Risk Management

Navigating regulatory pathways, operational complexities, and volatile market conditions calls for a robust risk management framework that straddles the entire gamut of business operations. This comprehensive framework necessitates a deep understanding of the factors that cause uncertainty across the value chain and support systems.
At Lupin, our Executive Management team anchors the tone for risk appreciation and management, resonating across all functions and ably supported by our team members. Various metrics, data analytics and technology platforms form the backbone for the identification, quantification, and control of risks in a comprehensive manner. These factors enable sustained value creation, upholding the spirit of entrepreneurship, which forms an integral part of our ethos.

Risk Governance

Lupin employs a ‘three lines of defense’ system to govern and manage risks.

The Risk Management Committee, constituted by the Board, holds the ultimate responsibility for our approach to risk management and internal controls. With their extensive experience and expertise, the committee translates strategic directives into tactical guidelines for the risk management function and oversees its effective implementation. The RMC establishes our risk appetite, taking a holistic view of risks across the entire organization and considering their global impact and interdependencies. The committee convenes bi-annually to provide strategic direction and oversight on risk management activities.

Reporting to the Board Committee is the Risk Management Cross Functional Team, which comprises individual risk owners. This team meets as frequently as needed to review risk treatment plans, monitor changes in risk exposures, and adjust the risk appetite as required. The risk owners share their reports on risks and mitigation strategies with this team.

At the operational level, our functional and location teams support the risk owners and are responsible for day-to-day risk ownership. They ensure clear assignment of risk management responsibilities and implementation of risk treatment plans. The functional and location teams meet regularly to assess risks and review the risk treatment plans.

We maintain an independent internal audit unit tasked with advising and auditing yearly to ensure that policies are followed and processes align with the company’s risk strategy and policies. This unit provides objective assurance, safeguarding against conflicts of interest arising from other business priorities and ensuring effective risk management practices.

Biennially, the internal audit team may invite external experts for their comments on the audit process. This may be done to benchmark our practices with global best practices. Further, to strengthen our ERM capabilities, we are set to pursue ISO 31000 Risk Management certification, thus aligning our risk governance systems with global standards.

Risk Management Framework

Our Risk Management Framework guides our approach across all our subsidiaries and partners, ensuring clarity and effectiveness, thereby safeguarding Lupin’s objectives and operations.

Key elements include

Alignment of strategy and enterprise risk management
The company’s risk management strategy is derived from its overall business strategy. The Board of Directors plays a pivotal role in setting the risk threshold and risk appetite aligned with business expectations. The risk threshold on financial impact and likelihood frames the cornerstone for setting the risk categorization.

Risk Identification and Prioritization
We conduct an extensive assessment of the business landscape, scanning the risk horizon throughout the year to identify external trends that may present opportunities or emerging risks. Additionally, risk owners monitor their business activities and internal environment to identify potential risks. To feed into the internal risk assessment, an external double materiality exercise is undertaken once every two years, where material risks are assessed for their financial materiality and impact materiality. During this process, material Key Performance Indicators (KPIs) are identified and compared against the company’s risk taxonomy, ensuring all relevant risks are captured and addressed.
Insights from risk owners across the organization contribute to the risk prioritization process. Risk exposure is assessed once a year by considering the likelihood of occurrence and the overall impact of the identified risks. We utilize our risk appetite framework to define the likelihood and impact of the risk. By combining likelihood and impact, we determine the severity of risks, allowing us to prioritize the risks. Through this evaluation, risks are categorized as strategic, operational, emerging, and systemic.

Scenario Testing and Sensitivity Analysis
We are evolving sensitivity analysis and scenario planning exercises to evaluate our readiness to respond to our strategic and operational risks. This planning will aid us in anticipating contingencies and developing effective risk mitigation strategies.

Oversight and Governance
A coordinated effort across all three lines of defense enables us to effectively identify, assess, and manage risks while pursuing our business objectives. The Risk Management Council, with its role in overseeing the implementation of the risk management framework and management of material risks, is the key component in strengthening Lupin’s risk governance and oversight mechanisms.

Risk Mitigation
The respective risk owners, with the support of the site and functional teams, ensure the development and implementation of consistent risk mitigation plans. At the start of each fiscal year, the Internal Audit team conducts an internal risk review. Additionally, an independent third-party Internal Audit of the risk management process is conducted once every two years. The findings from these reviews are used to adjust and refine the company’s risk treatment strategies as needed.

Risk Communication
Risk owners monitor risk treatment plans on a quarterly basis, and the progress and status of risk treatment are communicated to the Board committee on a bi-annual basis. This regular communication ensures that key stakeholders remain informed about the company’s risk exposures and the effectiveness of risk mitigation strategies.

Building a strong risk culture
We are deeply committed to integrating risk processes, procedures and employee awareness initiatives throughout the organization to embed a strong risk culture. We foster a culture of personal responsibility to understand and manage risks. This robust culture, built on our commitment, helps us fulfill our purpose and meet stakeholder expectations.

Risk Management Committee Education

  • Need-based education and training specific to risk management for the Board of Directors and Risk Management Committee (including Non-Executive Directors)
  • Deepens understanding of the company’s risk profile
  • Empowers decision making to mitigate potential risks

Employee Training

  • Multiple trainings are conducted annually to raise awareness about different risks
  • Skill upgradation training sessions are conducted based on training needs identified by the risk response teams
  • Interactive sessions for corporate offices and manufacturing sites are held with our risk experts

Recognition and Reward System

  • Our leadership encourages employees to identify and report potential risk expressions such as near miss incidents, market dynamics, statutory and regulatory changes
  • We have an extensive reward system for employees and contractors, such as EHSAAS Awards and Spirit of Lupin Awards

Reporting Mechanisms

  • Employees can report risks to their leadership or via Ombudsperson
  • Office of Ombudsperson ensures responsive and professional handling of reports

Risk Criteria in Product / Service Development

  • Manufacturing facilities conduct risk management for all activities following Standard Operating Procedures (SOPs) referencing Engineering Controls and Personal Protective Equipment (PPE) usage
  • SOPs are prepared based on risks using Hazard Identification and Risk Assessment (HIRA) methodology and aspect impact to control adverse environmental effects
  • Rigorous regulatory audits by entities such as the U.S. FDA and UK MHRA necessitate preparedness
  • Unique training methods such as the Audit Readiness film simulate real-life audit situations, ensuring employees interact positively and confidently with auditors

Our Risk Categorization

The risks in our portfolio are evaluated based on their likelihood and potential impact and categorized into one of the four risk categories.

Strategic Risks

These are the most critical factors affecting our ability to implement our strategy or accomplish our business objectives. As they stem from the organization’s overarching strategy, business model and strategic decisions, their impact can be far-reaching and potentially undermine the company’s core mission. We conduct regular risk reviews and scenario planning to manage strategic risks and establish robust mitigation measures to treat the risk. This enables us to reduce the likelihood of the risk materializing.

Operational Risks

These risks pertain to potential losses or disruptions arising from identified inadequacy in internal processes, systems, human errors, or external events. They arise from our day-to-day operations, processes, and systems that enable the organization to function effectively. Our operational risks are managed through robust internal control processes, employee training, business continuity planning, compliance mechanisms, and incident response protocols.

Emerging Risks

These risks are potential threats that are newly formed or rapidly evolving, requiring oversight and monitoring as they may develop into strategic or operational risks in the future. They may not be quantifiable, may contain a high degree of uncertainty, and their full impact on the organization may not be immediately apparent. These risks are often driven by nascent trends, disruptive technologies, regulatory shifts, or societal changes. Depending on the priority of the risk, respective risk owners are identified for these risks, and appropriate mitigation measures are implemented.

Systemic Risks

These are evolving trends in the industry, over a longer term, that hold the potential to develop into new risks. They are on the radar of the company but do not warrant an immediate risk response. However, these are assessed to see if the future consequence of the risk would be within our risk appetite and tolerances. Both emerging and systemic risks are communicated regularly and escalated appropriately to the Risk Management Committee so that they can guide decision-making.

Our 2024 Risk Register

Risk Prioritization Matrix

Prioritization is an outcome of likelihood and magnitude assessment. To illustrate this, we have created a risk prioritization matrix, a heat map that highlights the significance of each risk.

Risk Responses for our Strategic and Operational Risks

Emerging Risks

Competitive Advantage Erosion in Drug Discovery due to AI

The traditional pharmaceutical industry is facing disruption from AI-powered drug discovery startups, which are accelerating the drug discovery process and potentially eroding the advantages of established players. AI brings more efficiency to today’s costly and slow processes and holds the potential to identify new drugs that go beyond traditional methods. As per a report by Markets & Markets published in November 2023, the integration of AI and machine learning in drug discovery is expected to grow significantly, with a compound annual growth rate (CAGR) of 40.2% from 2023 to 2028. Lupin faces the risk of being outpaced by digitally agile competitors, and our advantage in NDD could be threatened by the emergence of AI-enabled startups that offer newer medications and therapies.

Mitigation Action
Lupin is investing in technology enabled solutions such as AI and ML, with a potential to disrupt the market.

Supply Chain Disruptions due to Geopolitical and Transition Risk

Our supply chain is always exposed to interruptions in raw material inputs due to factors such as geopolitical risks, physical climate risks and transition risk against imports from a specific region. Moreover, international sanctions and trade policies can also cause issues with raw material availability, while conflict-ridden trade routes may potentially affect our logistics time.

Mitigation Action
Import substitution strategies can be effective in mitigating the above-mentioned supply chain disruptions but require careful consideration of potential risks in sourcing regions. Lupin has an import substitution strategy as part of its broader strategy to de-risk the company’s supply chain, which could be impacted by geopolitical tensions and potential war zones in sourcing regions, particularly in regions such as the Middle East and Eastern Europe. Our Global Sourcing and Contract Manufacturing (GSCM) team engages with suppliers worldwide. However, the emphasis is on collaborating and developing domestic manufacturers to reduce import dependency and contribute to the local economy. We have a cross-functional team comprising experts from the Research and Development, Quality Assurance, GSCM, and Regulatory Affairs departments, who collaborate closely with suppliers working on import substitution.

Systemic risks

Misinformation Risks, Deep Fakes and Trust Deficit

The World Economic Forum’s ‘The Global Risks Report 2023’ ranks ‘Misinformation’ as the 5th most severe global risk over the long term.

As the internet evolves, pharmaceutical companies like Lupin are becoming more susceptible to misinformation campaigns that can spread unreliable evidence on any of the products, affecting the public’s trust in the brand and the industry at large. With the potential to develop hostility toward the brand, deep fakes and AI-generated content are a novel threat to our credibility and business. They pose higher stakes and more harmful risks due to their capacity to create believable content at scale and at speed, which makes it challenging for us to counter.

Weaponized AI for Cyberattacks

Pharmaceutical companies have experienced an uptick in cyberattacks over the last few years due to valuable data and intellectual property held by these organizations. According to the Journal of the American Medical Association, the frequency of cyberattacks on U.S. hospitals and health systems more than doubled from 2016 to 2021. Another example closer to home is the recent 2023 ransomware attack on one of India’s largest drug manufacturers, drawing attention to the industry’s vulnerability to data breaches and cyber threats. Cybercriminals are increasingly leveraging AI techniques to enhance the effectiveness of their attacks, making them more difficult to detect and defend against. Generative AI tools can be used to create counterfeit medical records, produce sophisticated phishing emails, create malware, and even manipulate diagnostic imaging results from X-rays and MRIs for ransomware. In diagnostic businesses like Lupin’s, medical imagery like MRI and CT scan results are typically stored on a central system and retrieved when required, making them susceptible to weaponized AI attacks without adequate measures to fend them off. AI systems could also be used to analyze and reverse-engineer our proprietary drug formulations, manufacturing processes, or research data, leading to IP infringement and potential legal battles.