesWhen one risk has different levels

43、 consequences, go for the higher one后果严重性评估-供应:Global Industrial OperationsMay 2007.potential consequencesWhen one risk has different levels consequences, go for the higher one后果严重性评估-质量:Global Industrial OperationsMay 2007.potential consequencesWhen one risk has different levels consequences, go fo

44、r the higher one后果严重性评估-人员Global Industrial OperationsMay 2007.probability of occurrence可能性评估Global Industrial Operations.Risk index value风险系数值风险系数值优先性高优先性高 (Red): risk index value in range 10-25+catastrophic risks中度优先中度优先(Amber): risk index value in range 5-9低优先低优先(Green): risk index value in range

45、 1-4后果严重性风险系数值= x 发生后果可能性Global Industrial Operations.Escalation向上汇报: 2 级- 工厂级别 和 工厂以上级别渠道:从部门向工厂汇报：每月管理会从工厂向总部汇报：月报和风险报告风险汇报风险汇报Global Industrial Operations.消除评估 + 修改和制定风险消除计划:影响可能性评估影响可能性评估编号编号流程流程风险名称风险名称风险描述风险描述影响后果影响后果财务财务供应供应EHSQA人员人员持续改进持续改进当前控制措施当前控制措施严重性严重性 1-5可能性可能性 1-5风险系数值风险系数值更新日期更新日期上报

46、上报风险所有者风险所有者分险处理分险处理严重性严重性 1-5可能性可能性1-5风险系数值风险系数值计划风险系数值降计划风险系数值降到到行动状态、历史行动状态、历史风险管理流程图风险管理流程图风险识风险识别别风险评风险评估估消除评消除评估估修改和制定修改和制定风险消除计风险消除计划划实施计实施计划划触发触发审核和监审核和监控控Global Industrial OperationsMay 2007.红色风险必须有风险消除计划，目的至少是将风险由红色降为黄色黄色风险必须有风险消除计划，目的至少是将风险由黄色降为绿色绿色风险不用有进一步的整改行动，但必须记录，并且下一轮风险评估时重新评估到. 如何风

47、险后果达到严重程度（5分），尽管可能性为罕见，必要在持续运营计划中考虑消除评估消除评估 + 修改和制定风险消除计划修改和制定风险消除计划:Global Industrial Operations.指定专人负责(accountable)重要风险 (red and amber)必须是部门负责人重大风险必须准备 STP- 每月在部门会议上评估然后，重新评估风险系数值(Consequence, Likelihood, Risk Index Value)日期日期题目题目形势形势目标目标建议建议状态状态Give reason for escalationEnsure STP is standalone (

48、i.e. it makes sense on its own)Specify what the issue/opportunity isSpecify the risk of doing nothingSpecify what you want to achieveSpecify how you will measure that you have achieved itEstimate anticipated benefitsDefine what will be done, by whom, and by whenEstimate costs and resources requiredS

49、pecify the scope of the proposal and impactSpecify what agreement/support from impacted groups is needed or obtained 原因原因Reason: 问题问题Issue/可能性可能性Opportunity:如果什么都不做风险是什么如果什么都不做风险是什么 Risk of doing nothing:目的目的To achieve:衡量衡量Measure:利益利益Benefits:什么什么What:谁谁Who:何时何时When:成本资源成本资源Costs and resources:范围和影

50、响范围和影响Scope and impact:Agreement/support from impacted groups:消除评估消除评估 + 修改和制定风险消除计划修改和制定风险消除计划:Global Industrial Operations.实施计划通过项目管理的方式对风险消除行动计划进行管理依据计划对进展进行监控和审核CAPA 监控系统风险管理流程图风险管理流程图风险识风险识别别风险评风险评估估消除评消除评估估修改和制定修改和制定风险消除计风险消除计划划实施计实施计划划触发触发审核和监审核和监控控Global Industrial Operations.内部触发内部触发外部触发外部触

51、发公司内部审计发现的不符合项新法规、新药典来自产品事故审核委员会的要求来自于供应商、分销商的变更（组织结果，所有者，财务，质量法规）新产品，包括：新文号的申请政府检查的重要不符合项技术转移公众观念的变化组织结构变更新技术出现定期产品回顾中的重大发现召回和重大产品事故的原因分析重大投资新厂房、扩建供应链变更，分销商、供应商风险管理流程图风险管理流程图风险识风险识别别风险评风险评估估消除评消除评估估修改和制定修改和制定风险消除计风险消除计划划实施计实施计划划触发触发审核和监审核和监控控Global Industrial OperationsMay 2007.当任何触发点出现，必须马上更新风险记录清

52、单 (risk register).组织/人员Organization/People流程Process流程描述流程描述Process DescriptionProcess SOP Training KPI Risk Resp Material职责描述职责描述JobDescriptions人员目标人员目标People Objectives变更变更Change QA027原因原因Trigger (项目Project, 偏差Deviation, 审计发现Audit finding, 市场需求Market Request, 数据分析KPI Analysis, 新机器New machine, )分类分类Classi