Tipping the Scale: Reynolds' Supplier Risk Management Program Creates a Balance between Cost and Risk
Reynolds American
Suzanne Wood, Director, Internal Audit
EY
Patrick Fishburne, Manager, Performance Improvement Services
Jason Parnes, Manager, Advisory Risk Services
Introduction
Presenter bios
Name: Jason Parnes
Company: Ernst & Young LLP
Title: Manager, Advisory Risk Services
Background: Jason Parnes is a manager in the Advisory Risk Services practice of Ernst & Young LLP. He
graduated from Northern Kentucky University in 2008 and has been involved in a wide variety of
professional service activities during his career, which includes tax, audit, operational process
assessments and fraud investigation. In the past two years, Jason has been focused on the area of
supply chain and has assisted top global manufacturers across multiple industry lines (automotive
and consumer products) in the development of a global supply chain finance organization and third-
party risk management programs/organizations.
Name: Patrick Fishburne
Company: Ernst & Young LLP
Title: Manager, Performance Improvement Services
Background: Patrick Fishburne is a Manager in the Advisory Services practice of Ernst & Young LLP. He
graduated from the University of Notre Dame in 2005. He is a performance improvement supply
chain professional with four years of industry experience working in government supply chain and
logistics. As a member of the Advisory Service practice, Patrick’s key areas of focus are
procurement risk, sourcing and category management. Prior to joining Ernst & Young LLP, Patrick
was a Supply Corps Officer in the United States Navy, serving on two ships that deployed to the
Middle East and South East Asia. Patrick received his MBA from the University of Notre Dame’s
Mendoza College of Business in 2011.
Name: Suzanne Wood
Company: Reynolds American Inc.
Title: Director, Internal Audit
Background: Suzanne Wood is a director in the Internal Audit Department of Reynolds American Inc.
She graduated from Appalachian State University in 1985 and received her Masters of Engineering
from North Carolina State University in 2004. In addition to her work with Internal Audit, Suzanne
has industry experience in IT, supply chain and operations strategy. Suzanne managed supply
chain compliance activities and developed models/plans to facilitate and support strategic company
initiatives and decisions. In addition to overseeing operational and FDA readiness audits, she has
spent the last nine months leading a supplier risk management initiative by collaborating with key
business resources, leveraging business knowledge and capitalizing on risks/gaps identified
through Internal Audit work.
Reynolds American Inc. (RAI) company background
Reynolds American Inc. (NYSE: RAI) is the parent company of R.J. Reynolds
Tobacco Company; American Snuff Company, LLC; Santa Fe Natural Tobacco
Company, Inc.; Niconovum USA, Inc.; Niconovum AB; and R. J. Reynolds Vapor
Company.
• R.J. Reynolds Tobacco Company is the second-largest US tobacco company. The company's
brands include two of the best-selling cigarettes in the US: Camel and Pall Mall. These
brands, and the company’s other brands, including Winston, Kool, Doral, Salem, Misty and
Capri, are manufactured in a variety of styles and marketed in the US.
• American Snuff Company, LLC is the nation’s second-largest manufacturer of smokeless
tobacco products. Its leading brands are Grizzly and Kodiak.
• Santa Fe Natural Tobacco Company, Inc. manufactures and markets Natural American Spirit
100% additive-free natural tobacco products, including styles made with organic tobacco.
• Niconovum USA, Inc. and Niconovum AB market innovative nicotine replacement therapy
products in the US and Sweden, respectively, under the Zonnic brand name.
• R.J. Reynolds Vapor Company makes and markets VUSE e-cigarettes, a highly differentiated
vapor product.
EY company background
EY is a leading global professional services firm committed to helping our people, our clients and
our wider communities achieve their potential. It’s about 175,000 people working together to help
each other develop and succeed professionally and personally. It’s about helping clients deliver on
their promises to their markets and stakeholders. We help businesses improve performance
through a range of services, including tax, advisory, assurance and transactions.
At EY we are committed to building a better working world – one with increased trust and
confidence in business, sustainable growth, development of talent in all its forms, and greater
collaboration.
150 countries
175k people
$27.4b revenue
Americas: 53,900+ people
EMEIA: 84,200+ people
Asia-Pacific: 29,800+ people
Japan: 6,800+ people
Session objectives
This session is designed to provide an overview of
the journey to develop a comprehensive supplier risk
management (SRM) program.
You will learn:
• Key aspects of an effective SRM operating/organizational
model, including technology platforms
• An approach to scoring and monitoring supplier risks by
category
• How to identify, categorize and prioritize risks presented by
suppliers
Polling question
How many companies have implemented,
or have begun to implement,
a comprehensive SRM program?
Agenda
1. Problem statement – Why SRM?
2. Journey to today
3. Current SRM model
4. The path forward
5. Achievements and challenges
6. Wrap-up
Why SRM?
A changing environment requires a comprehensive
SRM process
Internal Restructuring
• Outsourcing/subcontracting initiatives
• Supply chain complexities
• Mergers/acquisitions increase the supplier risk universe and demands for efficiency
Regulatory landscape
• Increased regulatory compliance requirements, including FDA
• Growing importance of information, data privacy, anti-bribery, corruption risk management and conflict minerals
• Stringent environmental laws toward investment in greener technologies
Cross-Industry leading practices*
• Need for a scalable supplier risk scoring and monitoring tool and associated technology
• Permanent, defined organization to manage integrated risk scoring and monitoring
• Investment toward de-risking products prior to introduction to market
• Development of cross-functional teams to co-develop SRM programs
*Cross-industry leading practices were benchmarked against nine leading companies.
Our journey
Timeline of SRM activities
2012 2013 2014
SRM consulting engagement initiated
• Identified risk environment pillars
• Partnered with business functions to develop detailed questionnaires
• Created Procurement Compliance group
• Piloted Supplier Vetting Questionnaires (SVQ) for sample suppliers
• Full implementation of SVQ
• Initiated educational sessions
• Created “Total Risk Score” used to inform 2015 audit plans
• In collaboration with an EY team:
  • Developed an integrated SVQ and reporting tool
  • Began development of cost of risk model
2015
• Implement integrated SVQ model
• Collaborate with business functions to refine control activity matrix
• Define system requirements for selecting a tool
• Define operational structure for sustainability
• Continue with development of cost of risk model
Who was involved?
A comprehensive SRM program requires input from
all areas across the business.
Functions shown around SRM in the diagram:
• Finance
• Legal
• IT
• Procurement
• Executive Leadership
• Internal Audit
• Corporate Security
• Regulatory Oversight
Diagram legend:
• Responsible for setting “tone at the top” and driving program development
• Provides direct input into program requirements and actively involved in vetting/monitoring activities
SRM program: initial design
The initial SRM program consisted of three disparate processes.
SVQ
• Used to evaluate new and existing suppliers with new scope
• Combination of internal knowledge and external supplier questionnaires
• Risk pillars identified
Quadrant analysis
• Used to evaluate existing suppliers annually
• Completed internally only
• Subjective ratings
Controls activity matrix
• Defined monitoring activities for strategic/critical suppliers
• Driven by quadrant analysis only
• Beginning stages of development*
*Controls activity matrix is still in active development stages
Internal Audit is collaborating with EY to leverage total supplier reliability concepts to enhance SRM model
SRM evolution
[Chart: maturity versus performance, each axis running from low to high; stage labels: Reactive, Corrective, Optimized, Proactive, Integrated]
High-level objectives
• Create an integrated risk scoring and monitoring model where risk area scores drive monitoring activities
• Develop a governance framework to facilitate decision-making processes
• Implement supplier risk management process that aligns technology, governance and organization design
• Optimize cost of risk profile
Six critical areas of supplier risk
Commercial, Execution, Information, Regulatory, Continuity, Sustainability
Risk examples
• Commodity price volatility
• Exchange rate volatility
• Wage inflation
• Contract exposure
• Contract non-compliance
• Suppliers risk
• Delivery
• Performance (SLAs)
• Quality
• Component or service integration
• Intellectual property theft
• Customer data
• Competitive data
• Personal theft data violations
• Corruption (FCPA)
• Customs and duty
• Conflict minerals
• Accountability and transparency (FDA)
• Trade sanctions (OFAC)
• Workplace practices (labor, EHS, etc.)
• Supply availability
• Supply disruption – force majeure
• Supplier failure
• Product/support discontinuation
• External operations capacity (co-manufacturing)
• Environmental
• Social
• Geopolitical
• Ethical
Current SRM model and next steps
Current model: supplier vetting
Integrated SVQ evaluates supplier risk across 9 major categories:
• Spend
• Regulatory/legal & privacy
• Technology
• Business continuity
• Sustainability/reputational
• Physical security
• Operational
• Financial
• FDA compliance
Aggregate and risk area scores, combined with quadrant assigned (critical/strategic, leveraged, routine, bottleneck) drive onboarding decisions, as well as monitoring and audit activities.*
*See appendix for example supplier scorecard/quadrant analysis and SRM process flow
Current model: supplier vetting
Risk area scoring is determined through a combination of activities.
[Diagram: Initial vetting questions + Supplier questionnaires & internal knowledge = Residual risk score]
Two distinct scores:
• Sector
• Supplier
Determined based on supplier-specific score, for example:
• Financial viability (e.g., credit risk)
• Anti-corruption
• Privacy/information security
Inherent Risk Score
Current model: monitoring
Supplier scores from the SVQ determine the following:
• Monitoring activities required
• Frequency of activities (annually, quarterly, contract renewal)
• Audit frequency, if necessary
Monitoring activities include:
• Annual conflict minerals survey
• Operational audits
• ITGC reviews
• Corporate security audits
• Contingency plan reviews
Current monitoring activities are primarily manual in nature.
Next steps: overview
The path forward involves further developing key aspects of an operating model
Comprehensive SRM operating model
• Oversight and governance
• Technology and analytics
• People and organizational design
• Processes
List of activities to enable the operating model
• Risk scoring model
• Cost of Risk vs. risk exposure
• Risk response strategy
• Risk monitoring model
• Governance structure*
• Organizational design*
• Technology implementation*
Diagram legend: Already in place; 2015 activities
*See appendix for example governance structure/organizational design and technology platforms that currently offer SRM modules.
Achievements and challenges
Achievements and challenges
Things we did well:
• Enhanced existing processes by leveraging leading practice concepts
• Collaboration across the business functions and integration with existing and other in-flight due diligence efforts
• Defined risk environment pillars as foundation
• Integration of due diligence questionnaires
• Leveraged opportunities to educate business
• Implementation of “quick wins”
Challenges faced or things we could have done better:
• Weighting of risk areas/scoring
• Technology
• Subjectivity of information provided by vendor managers in quadrant analysis
• Disparate initial processes
• Education of internal resources
• Competing priorities
• Organizational design – who should own?
Wrap up
Final thoughts
Most organizations actively manage financial risks, but many fall short of managing risks that are external to their organization
9% is the average decrease in stock price associated with companies that announced a supply chain disruption*
*Vinod R. Singhal, Business Briefing: Global Purchasing and Supply Chain Strategies, Dupree College of Management, Georgia Institute of Technology
Traditional SRM is approached in a fragmented fashion, with legal, procurement, finance and operations all working independently. Attempting to manage supplier risk in this fashion can lead to:
• Operational disruptions
• Costly procurement situations
• Damage to brand and reputation
• Inability to adapt to a changing marketplace
• Inability to achieve regulatory compliance requirements
Contact information
Suzanne Wood
Email: [email protected]
Phone: (336) 741-0965
Patrick Fishburne
Email: [email protected]
Phone: (757) 575-6853
Jason Parnes
Email: [email protected]
Phone: (513) 476-2488
Appendix
The following slides represent examples of SRM organizations/processes; however, they do not necessarily reflect the processes and organization in place at Reynolds American Inc.
Detailed SRM process
Monitoring and reporting processes
Scoring processes
Example supplier scorecard
Risk area | Inherent risk score | Inherent risk rating | Residual risk score | Residual risk rating
Aggregate Score | 62 | Moderate-High | 62 | Moderate-High
Spend | 60 | Moderate | 60 | Moderate
Regulatory/legal & privacy | 55 | Moderate | 55 | Moderate
Technology | 70 | Moderate-High | 70 | Moderate-High
Business continuity | 55 | Moderate | 55 | Moderate
Sustainability/reputational | 46 | Moderate | 46 | Moderate
Physical security | 10 | Minimal to None | 10 | Minimal to None
Operational | 70 | Moderate-High | 70 | Moderate-High
Financial | 70 | Moderate-High | 70 | Moderate-High
FDA compliance | 100 | High | 100 | High
Technology platforms for SRM
• RSA Archer eGRC
• Oracle
• SAP
• MetricStream
• IBM Emptoris
• Ernst & Young LLP
SRM technology
• Tableau
• Spotfire
• SAP Business Objects
• Ernst & Young LLP
• SAS
Predictive Analytics
• SAP
ERP System
• Ariba
Business intelligence
• LexisNexis
• BriefCase Analytics
• NAVEX Global
• NEO Group
• D&B
• BEROE
• Maplecroft
Market intelligence
© 2015 Ernst & Young LLP.
All Rights Reserved.
Tweet using: #SIGspring15
Session #1
Tipping the Scale: Reynolds' Supplier Risk Management Program Creates a Balance between Cost and Risk
Speakers:
Reynolds American: Suzanne Wood
EY: Patrick Fishburne
EY: Jason Parnes