What is the Johnson & Johnson (J&J) ERM?

The Johnson & Johnson ERM framework helps identify potential events that may affect the enterprise, manage the associated risks and opportunities, and provide reasonable assurance that the Company's objectives will be achieved.
Johnson & Johnson is one of the largest healthcare enterprises in the world. The company created a custom ERM framework, guided by the COSO ERM framework, to address healthcare-specific risks such as reduced business vitality due to healthcare reform.
What is J&J's approach to ERM?
Johnson & Johnson’s approach to ERM is informed by principles outlined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
COSO defines ERM as “the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value” (COSO, ERM Framework – Integrating with Strategy and Performance, 2017).
Overview of J&J’s approach to risk management:
- Seeks to promptly resolve internally identified risks of non-compliance with laws and regulations, in order to maintain the provision of quality products, protect patient safety and ensure appropriate relationships with customers.
- Supports strategies for the effective use of resources, enables an optimized, proactive approach to auditing and to identifying and remediating compliance issues, and promotes reporting and monitoring across compliance functions.
- Helps enable improved decision making, planning and prioritization through assessments of opportunities and threats.
- Helps drive value creation by enabling management to respond in a prompt, efficient and effective manner to future events that create uncertainty and represent a significant threat or opportunity.
What are the components of the J&J ERM?
The Johnson & Johnson ERM Framework comprises five intertwined components:
- Strategy and Objectives: The executive committee establishes strategic goals and financial targets that cascade to global business units through senior management.
- Performance: Leadership establishes risk responses; risk management functions implement the supporting policies and controls and develop action plans. The company monitors performance throughout the year using risk assessments, scans, and surveys.
- Review and Revision: Personnel – independent of the business unit they’re reviewing – test, audit, and assess risk response performance. They report risk mitigation activities to leadership, and review metrics.
- Information, Communication, and Reporting: Key risk personnel meet with the board of directors, the executive committee, and business leaders to ensure ownership of ERM programs. They conduct training and exchange knowledge across business units, and use the employee intranet and direct communication to disseminate information.
- Governance and Oversight: The board of directors provides oversight of risk and meets regularly with leadership. The executive committee establishes strategic goals and oversees risk functions of the business sectors. Various committees share emerging risks and standard practices across core risk functions like healthcare compliance.