Integrating a robust third-party risk management program with the vendor onboarding process
Introductions
Kevin Bushbaker, Alexion, Senior Director, Global Requisition To [email redacted]
Eric Walsworth, Ernst & Young LLP, Senior [email redacted], +1 317 900 6098
Colin Meunier, Alexion, Associate Director, Source-to-Pay [email redacted]
Pradeep Caplash, Alexion, Associate Director, SAP Center of Excellence [email redacted]
Agenda
► Introduction to Alexion and EY
► Third-party due diligence (TPDD) and vendor onboarding (VOB) program overview
► TPDD process step walk-through
► Practical lessons learned
► Q&A
EY works with large companies across industries to address complex procurement challenges
► More than 85 clients (250+ modules) where Ariba has been successfully deployed
► Greater than 15 Ariba clients across each of the following sectors:
  ► Oil and gas, mining, and power and utilities
  ► Life sciences, pharma, health care and insurance industries
  ► Financial services and banking
  ► Consumer products and retail
► IDC ranked EY No. 1 in Supply Chain Management Business Consulting Services
► IDC names EY a Leader for Worldwide Risk Advisory Consulting Services
► Gartner named EY a “Leader” in SAP implementation services
► EY is an SAP Global Alliance Partner
► EY is a global Ariba implementation leader
► EY helps clients address end-to-end procurement needs
► EY has more than 3,000 supply chain professionals globally

► Strategic procurement: strategic sourcing and category management; contract management; supplier relationship management
► Procurement optimization: technology-enabled transformation; tax-efficient procurement; operating model design and deployment
► Outsourcing advisory: outsourcing health check; third-party advisory deal support
► Procurement analytics and performance management: spend analytics; supplier performance management

► We serve many of the largest and best known companies
► Our procurement clients are often:
  ► A new CFO, SC VP or CPO with a transformation agenda
  ► A company or industry with a burning platform (e.g., financial or regulatory)
  ► Recent acquisitions or divestitures
  ► Dated procurement technology
EY helps our clients realize procurement’s strategic potential

Around a core of procurement purpose and strategy:

Engage top talent
► Refresh hiring and retention strategy
► Develop a flexible and virtual workplace of the future
► Enhance knowledge management strategy

Leverage disruptive technologies
► Enable efficiencies through technology: robotics, cloud, blockchain

Develop procurement analytics beyond spend
► Use advanced prescriptive and predictive data models
► Deploy analytics across procurement areas to enhance decision support
► Develop user-focused and mobile reporting solutions
► Leverage big data
► Mine social media

Redefine procurement purpose and operating model
► Define overall purpose of procurement
► Design operating model to align with purpose
► Identify talent focus areas on strategic vs. non-strategic activities

Invest to develop strategic category managers
► Identify strategic categories
► Establish category governance structures
► Develop category strategies and execution plans
► Define a career path and talent development program
► Deploy gamification and outcomes-based mechanisms

Create strategic alliances with business partners across the company
► Form strong commercial partnerships
► Drive supplier development, collaboration and integration
► Develop a 360-degree view of supplier relationships

Transform source-to-pay business processes
► Integrated STP platform strategy (sourcing, PTP, CLM)
► Buying channel strategy
► Standardized process taxonomy
► Reduce cycle times
► Improve users’ procurement experience

Enable a holistic approach to risk management
► Quantify cost of risks and risk exposure
► Monitor and proactively address supplier risks
Alexion is a global biopharmaceutical company focused on therapies for patients with devastating and rare diseases
Most organizations fall short of effectively managing the increasing risks associated with suppliers
9% is the average decrease in stock price associated with companies that announced a supply chain disruption*
* Vinod R. Singhal, Business Briefing: Global Purchasing and Supply Chain Strategies, Dupree College of Management, Georgia Institute of Technology

Traditional third-party risk management is approached with a compliance mindset in a fragmented fashion. Managing third-party risk in this fashion can lead to:
► Damage to brand and reputation
► Operational disruptions
► Costly procurement decisions
► Inefficient deployment of resources

The road to maturing supply risk management (in order of increasing maturity):
► Reactive: risk efforts are focused on responding to events after they occur and are often looked at in functional silos.
► Integrated: risk efforts are more cross-functional and with a quantitative focus.
► Optimized: risk management starts becoming forward looking to anticipate concerns.
Alexion’s integrated TPDD and VOB process vision
“Improved outcomes”
1. Ability to make better-informed decisions on both near-term risks and strategic investments around risk
2. Defined risk segmentation criteria with supporting due diligence, monitoring and evaluation/response processes
3. Scalable workflow that can adapt to evolving business requirements

Third-party risk management framework dimensions: quality, commercial, capability
Alexion’s integrated TPDD and VOB process vision
The initial focus is on commercial risk. Process and workflow are designed to accommodate capability and quality in the future.
Enabled to expand beyond commercial risk
1. Visibility – Provide visibility prior to on-boarding with controls to mitigate risk/reject them
2. Data gathering – Use workflow to gather additional data to manage third-party risk
3. Operating model options – Consolidate third-party risk management enabling operating model options (e.g., managed services)
TPDD and VOB process and enabling technology

1. Request: capture the business’s request for a new TPDD and/or vendor.
2. Register: the vendor registers in Ariba SIPM and completes the supplier profile questionnaire (SPQ).
3. Screen: QA the SPQ and assign a risk category; screen the third party based on its diligence requirements; Alexion reviews the findings and recommends approve, approve with conditions, reject or escalate.
4. Onboard: if the third party is a vendor and is approved, onboard it into SAP.
5. Monitor and assess: update the SPQ based on ongoing monitoring and scheduled risk assessments; Alexion reviews the findings and recommends approve, approve with conditions, reject or escalate.
6. Respond: Alexion’s response to risk events identified during monitor and assess.

Enabling technology: Supplier Information and Performance Management (SIPM) in Ariba; ServiceNow.
EY TPDD and monitoring managed services

EY Managed Services works the SIPM workflow across all six steps (Request, Register, Screen, Onboard, Monitor and assess, Respond), with third parties on the other side of the workflow. Risk assessments are initiated by defined events:
1. New TPDD request
2. Scheduled assessments
3. Red monitoring alert
Due diligence managed services delivered from EY’s Costa Rica third-party management support hub

► Costa Rica: Americas service hub, experienced in third-party management supporting services, with time zone convenience to support US and EU customers
► Malaysia: global business service hub
► India: global service hub
► If needed, other global hubs can be made available to address any regional issues
► Ariba data center: Sunnyvale, CA; Ariba global tech support: Pittsburgh, PA
(Map of countries with and without EY presence not reproduced.)
Commercial due diligence overview: Assessment

Inputs:
1. An Alexion employee enters information about the vendor or other third party.
2. The third party (or an Alexion designee in certain instances) completes an Alexion-specific questionnaire in Ariba: the SIPM supplier profile questionnaire (SPQ), with commercial and capability sections and responses to IT security questions.
3. EY due diligence.

Process: commercial compliance risk review framework managed by EY, applied according to a diligence scope profile. The slide’s matrix marks corruption in all three profiles, financial and adverse media in two, and legal and geopolitical in one; read as nested scopes (A within B within C, an assumption the extracted slide does not settle) it gives:

Risk area      A  B  C
Corruption     x  x  x
Financial      -  x  x
Adverse media  -  x  x
Legal          -  -  x
Geopolitical   -  -  x

Outputs: the SPQ updated with the diligence findings. Each risk area (corruption, financial, adverse media, legal, geopolitical) receives a red, yellow or green rating with a description, plus an overall rating (1).

1) Design assumes the overall diligence finding is the maximum (worst) of the area ratings, so that a red is not missed through averaging.
Commercial due diligence overview: Review

Inputs: the SPQ updated with the diligence findings (per-area red/yellow/green ratings with descriptions for corruption, financial, adverse media, legal and geopolitical; the overall rating taken as the maximum per footnote 1 above; commercial and capability sections; responses to IT security questions).

Process: commercial compliance risk review framework managed by EY.

Outputs (review decision):
► Approved/no action
► Approved with conditions. Examples: increased monitoring/audit; “insurance” (e.g., financial hedging, secure an additional source); invest in third-party improvement
► Escalate
► Reject/exit relationship
Technical architecture of Ariba-ECC integration at Alexion (mediated connectivity)

Alexion’s Ariba SIPM instance (Ariba Upstream OnDemand) ↔ middleware (SAP PI, process integration) ↔ Alexion’s SAP ERP

► The middleware carries “create and update vendor” from SIPM to ERP and returns the confirmation with the vendor ID.
► Suppliers work in SIPM; Alexion users SSO into SIPM via the Okta platform.
► Alexion is using Ariba SIPM as the source of supplier information: supplier basic profile, address information, bank data, accounting data, tax info, payment information, purchasing and company code information, alternate payee.
► Resulting vendor master view in SAP: general data, company code, purchasing data.
Alexion’s Ariba SIPM – SAP ERP integration

Key features:
► Automatic creation and updating of the supplier record in SAP ECC after approval in SIPM
► Supplier blocking and deactivation is enabled
► Standard SIPM and custom SPQ fields were integrated: general data, bank details, tax information, company code, accounting and purchasing data
► Additional logic to create alternative payee information and linkage to the main supplier

Key benefits:
► End-to-end integration of the vendor registration and onboarding process
► Significant reduction in data entry errors due to automation
► Overall improvement in supplier onboarding process efficiency
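The integration slides above describe the mediated path (SIPM, middleware, SAP ECC): only records approved in SIPM are created or updated in ECC, blocking and deactivation propagate, and alternate payees are linked to their main supplier. The following is an added example in Python, not Ariba, SAP PI or Alexion code, that models that path end to end. The field set is the one listed on the architecture slide; the status values, the in-memory vendor master, the vendor ID format and the flagging of bank-data changes are assumptions. The last of these is the caveat a practitioner would add: once creation is automated, a bank-detail update no longer passes under a human’s eyes, so the middleware surfaces it as its own event.

```python
# Added example (not Ariba, SAP PI or Alexion code): a stand-in for the mediated
# SIPM -> ERP vendor-master sync. Field names follow the architecture slide;
# status values, IDs and the sensitive-field flag are assumptions.
from dataclasses import dataclass, asdict
from typing import Optional

# Assumption: fields whose change should be surfaced as a distinct event.
SENSITIVE_FIELDS = ("bank_data", "payment_info", "alternate_payee_of")


@dataclass(frozen=True)
class SipmSupplier:
    """Supplier profile as SIPM would hand it to the middleware."""
    sipm_id: str
    approval_status: str          # assumed values: "approved" | "pending" | "rejected"
    blocked: bool                 # SIPM block/deactivate flag
    name: str                     # supplier basic profile
    address: str
    bank_data: str
    accounting_data: str
    tax_info: str
    payment_info: str
    purchasing_org: str
    company_code: str
    alternate_payee_of: Optional[str] = None  # sipm_id of the main supplier


class VendorMaster:
    """Stand-in for the SAP ECC vendor master, keyed by ERP vendor ID."""

    def __init__(self) -> None:
        self.vendors: dict[str, dict] = {}
        self._next_id = 100000  # assumed numbering scheme

    def create(self, data: dict) -> str:
        vendor_id = str(self._next_id)
        self._next_id += 1
        self.vendors[vendor_id] = dict(data, blocked=False)
        return vendor_id

    def update(self, vendor_id: str, data: dict) -> list:
        """Apply the record and return the names of the fields that changed."""
        current = self.vendors[vendor_id]
        changed = [k for k, v in data.items() if current.get(k) != v]
        current.update(data)
        return changed

    def set_block(self, vendor_id: str, blocked: bool) -> None:
        self.vendors[vendor_id]["blocked"] = blocked


class Middleware:
    """Mediated connectivity: SIPM never writes to the ERP directly."""

    def __init__(self, erp: VendorMaster) -> None:
        self.erp = erp
        self.xref: dict[str, str] = {}  # sipm_id -> ERP vendor ID

    def sync(self, rec: SipmSupplier) -> dict:
        # Gate 1: only records approved in SIPM may cross into ECC.
        if rec.approval_status != "approved":
            return {"status": "held", "reason": f"status is {rec.approval_status}"}
        # Gate 2: an alternate payee must link to a main supplier that already
        # exists in ECC, otherwise the linkage cannot be made.
        main_vendor_id = None
        if rec.alternate_payee_of is not None:
            main_vendor_id = self.xref.get(rec.alternate_payee_of)
            if main_vendor_id is None:
                return {"status": "held", "reason": "main supplier not in ERP yet"}
        data = asdict(rec)
        for k in ("sipm_id", "approval_status", "blocked"):
            data.pop(k)
        data["main_vendor_id"] = main_vendor_id
        # Idempotent per sipm_id: create once, update thereafter.
        vendor_id = self.xref.get(rec.sipm_id)
        if vendor_id is None:
            vendor_id = self.erp.create(data)
            self.xref[rec.sipm_id] = vendor_id
            action, changed = "created", []
        else:
            changed = self.erp.update(vendor_id, data)
            action = "updated" if changed else "unchanged"
        # Blocking/deactivation in SIPM propagates to the ERP record.
        self.erp.set_block(vendor_id, rec.blocked)
        # Practitioner caveat (not on the slide): automation removes the human
        # who would notice a bank-detail change, so report it explicitly.
        sensitive = [f for f in changed if f in SENSITIVE_FIELDS]
        return {"status": "ok", "action": action, "vendor_id": vendor_id,
                "sensitive_fields_changed": sensitive}


if __name__ == "__main__":
    # Constructed sample records; values are not real supplier data.
    erp, mw = VendorMaster(), None
    mw = Middleware(erp)
    rec = SipmSupplier("S-1", "approved", False, "Acme Reagents", "1 Lab Way",
                       "IBAN-AAAA", "recon-1", "TAX-1", "NET30", "PO01", "1000")
    print(mw.sync(rec))                                   # created, vendor ID returned
    print(mw.sync(SipmSupplier(**{**asdict(rec), "bank_data": "IBAN-BBBB"})))
```

The confirmation returned by `sync` is the "confirmation with vendor ID" shown on the architecture slide; the `sensitive_fields_changed` list is the added control, and is the hook where a review or out-of-band verification step would attach.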
TPDD and VOB process: step descriptions
Risk triggers and diligence categorization
Inherent risk is determined through a set of trigger questions asked during the internal Alexion TPDD Request for Third-Party Registration.
Diligence screening and monitoring
EY Managed Services conducts commercial due diligence and provides workflow support for the broader TPDD and VOB process. Risk assessments are initiated by defined events:
1. New TPDD request
2. Scheduled assessments
3. Red monitoring alert
Example sources used for monitoring and diligence

External sources, by content focus (financial; media/geopolitical; compliance/legal):
► InfoNet (350,000+ sources): AML, ABC, sanctions and watch lists; financial viability assessments; corporate relationships; supply chain analytics; BLAW litigation reports; social media; negative news alerts; dynamic geographical supplier analysis; OFAC
► EY Growing Beyond Borders: country benchmarking
► Thomson Reuters Eikon; Thomson Reuters Clear

Potential additional sources (incremental costs):
► Dun & Bradstreet: DUNS, supplier evaluation risk rating, diversity
► Ecovadis: sustainability
► Security Scorecard: cyber threat
► EY: in-country local support

Internal (Alexion) sources:
► Suppliers: supplier surveys via Ariba SIPM
► Quality, performance, SLAs, other internal systems
Assessment findings scoring guide
Assessment findings are summarized using red, yellow or green based on Alexion’s criteria.
Functional area approvers guide
Decision guides are available to facilitate and standardize the approval process.
Alexion functional area delegates review the TPDD findings and have four options:
1. Approved/no action
2. Approved with conditions. Examples: increased monitoring/audit; “insurance” (e.g., financial hedging, secure an additional source); invest in third-party improvement
3. Escalate
4. Reject/exit relationship
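The scope-profile matrix, the footnote on taking the overall finding as the maximum rather than an average, the assessment triggers and the four approver options above amount to a small decision procedure. The following is an added example in Python, not Alexion’s or EY’s code. The risk-area names, the red/yellow/green scale, the max rule, the three trigger events and the four options are the deck’s; the trigger-question keys, the thresholds that pick a scope profile, the nesting of profiles A within B within C, and the default mapping from overall rating to decision are assumptions. It also shows what the footnote guards against: with one red among four greens, averaging reports green.

```python
# Added example (not Alexion's or EY's code): the deck's scoring and decision
# rules in runnable form. Assumptions are marked in comments.
from enum import IntEnum


class Rating(IntEnum):
    """Red/yellow/green finding, ordered so that max() picks the worst."""
    GREEN = 0
    YELLOW = 1
    RED = 2


RISK_AREAS = ("corruption", "financial", "adverse_media", "legal", "geopolitical")

# Diligence scope profiles. The deck shows corruption in all three profiles,
# financial and adverse media in two, legal and geopolitical in one; that the
# profiles nest (A within B within C) is an assumption.
SCOPE_PROFILES = {
    "A": frozenset({"corruption"}),
    "B": frozenset({"corruption", "financial", "adverse_media"}),
    "C": frozenset(RISK_AREAS),
}


def scope_profile_for(triggers: dict) -> str:
    """Request step: trigger-question answers pick the diligence scope profile.

    The question keys and thresholds are illustrative assumptions; the deck only
    says inherent risk is set by trigger questions at registration request.
    """
    if triggers.get("government_interaction") or triggers.get("high_risk_country"):
        return "C"
    if triggers.get("annual_spend_usd", 0) >= 250_000 or triggers.get("sole_source"):
        return "B"
    return "A"


def overall_rating(findings: dict) -> Rating:
    """Deck footnote 1: overall = max of the area ratings, never an average."""
    if not findings:
        raise ValueError("no findings to aggregate")
    return max(findings.values())


def averaged_rating(findings: dict) -> Rating:
    """The anti-pattern the footnote warns about, kept only for comparison."""
    return Rating(round(sum(findings.values()) / len(findings)))


def recommend(overall: Rating) -> str:
    """Default recommendation for the functional-area approver.

    The four options are the deck's; which rating maps to which default is an
    assumption. Reject/exit stays a human decision, so it is never the default.
    """
    return {
        Rating.GREEN: "approved/no action",
        Rating.YELLOW: "approved with conditions",
        Rating.RED: "escalate",
    }[overall]


def assess(profile: str, findings: dict) -> dict:
    """Screen step: keep the in-scope areas, aggregate, and recommend."""
    in_scope = {a: r for a, r in findings.items() if a in SCOPE_PROFILES[profile]}
    missing = SCOPE_PROFILES[profile] - set(in_scope)
    if missing:
        raise ValueError(f"profile {profile} requires findings for {sorted(missing)}")
    overall = overall_rating(in_scope)
    return {"profile": profile, "findings": in_scope,
            "overall": overall, "recommendation": recommend(overall)}


def apply_monitoring_alert(assessment: dict, area: str, rating: Rating) -> dict:
    """Monitor-and-assess step: a monitoring alert re-runs the assessment."""
    updated = dict(assessment["findings"], **{area: rating})
    return assess(assessment["profile"], updated)


if __name__ == "__main__":
    # Constructed sample: one red corruption finding, everything else green.
    triggers = {"government_interaction": True, "annual_spend_usd": 50_000}
    findings = {"corruption": Rating.RED, "financial": Rating.GREEN,
                "adverse_media": Rating.GREEN, "legal": Rating.GREEN,
                "geopolitical": Rating.GREEN}
    result = assess(scope_profile_for(triggers), findings)
    print(result["overall"].name, "->", result["recommendation"])   # RED -> escalate
    print("averaged would report", averaged_rating(findings).name)  # GREEN
```

Two design points carry over to any implementation of the rule set: the scale must be ordered so the aggregation is a maximum, and the aggregator should refuse to run when an in-scope area has no finding yet rather than silently treating it as green.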
Alexion’s internal governance escalation methodology
Gray boxes represent escalation path to the governance committee.
Escalation response options
A cross-functional governance committee will address escalated risk findings using a TPDD governance response guide.
Escalation response options
For each escalation step, there are several options that can be considered.
Practical lessons learned
Governance and oversight
  Design strategy: achieve buy-in and sponsorship; design the risk segmentation framework
  Objectives:
  1. Achieve sponsorship, strategic direction, and funding
  2. Create cross-functional participation and accountability
  3. Define risk scope and segmentation approach

Technology and analytics
  Design strategy: develop risk analytics capability; leverage enabling technology
  Objectives:
  1. Identify and select the sources of information for risk management analytics
  2. Identify the reporting needs for all business units and participants
  3. Determine a method to consistently normalize and prioritize risk findings
  4. Confirm alignment between the technology road map and the risk management program

People and organizational design
  Design strategy: design the operating model; identify resourcing, responsibilities, and location requirements
  Objectives:
  1. Design the organization to provide scalable, value-added services in a central location for cross-enterprise use
  2. Identify, train, and develop resources to support the program

Processes
  Design strategy: develop procedural details to operationalize the design; anticipate the need to accommodate future requirements (scope and scale)
  Objectives:
  1. Integrate TPRM with existing processes to provide value
  2. Design for auditability, adaptability, and sustainability
  3. Establish a normalized approval, rejection, escalation, and response guide to standardize the process
Importance of change management

Common change management challenges

Faster implementation time and testing cycles. Shorter implementation timelines introduce greater risk in:
► Identifying and engaging all impacted stakeholder groups
► Tailoring generic communication and/or training materials from the solution provider to fit our clients
► Enabling suppliers and catalogs, which can result in limited availability at go-live

Mature systems based on time-tested leading practice processes:
► Internal processes and/or policies that are less mature and less standardized may not support the system
► Existing organizational structures, roles, and/or talent do not align to the way the system is supposed to work
► System implementation often precedes establishing clear data and process governance

Cloud applications are designed for no/limited customization:
► Greater cross-functional governance and alignment is needed before selecting a non-customizable solution
► Clients with a complex geographical footprint and/or highly autonomous business units have a higher risk of poor solution adoption
Thank you for joining us today
EY | Assurance | Tax | Transactions | Advisory
About EY: EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
© 2017 Ernst & Young LLP.All Rights Reserved.
1702-2202563ED None
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.
ey.com