Integrating a robust third-party risk management program with the vendor onboarding process


Introductions

Kevin Bushbaker, Alexion, Senior Director, Global Requisition To [email protected]

Eric Walsworth, Ernst & Young LLP, Senior [email protected], +1 317 900 6098

Colin Meunier, Alexion, Associate Director, Source-to-Pay [email protected]

Pradeep Caplash, Alexion, Associate Director, SAP Center of Excellence [email protected]

Agenda

► Introduction to Alexion and EY
► Third-party due diligence (TPDD) and vendor onboarding (VOB) program overview
► TPDD process step walk-through
► Practical lessons learned
► Q&A

EY works with large companies across industries to address complex procurement challenges

► More than 85 clients (250+ modules) where Ariba has been successfully deployed
► Greater than 15 Ariba clients across each of the following sectors:
  ► Oil and gas, mining and power and utilities
  ► Life sciences, pharma, health care and insurance industries
  ► Financial services and banking
  ► Consumer products and retail

► IDC ranked EY No. 1 in Supply Chain Mgmt. Business Consulting Services
► IDC names EY a Leader for Worldwide Risk Advisory Consulting Services
► Gartner named EY a “Leader” in SAP implementation services
► EY is an SAP Global Alliance Partner
► EY is a global Ariba implementation leader

EY helps clients address end-to-end procurement needs, with more than 3,000 supply chain professionals globally:
► Strategic procurement: strategic sourcing and category mgmt.; contract management; supplier relationship management
► Procurement optimization: technology-enabled transformation; tax efficient procurement; operating model design and deployment
► Outsourcing advisory: outsourcing health check; third-party advisory deal support
► Procurement analytics and performance management: spend analytics; supplier performance management

► We serve many of the largest and best known companies
► Our procurement clients are often:
  ► New CFO, SC VP or CPO with a transformation agenda
  ► Company or industry with a burning platform (e.g., financial or regulatory)
  ► Recent acquisitions or divestitures
  ► Dated procurement technology

EY helps our clients realize procurement’s strategic potential

Procurement purpose and strategy

Redefine procurement purpose and operating model
► Define overall purpose of procurement
► Design operating model to align with purpose
► Identify talent focus areas on strategic vs. non-strategic activities

Engage top talent
► Refresh hiring and retention strategy
► Develop a flexible and virtual workplace of the future
► Enhance knowledge management strategy

Leverage disruptive technologies
► Enable efficiencies through technology
► Robotics
► Cloud
► Blockchain

Develop procurement analytics beyond spend
► Use advanced prescriptive and predictive data models
► Deploy analytics across procurement areas to enhance decision support
► Develop user-focused and mobile reporting solutions
► Leverage big data
► Mine social media

Invest to develop strategic category managers
► Identify strategic categories
► Establish category governance structures
► Develop category strategies and execution plans
► Define a career path and talent development program
► Deploy gamification and outcomes-based mechanisms

Create strategic alliances with business partners across the company
► Form strong commercial partnerships
► Drive supplier development, collaboration and integration
► Develop a 360-degree view of supplier relationships

Transform source-to-pay business processes
► Integrated STP platform strategy (sourcing, PTP, CLM)
► Buying channel strategy
► Standardized process taxonomy
► Reduce cycle times
► Improve users’ procurement experience

Enable a holistic approach to risk management
► Quantify cost of risks and risk exposure
► Monitor and proactively address supplier risks


Alexion is a global biopharmaceutical company focused on therapies for patients with devastating and rare diseases

Most organizations fall short of effectively managing the increasing risks associated with suppliers

9% is the average decrease in stock price associated with companies that announced a supply chain disruption*

* Vinod R. Singhal, Business Briefing: Global Purchasing and Supply Chain Strategies, Dupree College of Management, Georgia Institute of Technology

Traditional third-party risk management is approached with a compliance mindset in a fragmented fashion. Managing third-party risk in this fashion can lead to:
► Damage to brand and reputation
► Operational disruptions
► Costly procurement decisions
► Inefficient deployment of resources

The road to maturing supply risk management (increasing maturity from reactive to optimized):

Reactive: risk efforts are focused on responding to events after they occur and are often looked at in functional silos.

Integrated: risk efforts are more cross-functional and with a quantitative focus.

Optimized: risk management starts becoming forward looking to anticipate concerns.

Alexion’s integrated TPDD and VOB process vision

“Improved outcomes”
1. Ability to make better-informed decisions on both near-term risks and strategic investments around risk
2. Defined risk segmentation criteria with supporting due diligence, monitoring and evaluation/response processes
3. Scalable workflow that can adapt to evolving business requirements

Third-party risk management framework: Quality, Commercial, Capability

Alexion’s integrated TPDD and VOB process vision (continued)

The initial focus is on commercial risk. Process and workflow are designed to accommodate capability and quality in the future.

Enabled to expand beyond commercial risk:
1. Visibility – Provide visibility prior to on-boarding with controls to mitigate risk/reject them
2. Data gathering – Use workflow to gather additional data to manage third-party risk
3. Operating model options – Consolidate third-party risk management enabling operating model options (e.g., managed services)

Third-party risk management framework: Quality, Commercial, Capability

TPDD and VOB process and enabling technology

Objectives by process step:
1. Request – Capture business’s request for new TPDD and/or vendor
2. Register – Vendor registers in Ariba SIPM and completes supplier profile questionnaire (SPQ)
3. Screen – QA SPQ and assign risk category; screen third party based on diligence requirements; Alexion reviews findings and recommends approve, approve with conditions, reject or escalate
4. Onboard – If third party is a vendor and approved, onboard into SAP
5. Monitor and assess – Update SPQ based on ongoing monitoring and scheduled risk assessments; Alexion reviews findings and recommends approve, approve with conditions, reject or escalate
6. Respond – Alexion response to risk events identified during monitor and assess

Enabling technology: Ariba Supplier Information and Performance Mgmt. (SIPM) and ServiceNow

EY TPDD and monitoring managed services

EY Managed Services provides the SIPM workflow support and interfaces with third parties across the six process steps: Request, Register, Screen, Onboard, Monitor and assess, Respond.

Risk assessments initiated by defined events:
1. New TPDD request
2. Scheduled assessments
3. Red monitoring alert

Due diligence managed services delivered from EY’s Costa Rica third-party management support hub

If needed, other global hubs can be made available to address any regional issues.

EY hubs:
► Costa Rica – Americas service hub
► Malaysia – global business service hub
► India – global service hub

Ariba locations:
► Ariba data center – Sunnyvale, CA
► Ariba global tech support – Pittsburgh, PA

► Experienced in third-party management supporting services
► Time zone convenience to support US and EU customers

Commercial due diligence overview: Assessment

Inputs
1. Alexion employee enters information about vendor or other third party.
2. Third party (or Alexion designee in certain instances) completes an Alexion-specific questionnaire in Ariba: the SIPM supplier profile questionnaire (SPQ), including responses to IT security questions, covering the Commercial and Capability framework areas.

Process
3. EY due diligence under the commercial compliance risk review framework managed by EY.

Diligence scope profile (risk areas screened per profile):

Risk area      A  B  C
Corruption     x  x  x
Financial      x  x
Adverse media  x  x
Legal          x
Geopolitical   x

Outputs
SPQ updated with diligence findings: each risk area (Corruption, Financial, Adverse media, Legal, Geopolitical) is rated R, Y or G with a description, plus an Overall(1) rating.

1) Design assumes the overall diligence finding is the max, so as not to miss reds due to averaging.

Commercial due diligence overview: Review

Inputs: the SPQ updated with diligence findings (per-area R/Y/G ratings with descriptions for Corruption, Financial, Adverse media, Legal and Geopolitical, plus the Overall(1) rating, where overall is the max finding so reds are not missed due to averaging), produced under the commercial compliance risk review framework managed by EY.

Outputs: a review decision, one of:
► Approved/no action
► Approved with conditions. Examples:
  ► Increased monitoring/audit
  ► “Insurance” (e.g., financial hedging, secure additional source)
  ► Invest in third-party improvement
► Escalate
► Reject/exit relationship

Technical architecture of Ariba-ECC integration at Alexion (mediated connectivity)

Alexion’s SAP ERP is connected to Alexion’s Ariba SIPM instance (SIPM Upstream On Demand) through middleware, SAP PI (process integration):
► Ariba SIPM to SAP ERP: create and update vendor
► SAP ERP to Ariba SIPM: confirmation with vendor ID

Suppliers register in Ariba SIPM; Alexion users SSO into SIPM via the Okta platform.

Alexion is using Ariba SIPM as the source of supplier information:
► Supplier basic profile
► Address information
► Bank data
► Accounting data
► Tax info
► Payment information
► Purchasing and company code information
► Alternate payee

SAP vendor master view: general data, company code, purchasing data.

Alexion’s Ariba SIPM – SAP ERP integration

Key features:
► Automatic creation and updating of supplier record in SAP ECC after approval in SIPM
► Supplier blocking and deactivation is enabled
► Standard SIPM and custom SPQ fields were integrated
  ► General data, bank details, tax information, company code, accounting and purchasing data
  ► Additional logic to create alternative payee information and linkage to main supplier

Key benefits:
► End-to-end integration of vendor registration and onboarding process
► Significant reduction in data entry errors due to automation
► Overall improvement in supplier onboarding process efficiency

TPDD and VOB process: step descriptions

Risk triggers and diligence categorization

Inherent risk is determined through a set of trigger questions asked during the internal Alexion TPDD Request for Third-Party Registration.

Diligence screening and monitoring

EY Managed Services conducts commercial due diligence and provides workflow support for the broader TPDD and VOB process.

Risk assessments initiated by defined events:
1. New TPDD request
2. Scheduled assessments
3. Red monitoring alert

Example sources used for monitoring and diligence

Content focus of external sources: financial, media/geopolitical, compliance/legal.

External sources:
► InfoNet: 350,000+ sources
► AML, ABC, sanctions, watch lists
► Financial viability assessments, corporate relationships, supply chain analytics, BLAW litigation reports, social media, negative news alerts, dynamic geographical supplier analysis, OFAC
► EY Growing Beyond Borders: country benchmarking

Potential additional sources (incremental costs):
► DUNS, supplier evaluation risk, rating, diversity (Dun & Bradstreet)
► Sustainability (Ecovadis)
► Cyber threat (Security Scorecard)
► In-country local support

Providers shown: Dun & Bradstreet, Security Scorecard, Thomson Reuters Eikon, Thomson Reuters Clear, Ecovadis, EY

Internal (Alexion): quality, performance SLAs, other internal systems

Suppliers: supplier surveys via Ariba SIPM

Assessment findings scoring guide

Assessment findings are summarized using red, yellow or green based on Alexion’s criteria.

Functional area approvers guide

Decision guides are available to facilitate and standardize the approval process.

Alexion functional area delegates review the TPDD findings and have four options:
1. Approved/no action
2. Approved with conditions. Examples:
   ► Increased monitoring/audit
   ► “Insurance” (e.g., financial hedging, secure additional source)
   ► Invest in third-party improvement
3. Escalate
4. Reject/exit relationship
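The max-not-average rule from the assessment slide and the four approver options above, worked through as added example code that is not part of the Alexion/EY deck. It assumes the diligence scope table reads left to right with profile A the widest scope, and the mapping of an overall rating to an approver option, like the sample vendor, is constructed for illustration.

```python
from enum import IntEnum
from statistics import mean


class Rating(IntEnum):
    """Red/yellow/green finding, ordered so that max() selects the worst."""
    G = 0  # green: no issue found
    Y = 1  # yellow: issue found, manageable with conditions
    R = 2  # red: significant issue


# Diligence scope profile from the assessment slide, read left to right
# (assumption: profile A is the widest scope, C the narrowest).
SCOPE = {
    "A": ("Corruption", "Financial", "Adverse media", "Legal", "Geopolitical"),
    "B": ("Corruption", "Financial", "Adverse media"),
    "C": ("Corruption",),
}


def areas_in_scope(profile):
    """Risk areas screened for a third party assigned the given profile."""
    return list(SCOPE[profile])


def validate_findings(profile, findings):
    """Return a list of problems (empty when the findings match the profile).

    A rating missing for an in-scope area means the screen is incomplete; a
    rating for an out-of-scope area suggests the wrong profile was assigned.
    """
    expected, got = set(SCOPE[profile]), set(findings)
    problems = [f"missing rating for {a}" for a in sorted(expected - got)]
    problems += [f"unexpected rating for {a}" for a in sorted(got - expected)]
    return problems


def overall_finding(findings):
    """Footnote (1) on the slide: overall = worst area rating, so one red is
    never masked by several greens."""
    return max(findings.values())


def averaged_finding(findings):
    """What an averaging design would report for the same findings. Included
    only to show the failure mode the max rule avoids."""
    return Rating(round(mean(int(r) for r in findings.values())))


def recommend(overall):
    """Route the overall rating to one of the approver options. The slide lists
    the options but not this mapping; it is an illustrative assumption."""
    if overall is Rating.G:
        return "approved/no action"
    if overall is Rating.Y:
        return "approved with conditions (e.g. increased monitoring/audit)"
    return "escalate to governance committee"


def monitoring_alert(findings, area, new_rating):
    """Apply an ongoing-monitoring update to one area of the SPQ findings and
    report whether it is a defined trigger for a new assessment (red alert)."""
    findings[area] = new_rating
    return new_rating is Rating.R


# Constructed sample: profile A vendor, clean except one red geopolitical hit.
SAMPLE = {
    "Corruption": Rating.G, "Financial": Rating.G, "Adverse media": Rating.G,
    "Legal": Rating.G, "Geopolitical": Rating.R,
}

if __name__ == "__main__":
    assert not validate_findings("A", SAMPLE)
    print("max rule :", overall_finding(SAMPLE).name, "->", recommend(overall_finding(SAMPLE)))
    print("averaging:", averaged_finding(SAMPLE).name, "(red hidden)")
```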

Alexion’s internal governance escalation methodology

Gray boxes represent the escalation path to the governance committee.

Escalation response options

A cross-functional governance committee will address escalated risk findings using a TPDD governance response guide. For each escalation step, there are several options that can be considered.

Practical lessons learned

Dimension: Governance and oversight
TPRM design strategy: Achieve buy-in and sponsorship; Design the risk segmentation framework
Objectives:
1. Achieve sponsorship, strategic direction, and funding
2. Create cross-functional participation and accountability
3. Define risk scope and segmentation approach

Dimension: Technology and analytics
TPRM design strategy: Develop risk analytics capability; Leverage enabling technology
Objectives:
1. Identify and select the sources of information for risk management analytics
2. Identify the reporting needs for all business units and participants
3. Determine method to consistently normalize and prioritize risk findings
4. Confirm alignment between technology road map and the risk management program

Dimension: People and organizational design
TPRM design strategy: Design the operating model; Identify resourcing, responsibilities, and location requirements
Objectives:
1. Design the organization to provide scalable, value-added services in a central location for cross-enterprise
2. Identify, train, and develop resources to support the program

Dimension: Processes
TPRM design strategy: Develop procedural details to operationalize the design; Anticipate need to accommodate future requirements (scope and scale)
Objectives:
1. Integrate TPRM with existing processes to provide value
2. Design for auditability, adaptability, and sustainability
3. Establish a normalized approval, rejection, escalation, and response guide to standardize the process

Importance of change management

Common change management challenges

Faster implementation time and testing cycles: shorter implementation timelines introduce greater risk in:
► Identifying and engaging all impacted stakeholder groups
► Tailoring generic communication and/or training materials from the solution provider to fit our clients
► Enabling suppliers and catalogs – which can result in limited availability at go-live

Mature systems based on time-tested leading practice processes:
► Internal processes and/or policies that are less mature and less standardized may not support the system
► Existing organizational structures, roles, and/or talent do not align to the way the system is supposed to work
► System implementation often precedes establishing clear data and process governance

Cloud applications are designed for no/limited customization:
► Greater cross-functional governance and alignment is needed before selecting a non-customizable solution
► Clients with a complex geographical footprint and/or highly autonomous business units have a higher risk of poor solution adoption

Thank you for joining us today

Kevin Bushbaker, Alexion, Senior Director, Global Requisition To [email protected]

Eric Walsworth, Ernst & Young LLP, Senior [email protected], +1 317 900 6098

Colin Meunier, Alexion, Associate Director, Source-to-Pay [email protected]

Pradeep Caplash, Alexion, Associate Director, SAP Center of Excellence [email protected]

EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

© 2017 Ernst & Young LLP. All Rights Reserved.

1702-2202563
ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com