
Risk Management

Risk Management System

SK bioscience operates the Enterprise Risk Management (ERM) system to manage financial and non-financial risks that may arise from business activities in an integrated manner. The primary goal of the ERM is to minimize the likelihood of risks materializing and negatively impacting the business. To achieve this, risk factors related to our business are selected as priority management tasks and managed intensively. The general manager of the ERM is the Head of Legal & Patent Office, and the divisions in charge of each priority management task lead risk mitigation activities.

As the control tower of the ERM, the Legal & Patent Office identifies the status of risk management, supports management activities, and regularly reports operational results to the top management. In addition, non-financial risks related to ESG are reported to the Board through the ESG Committee. Moreover, we prioritize a long-term perspective in ERM operations to effectively respond to risks that dynamically change based on the internal and external business environment.

Risk Management Organizational Chart
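  1. CEO
  2. Head of Legal & Patent Office
  3. Trade secret protection
    Information security
    Legal
    Legal and regulatory compliance
    R&D, production quality management
    Legal
    Strengthening safety
    Clinical
    Pharmacovigilance
    Securing IP and talent
    Intellectual property
    Recruitment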
Other ESG-related non-financial risks
  • Board of Directors
  • ESG Committee
  • ESG Committee Secretariat
Risk Report Process
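  1. Board of Directors
  2. Legal & Patent Office
    Collects and organizes the performance results and plans of each division in charge and reports them to the CEO
  3. Each division in charge
    Sets the year's priority initiatives, detailed implementation plans, and targets
    Reports performance results and notable matters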
Risk Management Activities

SK bioscience has established a risk management framework based on the Risk Framework of ISO 31000 and the COSO framework, which are international standard certifications. We take an integrated approach to risk management by encompassing identification, measurement, and assessment of the risks for existing priority management tasks and new tasks that may be identified in the future. Additionally, we conduct systematic risk management activities by continuously monitoring potential emerging risks stemming from changes in the internal and external business environment and establishing proactive response measures to them.

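Establishing a process that runs from risk identification to measurement, management, and evaluation

Building a systematic risk foundation through risk identification and measurement

  • Risk identification

    Definition of risk (OIEP)
    The probability of occurrence of events that have an impact on the achievement of the organization's objectives
    Distinction from events that have already occurred
    An event that has already occurred is not a risk
    An appropriate follow-up response is the best management
    Identifiability and measurability
    A risk can be managed only if it can be identified and measured
  • Risk measurement

    Risk measurement
    Based on likelihood and impact: measure the risk level (High/Medium/Low), and manage risks as priority management tasks starting from High Risk

    (Figure: impact, priority management tasks, likelihood)

  • Risk management activities and evaluation of management effectiveness

    Evaluation of the current risk level
    The current risk level is evaluated based on the risk management activities carried out for each task

    (Figure: impact, priority management tasks, likelihood, before/after management; evaluation and opinion for each component)

  • Establishing future plans

    Determining the future managing entity
    Considering each task's risk impact, likelihood, and current risk level, decide whether to continue managing it at the company-wide level or to have it managed by the operating division
    Continued ERM management
    Management by the operating division
    Establishing future plans
    The managing entity of each task analyzes shortcomings against the existing plan and takes the lead in establishing and implementing a new plan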
ERM Operation and Monitoring System

SK bioscience operates the ERM system so that divisions in charge of each risk can take preventive measures if they identify risks inherent in their work. Risks that require company-wide management are incorporated into ERM priority management tasks, thereby enhancing the overall level of risk management.

The Legal & Patent Office monitors the management status of priority management tasks and conducts support activities as needed. By observing the possible occurrence of social issues that may negatively affect the Company in the future, it warns of risks and takes proactive measures. Simultaneously, the division executes some of the ERM priority management tasks and performs risk management for the assigned tasks.

In 2023, we restructured our ERM (Enterprise Risk Management) tasks to focus on compliance-related risks, managed intensively by the Legal Team, to enhance the professionalism and efficiency of risk management. Tasks from the existing key management areas with established management systems in their respective departments have been handed over to those departments. However, some tasks remain as key management areas to support the risk management activities of the responsible departments. Dedicated personnel are assigned to each management area to operate the ERM functions more professionally and ensure comprehensive enterprise-wide risk management.

Reform Plan of the ERM System

Centralization

  • Among the nine priority management tasks of our ERM, four tasks that the division in charge can manage in daily operations are transferred to each division.
  • Among the seven tasks that require company-wide management, the compliance-related tasks are directly managed by the Legal Team, and the division in charge supports the rest.
  • In the case of social events that may have an impact on the Company, we focus our capabilities on providing timely risk warnings and identifying new management tasks.

Specialization

  • The Legal Team, serving as the ERM Control Tower, assigns dedicated personnel to each key management task to improve the professionalism and efficiency of task management.
  • By restructuring both existing and newly identified key management tasks to focus on compliance-related risks, the Legal Team strengthens its direct risk management functions.

Operation of Business Continuity Plan

SK bioscience has established an emergency response plan to minimize human, material, and environmental losses in the event of an unavoidable accident such as a natural disaster or catastrophe. In case of an accident, we implement a staged systematic response plan consisting of a series of actions that enable us to respond to crises quickly and systematically. These actions include reporting, organizing and convening an emergency response team, and disseminating information about the situation. In accordance with the internal emergency response management regulations, responsibilities, authorities, and response plans for each division are established. The decision to activate the emergency response committee is made based on the severity of the situation.

We have also designed a Business Continuity Plan (BCP) to respond to emergencies and increase our business recovery capacity. We operate situation-specific response scenarios for a possible emergency situation and respond according to unified instructions and reports to minimize the damage caused by disruption of business activities. Additionally, we maintain continuous communication with our stakeholders through both internal and external channels, ensuring that the impact on them is minimized. In fiscal year 2023, we conducted a total of two emergency response drills on a semi-annual basis. As part of our efforts to improve our response capabilities during emergencies, we plan to increase the frequency to once a quarter in fiscal year 2024.

Organizational Chart for Crisis/Emergency Response Committee
  1. Crisis Response Committee
  2. Secretary
    • L House Emergency Response Headquarters
    • HQ emergency response organization

SK bioscience strives to minimize damages by proactively managing all risk factors that arise in the business sites. Accordingly, we have established an emergency response system and emergency response procedures to promptly respond to emergencies in the workplace.

We set up a disaster prevention system to monitor on-site emergencies 24 hours a day and prepared response scenarios by predicting emergencies in the SHE (Safety∙Health∙Environment) aspect. The emergencies and response levels are categorized based on the severity of damage and the possibility of further escalation. We have also defined the roles and responsibilities of divisions in charge of on-site response, support, and emergency contacts.

Meanwhile, under the leadership of the SHE Team, we conduct joint drills at least once every quarter to enhance our crisis response capabilities, and we also establish improvement plans for problems identified through the drills.

Emergency Response Policy: Operational Principles
  1. Protection of human life
  2. Protection of the environment
  3. Protection of the Company's assets and image
Types of Emergency
  • Emergency

    • Personal injury accident
    • Fire and explosion accident
    • Oil leakage accident: land/sea
    • Leakage accident: toxic/flammable gas
  • Quasi-emergency

    • Natural disasters such as typhoons, heavy rains, earthquakes, and tsunamis
    • Risk of an accident occurring in a nearby area that may spread to the business site
    • Blackout
Supply Chain Diversification Strategy

SK bioscience has established and operated a supply chain diversification strategy to ensure stable production and seamless inventory management. By reducing dependence on a small number of suppliers and securing supply chain diversification, the Company ensures a stable and systematic supply chain capable of quickly and flexibly responding to global demand in the event of production disruptions or unforeseen supply interruptions. This strategy allows SK bioscience to maintain continuous and reliable product manufacturing and supply.

Tax Risk Management

SK bioscience complies with domestic and international tax policies and regulations and faithfully fulfills its obligations to file tax returns and pay taxes. We do not transfer income to other countries to exploit differences in tax laws or loopholes in the international tax system. Moreover, we ensure that taxable income is allocated consistently with the value created in each country where we conduct business activities. To proactively manage tax risks, we seek advice on taxes from external tax experts. For major tax issues, we consult tax authorities in advance and carry out tax-related activities based on authoritative interpretations obtained during these consultations.

We evaluate and manage tax risks that may arise due to ongoing changes in tax policies, as well as those associated with our business activities, including new growth investments. Recognizing the complexity of tax laws and differences in interpretation, we understand that it is impossible to eliminate all tax risks entirely. Therefore, our focus lies in preemptive identification and management of uncertain tax issues. To proactively prevent such risks, we continuously monitor domestic and international tax laws, as well as tax trends in each country, and cooperate and communicate with tax experts.

When it comes to transactions between related parties, SK bioscience observes the arm’s length principle aligned with the OECD Transfer Pricing Guidelines and the laws of each country. For transfer pricing transactions with related parties abroad, we will prepare a Base Erosion and Profit Shifting (BEPS) report and a transfer pricing report with an external tax expert if necessary. We will also oversee the implementation of transparent tax strategies such as the prevention of tax evasion and income transfer.

Tax-related Decision-making System
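  1. CEO
    Receives reports from the Management Support Division on tax-related closing details, risks, and significant notable matters
    Gives final approval of decisions

    Report on tax-related closing details, risks, and notable matters requiring a CEO decision

  2. Management Support Division
    Reviews tax-related risks and significant notable matters reported by the Finance Office
    Integrates the Finance Office's tax strategy into the goals of the organization as a whole

    Report on tax-related closing risks and significant notable matters

  3. Finance Office
    Reviews tax-related risks and notable matters reported by the Accounting Team
    Checks whether taxes have been paid in accordance with the Company's tax policy

    Report on tax-related risks and notable matters

  4. Accounting Team
    As the working-level organization dedicated to management tax strategy, coordinates tax-related matters and manages risks
    Regularly attends briefings on revised tax laws hosted by accounting firms to internalize tax management policies and principles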

Information Security

Information Security Management System

Starting with the revision of security-related policies, SK bioscience has designated an information protection officer and established an information security management system centered on a dedicated information protection team. In addition, all of our information protection-related policies and procedures are continuously updated in accordance with compliance regulations and changes in the internal work environment. In 2023, we appointed individuals in charge of security for each department who are tasked with disseminating security training and checkpoints within their respective departments, to manage information protection issues. In 2024, SK bioscience is enhancing security in the evolving IT/OT environment and further advancing asset protection activities in the cloud environment.

Information Protection Division

The tasks of SK bioscience's information protection division are managed and supervised by C-level executives. The tasks are divided into three detailed areas: technical security, privacy, and physical security. Each area is led by a manager, and in the case of physical security, we have allocated a manager at the HQ and at Andong L HOUSE respectively. Going forward, having appointed a person with expertise in information protection as the Chief Information Protection Officer, we are working to achieve a level of management that corresponds to international standards.

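Executive in charge of information protection

  • Technical security
    Information protection officer (CISO)
    Information protection manager
  • Privacy
    Privacy protection officer (CPO)
    Privacy protection manager
  • Physical security
    HQ physical security officer
    HQ physical security manager
    Physical security
    L House physical security officer
    L House physical security manager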
Information Protection Goals

SK bioscience effectively and reliably protects corporate assets by controlling information leakage routes through information protection and by specifying procedures and the roles and authorities of personnel in charge to ensure necessary security measures are implemented. We conduct information protection activities that meet the requirements of international standards such as GMP, and strengthen our IT security control system and external data security by reflecting the ISO 27001 standard, which is the information protection and privacy management system.

Since 2022, SK bioscience has maintained ISO 27001 certification, identifying risk factors in the field of information security. The Company adheres to the standards for publicly listed companies in Korea by annually disclosing transparent security activities through information protection disclosures. Through these efforts, we are committed to enhancing our security capabilities at a global level and earning the trust of our global partners by obtaining international standard certifications.

Prevention of and Response to Cybersecurity Incidents

To prevent and respond to cybersecurity incidents, SK bioscience conducts regular inspections of major systems and strengthens the security review process upon the introduction of new solutions. In addition, we conduct simulated phishing every half year to diagnose vulnerabilities and establish safe business systems through continuous management.

At each simulation training, we send a total of two warning emails to employees who had their computers infected with malware and carry out PC scans and checks. In addition, we conduct DDoS simulation training in the second half of each year to check the detection and blocking abilities of our security systems and the availability of security equipment by conducting three simulated attacks consisting of prevalent and new attack types.

DDoS Simulation Training Procedure

  1. Configure the attack equipment and defense equipment
  2. Select the DDoS training targets
  3. Set the attack types
  4. Attempt the first, second, and third attacks
  5. Check the detection and blocking results
Information Security Activities and Training

SK bioscience’s company-wide IT system is kept safe from internal and external threats such as information leakage through remote control services provided by a professional security company. To instill a culture of security among employees and preemptively control internal information leaks, SK bioscience designates an annual "Company-wide Security Day." On this day, employees perform self-checks on life security, document security status, and work devices. Penalties are imposed on violators to prevent recurrence. As a result, the security check violation rate significantly decreased from 30.8% in 2022 to 10.9% in 2023. We also try to create an information protection culture by sharing monthly malicious/phishing mail trends and new security threat cases via the Company notice board.

Furthermore, we conduct regular privacy and security training for our employees, including new hires and employees of our business partners, to strengthen security awareness and raise awareness of information leaks. The training program is updated annually to deliver customized privacy and information security training.

Contents and duration of privacy protection, information security, and development security training

| Category | Contents | Time |
| --- | --- | --- |
| Privacy Protection | Personal data protection compliance, minimum personal data processing, ensuring information owner’s right to choose, etc. | 1 hr |
| Information Security | Trends and cases, SKBS information security status and processes, etc. | 1 hr |
| Development Security | Web secure coding, component security, information leakage prevention, etc. | 2.5 hr |