Enterprise
Risk Management

We integrate enterprise risk management into the heart of our strategy and operations, ensuring resilience throughout our value chain, driven by our mission to accelerate life-changing treatments. We adopt a proactive and rigorous approach to risk management. This integrated approach reinforces innovation, elevates decision-making, and underpins sustained value creation for patients, stakeholders, and the communities we serve.

Our risk management framework is anchored in six core pillars

Our Enterprise Risk Management (ERM) Policy is designed to proactively identify and address internal and external risks across strategic, financial, operational, geopolitical, technological, ESG, climate, governance, social, cybersecurity, information security, and third-party domains. It establishes clear reporting lines, accountability structures, and robust systems and processes for effective risk oversight, ensuring business continuity, transparency, responsiveness, and sustainable growth.

Risk Governance

Three Lines of Accountability

We use the ‘three lines of defense’ model to uphold strong and comprehensive risk governance. The oversight rests with the Board of Directors, supported by the Risk Management Committee (RMC), which guides the effectiveness of our risk management and internal control systems. The RMC reviews and endorses the enterprise risk portfolio and defines risk appetite, taking into account global interdependencies and emerging risks. Meeting biannually, the Committee evaluates management actions, ensuring our responses remain proactive, thoughtful, and closely aligned with our strategic priorities.

The Risk Management Cross-Functional Team leads the execution of this framework, working with designated risk owners to assess mitigation effectiveness, track evolving exposures, and recalibrate risk thresholds. Risk assessments and mitigation strategies are elevated to the RMC, while functional and site teams sustain continuous oversight and disciplined execution across the organization.

Assurance on the design and operating effectiveness of controls that underpin the ERM framework is provided by the independent internal audit team. The annual audit plan follows a risk-based approach and is guided by the enterprise risk portfolio, reflecting changes in the internal and external environment, regulatory developments, prior audit outcomes, and management insights.
Audit coverage is prioritized based on risk likelihood and impact, including emerging and systemic risks, and aligned with defined risk appetite and governance priorities.

The internal audit team systematically reports key observations, control gaps, and improvement opportunities to the management and governance forums, while rigorously tracking the closure of Corrective and Preventive Actions (CAPA). Audit insights and emerging trends actively inform the continuous refinement of risk assessments, recalibration of risk ratings, and advancement of mitigation strategies and internal control frameworks.

To sustain adherence to global benchmarks, external experts are engaged every two years to independently review our audit processes. Reflecting our commitment to global best practices, ISO 31000 Risk Management Principles are being progressively integrated into our enterprise risk management approach, further strengthening its depth, rigor, and resilience.

The Global CFO, serving as Chief Risk Officer, steers the integration of risk management practices across business units and global functions and provides regular oversight updates to the Risk Management Committee of the Board on the effectiveness of risk management processes and internal controls.

Risk Management Framework

We continuously monitor the business landscape to identify emerging risks and opportunities, both internally and externally.

An annual Double Materiality Assessment evaluates risks from both financial and impact perspectives. Risk prioritization is further guided by inputs from risk owners across the organization. Annually, we undertake a comprehensive assessment of risk exposure by evaluating the likelihood and potential impact of identified risks. Scenario planning and sensitivity analyses are continually strengthened to enhance preparedness for strategic and operational risks and to anticipate potential disruptions.

Each identified risk and opportunity is assigned to designated risk owners, typically senior leadership (Lupin Presidents), who are supported by site and functional teams, to develop and implement appropriate mitigation plans. Progress is monitored through quarterly risk reviews, with biannual updates, including the refreshed risk register, presented to the Board-level Risk Management Committee.

The achievement of risk mitigation actions and objectives is integrated into annual performance evaluations, with direct implications for executive and employee compensation and incentives, thus reinforcing accountability across the organization.

Strengthening our Risk Culture

We facilitate structured, periodic risk management training for the Board of Directors and the Risk Management Committee (including Non-Executive Directors) to strengthen governance oversight and enable informed decision-making.

Through structured training, skill development initiatives, and expert-led workshops throughout the year, we build risk awareness and capability across our corporate offices and manufacturing sites, enabling employees at all levels to effectively identify, assess, and manage risks.

Guided by our purpose and values-led culture, we foster an environment where employees are empowered to speak up and raise potential risks. Concerns can be reported through leadership channels or the office of the Ombudsperson, which ensures careful, confidential, and professional handling. Employees and contractors are encouraged to identify and report various early risk signals, including near-miss incidents, changes in market dynamics, and updates in statutory and regulatory requirements, thereby reinforcing a culture of integrity, accountability, and resilience.

Recognizing occupational health and safety as a critical priority, we have embedded reinforcement mechanisms such as the EHSAAS (Environment, Health and Safety Awards and Accolade System) to strengthen vigilance and promote timely reporting. We also integrate a rigorous risk management approach into the development of new products and services, ensuring safety and regulatory compliance at every stage.

Some measures include:

Adhering to Standard Operating Procedures (SOPs) anchored in the Hazard Identification and Risk Assessment (HIRA) methodology, focusing on risk mitigation through engineering controls and the effective use of Personal Protective Equipment (PPE).

Structuring SOPs to holistically address risk impacts, mitigate adverse environmental effects, and support sustainable operations.

Maintaining readiness for rigorous regulatory audits, including those conducted by the U.S. FDA and U.K. MHRA. Employees are prepared through targeted initiatives such as the Audit Readiness film, which simulates real-world audit scenarios.

Annual Risk Process

Lupin’s Risk Portfolio 2026

During FY26, we undertook a comprehensive review of our risk landscape, reflecting evolving regulatory requirements and emerging risks across business, trade, geopolitical, and environmental factors.

Insights from the Double Materiality Assessment and the Task Force on Climate-related Financial Disclosures (TCFD) study are integrated into our Enterprise Risk Management (ERM) framework. Our consolidated risk portfolio offers an enterprisewide perspective and is reviewed biannually. Risks are classified into four categories – strategic, operational, emerging, and systemic – with exposure ratings assigned based on likelihood and potential impact, enabling effective prioritization and response.

Strategic risks that may impede the achievement of an organization’s strategic goals, stemming from key strategic decisions and initiatives.


Emerging risks which are new or rapidly evolving threats characterized by uncertainty, driven by societal changes or trends.

Operational risks that arise from internal processes, systems, or human errors that can disrupt day-to-day operations.


Systemic risks that are long-term industry or environmental trends that have the potential to significantly impact an organization over time.

Top Risks

Risk Prioritization Matrix

Risk Mitigation Measures