WEC

1. WEC MADRID 18TH MARCH 2004 ASTRAZENECA’S APPROACH TO SUPPLIER RISK MANAGEMENT

2. INTEGRATED BUSINESS MANAGEMENT • CORPORATE RESPONSIBILITY PRINCIPLES FOR SUPPLIERS • RISK MANAGEMENT IN BULK DRUG OUTSOURCING PROJECTS

4. Principles • Delivering opportunities by managing risk is a key part of all our activities. • In all our activities, risk should be understood an visible. • Approaches to managing risk will be simple flexible and sustained. • Business context will determine the level of acceptable risk and control. • Risk will be managed consistent with Company Values

5. Risk Management Framework Risk Language Understand Identify • Context • Map Context • Engage Stakeholders • Boundaries • Agree Scope & Objectives • Opportunities • Threats Review Outcomes/ Learning Manage • Plan • Risk Management Plans • Enabling Resources • Monitoring & Reporting • Review& Learning • Review Overall Outcomes • Learning Review • Sharing Learning Assess • Consequences • Rewards • Impacts • Likelihood Culture and Values

6. Risk Criteria

7. Identification Checklist

8. Threat & Opportunity Risk Profile

9. Corporate ResponsibilityPrinciples in Purchasing2003 Progress&2004 Objectives

10. What is Corporate Responsibility (CR)?

11. Purchasing and CR • Mandatory SHE standard • Business interruption risk management • AstraZeneca’s Reputation • Insurers, investors and media interest

12. We are committed to living our values by ensuring consistently high standards of corporate responsibility wherever AstraZeneca has a presence or impact. AstraZeneca CR Goals

13. What does this mean for Purchasing? • The overarching principle is that it is our objective to increase suppliers' awareness and seek improvements, rather than excluding any suppliers based on poor performance. • However, if the performance remains poor, we will take steps to place our business elsewhere. • CR should be incorporated into the selection and relationship management of our suppliers whilst ensuring that basic legal requirements are included in contracts. • We can only expect our suppliers to do what we are prepared to do ourselves.

14. Objectives 2004 • Continue to build CR into contracts, frameworks or master service agreements (Purchasers) • Continue to include CR in Business Control Meetings with strategic and key suppliers (Purchasers). • Build CR into the consistent Category Management process being developed as part of Transformation(Implementation Team)

15. Risk Management in Bulk Drug Outsourcing Projects

16. The purpose of the AstraZeneca Supplier Risk Assessment is to: • Ensure compliance with the AstraZeneca SHE Policy and Standards (Std 6) • Assure security of supply by identifying and managing risk • Facilitate the provision of insurance cover • Identify possible costs associated with SHE improvements as early as possible • Safeguard AstraZeneca’s image and reputation

17. Supplier evaluation – key principles • Carried out for all new suppliers and new projects at existing suppliers. • Scheduled by the Outsourcing Project Managers (OPM) as one of the project deliverables. • Lead by trained auditors (OPMs), supported by others (OPMs, purchasing, project team members) • Reinforced by specialists (Corporate SHE, QA, etc) where necessary.

18. Supplier Risk Assessment • An initial assessment of standards: • Safety, Health and Environmental risks • Corporate Social Responsibility • Technical capability • Quality systems • Commercial status

19. Risk Assessment in an Outsourcing Project Specialist Assessment Unsure Risk Acceptable ? Project Implementation Y Preliminary Assessment Supplier Selection On Going Supply N Do not progress

20. Specialist Assessment Unsure Risk Acceptable ? Project Implementation Y Preliminary Assessment Supplier Selection On Going Supply N Do not progress • Audit Process • Understand management systems • Assess apparent strengths and weaknesses • Gather audit evidence • Re-assess, evaluate results • Report audit findings (AZ only) • Audit Preparation • Pre-audit questionnaire • Pre-audit document request • Form audit team, agree scope of audit • Review returned data • Identify key issues for audit • Finalise scope and logistics

21. Specialist Assessment Unsure Risk Acceptable ? Project Implementation Y Preliminary Assessment Supplier Selection On Going Supply N Do not progress • Supplier Selection • Risk assessment findings considered as part of supplier selection process, along with other factors (e.g. cost, time, capacity, regulatory, commercial, intellectual property) • Project proposal is a formal project document where chosen supplier is approved • Business sign on to associated risks and any improvement plans

22. Specialist Assessment Unsure Risk Acceptable ? Project Implementation Y Preliminary Assessment Supplier Selection On Going Supply N Do not progress • Project Implementation • Project activities to include any improvement plans from audit • Included in development contract • Further project specific audits as required

23. Specialist Assessment Unsure Risk Acceptable ? Project Implementation Y Preliminary Assessment Supplier Selection On Going Supply N Do not progress • On Going Supply • Periodic review of risk assessment • Utilise appropriately trained resources • Basis for continuous improvement, managed through Business Control process

24. Questions For Discussion • How far should we expect/require suppliers to go in complying with CR principles? • To what extent should we monitor/audit their compliance? • In reporting our Environmental performance should we include the impact of outsourced activities?