GlaxoSmithKline plc
(the 'Company')
Publication of 2018 Annual Report
The Company will today publish on its website www.annualreport.gsk.com the Annual Report for the year ended 31 December 2018 (the '2018 Annual Report').
A hard copy version of the following documents will be sent to those shareholders who have elected to receive paper communications on or about 2 April 2019:
- 2018 Annual Report
- 2018 Annual Summary (the '2018 Summary')
- 2019 Notice of Annual General Meeting
Shareholders who have not elected to receive paper communications will be sent the 2018 Summary notifying them of the availability of these documents on the Company's website.
In compliance with Listing Rule 9.6.1R of the UK Financial Conduct Authority ('FCA'), the aforementioned documents will be submitted to the UK Listing Authority and will be available for public inspection at the National Storage Mechanism (NSM) www.morningstar.co.uk/uk/NSM.
The information included in the unaudited preliminary results announcement released on 6 February 2019, together with the information in the Appendices to this announcement which is extracted from the 2018 Annual Report, constitute the materials required by the FCA's Disclosure Guidance and Transparency Rule 6.3.5R. This announcement is not a substitute for reading the 2018 Annual Report in full. Page and note references in the Appendices below refer to page and note references in the 2018 Annual Report.
V A Whyte
Company Secretary
12 March 2019
Cautionary statement regarding forward-looking statements
GSK cautions investors that any forward-looking statements or projections made by GSK, including those made in this announcement, are subject to risks and uncertainties that may cause actual results to differ materially from those projected. Such factors include, but are not limited to, those set out in Appendix A of this announcement.
Brand names
Brand names appearing in italics throughout this announcement are trademarks either owned by and/or licensed to GlaxoSmithKline or associated companies.
APPENDIX A
Principal risks and uncertainties
The principal risks discussed below are the risks and uncertainties relevant to our business, financial condition and results of operations that may affect our performance and ability to achieve our objectives. The risks below are those that we believe could cause our actual results to differ materially from expected and historical results. During 2018 we have evolved the cycle of management of these risks which helps us Identify, manage and report on our most important risks in a proportionate and consistent way.
We must adapt to and comply with a broad range of laws and regulations which apply to research and development, manufacturing, testing, approval, distribution, sales and marketing of Pharmaceutical, Vaccine and Consumer Healthcare products. These affect not only the cost of product development but also the time required to reach the market and the likelihood of doing so successfully on a continuous basis.
Also, during 2018 we have improved consistency of risk management across the organisation through evolution of our enterprise risk management and reporting cycle.
As rules and regulations change, and governmental interpretation evolves, the nature of a particular risk may change. Changes to certain regulatory regimes may be substantial. Any change in, and any failure to comply with, applicable law and regulations could materially and adversely affect our financial results.
Similarly, our global business exposes us to litigation and government investigations, including but not limited to product liability litigation, patent and antitrust litigation and sales and marketing litigation. Litigation and government investigations, including related provisions we may make for unfavourable outcomes and increases in related costs such as insurance premiums, could materially and adversely affect our financial results.
More detail on the status and various uncertainties involved in our significant unresolved disputes and potential litigation is set out in Note 45, 'Legal proceedings,' on pages 215 to 218.
UK regulations require a discussion of the mitigating activities a company takes to address principal risks and uncertainties. A summary of the activities that the Group takes to manage each of our principal risks accompanies the description of each principal risk below. The principal risks and uncertainties are not listed in order of significance.
Patient safety
Risk definition
Failure to appropriately collect, review, follow up, or report human safety information (HSI), including adverse events from all potential sources, and to act on any relevant findings in a timely manner.
Risk impact
The risk impact has the potential to compromise our ability to conduct robust safety signal detection and interpretation and to ensure that appropriate decisions are taken with respect to the risk/ benefit profile of our products, including the completeness and accuracy of product labels and the pursuit of additional studies/ analyses, as appropriate. This could lead to potential harm to patients, reputational damage, product liability claims or other litigation, governmental investigation, regulatory action such as fines, penalties or loss of product authorisation.
Context
Pre-clinical and clinical trials are conducted during the development of investigational Pharmaceutical, Vaccine and Consumer Healthcare products to determine the safety and efficacy of the products for use by humans. Notwithstanding the efforts we make to determine the safety of our products through appropriate pre-clinical and clinical trials, unanticipated side effects may become evident only when products are widely introduced into the marketplace. Questions about the safety of our products may be raised not only by our ongoing safety surveillance and post-marketing studies but also by governmental agencies and third parties that may analyse publicly available clinical trial results. Constant vigilance and flexibility is required in order to respond to a varied regulatory environment which continues to evolve and diverge globally.
The Group is currently a defendant in a number of product liability lawsuits, including class actions, that involve significant claims for damages related to our products. Litigation, particularly in the US, is inherently unpredictable. Class actions that seek to sweep together all persons who take our products increase the potential liability. Claims for pain and suffering and punitive damages are frequently asserted in product liability actions and, if allowed, can represent potentially open-ended exposure and thus, could materially and adversely affect the Group's financial results.
Mitigating activities
The Chief Medical Officer (CMO), who is also the Medical Officer for Pharmaceuticals, is responsible
for medical governance under a global policy. Under that policy, safeguarding human subjects in our
clinical trials and patients who take our products is of paramount importance, and the CMO has the
authoritative role for evaluating and addressing matters of human safety.
Individual Medical Officers within the Pharmaceutical, Vaccines and Consumer Healthcare businesses
and our substantial Safety and Pharmacovigilance organisation keep track of any adverse issues
reported for our products during the course of clinical studies. Once a Group product is approved for
marketing, we have an extensive post-marketing surveillance and signal detection system. Information
on possible side effects of products is received from several sources including unsolicited reports from
healthcare professionals (HCPs) and patients, regulatory authorities, medical and scientific literature,
traditional media and social media. It is our policy that employees are required to report immediately
any issues relating to the safety or quality of our products. Each of our country managers is responsible
for monitoring, exception tracking and training that helps assure the collection of safety information and
reporting the information to the relevant central safety department, in accordance with policy and legal
requirements.
Information that changes the risk/benefit profile of one of our products will result in certain actions to
characterise, communicate and minimise the risk. Proposed actions are discussed with regulatory
authorities and can include modifying the prescribing information, communications to physicians and
other healthcare providers, restrictions on product prescribing/availability to help assure safe use, and
sometimes carrying out further clinical trials. In certain cases, it may be appropriate to stop clinical trials
or to withdraw the medicine from the market.
Our Global Safety Board (GSB), comprising senior physicians and representatives of supporting
functions, is an integral component of the system. The GSB (including subsidiary boards dedicated to
Consumer Healthcare products and Vaccines) reviews the safety of investigational and our marketed
products and has the authority to stop a clinical trial if continued conduct of such trial is not ethically or
scientifically justified in light of information that has emerged since the start of the trial.
In addition to the medical governance framework as described above, we use several mechanisms to
foster the early evaluation, mitigation and resolution of disputes as they arise, and of potential claims
even before they occur. The goal of the programmes is to create a culture of early identification and
evaluation of risks and claims (actual or potential) that remains strong through organisational and
regulatory change, in order to minimise liability and litigation.
Product quality
Risk definition
Failure to comply with current Good Manufacturing Practices (cGMP) or inadequate controls and
governance of quality in the supply chain covering supplier standards, manufacturing and distribution
of products.
Risk impact
A failure to ensure product quality could have far reaching implications in terms of patient and consumer
safety resulting in product launch delays, supply interruptions and product recalls. This would have the
potential to do damage to our reputation, as well as result in other regulatory, legal and financial
consequences.
Context
Patients, consumers and HCPs trust the quality of our products. Product quality may be influenced by
many factors including product and process understanding, consistency of manufacturing components,
compliance with GMP, accuracy of labelling, reliability of the external supply chain, and the embodiment
of an overarching quality culture. The internal and external environment continues to evolve as new
products and new legislation are introduced. Critically, we are addressing the impact of Brexit on our
supply chain management and quality oversight between the UK and the EU and are developing and
deploying appropriate contingency plans to avoid interruption of supply to patients.
Mitigating activities
An extensive global network of quality and compliance professionals is aligned with each business unit
to provide oversight and assist with the delivery of quality performance and operational compliance,
from site level to senior management level. Management oversight of those activities is accomplished
through a hierarchy of Quality Councils and through an independent Chief Product Quality Officer and
Global Product Quality Office.
We have developed and implemented a single Quality Management System that defines the quality
standards and systems for our businesses associated with Pharmaceuticals, Vaccines and Consumer
Healthcare products and clinical trial materials. This system has a broad scope and is applicable
throughout the product lifecycle from R&D to mature commercial supply.
There is no single external quality standard or system that governs the detailed global regulatory
expectations for the quality of medicinal products. Requirements are often complex and fragmented
across national and regional boundaries. We have therefore adopted the internationally recognised
principles from the 'ICH Q10: Pharmaceutical Quality Systems' framework as the basis for the GSK
Quality Management System.
This is an industry standard which incorporates quality concepts throughout the product lifecycle. The
GSK Quality Management System is augmented by a consolidation of the numerous regulatory
requirements defined by markets across the world, which assures that it meets external expectations
for product quality in the markets supplied. The Quality Management System is routinely updated to
ensure that it keeps pace with the evolving external regulatory environment and with new scientific
understanding of our products and processes. As part of our drive to continually improve the operational
deployment of our Quality Management System, we are making our policies and procedures simpler to
understand and implement, as well as adopting innovative tools to give a more user-friendly experience.
We provide the Corporate Executive Team & Risk Oversight and Compliance Council with an integrated
assessment of Regulated Quality (GxP) performance. The defined key performance indicators cover
manufacturing practice, clinical practice, pharmacovigilance practice, regulatory practice, drug safety
assessment, and animal welfare.
We have implemented a risk-based approach to assessing and managing third party suppliers that
provide materials which are used in finished products. Contract manufacturers making our products are
expected to comply with GSK standards and are regularly audited to provide assurance that standards
are met.
All staff members are regularly trained to ensure that cGMP standards and behaviours based on our
values and expectations are followed. Additionally, advocacy and communication programmes are
routinely deployed to ensure consistent messages are conveyed across the organisation, whether they
originate from changes in regulation, learnings from inspections, or regulatory submissions. There is a
continued emphasis on the value of quality performance metrics to facilitate improvement and foster a
culture of 'right first time'.
Financial controls and reporting
Risk definition
Failure to comply with current tax laws or incurring significant losses due to treasury activities; failure to report accurate financial information in compliance with accounting standards and applicable legislation.
Risk impact
Non-compliance with existing or new financial reporting and disclosure requirements, or changes to the recognition of income and expenses, could expose us to litigation and regulatory action and could materially and adversely affect our financial results. Changes in tax laws or in their application with respect to matters such as transfer pricing, foreign dividends, controlled companies, R&D tax credits, taxation of intellectual property or a restriction in tax relief allowed on the interest on debt funding, could impact our effective tax rate. Significant losses may arise from inconsistent application of treasury policies, transactional or settlement errors, or counterparty defaults.
Any changes in the substance or application of the governing tax laws, failure to comply with such tax laws or significant losses due to treasury activities could materially and adversely affect our financial results.
Context
The Group is required by the laws of various jurisdictions to disclose publicly its financial results and
events that could materially affect the financial results of the Group. Regulators routinely review the
financial statements of listed companies for compliance with new, revised or existing accounting and
regulatory requirements. The Group believes that it complies with the appropriate regulatory
requirements concerning our financial statements and disclosure of material information including any
transactions relating to business restructuring such as acquisitions and divestitures. However, should
we be subject to an investigation into potential non-compliance with accounting and disclosure
requirements, this may lead to restatements of previously reported results and significant penalties.
Our Treasury group deals in high value transactions, mostly foreign exchange and cash management
transactions, on a daily basis. These transactions involve market volatility and counterparty risk.
The Group's effective tax rate reflects rates of tax in the jurisdictions in which the Group operates that
are both higher and lower than the UK rate and takes into account regimes that encourage innovation
and investment in science by providing tax incentives which, if changed, could affect the Group's tax
rate. In addition, the worldwide nature of our operations means that our intellectual property, R&D and
manufacturing operations are centered in a number of key locations. A consequence of this is that our
cross-border supply routes, necessary to ensure supplies of medicines into numerous end markets,
can be complex and result in conflicting claims from tax authorities as to the profits to be taxed in
individual countries. Tax legislation itself is also complex and differs across the countries in which we
operate. As such, tax risk can also arise due to differences in the interpretation of such legislation. The
tax charge included in our financial statements is our best estimate of tax liability pending audits by tax
authorities.
We expect there to be continued focus on tax reform in 2019 and future years driven by initiatives of
the Organisation for Economic Cooperation & Development to address the taxation of the digital
economy and European Commission initiatives including the use of fiscal state aid investigations.
Together with domestic initiatives around the world, these may result in significant changes to
established tax principles and an increase in tax authority disputes. These, regardless of their merit or
outcomes, can be costly, divert management attention and may adversely impact our reputation and
relationship with key stakeholders.
Mitigating activities
Financial results are reviewed and approved by regional management and then reviewed with the
Financial Controller and the Chief Financial Officer (CFO). This allows our Financial Controller and our
CFO to assess the evolution of the business over time, and to evaluate performance to plan. Significant
judgments are reviewed and confirmed by senior management. Business re-organisations and newly
acquired activities are integrated into risk assessments and appropriate controls and reviews are
applied.
Counterparty exposure is subject to defined limits approved by the Board for both credit rating and
individual counterparties. Oversight of Treasury's role in managing counterparty risk in line with agreed
policy is performed by a Corporate Compliance Officer, who operates independently of Treasury.
Further details on mitigation of Treasury risks can be found on pages 198 to 200, Note 42, 'Financial
instruments and related disclosures'.
We maintain a control environment designed to identify material errors in financial reporting and
disclosure. The design and operating effectiveness of key financial reporting controls are regularly
tested by management and via Independent Business Monitoring. This provides us with the assurance
that controls over key financial reporting and disclosure processes have operated effectively. A
minimum standard control set has been implemented, whereby all Finance activities, are required to
apply and ensure they are monitored. Our Global Finance Risk Management and Controls Centre of
Excellence provides extra support to large Group organisations undergoing transformation such as
system deployment or significant business and finance transformations. We have also added
operational resources to ensure processes and controls are maintained during business transformation,
the upgrade of our financial systems and processes. Additional risk mitigation has been introduced by
amending the programme timelines of system upgrades to optimise delivery.
The Disclosure Committee reporting to the Board, reviews the Group's quarterly results and Annual
Report and determines throughout the year, in consultation with its legal advisors, whether it is
necessary to disclose publicly information about the Group through Stock Exchange announcements.
The Treasury Management Group meets on a regular basis to seek to ensure that liquidity, interest
rate, counterparty, foreign currency transaction and foreign currency translation risks are all managed
in line with the conservative approach as detailed in the associated risk strategies and policies which
have been adopted by the Board.
Tax risk is managed through robust internal policies, processes, training and compliance programmes
to ensure we have alignment across our business and meet our tax obligations. We seek to maintain
open, positive relationships with governments and tax authorities worldwide and we welcome
constructive debate on taxation policy. We monitor government debate on tax policy in our key
jurisdictions to deal proactively with any potential future changes in tax law. We engage advisors and
legal counsel to confirm the implications for our business of tax legislation such as the recently enacted
US Tax Cuts and Jobs Act. Where appropriate, we are active in providing relevant business input to tax
policy makers. Significant decisions are submitted for consideration to the Tax Governance Board which
meets quarterly and comprises senior personnel from across GSK's Finance division.
Our tax affairs are managed on a global basis through a co-ordinated team of tax professionals led by
the Global Head of Tax who works closely with the business. Our tax professionals are suitably qualified
for the roles they perform, and we support their training needs in order that they continue to be able to
provide up to date technical advice. We submit tax returns according to statutory time limits and engage
with tax authorities to seek to ensure our tax affairs are current, entering arrangements such as
Continuous Audit Programmes and Advance Pricing Agreements where appropriate. These
agreements provide long-term certainty for both tax authorities and for us over the tax treatment of our
business. In exceptional cases where matters cannot be settled by agreement with tax authorities, we
may have to resolve disputes through formal appeals or other proceedings.
We keep up-to-date with the latest developments in financial reporting requirements by working with
our external auditors and legal advisors.
Anti-bribery and corruption (ABAC)
Risk definition
Failure of GSK employees, consultants and third parties to comply with our Anti-bribery & corruption
(ABAC) principles and standards, as well as with all applicable legislation.
Risk impact
Failure to mitigate this risk could expose the Group and associated persons to governmental investigation, regulatory action, and civil and criminal liability and may compromise the Group's ability to supply its products under certain government contracts. In addition to legal and financial penalties, a failure to prevent bribery through complying with ABAC legislation and regulations could have substantial implications for the reputation of the company, the credibility of senior leaders, and an erosion of investor confidence in our governance and risk management.
Context
We are exposed to bribery and corruption risk through our global business operations. In some markets,
the government structure and the rule of law are less developed, and this has a bearing on our bribery
and corruption risk exposure. In addition to the global nature of our business, the healthcare sector by
its very nature maintains relationships with government bodies, is highly competitive and subject to
regulation. This increases the instances where we are exposed to bribery and corruption risk.
The Group has been subject to a number of ABAC inquiries. We reached a resolution with the US
authorities in 2016 regarding their ABAC inquiry, following which we were subject to a self-monitoring
arrangement. The self-monitorship concluded in September 2018. Government investigations regarding
our China and other business operations are ongoing. These investigations are discussed further in
Note 45, 'Legal proceedings'.
Mitigating activities
Programme governance is provided through Enterprise Risk Management overseen by the ABAC
Governance Board which includes representation from key functional areas and the business. We have
a dedicated ABAC team responsible for the implementation and evolution of the programme in response
to developments in the internal and external environment. This is complemented with independent
oversight and assurance undertaken by the Audit & Assurance and Independent Business Monitoring
teams.
We have an enterprise-wide ABAC programme designed to ensure compliance with our ABAC policies
and mitigate the risk of bribery and corruption. It builds on our business standards, values and
expectations to form a comprehensive and practical approach to compliance and is flexible to the
evolving nature of our business.
Our Code of Conduct, values and expectations, and commitment to zero tolerance are integral to how
we mitigate this risk. In light of the complexity and geographic breadth of this risk, we constantly evolve
our oversight of activities and data, reinforce to our workforce clear expectations regarding acceptable
behaviours, and maintain regular communications between the centre and local markets.
Our ABAC programme is built on best in class principles and is subject to ongoing review and
development. It provides us with the basis from which we seek to manage the risk from top down and
bottom up. For example, the programme comprises top-level commitment from the Board of Directors
and leadership, a global risk assessment and key risk indicators to enable targeted intervention and
risk management activities. The programme is underpinned by a global ABAC policy and written
standards that address commercial and other practices that give rise to ABAC risk and ongoing
communications. We provide mandatory periodic ABAC training to our staff and relevant third parties
in accordance with their roles, responsibilities and the risks they face. In addition, the programme
mandates enhanced controls over interactions with government officials and during business
development transactions.
We continually benchmark our ABAC programme against other large multinational companies and use
external expertise and internal insights to drive improvements in the programme.
Commercial practices
Risk definition
Failure to engage in commercial activities that are consistent with the letter and spirit of the law, industry,
or the Group's requirements relating to marketing and communications about our medicines and
associated therapeutic areas; appropriate interactions with healthcare professionals (HCPs) and
patients; and legitimate and transparent transfer of value.
Risk impact
Failure to manage risks related to commercial practices could materially and adversely affect our ability
to grow a diversified global business and deliver more products of value for patients and consumers.
Failure to comply with applicable laws, rules and regulations may result in governmental investigation,
regulatory action and legal proceedings brought against the Group by governmental and private
plaintiffs which could result in government sanctions, and criminal and/or financial penalties. Failure to
provide accurate and complete information related to our products may result in incomplete awareness
of the risk/benefit profile of our products and possibly suboptimal treatment of patients and consumers.
Any practices that are found to be misaligned with our values could also result in reputational harm and
dilute trust established with external stakeholders.
Context
We operate on a global basis in an industry that is both highly competitive and highly regulated. Our
competitors may make significant product innovations and technical advances and may intensify price
competition. In light of this competitive environment, continued development of commercially viable new
products and the development of additional uses for existing products that reflect insights which help
ensure those products address the needs of patients/consumers, HCPs, and payers are critical to
achieve our strategic objectives.
As other pharmaceutical, vaccine and consumer companies, we face downward price pressure in major
markets, declining emerging market growth, and negative foreign exchange impact.
Developing new Pharmaceutical, Vaccine and Consumer Healthcare products is a costly, lengthy and
an uncertain process. A product candidate may fail at any stage, including after significant economic
and human resources have been invested. Our competitors' products or pricing strategies, or any failure
on our part to develop commercially successful products, or to develop additional uses for existing
products, could materially and adversely affect our ability to achieve our strategic objectives.
We are committed to the ethical and responsible commercialisation of our products to support our
mission to improve the quality of human life by enabling people to do more, feel better, and live longer.
To accomplish this mission, we engage the healthcare community in various ways to provide important
information about our medicines. Promotion of approved products seeks to ensure that HCPs globally
have access to information they need, that patients and consumers have access to the information and
products they need and that products are prescribed, recommended or used in a manner that provides
the maximum healthcare benefit to patients and consumers. We are committed to communicating
information related to our approved products in a responsible, legal and ethical manner.
Mitigating activities
Our strategic objectives are designed to ensure we achieve our mission of helping people do more, feel
better and live longer. We continue to strive for new product launches that are competitive and
resourced effectively. We also strive to have a healthy proportion of the Group's sales ratio attributable
to new product or innovation sales.
This innovation helps us defray the effect, for example, of downward price pressure in major markets,
declining emerging market growth and negative foreign exchange impact. Establishing new products
that are priced to balance expectations of patients and consumers, HCPs, payers, shareholders, and
the community enables us to maintain a strong global business and remain relevant to the needs of
patients and consumers. Our values and behaviours provide a guide for how we lead and make
decisions. We constantly strive to do the right thing and deliver quality products and ensure supply is
sustained to meet customer needs and demand requirements, seeking to ensure our actions reflect our
values, behaviours and the mission of our company.
We have taken action to enhance and improve standards and procedures for customer and consumer
engagement utilising the application of data analytics and e-commerce channels. We have policies and
standards governing commercial activities undertaken by us or on our behalf. Training has been
implemented to support the evolution of our activities to all relevant employees. All of these activities
we conduct worldwide must conform to high ethical, regulatory, and industry standards. Where local
standards differ from global standards, the more stringent of the two applies. We have harmonised
policies and procedures to guide above-country commercial practice processes as well as clarified
applicable standards for operations in the various markets in which we operate. Each business has
adopted the Internal Control Framework to support the assessment and management of its risks.
Commercial practices activities have appropriate monitoring programmes and oversight from both
business unit Risk Management and Compliance Boards and Country Executive Boards that manage
risks across in-country business activities. Where in the past we have fallen below our own or any other
regulatory or industry standards, we have sought to improve both the framework and culture for our
compliance processes.
All promotional materials and activities must be reviewed and approved according to our policies and
standards, and conducted in accordance with local laws and regulations, to seek to ensure that these
materials and activities fairly represent the products or services of the Group. When necessary, we
have disciplined (up to and including termination) employees who have engaged in misconduct and
have broadened our ability to claw back remuneration from senior management in the event of
misconduct.
We have eliminated rewards based on individual sales or market share of prescription products for
sales professionals and their managers who interact with HCPs in favour of rewards based on the
quality of the individuals' interactions with HCPs.
In October 2018, we announced changes that allow fair market value payments to be made by GSK to
expert practitioners to speak about our innovative medicines and vaccines in a limited number of
countries during a restricted time period in a product's lifecycle. New controls and training have been
implemented to support these changes while ensuring appropriate oversight and assurance across the
markets. Under the new policy, we will expand our reporting of payments to individual HCPs as part of
our commitment to transparency and responsible disclosure.
Privacy
Risk definition
The failure to collect, secure, use and destroy personal information (PI) in accordance with applicable
data privacy laws.
Risk impact
Non-compliance can lead to harm to individuals (e.g. financial loss, distress, prejudice) and GSK (e.g.
fines, management time, operational inefficiency, out of pocket costs, and reputational damage). It can
also damage trust between GSK and individuals, communities, business partners and government
authorities.
The General Data Protection Regulation (GDPR) increased the enforcement powers of EU supervisory
authorities, including by allowing them to impose fines of up to 4% of global revenue, and to require the
suspension of processing PI in certain circumstances. GDPR also gives individuals the right to bring
collective legal actions against GSK for failure to comply with data privacy laws.
Context
Data Privacy laws are diverse, with limited harmonisation, despite Europe's adoption of GDPR. In many
countries in which GSK operates, local data privacy laws govern how GSK can collect and use PI. It is
challenging for multi-nationals to standardise their approach to compliance with data privacy laws due
to the high-level of local variation. Governments are enforcing compliance with data privacy laws more
rigorously. There is an increasing focus on the ethical use of PI, over and above compliance with data
privacy laws, and individuals are increasingly aware of their rights under data privacy laws.
Mitigating activities
The Chief Compliance Officer is also the chairperson of the Privacy Governance Board (PGB), which
oversees GSK's overall data privacy programme. Each business and function has appointed a Risk
Owner who is accountable for the oversight of privacy risks associated with that business or functional
area. They are supported by Privacy Leaders within their business or function. Additionally, in some
countries data privacy laws require a Data Protection Officer (DPO) to be appointed. GSK has appointed
a single DPO for the European Union, who is represented and supported in specific countries by
Country Privacy Advisors. The Chief Compliance Officer is the Enterprise Risk Owner (ERO). The ERO
has appointed a delegate risk owner, the Global Privacy Officer (GPO) who has accountability on a
day-to-day basis for designing and implementing the control framework. The GPO co-leads the cross
functional Privacy Centre of Excellence (CoE), together with the Global Privacy Counsel. They are
supported by Privacy Officers and Privacy Counsel for each Region and multiple Country Privacy
Advisors (who are familiar with local privacy regulations).
GSK has emphasised the importance of data privacy from an internal risk management perspective by
separating Privacy as a new, standalone Enterprise Risk from the Information Security Enterprise Risk.
It has created a Privacy Centre of Excellence in Global Ethics and Compliance, which has overseen: (i)
the implementation of a control framework; (ii)remediation of certain existing business activities to
ensure compliance with GDPR (including adopting privacy controls e.g. privacy contract terms, written
records of processing activities, data protection impact assessments) and (iii) a comprehensive training
programme to drive greater awareness and accountability for managing PI across the entire
organisation. Key roles of the privacy network at GSK will be certified with an accredited international
privacy association.
Through monitoring, we continuously improve our processes, such as issue identification, reporting and
handling capabilities. We are developing a process to detect and assess new privacy regulations to
proactively prepare and mitigate regulatory risk to GSK.
Research practices
Risk definition
Failure to adequately conduct ethical and sound preclinical and clinical research. In addition, failure to
engage in scientific activities that are consistent with the letter and spirit of the law, industry, or the
Group's requirements, and failure to secure adequate patent protection for GSK's products.
Risk impact
The impacts of the risk include harm to human subjects, reputational damage, failure to obtain the
necessary regulatory approvals for our products, governmental investigation, legal proceedings brought
against the Group by governmental and private plaintiffs (product liability suits and claims for damages),
loss of revenue due to inadequate patent protection or inability to supply GSK products, and regulatory
action such as fines, penalties, or loss of product authorisation. Any of these consequences could
materially and adversely affect our financial results and cause loss of trust from our customers and
patients.
Context
Research relating to animals can raise ethical concerns. While we attempt to address this proactively,
animal studies remain a vital part of our research. In many cases, they are the only method that can be
used to investigate the effects of a potential new medicine in a living body before it is studied in humans.
Animal research can provide critical information about the causes of diseases and how they develop.
Nonetheless, we are continually seeking ways in which we can minimise our use of animals in research,
whilst complying with regulatory requirements.
Clinical trials in healthy volunteers and patients are used to assess and demonstrate an investigational
product's efficacy and safety or further evaluate the product once it has been approved for marketing.
We also work with human biological samples. These samples are fundamental to the discovery,
development and safety monitoring of our products.
The integrity of our data is essential to success in all stages of the research data lifecycle: design,
generation, recording and management, analysis, reporting, storage and retrieval. Our research data is
governed by legislation and regulatory requirements. Research data and supporting documents are
core components at various stages of pipeline progression decision-making and form the content of
regulatory submissions, publications and patent filings. Poor data integrity can compromise our
research efforts and negatively impact company reputation.
There are innate complexities and interdependencies required for regulatory filings, particularly given
our global research and development footprint. Continually changing and increasingly stringent
submission requirements continue to increase the complexity of worldwide product registration.
Scientific engagement (SE), defined as the interaction and exchange of information between GSK and
external communities to advance scientific and medical understanding, including the appropriate
development and use of our products, is an essential part of scientific discourse. Such non-promotional
engagement with external stakeholder groups is vital to GSK's mission and necessary for scientific and
medical advance. SE activities are essential but present legal, regulatory, and reputational risk if the
sharing of data, invited media coverage or payments to HCPs have, or are perceived to have,
promotional intent.
A wide variety of biological materials are used by GSK in discovery, research and development phases.
Through the Convention on Biological Diversity (CBD) and the Nagoya Protocol, the international
community has established a global framework regulating access to, and use of, genetic resources of
non-human origin in Research and Development (R&D). We support the principles of access and
benefit sharing to genetic resources as outlined in the CBD and the Nagoya Protocol, recognising the
importance of appropriate, effective and proportionate implementation measures at national and
regional levels.
Patent rights play an important role in providing GSK with a competitive advantage in the market. Any
loss of patent protection in a market for GSK's products developed through our R&D, including reducing
the availability or scope of patent rights, could materially and adversely affect our financial results in
that market. Absence of adequate patent or data exclusivity protection, which could lead to, for example,
competition from manufacturers of generic pharmaceutical products, could limit the opportunity to rely
on such markets for future sales growth for our products, which could also materially and adversely
impact our financial results. Following expiration of certain intellectual property rights, a generic
manufacturer may lawfully produce a generic version of a product. Introduction of generic products
typically leads to a rapid and dramatic loss of sales and reduces our revenues and margins for our
proprietary products.
Mitigating activities
We have an established Office of Animal Welfare, Ethics and Strategy (OAWES), led by the Chief of
Animal Welfare, Ethics and Strategy, that ensures the humane and responsible care of animals and
increases the knowledge and application of non-animal alternatives. The OAWES provides a framework
of animal welfare governance, promotes application of 3Rs (replacement, refinement and reduction of
animals in research), conducts quality assessments and develops and deploys strategies on animal
model reproducibility and translatability.
The Chief Medical Officer oversees the following enterprise Medical Governance Boards:
- The Human Subject Research Board is in place to provide oversight for the human subject research sponsored and supported by us to ensure it conforms to ethical, medical and scientific standards
- The Data Disclosure Board provides oversight for disclosure of our sponsored and supported human subject research. We make information available on our clinical studies, including summaries of the results - whether positive or negative. We were the first company to publish clinical study reports that form the basis of submissions to regulatory agencies and we have publicly posted more than 2,400 clinical study reports in addition to more than 6,400 study result summaries
- Specific accountability and authorisation for SE is overseen by the Scientific Engagement and Promotional Practices Board. This Board is responsible for oversight of applicable policies and seeking to ensure the highest level of integrity and continuous development of SE
We have a Global Human Biological Samples Management (HBSM) governance framework in place to
oversee the ethical and lawful acquisition and management of human biological samples. Our HBSM
Enterprise Risk Management Team champions HBSM activities and provides an experienced group to
support internal sample custodians regarding best practice.
It remains an important priority to enhance our data integrity controls. Data Integrity Committees are in
place to provide oversight and Data Integrity Quality Assurance teams conduct assessments to provide
independent business monitoring of our internal controls for R&D activities.
The Regulatory Governance Board serves as the global regulatory risk management and compliance
board, promoting compliance with regulatory requirements and procedures, and oversees Group-wide
written standards for cross business regulatory processes.
We established an Access and Benefit Sharing Centre of Excellence to oversee applicable
requirements and enforcement measures for the acquisition and use of genetic material of non-human
origin in scope of the Nagoya Protocol.
R&D maintains and controls pre-publication procedures to guard against public disclosure in advance
of filing patent applications. In addition, because loss of patent protection can occur due to lack of data
integrity in preparing patent application data and information, legal experts collaborate with R&D to
support the review process for new patent applications.
The Research Practices risk is overseen by an Enterprise framework that seeks to ensure strengthened
governance across the R&D businesses in Pharmaceuticals, Vaccines and Consumer Healthcare.
Under the leadership of the Research Practices Enterprise Risk Owner, management of the risk takes
a pragmatic approach to information sharing, streamlining risk identification and escalation, while
ensuring ownership stays with the business.
Third party oversight (TPO)
Risk definition
Failure to maintain adequate governance and oversight over third party relationships and failure of third
parties to meet their contractual, regulatory, confidentiality or other obligations.
Risk impact
Failure to adequately manage third party relationships could result in business disruption and exposure
to risks ranging from sub-optimal contractual terms and conditions, to severe business and legal
sanctions and/or significant reputational damage. Any of these consequences could materially and
adversely affect our business operations and financial results.
Context
Third parties are critical to our business delivery and are an integral part of the solution to meeting our
business objectives. We rely on third parties, including suppliers, advisors, distributors, individual
contractors, licensees, and other pharmaceutical and biotechnology collaboration partners for
discovery, manufacture, and marketing of our products and for supporting other important business
processes.
These business relationships present a material risk. For example, we share critical and sensitive
information such as marketing plans, clinical data, and employee data with specific third parties who
are conducting the relevant outsourced business activities. Inadequate protection or misuse of this
information by third parties could have significant business impact. Similarly, we use distributors and
agents in a range of activities such as promotion and tendering which have inherent risks such as
inappropriate promotion or corruption. Insufficient internal compliance and controls by the distributors
could affect our reputation. These risks are further increased by the complexities of working with large
numbers of third parties across a diverse geographical spread.
Mitigating activities
To guide and enforce our global principles for interactions with third parties we have a global policy
framework applicable to buying goods and services, managing our external spend, paying and working
with our third parties. This policy framework applies to all employees and complementary workers
worldwide. The enterprise-wide TPO programme takes an enterprise-wide view of third party related
risks to ensure compliance with our ABAC policies and additional risks such as Labour Rights, Health
and Safety and Human Safety Information. It forms a comprehensive and practical approach to third
party oversight that is flexible to the evolving nature of our business and the type of engagement being
managed. The programme is managed through the Global Ethics and Compliance organisation and
has been globally deployed. It has strengthened risk assessment, contractual terms and due diligence
efforts on third parties and improved the overall management of our third party risks through the lifecycle
of the third party engagement.
Programme governance is provided through Enterprise Risk Management overseen by the TPO
Governance Board which includes representation from key functional areas and the business. We have
a dedicated TPO team responsible for the implementation and evolution of the programme in response
to developments in the internal and external environment.
Each business leadership team retains ultimate accountability for managing third party interactions and
risks. When working with third parties, our employees are expected to manage external interactions
and commitments responsibly. This expectation is embedded in our values and Code of Conduct. It is
our responsibility that all activities carried out on our behalf are performed safely and in compliance with
applicable laws and our values, expectations, standards and Code of Conduct (See ABAC report
above).
Our programme is complemented with independent oversight and assurance undertaken by the Audit
& Assurance and Independent Business Monitoring teams. We review the TPO programme against
other large multinational companies and use external expertise and internal insights to drive
improvements in the programme.
Environment, health & safety and sustainability (EHS&S)
Risk definition
Failure to manage environment, health & safety and sustainability (EHS&S) risks in line with our
objectives and policies and with relevant laws and regulations.
Risk impact
Failure to manage EHS&S risks could lead to significant harm to people, the environment and
communities in which we operate, fines, failure to meet stakeholder expectations and regulatory
requirements, litigation or regulatory action, and damage to the Group's reputation, which could
materially and adversely affect our financial results.
Context
We are subject to health, safety and environmental laws of various jurisdictions. These laws impose
duties to protect people, the environment, and the communities in which we operate, as well as potential
obligations to remediate contaminated sites. We have also been identified as a potentially responsible
party under the US Comprehensive Environmental Response Compensation and Liability Act at a
number of sites for remediation costs relating to our use or ownership of such sites in the US. Failure
to manage these environmental risks properly could result in litigation, regulatory action and additional
remedial costs that may materially and adversely affect our financial results. See Note 45 to the financial
statements, 'Legal proceedings', for a discussion of the environmental related proceedings in which we
are involved. We routinely accrue amounts related to our liabilities for such matters.
Mitigating activities
The Corporate Executive Team (CET) is responsible for EHS&S governance under a global policy.
Under that policy, the CET seeks to ensure there is a control framework in place to manage the risks,
impacts and legal compliance issues that relate to EHS&S and for assigning responsibility to senior
managers for providing and maintaining those controls. Individual managers seek to ensure that the
EHS&S control framework is effective and well implemented in their respective business area and that
it is fully compliant with all applicable laws and regulations, adequately resourced, maintained,
communicated, and monitored. Additionally, each employee is personally responsible for ensuring that
all applicable local standard operating procedures are followed by them and expected to take
responsibility for EHS&S matters.
Our risk-based, proactive approach is articulated in our Global EHS&S standard which supports our
EHS&S policy and our objective to discover, develop, manufacture, supply and sell our products without
harming people or the environment. In addition to the design and provision of safe facilities, plant and
equipment, we operate rigorous procedures that help us eliminate hazards where practicable and
protect employees' health and well-being.
Through our continuing efforts to improve environmental sustainability we have reduced our value chain
carbon intensity per pack, water consumption and waste generation. We actively manage our
environmental remediation obligations and seek to ensure practices are environmentally sustainable
and compliant.
Information security
Risk definition
The risk to GSK business activities if information becomes disclosed to those not authorised to see it,
or if information or systems fail to be available or are corrupted, typically because of cybersecurity
threats, although accident or malicious insider-action may be contributory causes.
Risk impact
Failure to adequately protect critical and sensitive systems and information may result in loss of
commercial or strategic advantage and could materially affect our ongoing business operations, such
as scientific research, clinical trials and manufacturing and supply chain activities.
Context
We rely on critical and sensitive systems and data, such as corporate strategic plans, intellectual
property, manufacturing systems and trade secrets. There is the potential that our computer systems
or information may be exposed to misuse or unauthorised disclosure.
We believe that the cyber security incidents that we have experienced to date have not resulted in
significant disruptions to our operations and have not had a significant adverse effect on our results of
operations, or on third parties. However, as the threats evolve we cannot provide assurance that our
significant efforts in protecting and monitoring our systems and information will always be successful in
preventing compromise or disruption in future. They increasingly involve highly-resourced threat actors
such as nation-states and organised criminals. Combined with the size and complexity of our IT systems
and those of our supply chain partners (including outsourced operations), this means that our systems
and information have been, and are expected to continue to be, the subject of cyber-attacks of various
types.
Mitigating activities
We have a global information protection policy and accompanying information technology standards
and processes that are supported through a dedicated team and programme of activity. Our Information
Protection function provides strategy, direction, and oversight, including active monitoring of cyber
security, while enhancing our global information security capabilities, through an ongoing programme
of investment that is in its sixth year.
We assess changes in our information protection risk environment through briefings by government
agencies, subscription to commercial threat intelligence services and knowledge sharing with other
pharmaceutical businesses and cross-industry bodies. Such changes are regularly reviewed by our
Executive team and our Board and suitable adjustments agreed.
We aim to apply industry best practices as part of our information security policies, processes and
technologies and invest in strategies that are commensurate with the changing nature of the security
threat landscape. This will include suitable levels of cyber-risk insurance cover in future.
Supply continuity
Risk definition
Failure to deliver a continuous supply of compliant finished product; inability to respond effectively to a
crisis incident in a timely manner to recover and sustain critical operations, including key supply chains.
Risk impact
We recognise that failure to supply our products can adversely impact consumers and patients who rely
on them. A material interruption of supply or exclusion from healthcare programmes could expose us
to litigation or regulatory action and financial penalties that could adversely affect the Group's financial
results. The Group's international operations, and those of its partners, expose our workforce, facilities,
operations and information technology to potential disruption from natural events (e.g. storm,
earthquake), man-made events (e.g. civil unrest, terrorism), and global emergencies (e.g. Ebola
outbreak, flu pandemic). It is important that we have robust crisis management and recovery plans in
place to manage such events.
Context
Our supply chain operations are subject to review and approval by various regulatory agencies that
effectively provide our license to operate. Failure by our manufacturing and distribution facilities or by
suppliers of key services and materials could lead to litigation or regulatory action such as product
recalls and seizures, interruption of supply, delays in the approval of new products, and suspension of
manufacturing operations pending resolution of manufacturing or logistics issues.
We rely on materials and services provided by third party suppliers to make our products, including
active pharmaceutical ingredients (API), antigens, intermediates, commodities, and components for the
manufacture and packaging of Pharmaceutical, Vaccine and Consumer Healthcare products. Some of
the third party services procured, such as services provided by contract manufacturing and clinical
research organisations to support development of key products, are important to ensure continuous
operation of our business.
Although we undertake risk mitigation we recognise that certain events could nevertheless still result in
delays or service interruptions. We use effective crisis management and business continuity planning
to provide for the health and safety of our people and to minimise impact to us, by maintaining functional
operations following a natural or man-made disaster, or a public health emergency.
Mitigating activities
Our supply chain model is designed to ensure the supply, quality and security of our products globally,
as far as possible. Through the Supply Chain Governance Committees we closely monitor the inventory
status and delivery of our products, with the aim of ensuring that customers have the Pharmaceutical,
Vaccines and Consumer Healthcare products they need. Improved links between commercial
forecasting and manufacturing made possible by our core commercial cycle should, over time, reduce
the risk associated with demand fluctuations and any impact on our ability to supply or the cost of write
offs where products exceed their expiry date. Each node of the supply chain is periodically reviewed to
ensure adequate safety stock, while balancing working capital in our end-to-end supply chain. Particular
attention is placed on mitigating supply risks associated with medically critical and high-revenue
products.
We routinely monitor the compliance of manufacturing external suppliers to identify and manage risks
in our supply base. Where practical, we minimise our dependence on single sources of supply for critical
items. Where alternative sourcing arrangements are not possible, our inventory strategy aims to protect
the supply chain from unanticipated disruption.
We continue to implement anti-counterfeit systems such as product serialisation in accordance with
emerging supply chain requirements such as the EU Falsified Medicines Regulation around the world.
A corporate policy requires each business and functional area head to ensure effective crisis
management and business continuity plans are in place that include authorised response and recovery
strategies, key areas of responsibility and clear communication routes, before any business disruption
occurs. Corporate Security supports the business by: coordinating crisis management and business
continuity training; facilitating simulation exercises; assessing our preparedness and recovery capability;
and providing assurance oversight of our central repository of plans supporting our critical business processes.
Each business performs risk oversight to assure adequate risk mitigation including identifying new and
emerging threats. We have a coordinated approach to evaluate and manage the implications for our
business arising from Brexit. Our approach to Brexit is set out on page 36.
These activities help ensure an appropriate level of readiness and response capability is maintained.
We also develop and maintain partnerships with external bodies like the Business Continuity Institute
and the UN International Strategy for Disaster Risk Reduction, which helps improve our business
continuity initiatives in disaster-prone areas and supports the development of community resilience to
disasters.
APPENDIX B
Directors' responsibility statement
Each of the current Directors, whose names and functions are listed below in the Corporate Governance section of the Annual Report 2018 confirms that, to the best of his or her knowledge:
- the Group financial statements, which have been prepared in accordance with IFRS as adopted by the EU and IFRS as issued by the IASB, give a true and fair view of the assets, liabilities, financial position and profit of the Group; and
- the Strategic report and risk sections of the Annual Report, which represent the management report, include a fair review of the development and performance of the business and the position of the Group, together with a description of the principal risks and uncertainties that it faces.
| Name | Function |
| Sir Philip Hampton | Independent Non-Executive Chairman |
| Emma Walmsley | Chief Executive Officer |
| Dr Hal Barron | Chief Scientific Officer and President, R&D |
| Simon Dingemans Iain Mackay | Chief Financial Officer Chief Financial Officer Designate |
| Manvinder Singh (Vindi) Banga | Senior Independent Non-Executive Director |
| Dr Vivienne Cox | Independent Non-Executive Director and Workforce Engagement Director |
| Lynn Elsenhans | Independent Non-Executive Director |
| Dr Laurie Glimcher | Independent Non-Executive Director and Scientific & Medical Expert |
| Dr Jesse Goodman | Independent Non-Executive Director and Scientific & Medical Expert |
| Judy Lewent | Independent Non-Executive Director |
| Urs Rohner | Independent Non-Executive Director |
|
|
|
APPENDIX C
Related party transactions
At 31 December 2018, GSK owned 32 million shares or 31.7% of Innoviva Inc. which is a biopharmaceutical company listed on NASDAQ. GSK began recognising Innoviva as an associate on 1 September 2015. The royalties due from GSK to Innoviva in the year were £209 million (2017 - £173 million). At 31 December 2018, the balance payable by GSK to Innoviva was £64 million (2017 - £53 million).
At 31 December 2018, GSK held a 50% interest in Japan Vaccine Co. Ltd (JVC) through its subsidiary GlaxoSmithKline K.K. This joint venture with Daiichi Sankyo Co., Ltd is primarily responsible for the development and marketing of certain prophylactic vaccines in Japan. During 2018, GSK sold £43 million (2017 - £41 million) of its vaccine products into the joint venture. At 31 December 2018, the trading balance due to GSK from JVC was £15 million (2017 - £11 million) and the balance payable by GSK to JVC was £nil (2017 - £nil).
Loans of £5 million to Medicxi Ventures I LP and £6 million to Index Ventures Life VI (Jersey) LP remained due to GSK at 31 December 2018. In 2018, GSK increased the equity investment in Kurma Biofund II, FCPR by £3 million, Apollo Therapeutics LLP by £2 million and Longwood Founders Fund LP by £0.2 million, and reduced a liability with Qura Therapeutics LLC by £3 million. As at 31 December 2018, the outstanding liability to Qura was £4 million.
The aggregate compensation of the Directors and CET is given in Note 9, 'Employee costs'.