Corporate Governance

Novartis is committed to good corporate governance. The Group’s principles and rules on corporate governance are laid down in the Articles of Incorporation, the Regulations of the Board and the Charters of the Board Committees. The Board’s Governance, Sustainability and Nomination Committee reviews these principles and rules regularly in light of prevailing best practices and forwards suggestions for improvement to the full Board for approval.


Board and executive remuneration

At Novartis, our compensation system seeks to reward our executives for delivering sustainable growth, successful outcomes on our financial and strategic targets and value creation for our shareholders. We aim to be transparent in how we link executive compensation to performance and continue to engage with shareholders and proxy advisors in this effort. 


Business ethics

Building trust with customers, patients, associates and society is the foundation of our long-term success. Our stakeholders not only expect us to do what is legally required, but also to act with high ethical standards wherever we operate and to be accountable for the way our business impacts people and the environment. We recognize these expectations of our company and strive to do what’s right both for Novartis and for society at large. 


Other information

  • Internal audit process
    • Internal Audit assists the Board of Directors and the ECN in discharging their governance responsibilities by providing independent assurance and advice on the effectiveness, efficiency and adequacy of processes and controls that support Novartis in achieving its objectives, managing its major risks, and ensuring compliance with applicable policies, laws and regulations. 
    • The Internal Audit function executes the risk-based annual audit plan approved by the Board-level Audit and Compliance Committee (ACC) and reports the results to the audited units, the ECN and the ACC. These audits include the review of ethical standards as well.

Information security & data privacy

At Novartis, and as reflected in our Code of Ethics, we are committed to the responsible use of personal information in our business processes and the setting of the appropriate standards to achieve this purpose. We have robust governance, policies and systems in place to ensure the security of our data and IT systems, including Board-level oversight of cybersecurity through the Risk Committee, and management-level responsibility through our Chief Information Security Officer (CISO). Novartis has not experienced any material cybersecurity incidents in the three years through 2021. 


Other information

  • Governance
    • The CISO updates the Risk Committee on cybersecurity matters at least annually. 
    • The Ethics, Risk & Compliance (ERC) function oversees the company’s risk management and compliance functions, including risk-based company-wide policies and internal control management, as well as crisis and business continuity management.
  • Policies and awareness
    • The Novartis Global Information Management Policy is available to all employees via the Novartis intranet.
    • All Novartis employees are required to participate in mandatory training in Information Management. In addition, Novartis has quarterly campaigns to guard against ‘phishing’ and provides regular information on cybersecurity awareness throughout the year. 
    • To ensure compliance with the Information Management Policy, Novartis includes cybersecurity in its Code of Ethics commitments. In case of violation of cybersecurity policies, the company may take disciplinary action, up to and including termination. Novartis may also take legal action against departing employees who have violated security/data confidentiality policies or violated our IP rights.
    • The company requires all suppliers to implement organizational security policies and standards. Please see the Minimum Information Security Controls for more details.
  • Systems and testing
    • To prevent IT system interruptions, Novartis has service continuity and systems recovery plans in place that are tested periodically and based on risk. The company conducts internal vulnerability analyses (including simulated hacking) as well as external testing via a third party to ensure the effectiveness of its cybersecurity controls. In addition, Novartis works with third parties to audit its cybersecurity controls, including specific assessments of areas such as network security and cloud security and an annual NIST maturity assessment of security programs.
  • Incident escalation process
    • Novartis requires employees to report IT security incidents to their relevant IT Service Desk. Urgent security incidents must be reported directly to the Novartis IT Security Operations Center (SOC) via a 24/7 telephone hotline.

Risk Management

The Novartis Enterprise Risk Management (ERM) framework is designed to generate a holistic view of risks for the company and drive a culture of smart risk-taking. While our Code of Ethics sets the ethical framework for all employees to manage risk across our business, risk management is a fundamental leadership responsibility that involves active engagement by leaders at each stage of the process. The overall ERM process is the responsibility of the Chief Ethics, Risk & Compliance Officer, with oversight from the Executive Committee of Novartis and the Board of Directors. 


Other information

Emerging Risks (1)

  • Emerging Risk 1
    • Name of the emerging risk: Emerging business models
    • Category: Technological
    • Description: Rapid progress in medical and digital technologies and in the development of new business models is significantly transforming our industry by creating new opportunities for improving patient care and increasing revenue and profit, while at the same time creating a more uncertain regulatory environment and heightened societal expectations. Technology companies are seeking to enter the healthcare industry across the value chain, from research and development to pharmaceutical distribution and the delivery of care, which generates opportunities for partnerships that may accelerate innovation and complement our capabilities. In addition, the regulatory environment is evolving, with new guidelines to reflect changes in technology. For example, the FDA has issued guidance on software as a medical device as well as Good Machine Learning Practices.
    • Impact: Given the emerging nature of the risk, a precise quantification of the impact is not possible. However, this trend may potentially disrupt our relationships with patients, healthcare professionals, customers, distributors and suppliers, with potentially negative consequences for our business. If Novartis fails to adequately leverage digital technologies, it risks significant negative business impact, primarily from lost opportunities. We may ultimately fail to either create innovative new products, tools or techniques in an adequate time frame, or to perform digital transformation in a compliant manner, leading to regulatory implications.
    • Mitigating actions: To take advantage of these opportunities and avoid potential risk implications, we have embarked upon a digital transformation strategy and have made data and digital one of the pillars of our corporate strategy. We are investing substantial resources into efforts to improve the way we use data in drug discovery and development; to gain insights into customer preferences and behaviors via data science; to improve the ways we engage with patients, doctors and other stakeholders; and to automate business processes. Our success in these efforts will depend on many factors, including data quality, technology architecture, partnering with the right technology companies, training our employees to fully capitalize on the new capabilities, attracting and retaining employees with appropriate skills and mindsets, and successfully innovating across a variety of technology fields.
  • Emerging Risk 2
    • Name of the emerging risk: Reimbursement of one-time cell and gene therapy treatments
    • Category: Economical
    • Description: Novartis is a pioneer in one-time, ex-vivo and in-vivo cell and gene therapies with Kymriah®, Luxturna®, and Zolgensma®. These innovative medicines offer more targeted approaches to fighting – and, in some cases, potentially curing – serious diseases, replacing chronic therapies that must be administered repeatedly over a longer period. Healthcare systems were not prepared to manage the reimbursement for one-time medicines, and they are adapting at different speeds, which can lead to delays to access and reimbursement of such therapies in selected markets.
    • Impact: Delays or failure to achieve reimbursement for innovative one-time therapies may affect our ability to secure adequate, value-based prices for our products and maintain an acceptable return on our investments in research and development. As of the end of 2021, this risk has largely not materialized in our largest markets, i.e. US, Europe, Japan – in part due to our mitigation efforts (see below). In most of the markets where we operate, the prices of pharmaceutical products are subject to both direct and indirect price controls and to drug reimbursement programs with varying price control mechanisms. Due to increasing political pressure and governmental budget constraints, we expect these mechanisms to remain robust – and potentially even to be strengthened – and to have a continued negative influence on the prices we are able to charge for our products. This challenge is expected to intensify in 2022 and beyond as political and budget pressures mount, and healthcare payers step up initiatives to reduce the overall cost of healthcare and restrict access to higher-priced new medicines.
    • Mitigating actions: Achieving sustainable access to one-time cell and gene therapies in diverse markets requires a menu of options to address the needs of stakeholders. For example, Novartis introduced novel contractual arrangements for Zolgensma®, our one-time gene therapy for spinal muscular atrophy, that link reimbursement to individual patient outcomes. We are also working closely with payers to offer payment-over-time options for up to five years, and outcomes-based agreements with terms up to five years based on individual patient health outcomes. Our early access and “Day One” access agreements offer customizable options for payers – including retroactive rebates, deferred payments, installment options and outcome-based rebates.

  1. The risks are defined as “Emerging” based on the S&P Global Corporate Sustainability Assessment definition.